Passwords are hell sometimes

A few months ago I came home, made myself some dinner and decided, yes, it's time for Netflix. As psyched as I was, I started the web app and found that there were suddenly some extra profiles on my screen. The first thing I did, of course, was change my password; at least, I tried. Yes, my account was poorly protected with a reasonably easy-to-hack password. So after contacting Netflix support (who helped me awesomely and fast) I decided to completely change the way I handle my passwords.

Hackable

So I mentioned I used an easy-to-hack password for this account of mine. But what is an easy-to-hack password? In my quest to create a better way to handle my passwords I ran into a few YouTube videos about this topic. They went far more technical than the point I want to make with this post, so I'll give you the simple explanation. The way most attackers crack passwords is not to try every possible string, but to start from a list of the words people actually use as passwords. The web is flooded with lists like this, usually built from earlier breaches.

For every word in the list they then apply a handful of "mangling rules": the variations people append or prepend to their passwords, giving candidates like "Crocodile123". "Crocodile" is the word from the list; "123" is one of a few common suffixes, alongside things like a zip code or the year of his or her birthday. Each rule is cheap, so a few thousand words times a few dozen rules is still a small list to run through. In practice this is done offline against a stolen database of password hashes, where billions of guesses per second are possible, and a password in this shape falls almost immediately. Running the same list against random accounts on a login page is slower, but still finds hits easily enough.

Then I suppose the question arises: "OMG, what can I do about this? I can't remember all these random-looking passwords!" The answer I give is split into two main options I would advise. The first is a password vault: a tool that stores all your passwords in an encrypted data store. We will dive into this shortly. The second option is to remember these "random" strings yourself. But what counts as random to an attacker? I'll get to that.

Password vaults

When we talk about password vaults we talk about systems like LastPass or Zoho Vault. These vaults store your passwords in a data store that is encrypted with a key derived from your own secret (the master password), so nobody you do not share that secret with can read it. Yes, I mention sharing. In companies it is very likely that passwords will be shared from time to time. This is not a bad thing per se, and these vaults let you share individual entries within an organisation without handing over your master password; they have tools for this very purpose.

Most of these tools work with a simple browser plugin. The plugin recognises when you are on a login page; if you enter your username and password and press the login button, it pops up a small window asking whether it may save the password. "But why should I use this? My browser already has this built in." True, but the browser's own store is not a safe environment: in most browsers anyone sitting at your unlocked session can reveal every saved password in plain text straight from the settings page, so it is only as protected as your operating-system login. In a vault all these passwords sit behind one separate master password that secures everything else.

Random

When you do this you can make your passwords as random as you like, as if you were typing as fast as Bruce Almighty. Because you never have to recognise or type the password yourself, it does not matter that it is impossible to remember.

I mentioned that the passwords are kept in a data store, and it is important to understand what that is. It is simply a file or database that holds the passwords and any other data you want to store securely. Where is it stored? Mostly you can choose that yourself: in the cloud or on your own PC. In both cases it is encrypted and sits behind the master password. Store it only on your PC and you cannot reach it from, say, your workstation at the company you work for; store it in the cloud and you can, at the price of trusting the provider to hold (but never be able to open) the encrypted blob.

Vault problems

But these vaults have one major problem: if your master password is cracked or stolen, the attacker gets every account you saved in there at once. So the master password must be the one genuinely long, unique secret you do remember, and you should switch on two-factor authentication for the vault itself where it is offered. I can understand that not everyone is comfortable putting all their passwords in one place anyway, so here is a trick I learned from someone to make a "random" password easier to remember.

A "random" password is not necessarily random. As vague as that may sound at first, it does not have to be. A password like "Cro1cod2ile3" is also considered "random", and it is already a better password than the "Crocodile123" we used earlier. One caveat: the rule engines in cracking tools can insert digits at arbitrary positions too, so spreading "123" through the word buys you a few hundred extra guesses per word, not immunity. Add a few more characters like "[)*" or similar and you get a considerably stronger password.
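To make the wordlist-plus-variations attack from the Hackable section and the "Cro1cod2ile3" caveat above concrete, here is a toy model of a dictionary attack with mangling rules. It is an added example, not code from the post, and the wordlist, suffix list and rules are constructed for illustration; real tools such as hashcat and John the Ripper ship far richer rule sets and run them against millions of leaked words. The "spread" rule goes slightly beyond the text: it generalises appending by allowing the suffix digits to land anywhere in the word, which is what catches "Cro1cod2ile3".

```python
import itertools

# Constructed toy wordlist; a real attack uses lists of millions of leaked passwords.
WORDLIST = ["password", "sunshine", "crocodile", "dragon"]

# Things people bolt onto a base word: short digit runs, a symbol, birth years.
SUFFIXES = ["", "1", "12", "123", "1234", "!", "123!"] + [str(y) for y in range(1950, 2016)]


def case_variants(word):
    yield word.lower()
    yield word.capitalize()
    yield word.upper()


def append_rule(word):
    """Classic mangling: casing plus an appended suffix ('Crocodile123')."""
    for w in case_variants(word):
        for suffix in SUFFIXES:
            yield w + suffix


def spread(word, suffix):
    """Place the characters of suffix, in order, at any increasing positions of word.

    Appending is the special case where all of them land at the end, so this
    rule is a strict superset of append_rule for the same suffix.
    """
    n, k = len(word), len(suffix)
    for positions in itertools.combinations(range(n + k), k):
        out, wi, si = [], 0, 0
        for pos in range(n + k):
            if si < k and pos == positions[si]:
                out.append(suffix[si])
                si += 1
            else:
                out.append(word[wi])
                wi += 1
        yield "".join(out)


def spread_rule(word):
    """Digit insertions anywhere in the word ('Cro1cod2ile3'), kept to short runs."""
    for w in case_variants(word):
        for suffix in ("1", "12", "123"):
            yield from spread(w, suffix)


def candidates(rules):
    """All guesses produced by applying each rule to each word, in order."""
    for rule in rules:
        for word in WORDLIST:
            yield from rule(word)


def guesses_to_crack(target, rules):
    """Number of guesses the dictionary+rules attack needs to hit target, or None."""
    for n, guess in enumerate(candidates(rules), start=1):
        if guess == target:
            return n
    return None


if __name__ == "__main__":
    for target in ("Crocodile123", "Cro1cod2ile3", "rT7#qLm2wZ9v"):
        plain = guesses_to_crack(target, [append_rule])
        with_inserts = guesses_to_crack(target, [append_rule, spread_rule])
        print(f"{target:14} append-only: {plain!s:>6}   with insertions: {with_inserts!s:>6}")
```

"Crocodile123" falls to the append rule within a few hundred guesses; "Cro1cod2ile3" survives append-only rules but falls as soon as the insertion rule is added, because the whole candidate space for a nine-letter word and three digits is only a couple of hundred strings. A string with no dictionary word in it is not found by either.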

If you are still reading I suppose you are not satisfied with the solutions I have proposed so far. I learned a trick along the way that gives you a decent password that you can more or less safely use for all your accounts on different services. That is not entirely true, because the password differs per website and account. Call it a flexible password: one you generate by hand, with a procedure that is easy to remember.

Before I start with an example I want to point out that you need to create your own trick based on this small tutorial.

Flexible password

To explain how you create such a flexible password, let's make one together. For the first step we need a website URL to make the password specific to that website. I chose "www.google.com" for this example; the part we will use is the domain name "google". Next we need our account name, "nrdtalks@google.com". Now we have two parameters we can use to generate a unique password for the service we want to access.

Next we add some parameters that do not depend on the service. These can be a small word that splits the other parameters up; the easiest choice is a four-letter word, and for this example we use "mule". We also need some numbers and symbol characters to make it look even more random, so we choose the number "97" and the characters "_+".

The next thing is to make a step-by-step plan for generating the password from these parameters. Let's give it a go.

Example

  1. Take the first symbol character.
    “_”
  2. Take the first character of the domain name in uppercase.
    “_” + “G”
  3. Take the third and fourth characters of the random word in lowercase.
    “_” + “G” + “le”
  4. Take the third character of the domain name in uppercase.
    “_” + “G” + “le” + “O”
  5. Take the second symbol character.
    “_” + “G” + “le” + “O” + “+”
  6. Take the first character of the username in lowercase.
    “_” + “G” + “le” + “O” + “+” + “n”
  7. Take the first digit of the random number.
    “_” + “G” + “le” + “O” + “+” + “n” + “9”
  8. Take the first character of the random word in uppercase.
    “_” + “G” + “le” + “O” + “+” + “n” + “9” + “M”
  9. Take the second character of the username in uppercase.
    “_” + “G” + “le” + “O” + “+” + “n” + “9” + “M” + “R”
  10. Take the second digit of the random number.
    “_” + “G” + “le” + “O” + “+” + “n” + “9” + “M” + “R” + “7”
  11. Take the second character of the random word in lowercase.
    “_” + “G” + “le” + “O” + “+” + “n” + “9” + “M” + “R” + “7” + “u”

Now let's look at the result: "_GleO+n9MR7u". We have generated a password that is reasonably secure. I am not throwing myself to the wolves by saying it is unhackable; nothing is. It contains no dictionary word, so the wordlist-and-rules attack from above does not find it, and its twelve characters mix symbols, digits and both cases. The weak spot is different: everything except the characters taken from the site name (and the username, if that differs) sits at the same position in every password you derive. Someone who sees one of your derived passwords in a breach and guesses the pattern can try the obvious substitutions on your other accounts, so treat this as a way to remember per-site passwords, not as full protection against a targeted attacker. Still, it is a pattern that gives you a random-looking password per website that you can reproduce from memory.
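The eleven steps above, written out as code so you can check the result and see how much of it stays fixed between sites. This is an added example, not code from the post; the `site_label` helper and its rule for reducing "www.google.com" to "google" are my assumption (the post just says "domain name"), and the second site, netflix.com, is chosen to illustrate the point that only the site-derived positions change when the same account name is used.

```python
import re


def site_label(url: str) -> str:
    """Reduce a URL or hostname to the label the recipe calls the 'domain name'.

    Assumption (not stated in the post): for www.google.com that is 'google',
    i.e. the label just before the last one. Hosts under public suffixes such
    as .co.uk would need a suffix list; this toy sticks to the simple case.
    """
    host = re.sub(r"^[a-z]+://", "", url.strip().lower()).split("/")[0]
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def flexible_password(domain: str, username: str, word: str, number: str, symbols: str) -> str:
    """The post's 11-step recipe, one list entry per step, in the post's order."""
    parts = [
        symbols[0],            # 1. first symbol character
        domain[0].upper(),     # 2. first character of the domain, uppercase
        word[2:4].lower(),     # 3. third and fourth characters of the word, lowercase
        domain[2].upper(),     # 4. third character of the domain, uppercase
        symbols[1],            # 5. second symbol character
        username[0].lower(),   # 6. first character of the username, lowercase
        number[0],             # 7. first digit of the number
        word[0].upper(),       # 8. first character of the word, uppercase
        username[1].upper(),   # 9. second character of the username, uppercase
        number[1],             # 10. second digit of the number
        word[1].lower(),       # 11. second character of the word, lowercase
    ]
    return "".join(parts)


def fixed_positions(passwords):
    """Indices at which every password in the list carries the same character.

    This is what someone who has seen two of your derived passwords learns
    about the template; with a single leaked one they already hold the whole
    string and only have to guess which positions are site-specific.
    """
    length = min(len(p) for p in passwords)
    return [i for i in range(length) if len({p[i] for p in passwords}) == 1]


if __name__ == "__main__":
    word, number, symbols, user = "mule", "97", "_+", "nrdtalks@google.com"
    sites = ["www.google.com", "www.netflix.com"]
    derived = [flexible_password(site_label(s), user, word, number, symbols) for s in sites]
    for site, pw in zip(sites, derived):
        print(f"{site:18} -> {pw}")
    print("positions identical across sites:", fixed_positions(derived))
```

With the post's parameters the function returns "_GleO+n9MR7u" for Google. For Netflix with the same account name it returns "_NleT+n9MR7u": ten of the twelve positions are identical, which is exactly the exposure described above. Using a different username per site moves two more positions, but the structure of the template is still visible.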

Last words

It stands to reason that you should not use this exact example; be creative with your own pattern. Share this with anyone who writes their passwords down, uses a simple password with the name of their dog and the birth year of their wife, or generally did not buy a big enough lock for their front door. If you have questions or a hard time figuring out your own pattern, you can always reach me on Twitter at @JCombee.

Keep on hacking and have a nice day!