Password management made easy… (uh huh)

And, on to managing all those passwords….

We need passwords for just about everything these days. Most of us have a tough time keeping track of them all, and end up writing many of them down on a piece of paper that we then need to conceal somehow from prying eyes. Writing down passwords really isn’t such a bad idea for the average computer user: a compromise of the list means that someone has gained physical access to your personal space, and that intrusion is probably far more disconcerting than the discovery of your password list (unless you are trying to hide them from those who already have access to your personal space). The usual attacker is remote, and a paper list is of no use to him.

There are several software applications that try to remedy this by creating a “vault” in which to store all of your passwords. You only have to remember one “master” password to unlock the vault. While this eliminates the need to write anything down, it still doesn’t address how to manage them: the vault is a file that has to be backed up, kept in sync between your devices, and protected, and its master password is now the single key to everything.

But, let’s talk about so-called “password strength” for a moment. The simple reason we can’t remember all of our passwords is that we are now generally required to create a password containing a combination of letters, numbers, and special characters, and a different one for each site. This is due to the prevalence of password-cracking programs that have millions of words, names, and previously leaked passwords in their wordlists, and can try them (and simple variations of them) in rapid succession. We’re told not to use common words or names, as these passwords can be cracked quite easily (in many cases, simple passwords you’ve chosen are rejected on those grounds).

A simple and easy method of creating a password that adheres to the requirements of a “combination of letters, numbers, and special characters” is to use the first or last letter of each word in an easily remembered phrase to create the password. An example would be, “Security is mostly a superstition. It does not exist in nature” – you simply take the first (or last) letter of each word in the phrase to create the password – in this case it would be “SIMASIDNEIN”, obviously not a word that will be found in a password-cracking dictionary. To complete the password requirements, just add a number and a special character to the new word, e.g., “4SIMASIDNEIN*”. Now you have a strong password that you can remember (if you can remember the phrase you used, and the number and special character you chose). Change the case of a couple of letters in the new word, and you have a very strong password (example: “4SIMAsIDNeIN*”). One caveat: pick a phrase of your own rather than a famous quotation, since initialisms of well-known quotes are fed to cracking tools too.

So, are we to create a unique password like this for every bank account, social media site, and vendor we wish to access? That would be just messy, and very difficult to manage even if we use a password “vault” application.

Let’s check out how passwordmaker.org handles this.

“Passwordmaker” is a brilliant application that makes managing all of your passwords a nearly thoughtless task. “PasswordMaker is a small, lightweight, free, open-source tool for Internet Explorer, Firefox, Google Chrome, iPhone, Opera, PHP, Windows, OS/X, Linux, Flock, Yahoo! Widgets, Android, Python, and many other platforms & systems. It creates unique, secure passwords that are very easy for you to retrieve but no one else. Nothing is stored anywhere, anytime, so there’s nothing to be hacked, lost, or stolen. PasswordMaker has been around since about 2003 and so is a mature, stable, popular solution.”

Here’s how it works:

“You provide PasswordMaker two pieces of information: a “master password” — that one, single password you like (like the one we described above, created from a phrase) — and the URL of the website requiring a password. Through the magic of one-way hash algorithms, PasswordMaker calculates a message digest, also known as a digital fingerprint, which can be used as your password for the website. Although one-way hash algorithms have a number of interesting characteristics, the one capitalized by PasswordMaker is that the resulting fingerprint (password) does “not reveal anything about the input that was used to generate it.” In other words, if someone has one or more of your generated passwords, it is computationally infeasible for him to derive your master password or to calculate your other passwords. Computationally infeasible means even computers like this won’t help!”

To simplify: you create a master password, and Passwordmaker creates a unique password for every site that you need a password for, based on your master password combined algorithmically with the address of the specific site you wish to visit. You never need to know the actual password for each site, just your master password.

I have no idea what any of my passwords are (for any given site that I need one for). All I need to enter for the website is my master password, and Passwordmaker computes the hash (you get to choose the algorithm of your liking) of my master password together with the URL I need to access (e.g., facebook.com), and enters the resulting password for that site. I never have to remember any of my site passwords.

So how secure can this be? Provided your master password isn’t compromised, and is strong enough to resist guessing, very secure. The catch is that every generated password is a deterministic function of the master password and the URL, and the hash functions on offer are fast, unsalted hashes. Someone who obtains one of your generated passwords and knows (or guesses) your settings can test candidate master passwords offline, very quickly, and compare the results with the leaked password. The hash cannot be reversed, but a weak master password can still be guessed, which is exactly why the master password has to be a long, unguessable phrase and not a dictionary word.

What if your master password is compromised?

There are ten other variables, set per account, that an attacker would also need in order to reproduce your passwords. They add some resistance to real-world attacks, but note that they are configuration, not secrets: they live in the application’s settings rather than in your head (and have to be the same on every device you use), and most take only a handful of values, so an attacker who has your settings, or simply tries the defaults, gains little extra work. They are:

* URL
* character set
* which hash algorithm was used (see the list below)
* modifier (if any)
* username (if any)
* password length
* password prefix (if any)
* password suffix (if any)
* which of nine l33t-speak levels was used
* when l33t-speak was applied (if at all)

Probably the most interesting of these is “character set”, because it gives you the flexibility to determine precisely which characters can and can’t be included in generated passwords, which matters for sites that forbid certain symbols or require particular classes of characters.
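To make the mechanism described above concrete (the master password and the URL hashed into a site password, and the question of what an attacker can do with one of those passwords), here is an added Python example. It is not PasswordMaker’s code and does not reproduce its exact algorithm, character set or settings format; it implements a simplified scheme of the same shape, with hypothetical names derive_password and guess_master, a constructed default character set, and a constructed wordlist. The second function shows the caveat that matters most: the hash cannot be reversed, but a weak master password is still recovered by guessing, because the URL and the settings are known and the hashes are fast.

```python
import hashlib
import hmac
import string

# Constructed defaults for this illustration. PasswordMaker's real character set,
# length and hashing details differ; only the shape of the scheme is the same.
DEFAULT_CHARSET = string.ascii_letters + string.digits + "!@#$%^&*()_-+="


def derive_password(master, url, *, algorithm="hmac-sha256", charset=DEFAULT_CHARSET,
                    length=12, modifier="", username="", prefix="", suffix=""):
    """Deterministically derive a site password from the master password, the site
    URL and the per-account settings. Same inputs always give the same password;
    nothing needs to be stored. 'hmac-<name>' keys the hash with the master password;
    a plain hash name concatenates master and URL before hashing."""
    if length < 1 or len(charset) < 2:
        raise ValueError("length must be >= 1 and charset must have >= 2 characters")
    data = (url + username + modifier).encode()
    body = []
    counter = 0
    while len(body) < length:
        # If one digest does not yield enough characters, hash again with a counter
        # appended (our convention for this example, not PasswordMaker's).
        block = data if counter == 0 else data + str(counter).encode()
        if algorithm.startswith("hmac-"):
            digest = hmac.new(master.encode(), block, algorithm[len("hmac-"):]).digest()
        else:
            digest = hashlib.new(algorithm, master.encode() + block).digest()
        # Express the digest in base len(charset); each "digit" becomes one character.
        n = int.from_bytes(digest, "big")
        while n and len(body) < length:
            n, r = divmod(n, len(charset))
            body.append(charset[r])
        counter += 1
    return prefix + "".join(body) + suffix


def guess_master(leaked_password, url, candidates, **settings):
    """Offline attack on a deterministic scheme: given one leaked site password and
    the settings that were used, try candidate master passwords until one reproduces
    it. Returns the recovered master, or None if no candidate matches."""
    for candidate in candidates:
        if derive_password(candidate, url, **settings) == leaked_password:
            return candidate
    return None


if __name__ == "__main__":
    master = "4SIMAsIDNeIN*"  # the phrase-derived master password from above
    for site in ("facebook.com", "m.facebook.com", "bank.example"):
        print(f"{site:16} {derive_password(master, site)}")

    # Constructed wordlist: a weak master falls to a dictionary attack even though
    # the hash itself cannot be reversed; the strong one survives this list.
    wordlist = ["password", "letmein", "Summer2013", "football"]
    leaked = derive_password("football", "bank.example")
    print("weak master recovered:", guess_master(leaked, "bank.example", wordlist))
    leaked = derive_password(master, "bank.example")
    print("strong master recovered:", guess_master(leaked, "bank.example", wordlist))
```

Two things worth noticing when you run it. First, “facebook.com” and “m.facebook.com” produce unrelated passwords, so the URL fed into the hash has to be normalized the same way every time (PasswordMaker lets you choose which parts of the URL are used for exactly this reason). Second, guess_master needs the same settings as the victim: a different modifier or length makes the comparison fail, which is the protection the ten variables offer, and it evaporates as soon as the settings are known or the defaults were kept.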

Selecting a strong hash algorithm also matters. MD4 and MD5 are no longer considered secure in general (practical collisions exist), and SHA-1 is deprecated; the property this scheme relies on, that the output cannot be turned back into the input, still holds for them, but there is no reason to pick them over SHA-256 or HMAC-SHA-256. Bear in mind that changing the algorithm changes every generated password. The hash algorithms supported by Passwordmaker are:

* MD4
* HMAC-MD4
* MD5
* MD5 (for PasswordMaker v 0.6)
* HMAC-MD5
* HMAC-MD5 (for PasswordMaker v 0.6)
* SHA-1
* HMAC-SHA-1
* SHA-256
* HMAC-SHA-256
* HMAC-SHA-256 (for PasswordMaker v 1.5.1)
* RIPEMD-160
* HMAC-RIPEMD-160

“Which hash algorithm should I use?

All of the algorithms are cryptographically strong, but of the algorithms PasswordMaker offers, many people regard SHA-256, HMAC-SHA1, HMAC-MD5 and HMAC-SHA-256 as the strongest.”

Please visit passwordmaker.org for more details and the FAQ (http://passwordmaker.org/F.A.Q.).

IMHO, this is the best password management solution available at this time, and it is compatible with almost every system (Windows, Mac, Linux, etc.) that you may be using. Two practical caveats: because nothing is stored, you cannot change the password for a single site (say, after that site is breached) without changing that account’s modifier, and any account whose settings differ from the defaults has to be configured the same way on every device you use.

~MT


One thought on “Password management made easy… (uh huh)”

  1. I’m surprised I haven’t heard of this application for a password manager, seeing that it’s been around since 2003. Thanks for the very thorough description of how it works.
