Box Relatives

Thoughts about puzzles, math, coding, and miscellaneous

Passwords

| 0 comments

Update 7/6/2011 — Mirroring this site is not only allowed, but encouraged!  If you’re interested, grab the javascript and the code and post it on your site. I’d love it if you would post a comment here if you do so.

In recent weeks I’ve gotten increasingly worried about my passwords, what with all the hacking that has been going on. I was a serial password re-user and now I realize that this was a mistake. I’ve started using a password manager for Firefox at home, but this isn’t an ideal solution, as my passwords are only on my home computer. I was discussing this with some colleagues at work and thought the following might be the best solution: for each website simply take the first few (say 5) characters of the name of the site, then concatenate that with a key phrase (perhaps the password you’ve been reusing). Then create a hash of the result and take the first few (say 12) characters. Thanks to this site, I’ve embedded a SHA-256 hash generator below. Don’t worry — it only uses javascript so no information you type will be passed to my server.

Input
Calculate
Result

Let me give some examples here so it’s clear what’s going on. Say you’ve been using the ultra-insecure password “MyPassword” for gmail, paypal, and ebay, but now you want something more secure. Using the method detailed above, you would take the three strings “gmailMyPassword”, “paypalMyPassword” and “ebayMyPassword” and feed them into the generator above to get the three much more secure passwords “f8809f148b90”, “04b1bbe378d3”, and “691b2660c9e2”. You can then save them in a Firefox password manager for everyday use, and if you are at a new computer and need the passwords, you can come back to this page to retrieve them.

Now, this system isn’t perfect. Some sites will require you to have at least one uppercase letter — in that case I recommend changing the first letter in the generated password to uppercase (e.g. 691b2660c9e2 -> 691B2660c9e2). Some sites may require you to not start your password with a numeral, which is stupid, so you shouldn’t be on any of those sites (kidding! … though I don’t know how you would adapt this to that situation — Update: maybe pick a letter to add to the beginning in those situations?) And in case you are worried that this page may not be here forever, don’t worry — there are plenty of other SHA-256 hash generators online; you’ll just have to truncate to the first 12 characters manually.

Notes and updates:

  • Out of an overabundance of caution, you may not want to generate passwords in exactly the way I’ve described. Consider forming your strings like MyPasswordgmail, MyPassword@gmail, MyPassword!gmail, MyPasgmailsword, gmail.com-MyPassword, etc.
  • Yes, there are other sites that do something similar. But I would be worried that if those sites disappear, you would be left without a way to recover your original passwords. This process is simpler, only relying on the SHA-256 algorithm, which, as mentioned above, is popular and has many implementations.
  • I’ve re-posted this on Blogger so that in case I fail to pay for my web hosting, at least this service will remain active so long as I don’t violate Google’s terms of service or anything.
  • I’ve added an “advanced” method that does the following: it passes your string through the SHA-256 hash function as before, but then converts that output to a Base64 encoding, removes any ‘+’ or ‘/’ in the result, and gives you the first 12 characters of the output. This will give passwords with more characters, but is not as easily reproduced without this site.
  • 7/6/2011 — All right, I’ve added two more modes that rely on the popular MD5 hash, as opposed to SHA-256.  I may add more at some point as well.

Leave a Reply

Required fields are marked *.


This site uses Akismet to reduce spam. Learn how your comment data is processed.