{"id":58,"date":"2011-06-28T22:30:49","date_gmt":"2011-06-28T22:30:49","guid":{"rendered":"http:\/\/alexboisvert.com\/musings\/?p=58"},"modified":"2011-07-06T16:34:18","modified_gmt":"2011-07-06T16:34:18","slug":"passwords","status":"publish","type":"post","link":"https:\/\/alexboisvert.com\/musings\/2011\/06\/28\/passwords\/","title":{"rendered":"Passwords"},"content":{"rendered":"<p><strong>Update 7\/6\/2011<\/strong> &#8212; Mirroring this site is not only allowed, but encouraged!\u00a0 If you&#8217;re interested, grab the javascript and the code and post it on your site.  I&#8217;d love it if you would post a comment here if you do so.<\/p>\n<p>In recent weeks I&#8217;ve gotten increasingly worried about my passwords, what with all the hacking that has been going on.  I was a serial password re-user and now I realize that this was a mistake.  I&#8217;ve started using a password manager for Firefox at home, but this isn&#8217;t an ideal solution, as my passwords are only on my home computer.  I was discussing this with some colleagues at work and thought the following might be the best solution: for each website simply take <span style=\"text-decoration: line-through;\">the first few (say 5) characters of<\/span> the name of the site, then concatenate that with a key phrase (perhaps the password you&#8217;ve been reusing).  Then create a hash of the result and take the first few (say 12) characters.  Thanks to <a href=\"http:\/\/pajhome.org.uk\/crypt\/md5\">this site<\/a>, I&#8217;ve embedded a SHA-256 hash generator below.  Don&#8217;t worry &#8212; it only uses javascript so no information you type will be passed to my server.<br \/>\n<script src=\"\/javascript\/sha256.js\" type=\"text\/javascript\"><\/script> <script src=\"\/javascript\/md5.js\" type=\"text\/javascript\"><\/script><br \/>\n<script type=\"text\/javascript\">\/\/ <![CDATA[\n   function toggleType() {     var obj = document.getElementById('input');     if (obj.type == 'text') {         obj.type = 'password';     } else {         obj.type = 'text';     } }\n\/\/ ]]><\/script><\/p>\n<table>\n<tbody>\n<tr>\n<th>Input<\/th>\n<td><input id=\"input\" style=\"font-family: Courier;\" size=\"30\" type=\"password\" \/><input onclick=\"toggleType();\" type=\"button\" value=\"Show\/hide text\" \/><\/td>\n<\/tr>\n<tr>\n<th>Calculate<\/th>\n<td><input onclick=\"document.getElementById('hash').value = sha256_truncate(document.getElementById('input').value); document.getElementById('hash').focus(); document.getElementById('hash').select()\" type=\"button\" value=\"SHA-256\" \/><input onclick=\"document.getElementById('hash').value = b64_sha256_password(document.getElementById('input').value); document.getElementById('hash').focus(); document.getElementById('hash').select()\" type=\"button\" value=\"SHA-256 + B64\" \/><br \/>\n<input onclick=\"document.getElementById('hash').value = md5_truncate(document.getElementById('input').value); document.getElementById('hash').focus(); document.getElementById('hash').select()\" type=\"button\" value=\"MD5\" \/><input onclick=\"document.getElementById('hash').value = b64_md5_password(document.getElementById('input').value); document.getElementById('hash').focus(); document.getElementById('hash').select()\" type=\"button\" value=\"MD5 + B64\" \/><\/td>\n<\/tr>\n<tr>\n<th>Result<\/th>\n<td><input id=\"hash\" style=\"font-family: Courier;\" size=\"30\" type=\"text\" \/><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Let me give some examples here so it&#8217;s clear what&#8217;s going on.  Say you&#8217;ve been using the ultra-insecure password &#8220;MyPassword&#8221; for gmail, paypal, and ebay, but now you want something more secure.  Using the method detailed above, you would take the three strings &#8220;gmailMyPassword&#8221;, &#8220;paypalMyPassword&#8221; and &#8220;ebayMyPassword&#8221; and feed them into the generator above to get the three much more secure passwords &#8220;f8809f148b90&#8221;, &#8220;04b1bbe378d3&#8221;, and &#8220;691b2660c9e2&#8221;.  You can then save them in a Firefox password manager for everyday use, and if you are at a new computer and need the passwords, you can come back to this page to retrieve them.<\/p>\n<p>Now, this system isn&#8217;t perfect.  Some sites will require you to have at least one uppercase letter &#8212; in that case I recommend changing the first letter in the generated password to uppercase (e.g. 691b2660c9e2 -&gt; 691<strong>B<\/strong>2660c9e2).  Some sites may require you to not start your password with a numeral, which is stupid, so you shouldn&#8217;t be on any of those sites (kidding! &#8230; though I don&#8217;t know how you would adapt this to that situation &#8212; <strong>Update<\/strong>: maybe pick a letter to add to the beginning in those situations?)  And in case you are worried that this page may not be here forever, don&#8217;t worry &#8212; <a href=\"http:\/\/www.xorbin.com\/tools\/sha256-hash-calculator\">there<\/a> <a href=\"http:\/\/hash.online-convert.com\/sha256-generator\">are<\/a> <a href=\"http:\/\/www.google.com\/search?q=sha-256+generator\">plenty<\/a> of other SHA-256 hash generators online; you&#8217;ll just have to truncate to the first 12 characters manually.<\/p>\n<p><strong>Notes and updates:<\/strong><\/p>\n<ul>\n<li>Out of an overabundance of caution, you may not want to generate passwords in exactly the way I&#8217;ve described.  Consider forming your strings like MyPasswordgmail, MyPassword@gmail, MyPassword!gmail, MyPasgmailsword, gmail.com-MyPassword, etc.<\/li>\n<li>Yes, <a href=\"http:\/\/dandyer.co.uk\/password\/index.php\">there are other sites that do something similar.<\/a> But I would be worried that if those sites disappear, you would be left without a way to recover your original passwords.  This process is simpler, only relying on the SHA-256 algorithm, which, as mentioned above, is popular and has many implementations.<\/li>\n<li><a href=\"http:\/\/sha256.blogspot.com\/\">I&#8217;ve re-posted this on Blogger<\/a> so that in case I fail to pay for my web hosting, at least this service will remain active so long as I don&#8217;t violate Google&#8217;s terms of service or anything.<\/li>\n<li>I&#8217;ve added an &#8220;advanced&#8221; method that does the following: it passes your string through the SHA-256 hash function as before, but then converts that output to a Base64 encoding, removes any &#8216;+&#8217; or &#8216;\/&#8217; in the result, and gives you the first 12 characters of the output.  This will give passwords with more characters, but is not as easily reproduced without this site.<\/li>\n<li><strong>7\/6\/2011<\/strong> &#8212; All right, I&#8217;ve added two more modes that rely on the popular MD5 hash, as opposed to SHA-256.\u00a0 I may add more at some point as well.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Update 7\/6\/2011 &#8212; Mirroring this site is not only allowed, but encouraged!\u00a0 If you&#8217;re interested, grab the javascript and the code and post it on your site. I&#8217;d love it if you would post a comment here if you do &hellip; <a href=\"https:\/\/alexboisvert.com\/musings\/2011\/06\/28\/passwords\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-58","post","type-post","status-publish","format-standard","hentry","category-coding"],"_links":{"self":[{"href":"https:\/\/alexboisvert.com\/musings\/wp-json\/wp\/v2\/posts\/58","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/alexboisvert.com\/musings\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/alexboisvert.com\/musings\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/alexboisvert.com\/musings\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/alexboisvert.com\/musings\/wp-json\/wp\/v2\/comments?post=58"}],"version-history":[{"count":30,"href":"https:\/\/alexboisvert.com\/musings\/wp-json\/wp\/v2\/posts\/58\/revisions"}],"predecessor-version":[{"id":89,"href":"https:\/\/alexboisvert.com\/musings\/wp-json\/wp\/v2\/posts\/58\/revisions\/89"}],"wp:attachment":[{"href":"https:\/\/alexboisvert.com\/musings\/wp-json\/wp\/v2\/media?parent=58"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/alexboisvert.com\/musings\/wp-json\/wp\/v2\/categories?post=58"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/alexboisvert.com\/musings\/wp-json\/wp\/v2\/tags?post=58"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}