My Solution to Online Password Management

Hello,
Today’s blogpost is about password management. I have (what I think) is a good solution that means you’ll only need to remember a few small details for all your online passwords.

An entirely unexciting topic for most – including myself. You’ve all heard and possibly uttered phrases such as ‘the longer the password the better’ and ‘use complicated passwords’ which are of course true. Here’s a blurb taken from Intel’s Supplier Password rules via https://supplier.intel.com/Auth/PasswordRules.asp :

In order to protect your security, Intel has certain rules for choosing passwords. Please read the following rules so that you will know how to choose a good password.
The following rules apply to all passwords:

  • The password must be at least 8 characters long.
  • The password must contain at least:
    • one alpha character [a-zA-Z];
    • one numeric character [0-9];
    • one special character from this set:
      ` ! @ $ % ^ & * ( ) – _ = + [ ] ; : ‘ ” , < . > / ?
  • The password must not:
    • contain spaces;
    • begin with an exclamation [!] or a question mark [?];
    • contain your login ID.
  • The first 3 characters cannot be the same.
  • The sequence of the first 3 characters cannot be in your login ID.
  • The first 8 characters cannot be the same as in your previous password.
  • Passwords are treated as case sensitive.

*yawn* Please don’t give up on this post yet, I do have a point to make! Now, the next commonly quoted rule is ‘never usethe same password on multiple sites’. So, how do you remember the wacky combination? XKCD has half the answer:

Via http://xkcd.com/936/

Great for a single password, but again how do we manage 100’s? Many people use databases such as KeePass, or notepad files inside encrypted zip files with another password on top. Cumbersome in my opinion, you don’t want to have to go checking for passwords each time you log in somewhere. There’s also other solutions that save the websites, usernames and passwords in a centralised location – a big risk in itself I say. So, here’s my two layer solution:

1) Have your own email domain, and use a different email address for every single site you sign up to. On top of that, make the email address something that always identifies with the site.

For example, I could buy the domain passwordssuck.com, set up Google Apps with it, and have a catch all. This means I can tell people I like an email address like “adam.fowler@passwordssuck.com” but also if I were to sign up for Blogger, I could use “blogger@passwordssuck.com”.

Why do this? The first reason is spam. If you sign up to a site that gets compromised, or sells off email addresses, the most likely impact to you is getting a bunch of spam. If you no longer use the site, you can blacklist the email address you signed up with (in this example, blogger@passwordssuck.com) and you’ll never see spam on that address again. If you still use the site, you’ll have to either live with the spam that gets by any spamfilters, or change your email address. I don’t like the idea of changing it, because for this overall formula (coming up!) to work, you just want to look at a site and immediately know what the login is.

The second reason – again if the site gets compromised, is that your email address and password combination are now useless anywhere else. Even if you used the same password anywhere, the email address to log in is a one off.

2) The password part. You need a formula. Once you remember the formula, you don’t need to remember anything else.

You can adjust this how you like, but I’ll give an idea of a decent formula (and no, this isn’t exactly what I use!). First, come up with two words. Let’s go with ‘keyboard’ and ‘mouse’. Now, let’s use some special characters. Now we have ‘K3yboard’ and ‘mou5e’ – these will never change.

Between our two words, let’s go back to the site we’re on. Blogger.com. What I’ll do is take the first and last letter of the domain. B and R. We’re going to put this in between our two chosen words. ‘K3yboardBRmou5e’ – but let’s get even trickier! Instead of B and R, we’ll go up two letters in the alphabet. B goes to D, and R goes to T.

Now we have ‘K3yboardRTmou5e’ as our final password. This means, when I go to blogger.com and think ‘hmm what’s my username/password’ it’s going to be “blogger@passwordssuck.com” and password “‘K3yboardRTmou5e'”.

Youtube.com? That’d be “youtube@passwordssuck.com” and “‘K3yboardAGmou5e'”

If someone obtained your credentials for Youtube, there’s no way these details will work anywhere else. If someone targets you specifically for some reason, they’re still going to need to know your formula. They have no idea which parts of your password are static, and which change, and even if they thought the AG was the bit that changed, they then need to work out what that means.

In summary, once you remember your formula, that’s the last thing you’ll need to remember. You don’t have to go down the full path of having a different email address for each site, but I’d put a bit more work into varying your password formula.

If you have any feedback on the above, or think it’s a terrible idea for any reason please let me know!

3 thoughts on “My Solution to Online Password Management

  1. It sounds to me like it might be just as much work as using KeePass. Also with Google Apps you can only create up to 10 email addresses before you have to upgrade to the paid business version. Once you hit the business version you have to pay $5 a month. A little expensive for keeping passwords organized if you ask me. But if you already have your own mail server or hosting option that allows more account for a lower cost than the money argument could be thrown out the window.

  2. Thanks for the response Jeremy. I use Google Apps and it costs me nothing – you just use a catchall so everything sent to your domain goes to your single inbox, and you can set up a second account as a blacklist of addresses if you like, still under the 5 accounts.

    I use both KeePass and the above method, and I can tell you from my experience at least, the above method is easier. If you’re on your mobile phone and need to log onto a website, it’s a lot of pain to get to KeePass somehow and to copy/paste a really long password.

    For business use, I think KeePass and other similar producats are a better idea still, but for personal web logins the above is so much easier.

Leave a Reply