Password security without a password manager

Daniel from http://www.dailyblogtips.com published an article with some of his ideas on how to create passwords for multiple sites.

The idea is to create an algorithm and use it for every site. It is a good concept, but there is a danger: if someone steals the password from one site and figures out the algorithm used, you have lost all your passwords.

My approach, and what I always use, is a bit different. I don't like password managers, but I like crypto, so I take advantage of one-way hashes (md5, sha1, etc.) and generate passwords with them.

How does it work?

First, I choose a good, long password that I will use everywhere, for example qwerty (don't use that; it is just an example). Now, for every site, your password is the md5 (or sha1) of qwerty + site name. For example:

$ echo "qwerty http://www.facebook.com" | md5
9d7d9b30592fd43dd6629ef5c12c6e9a

$ echo "qwerty http://www.twitter.com" | md5
cdf0e74e19836efb20f29120884b988d

That way my password for Facebook is 9d7d9b30592fd43dd6629ef5c12c6e9a and for Twitter it is cdf0e74e19836efb20f29120884b988d.

Both are long and secure. If someone steals my Twitter password, they cannot reverse the hash to recover the other passwords. Plus, with this approach you don't need to store any password software (just the md5/sha1 binaries, which ship by default on Linux and are easy to find on Windows).

Simple and easy.
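The recipe above, as an added worked example (this is not code from the original post or from Sucuri; the secret and site names are the post's constructed example values). It reproduces the post's `echo ... | md5` pipeline exactly, including the trailing newline that `echo` appends, because omitting that newline (`printf '%s'` or `echo -n`) produces a completely different digest for the same inputs and is a common reason two people following this recipe get different passwords. It also shows, as an assumption that goes beyond the post, a hardened variant with PBKDF2 and the site name as salt: since the site name is public, everything rests on the shared secret, and a slow KDF makes each guess at that secret cost many hash computations instead of one.

```python
import hashlib

# Constructed example values from the post (not anyone's real secret).
EXAMPLE_SECRET = "qwerty"
EXAMPLE_SITES = ["http://www.facebook.com", "http://www.twitter.com"]


def hash_hex(data: bytes, algo: str = "md5") -> str:
    """Hex digest of `data` with the named hashlib algorithm (md5, sha1, ...)."""
    return hashlib.new(algo, data).hexdigest()


def derive_password(secret: str, site: str, algo: str = "md5",
                    mimic_echo: bool = True) -> str:
    """The post's recipe: digest of the string "<secret> <site>".

    The post pipes `echo "secret site"` into md5. `echo` appends "\n", so
    the hashed bytes end in a newline; mimic_echo=True reproduces that,
    mimic_echo=False corresponds to `printf '%s'` / `echo -n` and gives a
    different digest for the same inputs.
    """
    data = f"{secret} {site}".encode()
    if mimic_echo:
        data += b"\n"
    return hash_hex(data, algo)


def derive_password_kdf(secret: str, site: str, iterations: int = 200_000,
                        length: int = 16, algo: str = "sha256") -> str:
    """Hardened variant (an assumption added here, not the post's scheme).

    PBKDF2-HMAC with the site name as salt. The per-site output is still
    reproducible from the secret alone, but each candidate secret now costs
    `iterations` HMAC computations to check instead of a single hash.
    """
    dk = hashlib.pbkdf2_hmac(algo, secret.encode(), site.encode(),
                             iterations, length)
    return dk.hex()


def all_site_passwords(secret: str, sites, algo: str = "md5") -> dict:
    """Map every site to its derived password using the post's recipe."""
    return {site: derive_password(secret, site, algo) for site in sites}


if __name__ == "__main__":
    for site, pw in all_site_passwords(EXAMPLE_SECRET, EXAMPLE_SITES).items():
        print(f"{site}: {pw}")
    print("newline matters:",
          derive_password("qwerty", "http://www.twitter.com") !=
          derive_password("qwerty", "http://www.twitter.com", mimic_echo=False))
```

Run it directly to print one password per site; `hash_hex` is exposed separately so the digest step can be checked against known MD5/SHA-1 test vectors independently of the recipe.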

About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.

  • http://www.blogger.com/profile/02209987468203140732 Tom | Errant

    "both long and secure"

    Actually, no it isn't. If they steal your Twitter password and now know you use the URL, the extra entropy introduced by the URL as a salt is irrelevant.

    Any attack on the password is now only as strong as the common password you use.

    I advise you change your scheme sharpish; this method is *only* secure if no one knows what it is :) and you just told us all :P

  • http://www.blogger.com/profile/14980808976404159238 http://sucuri.net

    Yes, but I only have to remember one long and secure password (or passphrase) instead of dozens.

    Brute forcing sha1 (what I really use) or md5 is not simple with long and strong passwords… (qwerty was just an example).

    Thanks,

    –dd

  • http://www.blogger.com/profile/05433149454970178238 Tomer

    What if you also have a PIN number and other numbers that the web site assigns to you… so it's not always only a password; therefore I need a password manager to store the other stuff besides passwords…

  • http://sucuri.net http://sucuri.net

    Tomer:

    That's for sure. I never had any site assign a PIN number to me, but in that case you would need to remember it, write it down or use a password manager.

    –dd

  • ZonaSitio

    Why do they say the vulnerability is in Joomla, when it isn't? If you look, the problem is that the Virtuemart developer said of this "it filters users, well, I'll skip it", so I would consider correcting the part where Joomla is blamed in the JUser class when that is not the case; this was a mistake by the Virtuemart developer, who fortunately fixed it quickly. We all make mistakes, you do too.