Password security without a password manager

Daniel from http://www.dailyblogtips.com published an article with some of his ideas on how to create passwords for multiple sites.

The idea is to create an algorithm and use it for every site. It is a good concept, but there is a small danger: if someone steals the password from one site and figures out the algorithm used, you have then lost all your passwords.

My idea, and what I always use, is a bit different. I don’t like password managers, but I like crypto, so I take advantage of one-way hashes (md5, sha1, etc.) and generate passwords using them.

How does it work?

First, I choose a good long password that I will use everywhere, for example qwerty (don’t use that, it is just an example). Now for every site, your password will be the md5 (or sha1) of qwerty + site name. For example:

$ echo "qwerty http://www.facebook.com" | md5
9d7d9b30592fd43dd6629ef5c12c6e9a

$ echo "qwerty http://www.twitter.com" | md5
cdf0e74e19836efb20f29120884b988d

That way my password for facebook is 9d7d9b30592fd43dd6629ef5c12c6e9a and for twitter is cdf0e74e19836efb20f29120884b988d.

Both long and secure. If someone steals my twitter password, he has no way to reverse it to figure out the other passwords. Plus, doing that, you don’t need any password software stored (just the md5/sha1 binaries, which come by default on Linux and are easy to find on Windows).

Simple and easy.
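The scheme above in Python, as an added example that is not part of the original post. It reproduces the post's shell pipeline (including the trailing newline that `echo` adds to the hashed string), then adds two things the post does not contain: a hardened variant that keeps the same "master secret + site name" idea but runs it through a slow password-based KDF (PBKDF2, an assumption of mine, not the author's method), and a defender-side check for the weakness the first commenter points out: once the scheme is public, one leaked site password lets anyone test guesses at the master at the cost of a single fast hash each. The wordlist is constructed for the demonstration.

```python
import hashlib
import hmac


def derive_password(master: str, site: str, algo: str = "md5") -> str:
    """Hash-based derivation exactly as the post's `echo "<master> <site>" | md5`.

    `echo` appends a newline, so the newline is part of the hashed data; using
    `echo -n` (or omitting "\\n" here) would give a different password.
    """
    data = f"{master} {site}\n".encode("utf-8")
    return hashlib.new(algo, data).hexdigest()


def derive_password_kdf(master: str, site: str, iterations: int = 600_000) -> str:
    """Hardened variant (my assumption, not from the post).

    Same single master secret and site name, but each derivation costs
    `iterations` HMAC-SHA256 rounds instead of one md5/sha1 call, so every
    guess at the master is proportionally more expensive for an attacker who
    knows the scheme. The site name is the salt, which also keeps the
    per-site outputs unrelated.
    """
    digest = hashlib.pbkdf2_hmac(
        "sha256", master.encode("utf-8"), site.encode("utf-8"), iterations
    )
    return digest.hex()


def master_recoverable_from_leak(leaked: str, site: str, candidates, algo: str = "md5"):
    """Risk check for the point raised in the first comment.

    If the scheme is known and one site password has leaked, the master is
    only as strong as its resistance to guessing: every candidate costs one
    fast hash to test. Returns the master if it is in `candidates`, else None.
    """
    for guess in candidates:
        if hmac.compare_digest(derive_password(guess, site, algo), leaked):
            return guess
    return None


if __name__ == "__main__":
    master = "qwerty"  # the post's own (deliberately bad) example master
    for site in ("http://www.facebook.com", "http://www.twitter.com"):
        print(site, derive_password(master, site))
        print(site, derive_password(master, site, "sha1"))
        print(site, derive_password_kdf(master, site))

    # Constructed wordlist: a leaked twitter password plus a public scheme
    # reduces the whole setup to guessing the master.
    leaked_twitter = derive_password(master, "http://www.twitter.com")
    wordlist = ["password", "123456", "letmein", "qwerty"]
    print("master recovered:", master_recoverable_from_leak(leaked_twitter, "http://www.twitter.com", wordlist))
```

The first function's md5 output for the post's two example inputs is what the shell commands print, provided the shell used plain `echo` (with its newline). The PBKDF2 variant only raises the per-guess cost; it does not rescue a master as weak as qwerty, which is the reason the commenter's advice to treat the master as the whole secret still applies.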

5 comments
  1. "both long and secure"

    Actually, no it isn't. If they steal your Twitter password and now know you use the URL, the extra entropy introduced by the URL as a salt is irrelevant.

    Any attack on the password is now only as strong as the common password you use.

    I advise you change your schema sharpish; this method is *only* secure if no one knows what it is 🙂 and you just told us all 😛

  2. What if you also have a PIN number and other numbers that the web site assigns to you… so it's not always only a password; therefore I need a password manager to store the other stuff besides passwords…

  3. Yes, but I only have to remember one long and secure password (or passphrase) instead of dozens. Brute forcing sha1 (what I really use) or md5 is not simple with long and strong passwords… (qwerty was just an example). Thanks, –dd

  4. Why do they say the vulnerability is in Joomla, when that is not the case? If you look closely, the problem is that the Virtuemart developer said "this filters users, well, I'll skip it", so I would consider correcting the part where Joomla's JUser class is blamed, when that is not the case; this was a mistake by the Virtuemart developer, who fortunately fixed it quickly. We all make mistakes, you too.
