.png)
4 months ago
8
There are two sorts of people in the world; those who know they are stupid and those who think they are clever.
Stupid people use a password manager. They know they can't remember a hundred different passwords and so outsource the thinking to something reasonably secure. I'm a stupid person and am very happy to have BitWarden generate and save fiendishly complex unique passwords which are then protected by the app's MFA. Lovely!
But people who think they are clever decide to bypass that and use their own super-secret algorithm.
Every clever person's algorithm boils down to the same thing:
- Have a single strong main password.
- Add to it some information related to the service.
For example P@ssw0rd!_facebook and P@ssw0rd!_linkedin. On the surface, that's quite an attractive proposition. You remember one thing and you don't need to trust a password manager.
People who are extra clever use the same algorithm but wrap it in a command-line function which XORs both pieces of data, creates a SHA-512 hash, takes every prime numbered bit, converts to ASCII, and uses that to generate a password. Smart!
Either way, these algorithms suck! Let me explain why.
Password Leaking
One day, LinkedIn decides to LeakedOut its users' passwords. Anyone who can see P@ssw0rd!_linkedin can make a pretty good guess at your password for Facebook, banking, dating, and shopping etc. This means you now need to change every password that you have.
Even if you have used some amazing cryptographic powerhouse of an algorithm, there's still a chance you'll accidentally leak it or get so paranoid that you decide to invalidate it. Now you need to change your password on hundreds of sites.
Password Rotation
We all know that it is a bad idea to ask your users to regularly change their passwords - yet sites often persist in doing so.
How does your algorithm cope with this?
Do you have to remember that it is P@ssw0rd!_facebook_1 and P@ssw0rd!_linkedin_23?
Perhaps you'll write down all the suffixes and find a way to store them securely - like, say, a password manager?
Password Requirements
One site says "Your password must contain a special character and a number" another says "You can use any special character except % or ?" another refuses to let your password contain two consecutive identical characters, or it must start with a number, or it cannot be longer than 12 characters. Yes, I know password rules like this aren't sensible - but they are common.
How does your algorithm cope with that?
If you manually have to tweak a couple of dozen passwords generated by your algorithm, you are going to tie yourself in knots remembering the arcane requirements for each one.
Be Stupid - Use A Password Manager
Humans are stupid0. Humans get tired, forgetful, or sick. Our delicious meaty brains are not optimised to remember long strings of complex information or hundreds of rarely used combinations. Knowing that you know not is a super-power. It allows you to offload things that you don't understand to something more competent.
Pick a password manager. Secure it with a reasonably strong password and multi-factor authentication. Let it do the hard work of remembering.
