I had another person “share” his password with me today. I didn’t ask for it. He was having a problem with a system that required a username and password. Instead of logging in, he blurted out his password so that I could log in.
I gave him the normal lecture about security. I asked if he knew how many other people already knew his password, and how many people those people have shared it with. On top of that, this was his “master” password. By that, I mean he uses it for everything. Who knows how many people can log into his online class, check his email, sell his stuff on eBay and modify his MySpace page? I hope he did some password changing after our talk.
I am somewhat of a password freak. How can you be surprised by that? For the last ten years my passwords have been varying strings of random characters. I don’t write them down. In my opinion, a good password should never even be spoken. The reason is simple. My accounts tend to have a lot of access (grades, student records, etc). I need to have secure passwords.
I tell my students this. A good password should be treated like underwear.
Don’t leave it lying around.
Don’t share it with friends.
Change it often.
With all the things that require passwords, it is difficult to use good passwords everywhere without using the same one in multiple places. I have an account on Yahoo and an account on Google. I don’t want to use the same password everywhere, but I want to use something that is semi-secure. I also need to recall it without pulling out too much hair.
A long time ago, I came up with a domain/secret “hash” that could easily be used to recreate a password. If I went to Yahoo, I would take the domain name, “yahoo” and mix that with a “secret” word, to make a unique password. It could be as simple as
ysaehcoroet
Google’s password would be
gsoeocgrleet
The only problem with this is that someone from Google could see that I have added “google” to the word “secret” and then they could use my algorithm on any page where I have an account. I needed something a little more complex (remember, I’m a security freak).
I scripted up something that took all the letters of my secret word and domain name, converted them to ASCII, did some massaging and then parsed out chunks into a series of letters and numbers. I have been using this for a couple of years. I have it on a web page (running HTTPS). I can get to it from anywhere so I don’t have to remember any of my passwords.
Recently I had to create a lot of accounts for domains that were very similar. I ended up having a lot of passwords that were very similar. I decided that I wasn’t the only person on the planet with this problem, so I went looking for a solution created by someone with some crypto knowledge. Here is what I found, SuperGenPass:
http://labs.zarate.org/passwd_new/mobile.html
You can save the source of this page to your own page. It’s written in Java, so nothing needs to be processed by a server and transmitted over the Internet when creating or recreating a password. I copied it to my USB drive, my office computer and laptop. Now I can create a very good password any time and all I ever need to remember is my master password.
Now I have to change a lot of underwear.