How to fix a bleeding heart

A practical guide to creating unique, secure and easy to remember passwords

Stephen Hess
Apr 12, 2014

In light of the Heartbleed Bug, many of you out there will be going through the process of changing your various online passwords — and you should. Mashable has a good list of which sites were affected and which passwords you should change immediately.

After having my identity stolen in 2011 and spending the last few years building privacy products at Reputation.com, I developed the following approach for managing passwords. I hope sharing it will help a few of you out there keep your accounts secure and avoid a digital hijacking.

The problem

Every couple months or so, it seems that another major international company is breached and its users’ sensitive data is released into the wild. Heartbleed is a different type of event but presents the same reality. You need a password approach that’s resilient in the event that one or more of your passwords is exposed online and available to hackers or prying government agencies.

To that end, here are a few high level objectives when developing a password approach.

  1. You shouldn’t use the same password twice. Ever. Unless you really don’t care if the account is taken over. The reason for this is simple. When account information is compromised in a breach, hackers programmatically try to log in to various sites with the same username and password combo in the hope of finding a match.
  2. Don’t write your passwords down and store them in plain text. I’ve cringed too many times at the sight of someone opening up a Passwords.doc file to remember a forgotten password. All it takes is for you to download and open the wrong program on your computer and Pandora’s box will open.
  3. Your password scheme should always output passwords with numbers, symbols, uppercase and lowercase characters and should be at least eight characters long. This is to limit the chance your password winds up in a rainbow table but is also for convenience. You want to minimize the number of edge cases you have to accommodate so it’s best to just adopt the most rigorous password requirements enforced by sites.

Ok, so now how do we develop a strategy that achieves these goals that is simple and easy to use?

A simple solution

The solution I recommend is based on the idea that the password for a site should be derived from the name of the site. Since each site name is unique, each password is unique. As a result, you only have to remember two things: (a) the procedure for generating the password and (b) the name of the site, which will be sitting right in front of you. The procedure you create and use is essentially a homebrew version of what’s referred to as a cryptographic hash function.

The procedure you come up with should be easy to remember and hard to reverse engineer by looking at it. Remember, you should expect that one of your passwords will leak at some point so something like “Medium1!” isn’t good enough.

A better example would be something like “eDhbfs!66” where “eD” is derived from the second and third letters of the word “Medium”, “hbfs!” is a set of letters you use in every password and “66” is a repeat of 6, the number of characters in the site name.

The procedures I use typically have a mix of static information (i.e. characters that are in every password) and variable content (i.e. characters and letters generated from the name of the site). In the first example, “Medium” is the variable content and “1!” is static. In the second, “eD” and “66” are variable, while “hbfs!” is static. Ideally, everything should be variable but I find doing this requires a lot of mental effort every time I’m trying to remember or create a password.

For variable content, the name of the site has a couple useful attributes that you can use.

  1. The length of the site name. For example, Medium is six characters long. 6 can be a number used in the password to give it uniqueness.
  2. Each letter in the name can be used in various ways. You could take the first letter of the name, for instance, capitalize it and always have that sit at the end of the password. I usually don’t go past the third letter because sites like Box and CNN exist — unless I’m using the notion of “last letter in the name”.

For added security, there are a couple tricks that you can also use to obscure the origin of your variable content.

  1. Turn letters into numbers (e.g. a = 1 because it’s the first letter of the alphabet).
  2. Offset characters and numbers. So if “Medium” is 6 characters long, I might use 7 instead, which is the number of characters + 1.

For static content, you want something that’s easy to remember but also isn’t easy to distinguish from the dynamic content. I think taking the first letter of each word in the lyrics for a song does a pretty good job. So for instance, “hbfs!” really stands for “Harder Better Faster Stronger!” and is easy to remember.
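As an added example (not the author's code), here is the scheme from the post written out in Python: the variable part from letters two and three plus the doubled name length, the static “hbfs!” block, the two obscuring tricks as options, and a check against the post's own password requirements. The site names used as sample input are the ones the post mentions.

```python
import string

STATIC = "hbfs!"  # initials of "Harder Better Faster Stronger!", as in the post

# Constructed sample inputs for the demonstration below.
SAMPLE_SITES = ["Medium", "Box", "CNN"]


def letter_to_number(ch: str) -> int:
    """Trick 1 from the post: a = 1, b = 2, ... (case-insensitive)."""
    return string.ascii_lowercase.index(ch.lower()) + 1


def variable_part(site: str, offset: int = 0) -> tuple[str, str]:
    """Return the two variable pieces: letters 2 and 3 of the site name with
    the third capitalised ('eD' for 'Medium'), and the name length plus an
    optional offset (trick 2 from the post) written twice ('66')."""
    name = site.strip()
    if len(name) < 3:
        raise ValueError("scheme needs a site name of at least three letters")
    letters = name[1].lower() + name[2].upper()
    count = str(len(name) + offset) * 2
    return letters, count


def derive(site: str, offset: int = 0, numeric_letters: bool = False,
           static: str = STATIC) -> str:
    """Assemble <letters><static><count>, the layout of 'eDhbfs!66'.
    With numeric_letters=True the letters are replaced by their alphabet
    positions (trick 1), e.g. 'eD' becomes '54'."""
    letters, count = variable_part(site, offset)
    if numeric_letters:
        letters = "".join(str(letter_to_number(c)) for c in letters)
    return f"{letters}{static}{count}"


def meets_policy(pw: str) -> bool:
    """Objective 3 from the post: at least 8 characters with a digit,
    a symbol, an uppercase and a lowercase character."""
    return (len(pw) >= 8
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw))


if __name__ == "__main__":
    for site in SAMPLE_SITES:
        for numeric in (False, True):
            pw = derive(site, numeric_letters=numeric)
            print(f"{site:8} numeric={numeric!s:5} -> {pw}  "
                  f"policy ok: {meets_policy(pw)}")
```

Running it shows the caveat worth knowing before adopting trick 1: turning the only capitalised letter into a digit leaves a password with no uppercase character, which fails the requirement the post sets for itself.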

With this approach, you should do pretty well for yourself. No more forgetting your password. And no need to change all of your passwords if one site is breached.

Ok, so what happens if my information is breached?

It’s 10AM and you get the typical email from the latest large corporation to get breached: “Hey.. so you need to reset your password.. really sorry but yeah your data was stolen.” Or you find out that the NSA has been exploiting a vulnerability in OpenSSL for years to sniff encrypted web traffic — typical stuff.

In this case, you can’t use the same password that your procedure generated before so you’ll need something new. This introduces the need for multiple password generating procedures. You’ll likely need at least two. I’m paranoid so I have more than this and use specific procedures for specific types of sites like banks and credit agencies.

Other solutions

Many of my friends and colleagues are fans of software solutions like 1Password. I find these solutions cumbersome since I use a number of different devices and if I’m borrowing someone’s computer, I’m typically hosed. I also know that no one can hack my brain; whereas there’s a leap of faith involved in storing your passwords with a third party.

That said, if you have passwords that fall outside of your scheme that have been generated for you rather than by you, software like this can be a good place to store them.

Interested in hearing your thoughts and long live a free and secure web.
