Solving the “Forgot password?” problem
Finding a safe way to keep track of your passwords on the web is a critical task that many of us put on the back burner. When the average American user has 150 online accounts, it’s no wonder “75 to 93 percent of users” resort to reusing old passwords. The cognitive burden of memorization and organization, for most, is a non-starter.
Raise your hand if you use one password with slight variations for all your accounts. Guess what? You’re not alone.
According to Have I Been Pwned, a site that allows you to check if web accounts associated with your email address have been compromised, over 6 billion accounts have been breached for widely used, ubiquitous services like LinkedIn, Dropbox, Tumblr, and others. A 10.3GB list of Pwned Passwords is available to search against, leading most to an inevitable conclusion: your passwords have been breached. If you recycle any of these passwords for other accounts guarding sensitive financial, personal, or health-related data, the threats instantly become very serious.
Researching the available options
Password managers like 1Password or LastPass are steps in the right direction for overcoming these threats but have compromises of their own. Committing to a password manager means outsourcing memorization to a third party: entrusting storage to a remote server and passing your passwords over the internet. Aside from the safety concerns, users report that 1Password and LastPass are not user-friendly and that issues arise when they attempt to sync passwords between devices.
There are also password generators that will create a random series of characters. While these passwords are technically “strong,” they offer no route for recovery if they’re lost. And because a user wouldn’t be able to remember the password itself, they would likely end up writing it down or saving it to a device keychain, which introduces security vulnerabilities. Then we started thinking…
What if there were a password generator that, given the same input, always produced the same output, giving you an easy way to recall your passwords?
We set out to solve these problems by creating hashphrase. Hashphrase is a password generator app that takes two pieces of information and uses them to create a unique 8-digit password. The beauty of hashphrase is that you are able to recover your password yourself. Having to constantly reset your password because you forgot it is frustrating. If you need your password again, you simply enter the same two pieces of information into the app, and there’s your password.
The two pieces of information that hashphrase uses to create your password are a nickname and a master password.
What’s a nickname?
A nickname is what you will call the account that you are making a password for. Think of it this way: If you were making a password for Amazon, and let’s say this is your work account, you could enter the nickname as “Amazon Work”. You could actually call the account anything you want. You could call it “The black hole where all my money goes” as long as you remember that’s what you named it. Also, note that nicknames and master passwords are both case-sensitive.
What’s a master password?
You are probably more familiar with master passwords. It’s one password that you use to access all your accounts.
But what if you can’t remember these bits of information?
We know you have many accounts that require passwords and that you probably want a way for the app to remember them for you. However, there’s a problem with that. Anytime you store your password or even your nickname anywhere, it could be compromised. In order to help you remember your nicknames, we recommend that you create a naming convention that works for you. An example of an effective naming convention for nicknames could be [accountname][year][month], which could look something like “Citibank2019May.” This sort of structure is easy to remember and prompts you to change your password once a month, which may be a good idea for sensitive accounts.
As for the master password, we recommend that you make it something unique but memorable. If you currently have that “one password” that you use for everything, you can use it here without fear that it will compromise your accounts.
At Vermonster we believe that when information is shared, the world benefits from it. This is why we have made our code open source in addition to our design files. You can also check out our case study that gives more detail about our UX processes for the development of this app. Finally, our next step is to make hashphrase into a progressive web app. We’d love to hear from you about your experience using hashphrase before we release the next version.