Secure passwords

This post has moved to a new home! If you're interested in Ivan's technology-related ramblings, please see!

I remade my entire online account password strategy. It was quite a project.

I have about 170 online accounts that I care about. These range from pointless web sites that I rarely use to crucial email and bank accounts. Each has a unique password. But I haven’t memorized 170 unique passwords, oh no. I’m not that crazy. I have password generation algorithms that I use to create passwords. Depending on the type of site, I would use one of a handful of (very similar) algorithms to “generate” the password.

It was sufficient at the time. But the world is now more dangerous than it used to be. Security breaches happen all the time; millions of accounts are compromised at once. And you only hear of the ones that go public.

Enter the Risk Matrix (not as cool as the real Matrix, but probably less deadly). This is a tool used in Risk Management to describe the idea that Risk is a function of both Likelihood and Consequence. Apropos of the topic at hand, even an extremely unlikely event can be considered risky if the consequences are catastrophic.

I realized that my password strategy had not been secure enough. If one or two of my passwords were to be compromised, an astute attacker would be able to guess the algorithms fairly easily; they would instantly gain the key to my entire digital identity. Low likelihood, extreme consequences.

I researched hacking techniques to figure out how to make the best password strategy. Of course, the best strategy is to have a unique password for everything. But that involves actually memorizing everything. I could use a password management system, but I’d rather not have a single point of failure (SPOF). The next best alternative (as far as I can tell) is to have a very secure set of algorithms that are easy to memorize, yet hard to deduce from a set of compromised passwords. So that’s what I set out to do.
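The post does not show its own algorithms, so the following is an added illustration (not Ivan's scheme) of the property being asked for: a per-site rule that is easy to reproduce from memory, yet whose outputs reveal nothing about each other. The idea is to keep one memorised master secret and feed it, together with the public site name and username, through a key derivation function (PBKDF2-HMAC-SHA256 here). The master secret, the site labels, and the naive "site prefix plus fixed suffix" rule shown for contrast are all constructed for this example. A longest-common-substring measure shows how much structure two passwords from each scheme share.

```python
import hashlib
import string

# 64 symbols, so "byte & 63" picks one uniformly with no modulo bias.
ALPHABET = string.ascii_letters + string.digits + "-_"
assert len(ALPHABET) == 64

# Work factor: makes offline guessing of the master secret from a leaked
# password slow. Raise it as hardware improves.
ITERATIONS = 100_000


def meets_policy(password: str) -> bool:
    """A typical site policy: at least one lower, upper, digit and symbol."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in "-_" for c in password))


def derive_site_password(master_secret: str, site: str, username: str,
                         counter: int = 1, length: int = 20) -> str:
    """Deterministically derive a per-site password from a memorised secret.

    site/username/counter are the public inputs you can write down;
    the master secret is the only thing that has to stay in your head.
    Bump `counter` to rotate one site's password without touching the rest.
    The `attempt` suffix is re-tried until the output satisfies meets_policy,
    so the result stays deterministic while still fitting site rules.
    """
    for attempt in range(64):
        salt = f"{site.lower()}|{username.lower()}|{counter}|{attempt}".encode()
        key = hashlib.pbkdf2_hmac("sha256", master_secret.encode(), salt,
                                  ITERATIONS, dklen=length)
        password = "".join(ALPHABET[b & 63] for b in key)
        if meets_policy(password):
            return password
    raise RuntimeError("no policy-compliant derivation found")  # practically unreachable


def naive_site_password(site: str) -> str:
    """A memorable rule of the leaky kind: fixed text around a site-derived prefix.
    (Constructed for contrast; one leaked password exposes the whole pattern.)"""
    return site[:3].capitalize() + "Pass2015!"


def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest run of characters two passwords share verbatim."""
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


if __name__ == "__main__":
    secret = "correct horse battery staple"  # constructed; use your own long passphrase
    for site in ("example.com", "bank.example"):
        print(site, naive_site_password(site),
              derive_site_password(secret, site, "ivan"))
    print("naive overlap:", longest_common_substring(
        naive_site_password("example.com"), naive_site_password("bank.example")))
    print("derived overlap:", longest_common_substring(
        derive_site_password(secret, "example.com", "ivan"),
        derive_site_password(secret, "bank.example", "ivan")))
```

The trade-off is the same one the post weighs against a password manager: the master secret is a single secret to protect, and if it is short, a leaked derived password lets an attacker test guesses offline, which is why the work factor and a long passphrase matter. Unlike a mental rule, though, two leaked outputs give no hint about the rule itself.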

It took me about 11 hours to develop them.

(I was also watching anime during that entire time. That probably had something to do with how long it took.)

For over a year I’ve collected information about which sites I use (that is, where I have an account), which username and email address are associated with them, which SSO can be used, etc. Having generated my new algorithms, I used this list to make sure I updated all of my accounts.

(Having such a list has been extremely beneficial for me in other ways. For example, when my physical address or phone number changes, I know which accounts to update and do not forget any. I highly recommend making such a list for yourself. Just don’t store any actual credentials in it!)

The end result: a tangle of characters, numbers, and symbols that make sense to me, but which a dedicated attacker would be hard-pressed to decode. Unfortunately, because the algorithms are complex, it takes me about four times longer to type in a password than before. But I suppose that’s a price I’m willing to pay for security.


FED Journal 7


I’ve been unemployed for a month now. After two weeks of taking it easy (and a brief and strange foray into the mad world of contracting at a Large Financial Institution™) I have finally begun my studies in earnest. The finances are in place; I am secure for much longer than I plan to study. My current goal is to find a great employer by November, or to get any programming job if I can’t find a desirable job by January.

My plans for July are the following:

  • Develop a functional prototype of MemoryTyper that may be adapted to become the web component of the mobile app Remember Me
  • Develop my website and migrate my tech posts from here
  • Read the HTTP, HTML, and CSS specifications (this is the one I’m most excited about. I’m a nerd like that)
  • Become reasonably well-versed in the new ES6 features
  • Read one technical book, Universal Principles of Design and Design of Everyday Things
  • Review SPD1 (I took this a long time ago in Coursera, would like to refresh)
  • Gain a greater awareness of the items in my master list so I can make more informed decisions about future study plans
  • Improve my keyboarding speed from 60-80 to 80-100 words per minute (why is my speed so low?)
  • Finally finish IIPP (just for fun. This will be my fifth or sixth attempt. I keep missing deadlines accidentally)

Future plans involve actually turning MemoryTyper into Remember Me, taking the follow-up courses to IIPP and SPD, and reading yet more books. This is the boring stuff, but I feel it needs to be done now. The exciting stuff comes in the following months: a review of Startup Engineering, a read of Interaction Design (which I’ve been wanting to read since I was forced to drop the class back in university), Soft Skills, and things like that.

I hope to put out more frequent updates to chronicle my progress. I’m considering using the Codepen blog instead for code-specific posts and leaving other technical topics here, but I have legal concerns about the content I put on there. Whoops, sorry, I just said something boring again. It keeps happening.