<!DOCTYPE html>
<html lang="en">
<meta charset="utf-8">
<title>YBlog - 40-character passwords</title>
<meta name="keywords" content="password, security" />
<link rel="shortcut icon" type="image/x-icon" href="../../../../Scratch/img/favicon.ico" />
<link rel="stylesheet" type="text/css" href="/css/y.css" />
<link rel="stylesheet" type="text/css" href="/css/legacy.css" />
<link rel="alternate" type="application/rss+xml" title="RSS" href="/rss.xml" />
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="apple-touch-icon" href="../../../../Scratch/img/about/FlatAvatar@2x.png" />
<link rel="pgpkey" href="../../../../pubkey.txt">
<body lang="en" class="article">
<div id="content">
<div id="header">
<div id="choix">
<span id="choixlang">
<a href="../../../../Scratch/fr/blog/Password-Management/">French</a>
<span class="tomenu"><a href="#navigation">↓ Menu ↓</a></span>
<span class="flush"></span>
<div id="titre">
<h1>40-character passwords</h1>
<div class="flush"></div>
<div id="afterheader" class="article">
<div class="corps">
<img src="../../../../Scratch/img/blog/Password-Management/main.png" alt="Title image" />
<div class="intro">
<p><span class="sc"><abbr title="Too long; didn't read">tl;dr</abbr>: </span> How I have managed my passwords safely, and with success, for some years now.<br />
<strong><code>sha1( password + domain_name )</code></strong><br />
I memorize only one password. I use a different password on every website.</p>
<p>Disclaimer: this is an unashamed attempt to make you download my iPhone app ;-). Still here? Even if you won’t download my app, you should read on. My method doesn’t require my app. It is both safe and easy to use every day.</p>
<p>If you just want to <em>use</em> the tools without trying to understand why the method is safe, jump to the <a href="#in-practice">end of this article by clicking here</a>.</p>
<h2 id="why-you-should-use-a-password-manager">Why you should use a Password Manager?</h2>
<p>Even the paranoid can have enemies.</p>
<p>Imagine you find a really good password. You use it on GMail, Amazon, PayPal, Twitter, Facebook… One day you see a nice online game you want to try. They ask you for your email and a password. Some weeks pass, and the machine hosting this online game is hacked. Your email and password are now in bad hands. Unfortunately for you, you use the same password everywhere, so the attacker can simply try that password everywhere. On PayPal, for example.</p>
<p>Well now, how could we fix that?</p>
<h2 id="which-methodology">Which methodology?</h2>
<p>the good, the bad <em>&amp;</em> the ugly</p>
<p>The most common method is to remember a handful of different passwords. In the best case, you remember about 13 passwords, some strong, some weak.</p>
<p>What do you do if you use more online services than your memory can handle?</p>
<p>A <em>bad</em> solution would be to choose passwords like this:</p>
<ul>
<li>twitter: <code>P45sW0r|)Twitter</code></li>
<li>gmail: <code>P45sW0r|)gmail</code></li>
<li>badonlinegame: <code>P45sW0r|)badonlinegame</code></li>
</ul>
<p>Unfortunately, if someone gets your password on badonlinegame, they can easily work out your other passwords: the shared part is right there in plain text and the rule is obvious. Of course you can imagine a better transformation, but it is hard to find a really good one.</p>
<p>Fortunately, there exist functions that handle exactly this problem: <em>hash functions</em>. Given the output of a cryptographic hash function, it is hard to recover the input. For example:</p>
<div class="sourceCode" id="cb1"><pre class="sourceCode zsh"><code class="sourceCode zsh"><a class="sourceLine" id="cb1-1" title="1"><span class="kw">hash(</span><span class="st">&quot;P45sW0r|)&quot;</span><span class="kw">)</span> = 9f00fd5dbba232b7c03afd2b62b5fce5cdc7df63</a></code></pre></div>
<p>If someone has <code>9f00fd5dbba232b7c03afd2b62b5fce5cdc7df63</code>, they will have a hard time recovering <code>P45sW0r|)</code> (as long as the input is not something a dictionary attack would guess in a few tries).</p>
<p>Let’s choose SHA-1 as the hash function. The password for any website is then of the form:</p>
<div class="sourceCode"><pre class="sourceCode zsh"><code class="sourceCode zsh">sha1( master_password + domain_name )</code></pre></div>
<ul>
<li><code>master_password</code> is your unique master password,</li>
<li><code>domain_name</code> is the domain name of the website you want the password for.</li>
</ul>
<hr />
<p>But what about website constraints? For example on the length of the password? What do you do if you want to change your password? What if the site requires digits or special characters? This is why, for each website, I need a few other parameters:</p>
<ul>
<li>the login name,</li>
<li>the password’s length,</li>
<li>the password number (in order to change it),</li>
<li>the output format: hexadecimal or base64.</li>
</ul>
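<p>As an added example (this is not the author’s YPassword code), here is the scheme above written out in Python with the extra per-site parameters: SHA-1 over the master password and the domain name, formatted as hex or base64, then cut to the requested length. The page does not say how the password number is mixed into the hash input; appending it after the domain name, and only when it is non-zero, is an assumption of this example, chosen so that number 0 reproduces the plain <code>sha1( master_password + domain_name )</code> form.</p>

```python
import base64
import hashlib
from typing import Optional


def derive_password(master: str, domain: str, length: Optional[int] = None,
                    number: int = 0, fmt: str = "hex") -> str:
    """Derive one site password from the master password and the domain.

    Assumption (not stated on the page): the password number is appended
    after the domain and only when it is non-zero, so number=0 gives exactly
    sha1(master + domain).  `length=None` keeps the whole encoded digest.
    """
    material = master + domain
    if number:
        material += str(number)
    digest = hashlib.sha1(material.encode("utf-8")).digest()

    if fmt == "hex":
        encoded = digest.hex()                              # 40 chars, [0-9a-f]
    elif fmt == "base64":
        encoded = base64.b64encode(digest).decode("ascii")  # 28 chars, ends in '='
    else:
        raise ValueError("fmt must be 'hex' or 'base64'")

    if length is None:
        return encoded
    if not 1 <= length <= len(encoded):
        raise ValueError(f"length must be between 1 and {len(encoded)} for {fmt}")
    return encoded[:length]


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    master = "correct horse battery staple"
    for domain in ("twitter.com", "gmail.com", "badonlinegame.example"):
        print(f"{domain:24} {derive_password(master, domain, length=10)}")
    # Rotating the password for one site: bump the number, everything else stays.
    print(f"{'twitter.com (number 1)':24} "
          f"{derive_password(master, 'twitter.com', length=10, number=1)}")
    # A site that wants mixed-case and punctuation: base64 output.
    print(f"{'paypal.com (base64)':24} "
          f"{derive_password(master, 'paypal.com', length=12, fmt='base64')}")
```

<p>Note that the domain name is part of the hash input verbatim, so <code>www.example.com</code> and <code>example.com</code> give different passwords; whatever tool you use has to normalise it the same way every time.</p>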
<h2 id="in-practice">In practice?</h2>
<p>Depending on the situation, here are the tools I made <em>&amp;</em> use:</p>
<ul>
<li>On my Mac:
<ul>
<li>I use the dashboard widget <a href="">YPassword</a>.</li>
<li>Sometimes a password field refuses pasted input. For times like this, I use an AppleScript tool I wrote: <a href="">ForcePaste</a>.</li>
</ul>
</li>
<li>On my Linux box: I use the script <a href="">ypassword</a>.</li>
<li>On my iPhone: I use the <a href=";mt=8">YPassword app</a>.</li>
<li>On any other computer:
<ul>
<li><a href="">Cappuccino Made YPassword</a> web application</li>
<li><a href="">jQuery Made YPassword</a> web application</li>
</ul>
</li>
</ul>
<p>My passwords are one copy/paste away in every environment I use. For some services I have 40-character passwords; now I use 10 characters for most of them. A shorter password also reveals less of the hash to anyone who steals it. It does not remove the main risk, though: SHA-1 is fast and the domain name is public, so someone who obtains one of your site passwords can still try master-password guesses offline against <code>sha1( guess + domain_name )</code>. The master password itself therefore has to be long and hard to guess.</p>
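<p>To make that last point concrete, here is an added example (not from the page or its tools) of what an attacker who knows the scheme and holds one leaked site password can do: run master-password guesses offline against <code>sha1( guess + domain_name )</code>, and confirm any hit against a second leaked site so that a truncated password which collides by chance is not mistaken for the real master. The wordlist, the four-letter master and the leaked values are all constructed for the example.</p>

```python
import hashlib
import itertools
import string
from typing import Dict, Iterable, Iterator, Optional


def site_password(master: str, domain: str, length: int = 10) -> str:
    """The page's scheme: hex sha1(master + domain), cut to `length` characters."""
    return hashlib.sha1((master + domain).encode("utf-8")).hexdigest()[:length]


def lowercase_guesses(length: int) -> Iterator[str]:
    """Every lowercase string of the given length (26**length candidates)."""
    for chars in itertools.product(string.ascii_lowercase, repeat=length):
        yield "".join(chars)


def recover_master(leaks: Dict[str, str], guesses: Iterable[str]) -> Optional[str]:
    """Offline guessing attack against the scheme.

    `leaks` maps domain -> leaked site password (possibly truncated).  A guess
    is accepted only if it reproduces every leaked password, so a 10-character
    (40-bit) password that collides by chance on one site is rejected by the
    next one.  Returns the first master that fits, or None.
    """
    for guess in guesses:
        if all(site_password(guess, domain, len(pw)) == pw
               for domain, pw in leaks.items()):
            return guess
    return None


if __name__ == "__main__":
    # Constructed scenario: a four-letter lowercase master password, i.e. far
    # too little entropy, and one 10-character password leaked by a game site.
    real_master = "qwer"
    leaked = {"badonlinegame.example": site_password(real_master, "badonlinegame.example")}
    print("leaked:", leaked)

    found = recover_master(leaked, lowercase_guesses(4))   # ~4.6e5 SHA-1 calls
    print("recovered master:", found)
    if found is not None:
        # With the master in hand, every other site password follows.
        print("paypal.com password:", site_password(found, "paypal.com"))
```

<p>The search space here is 26<sup>4</sup> guesses and finishes in about a second in plain Python; a real attacker uses a GPU, a dictionary and rules. The only thing that slows this attack down is the entropy of the master password, since neither SHA-1 nor the truncation adds work for the guesser.</p>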
<p>I would be happy to hear your thoughts on using this methodology.</p>
<div id="afterarticle">
<div id="social">
<a href="/rss.xml" target="_blank" rel="noopener noreferrer nofollow" class="social">RSS</a>
<a href="" target="_blank" rel="noopener noreferrer nofollow" class="social">Tweet</a>
<a href="" target="_blank" rel="noopener noreferrer nofollow" class="social">FB</a>
<br />
<a class="message" href="../../../../Scratch/en/blog/Social-link-the-right-way/">These social sharing links preserve your privacy</a>
<div id="navigation">
<a href="../../../../">Home</a>
<span class="sep">¦</span>
<a href="../../../../Scratch/en/blog">Blog</a>
<span class="sep">¦</span>
<a href="../../../../Scratch/en/softwares">Softwares</a>
<span class="sep">¦</span>
<a href="../../../../Scratch/en/about">About</a>
<div id="totop"><a href="#header">↑ Top ↑</a></div>
<div id="bottom">
Published on 2011-05-18
<a href="">Follow @yogsototh</a>
<a rel="license" href="">Yann Esposito©</a>
Done with
<a href="" target="_blank" rel="noopener noreferrer nofollow"><strike>Vim</strike></a>
<a href="" target="_blank" rel="noopener noreferrer nofollow">spacemacs</a>
<span class="pala">&amp;</span>
<a href="" target="_blank" rel="noopener noreferrer nofollow"><strike>nanoc</strike></a>
<a href="" target="_blank" rel="noopener noreferrer nofollow">Hakyll</a>
<hr />
<div style="max-width: 100%">
<a href="">
<img src="../../../../Scratch/img/ada-logo.png" class="simple" style="height: 16px;
border-radius: 50%;
display:inline-block;" />
<code style="display:inline-block;
text-align: left;
vertical-align: top;
max-width: 85%;">