Cogitas Blog:
Musings on developing Android apps,
machine learning and misc tech stuff.

What’s your password strategy?

Filed under: google android, web — March 10, 2013

Not a week goes by without a high profile online service getting cracked (most recently, Evernote). Yet, thanks to smartphones and faster connections, cloud services are so compelling that many of us have come to rely on them. So what’s your password strategy?

Firstly, yes, we know, we should never use the same password twice. Many people do it but it’s bad… The problem is, how do you remember all your passwords?

A plethora of services have appeared to help you store your passwords on a cloud server somewhere. Services such as 1Password store all your passwords securely on their servers and you access them with the one password. Mmm, what if they get cracked? Is a server really secure?

Then, you have the option of offline storage in a little black book. It’s fine if you are mostly desk based and have a secure storage area (like a safe).

Most people use a strategy in between. For example, they will use variations on a memorable word, so their passwords between services are technically different but not very dissimilar (for example, it may be “MonkeyT” on Twitter and “MonkeyF” on Facebook).

Another method, used by many self-proclaimed geeks, is to mentally apply an algorithm to words. For example, you may replace “o” with “8”, capitalise every third letter and so on. For “converting” your password across different services, you may, for example, insert the 3rd, 6th and 7th letters of the service name at the 2nd, 8th and 6th positions of your basic memorable word. How complex it gets depends mostly on how logical you are, but I know some individuals who have developed this to a fairly high level of sophistication.

Inspired by the method above, I designed an Android app called SafePass. The app lets you enter 3 words (or short phrases) and generates a safe password for you. By safe password, I mean something that looks random, with lower-case and upper-case letters and digits. The way it works is simple: the 2nd word is used as a key to encrypt the 1st word (AES encryption), and then the 3rd word is used as a key to encrypt the result of the 1st encryption. The app has no internet permission, so you know your generated password doesn’t get sent off somewhere to a server.

OK, you may say, but I still need to remember loads of words? As the app uses 3 words, you have a variety of options: you can always use the same first 2 words and change the third word to be based on the service you are creating the password for. If you want to be a little bit clever, you can also change the order in which you enter the words (as this will change the generated password). Other options include remembering sentences, not words – this works particularly well if you remember a funny sentence. Your Facebook memorable words could be ‘My boss’ ‘is on’ ‘Facebook’ (this will serve as a handy reminder to yourself to think twice before posting compromising pictures of yourself!).
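To make the two-stage scheme from the last two paragraphs concrete, here is an added example in Go that is not SafePass's own code: word 2 encrypts word 1, word 3 encrypts that ciphertext, and the bytes are rendered as letters and digits. The post does not say how a word becomes an AES key, which mode is used, or how long the output is, so SHA-256 key derivation, CBC with a fixed zero IV and PKCS#7 padding, base62 rendering and the 16-character cut are all assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// keyFromWord turns a word or phrase into a 32-byte AES-256 key.
// Assumption: SHA-256 stands in for whatever key stretching the app does.
func keyFromWord(word string) []byte {
	sum := sha256.Sum256([]byte(word))
	return sum[:]
}

// encryptWith runs AES-256-CBC with PKCS#7 padding and a fixed all-zero IV
// (an assumption). The zero IV is deliberate: the same three words must always
// give the same password, so the scheme's strength rests on the words alone.
func encryptWith(key, data []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // unreachable: keyFromWord always returns 32 bytes
	}
	pad := aes.BlockSize - len(data)%aes.BlockSize
	padded := append(append([]byte{}, data...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(out, padded)
	return out
}

// DerivePassword applies the post's two-stage scheme: word2 encrypts word1,
// then word3 encrypts that ciphertext. The result is rendered in base62
// (digits, lower and upper case) and cut to n characters.
func DerivePassword(word1, word2, word3 string, n int) string {
	stage1 := encryptWith(keyFromWord(word2), []byte(word1))
	stage2 := encryptWith(keyFromWord(word3), stage1)
	s := new(big.Int).SetBytes(stage2).Text(62)
	if len(s) > n {
		s = s[:n]
	}
	return s
}

func main() { // sample words from the post; swapping two of them changes the output
	fmt.Println(DerivePassword("My boss", "is on", "Facebook", 16))
	fmt.Println(DerivePassword("is on", "My boss", "Facebook", 16))
}
```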

The app costs only £0.99 (= US$1.48) and there is a free 14-day SafePass demo available. It requires no permission of any kind, and it works on Android 4+ whatever the screen size.

There are other apps out there; I encourage you to try them all and assess them in terms of security, both “Should I trust the app publisher?” and “Does it rely on a system whose safety could be breached by hackers?”.

Lastly, protect your loved ones, particularly those who are less aware of online dangers. If you have an elderly parent using a variety of online delivery services for example, do advise them on how to choose a password and tricks to remember it.
