
Evolution Of Password Management - Algorithmic Password Generators

We've seen that password managers may be useful but have their drawbacks. Another way to avoid remembering tons of passwords is to use a generator algorithm that combines a master password with the name of the desired service. This algorithm can be simple enough to use without the support of any technology. An example of a trivial algorithm is "take the name of the service and append my year of birth" (where the year acts as the master password).

Of course a password like "Twitter1970" is not very secure. Worse, once one generated password is known, the algorithm is really easy to guess. This means that if someone steals one of your passwords (by compromising a server or using a man-in-the-middle attack), they can easily calculate all the others ("Facebook1970", "Gmail1970", etc.).

Another easy-but-not-so-secure algorithm

A more sophisticated and secure algorithm is the one provided by James Coglan (called Vault) and illustrated in this post a few years ago:

  • Take two values from the user and make a hash (A) out of them
  • Construct a character set (B) acceptable by the target site
  • Encode the hash A using the character set B

So, a well-designed password calculator needs a one-way function (hash) that makes it impossible to recover the master password from a generated one. In this case, the fact that the algorithm is public is not a big threat, provided that the hash function is secure enough.
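As an added example (not James Coglan's Vault code), here is a Python implementation of the three steps above. The choice of PBKDF2-HMAC-SHA256 with the service name as salt, the character classes and the base-conversion encoding are all assumptions made for this illustration.

```python
import hashlib
import string

# Character classes a target site might accept (constructed for this example).
CHARSET_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*",
}


def derive_hash(master, service, iterations=100_000):
    """Step A: one-way function over the master password and the service name.
    The service name is the salt, so two sites never share a hash, and a leaked
    site password cannot be reversed to the master (assumed KDF choice)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master.encode("utf-8"), service.encode("utf-8"), iterations, dklen=32
    )


def build_charset(allowed):
    """Step B: the character set (B) the target site accepts."""
    return "".join(CHARSET_CLASSES[name] for name in allowed)


def encode(digest, charset, length):
    """Step C: encode hash A with charset B. The digest is read as one big
    integer and converted to base len(charset); the bias from 2**256 not being
    a multiple of len(charset)**length is negligible for these lengths."""
    n = int.from_bytes(digest, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(charset))
        out.append(charset[idx])
    return "".join(out)


def generate(master, service, allowed=("lower", "upper", "digit", "symbol"), length=16):
    """Full calculator: same (master, service) always yields the same password."""
    digest = derive_hash(master, service)
    charset = build_charset(allowed)
    return encode(digest, charset, length)


if __name__ == "__main__":
    # Constructed inputs: the outputs differ per site and per master password.
    for site in ("twitter", "facebook", "gmail"):
        print(site, generate("correct horse battery", site))
```

A site that additionally requires at least one character of each class would need a further check after encoding, which this example does not add.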

The ideal solution is a multi-platform application that can run both on PCs and smartphones/tablets. An online service is not recommended for two main reasons:

  1. Security: there is always the risk of a server compromise or a man-in-the-middle attack. In addition, if the algorithm is closed source, it cannot be inspected and you cannot be sure about its security.

  2. Reliability: it's hard to guarantee 100% uptime, and harder still to keep a service running virtually forever. An open source algorithm may mitigate the risk of the service shutting down.


Image by @GwynethJones (The Daring Librarian!), taken from Flickr, licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 2.0 Generic license.