I Love Belgium... and you?
Cookies éphémères (7 jours au plus) pour les utilisateurs authentifiés uniquement. Aucun traçage.
Temporary cookies (7 days max) for authenticated users only. No tracking.

Home page > II. Pro > 4. Informatique/Computing > My password strategy

My password strategy

Ma stratégie de mots de passe

Sunday 7 March 2010 / 28 March 2015, by CeD

Other versions of this article:

To protect your privacy, forget your passwords. Store them in a safe. Or don’t store them at all.

Frequently, I am asked to advise friends and colleagues on how to manage their passwords in order to have both good security and acceptable convenience. These days, with dozens of passwords needed and more and more privacy/safety issues, ordinary people (I mean non-professionals) are getting confused about their credentials and the complexity involved. Here is my personal answer.

The essentials: (i) Differentiate your passwords (one for each account, never twice the same), (ii) Protect them with a personal “superpassword” that is unique, unforgettable, unguessable, uncrackable, never stored anywhere but inside your brain, (iii) Use a tool that will generate strong passwords and will remember them safely for you.
1. Create a strong yet unforgettable main seed (“Master Key”) from a personal pass phrase:

Frag­ment­ed Suite for Piano and Bass Duke Elling­ton and Ray Brown 1972FSfPaBDEaRB1972 (this is just an ex­am­ple of course, not my own pass phrase; an ex­cel­lent choice any­way. According to howse­cureis­my­pass­word.net, It would take a com­put­er about 609 mil­lion years to crack it. However, a pass­word like goofy2014 would take on­ly 42 min­utes.)

The per­son­al pass phrase and the derived seed will nev­er be stored any­where ex­cept in your brain.

2. Generate a unique password for each protected resource:
  • Save the “portable page” locally as passhash.html, open it with any web browser [2]:
    PNG - 5.5 kb
  • Assuming your ID is “thepianoplayer” for the domain “orches.tra”, enter Site Tag = orches.tra+thepianoplayer, Master Key = FSfPaBDEaRB1972,
  • → Strong generated password = sqG&Xaj0 (digit, punctuation and mixed case ticked, size 8)
  • → Stronger generated password = sqGGcaj-FjR2 (digit, punctuation and mixed case ticked, size 12)

The very in­ter­est­ing fea­ture of this tool is this: no pass­word is saved any­where, even in an en­crypt­ed form. They are re-cal­cu­lat­ed ev­ery time you need them, then van­ish after use. Unstoppable: no­body can steal some­thing that sim­ply doesn’t ex­ist.

At the same time, re­place your old “qw­er­ty” or “123456” so-called pass­words with re­al ones.

(You may now shoot the pi­anist, he is ar­moured)

You may copy/paste the gen­er­at­ed pass­words; the pass­word man­ager of your browser/mail client will gen­er­al­ly re­mem­ber them on­ce you have used them for the 1st time. However, this is not safe if you didn’t set up a Master pass­word to pro­tect saved pass­words (you may use your main seed “FSfPaBDEaRB1972” for this) plus a per­son­al pro­file [3]. Even if you did, it is still not safe if you are us­ing an old-fash­ioned browser/mail client, as those ob­so­lete prod­ucts (some are still avail­able from their pub­lish­ers, un­for­tu­nate­ly) store pass­word in an un­safe way. Anybody us­ing a sim­ple, free util­i­ty like SIW might dis­cov­er them in sec­onds. So, do not al­low an old browser/mail client to re­mem­ber your pass­words, or even bet­ter: do not use old browsers or mail clients. Never.

You may use this strat­e­gy not on­ly for com­put­er-re­lat­ed mat­ters, but for many other things, for in­stance:

  • Your bicycle: Site Tag = bicycle+thepianoplayer, Master key = FSfPaBDEaRB1972 → lock code = 267470 (digits only, size 6)
  • Your suitcase: Site Tag = suitcase+thepianoplayer, Master key = FSfPaBDEaRB1972 → lock code = 579736 (digits only, size 6)
  • Your garage: Site Tag = garagedoor+thepianoplayer, Master key = FSfPaBDEaRB1972 → lock code = 510303 (digits only, size 6)
  • Your credit card: Site Tag = creditcard+thepianoplayer, Master key = FSfPaBDEaRB1972 → PIN code = 297672 (digits only, size 6)
  • Your phone: Site Tag = telephone+thepianoplayer, Master key = FSfPaBDEaRB1972 → PIN code = 470939 (digits only, size 6)

(use on­ly the first 4 dig­its here, as passhash ig­nores the size set­ting if less than 6, which makes sense to avoid weak pass­words.)

So, my pass­words are com­pli­ant with the fol­low­ing 5 re­quire­ments:

  1. They are unique (one distinct password for each protected resource, so if one password is compromised, only one access would be struck) [4]
  2. They are strong (i.e. reasonably resistant to brute force or dictionary attacks) [5]
  3. Almost impossible to steal, as they aren’t stored anywhere.
  4. I can’t forget them, as I don’t need to remember them — I am able to restore them in case of need.
  5. I do not need a sophisticated, possibly expensive and protected piece of software to keep my secrets, as I have no multiple and sophisticated secrets to keep, just my pass phrase.


[1] Note: csync.org cur­rent­ly on­ly of­fers the “portable page”, not the Firefox plug­in it­self; a back-up copy is still avail­able here. The “portable page” is per­fect­ly us­able with­out the plug­in.

[2] Except, as usu­al, Microsoft Internet Explorer

[3] Never store pass­words on a pub­lic ma­chine, of course

[4] This re­quire­ment is the most im­por­tant one: peo­ple us­ing the same pass­word ev­ery­where may loose their email, blog, bank ac­count, per­son­al web site, even their iden­ti­ty if this “one for all” pass­word is stolen from just one site with poor se­cu­ri­ty, or if you get con­nect­ed from a rot­ten cy­ber­café (most are). You nev­er know how se­cure a site is when you cre­ate your pass­word.

[5] With a good prob­a­bil­i­ty of putting in no-win si­t­u­a­tion a tool like OphCrack, which al­lows crack­ing most sim­ple pass­words in two min­utes.

Reply to this article

6 Forum messages

Follow-up of the site's activity RSS site | RSS brèves RSS brèves | Site Map | Private area | Écrire au taulier | Stop Spam Harvesters, Join Project Honey Pot | Creative Commons
and in in created that
and in in created that
and in in created that
and in in created that
write me