/tech home / projects / personal 'blog / about


ARCHIVE: What's the deal with passwords?

Sat. Sep 10th 2005, 03:30pm:

Every other day some IT security company comes out with a new security method claiming it will eliminate the need for usernames and passwords forever. From the use of biometrics that grant access to systems to a picking out a series of pictures that only you remember, they try their best to make you stop using passwords. Sometimes they want to consolidate all of your logins into one, e.g. MS Passport or provide software to remember them for you, e.g. RoboForm. After all, it's not easy to remember the usernames and passwords for tens (sometimes hundreds) of different websites and systems you have an account on. So solving the password problem is big business and will be as long as humans don't have perfect memory. Or until everybody starts doing what I do.

While every method proposed to eliminate passwords has its own set of security, implementation, and logistic problems, I am unable to see any issues with the following one-step method:

  1. Store HINTS to all your passwords in an easily accesible secure storage bin.
You should never ever save or write your exact passwords anywhere. That's an instant security-loophole. Anyone gets hold of that and bam! You're screwed. Just write hints. Here's an example: - username: someguy44 - password: LP8. Now at most, someone can figure out your username and that your password has something to do with LP8. Now it could be that your password hint refers to "Luke Perry" and his movie "8 seconds" or that you once lived on "8 Lake Palm Road" or anything else LP8 might mean TO YOU. The "to you" part is important because LP8 to you has a different meaning than LP8 has to me. And hence, even if I manage to hack your entire list of password hints, I can't really make much out of it.

The most I can learn is that your password hint is LP8 and so is your And if I happen to know one, I can find out the other. For important accounts that require more security, you can just use different passwords and write down good hints. The hints could be symbols, words, sentences, or anything you want. Just make it so that nobody other than you can ever figure it out. I'm so sure of my hint methods that I'm posting some of my hints exactly below. I use hints for everything, not just the passwords so there's slightly more secrity. However, that is a personal preference and you are pretty secure just writing hints to passwords with everything else being written out explicitly.

If that looks very cryptic, well it is, because that's my way of giving hints to myself. You can give whatever hints to yourself that you want. One thing to remember is that you shouldn't be giving hints that others can figure out. If my password is GigaTera2004, my hint should not be "Capitalized names of both my pets and which year I got them." My hint should be GT04 or something along those lines. It should be good enough for me to go... "ah... GT04 means GigaTera2004" and that's it.

A lot of people use software applications to store and auto-fill their passwords. Sounds great till your hard drive crashes or worse, your laptop is stolen! Now whoever has your laptop, also has access to your bank account, your PayPal account, your domain registry account, and of course, all your email. Additionally, do you have the source code to the software? Don't you think if crackers can write malicious spyware, they can also write Password-Managers that pretend to help you remember things but once a night upload ALL your logins to some random IP address? How do you know if the software you use is trustable? If you EVER store passwords to your bank/financial accounts and there's more than $100 in it, you would be taking a BIG risk, trusting anyone, let alone a software that you downloaded from the Internet. All software or web-applications that store your password exactly, no matter HOW securely, are a security-loophole. You just cannot give your password verbatim to anyone or anything. EVER.

Password hints that mean something to you and nothing to others are absolutely the only secure way. Because even if your hints are stolen, they're useless to anyone but you. You can always make your hints, well, more "hintful" so that they ALWAYS mean something to you and that you never forget what they stand for.

Store your hints in a secure location - online/offline. But don't ever trust your secure location. Also if you use online storage like Yahoo Notepad or, use a totally different password for your secure location and make sure that is absolutely the ONLY password you ever 100% remember. Write a hint for that password on paper and put it in your wallet.

Just FYI, I created last year and it works great for me because in addition to being web-accessible and SSL-enabled, it also has a little software that runs on your PC and makes it easy to access your notes with a single click. You can get a free account on ChimeNote and begin using it rightaway - just don't store your credit card numbers etc. in there. Because I don't want to be held liable in case someone figures out your password.

Additionally, the entire database is backed up to a remote PC every day. Worse that can happen is you lose a few hours of stuff. Moreover, the backup is useless to anyone, including me, because every note you make is encrypted with your own password. Now, playing the devil's advocate, I could have written the pages to secretly store the notes unencrypted somewhere that only I can access. However, if you have only password hints, then you are still good. I don't know what " - username: someguy44 - password: LP8" means, but I'm sure you would.

Alternatively, use Yahoo's NotePad feature or write your own online notepad/post-it style application. It's not that I'm plugging but the idea of password hints as the only viable solution to the password problem. ChimeNote's website and the free software just make it easy to access your password storage notes.

But please, don't suggest that I take a retinal scan just to post on