Using a Password Tool

2015-10-03T13:36:51.631+0900

Sites get hacked and user information gets leaked. It's a common problem; the most recent big one is the Patreon hack. My account was compromised as part of this, but I'm not very worried - Patreon had none of my payment information (since I pay through PayPal) and my password was a random assortment of characters that I don't use on any other sites. It wasn't hard to set this up, so I thought I'd explain what I do for passwords.

I use a tool called PasswordMaker. PasswordMaker is not a password manager - the passwords it generates are not stored anywhere, so I don't have to transfer files or worry about my password service getting hacked. PasswordMaker isn't even a company, it's just a method of generating passwords in a repeatable way. You configure initial settings like password length and possible character set (alphanumeric, symbols, etc.), and then use a master password and URL components (typically domain) to generate a password whenever you need to log into a site. PasswordMaker provides tools for all common browsers and phone operating systems.

In practice this is what I do with PasswordMaker:

  1. Go to a site's login page
  2. Open the PasswordMaker tool in my browser
  3. Enter my master password from memory
  4. PasswordMaker calculates my password for the site and puts it into the login form

Because PasswordMaker is not connected to the Internet, the master password stays just in my head, and each site I log into has a completely different password.

In this sense PasswordMaker is similar to the hashing algorithms any reasonable site uses to store passwords. A one-way hash is like the modulo function - 10 modulo 8 = 2 means divide ten by eight and take the remainder, leaving two. Because 2 modulo 8 and 18 modulo 8 are also 2 you can't tell what the original value was with just the hash. Hashing functions of the kind used to store passwords take text data as input and result into a pile of bytes which can be thought of as a really large number, so unlike the modulo example trying to come up with another input that hashes to the same thing is very hard.

In the case of PasswordMaker, it uses the mathematical properties of hash functions to do something like (master password + site domain + optional extras) modulo ??? = site password so you have a different password for every site without having to think about it.

Cases like the Patreon one are a little annoying because to change my password I need add an extra parameter, but most PasswordMaker clients support a list of domains to use special rules on. Some issues that have caused me to make exceptions for sites:

  • Site requires shorter passwords (limits of 16 or occasionally 8 characters)
  • Site doesn't allow punctuation (*$%&,+- etc.)
  • Site requires periodic change (fixed by adding an extra text field for new randomness)

Between that and using a credit card for online payments I don't have to worry about any particular site being hacked reaching out into other parts of my life, which is nice.

So, if you haven't done it yet, get yourself set up with PasswordMaker, and if you have trouble feel free to contact me. As an extra step, sign up at HaveIBeenPwned so you'll be notified if you're in any large-scale hacks. Stay safe, and good luck! Ψ