
Super strong passwords

Like everyone else on the planet, I have been fretting about setting and using strong passwords for each of the myriad online accounts I own.

I tried the xkcd (HorseStapleBattery...) trick but after a while, it became prohibitively hard to remember which combination of words was being used on which website.

To get around this, I started saving passwords in a draft email but that meant that if I ever forgot my email password, I was FUBAR. Additionally, if my email got hacked, my entire online life was compromised.

In response, I started saving those password combinations in a text file on my laptop. Now, if I left my laptop at home, I couldn’t log in anywhere. If the laptop crashed, that would make it very hard to use any of my online accounts.

Then I started using patterns to generate passwords. My pattern looked something like this: <3-letter constant prefix> + <site-specific keyword> + <3-letter constant suffix>

E.g., if my 3-letter prefix was Ben and my 3-letter suffix was d0g, one possible password would be Benicloudd0g for my Apple iCloud account. This was great. The only thing that changed was the site-specific keyword. I was using a prefix and suffix only I knew, but I was worried about two things: most passwords I created using this method were not very long, and if anyone could crack a couple of my passwords, the pattern would become obvious.

Yet, from this formulation, I have been able to devise a workable and sufficiently robust password solution.

I generate my password in two or at most three steps.

  1. Create a string using the above formula e.g., Benicloudd0g

  2. Generate the SHA256 hash of the string created in step 1 i.e., SHA256(“Benicloudd0g”)

SHA256(“Benicloudd0g”) yields a standard 64-character string. Most modern websites support long passwords, so I use this 64-character string as my password. If the website has specific capitalization and special character rules, I just capitalize the first character of the string and insert a special character in front.

If the password is length-limited, I use the longest valid substring of that SHA256 string.

Edit 1: this password generation mechanism can be made even more robust by using only the first 25 or so characters of the SHA256 string as your password. That way, even if one password gets hacked, there is literally no way for the hacker to determine the underlying pattern whose partial hash they are seeing.
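The scheme above, written out as an added example (not the author's own tool): prefix + keyword + suffix, SHA256 hex digest, an optional length limit (25 reproduces Edit 1) and the capital-letter/special-character adjustment. The function names, the default special character and the way the length limit and the special-character rule are combined are this example's assumptions.

```python
import hashlib

HEX_ALPHABET = set("0123456789abcdef")


def build_pattern(prefix: str, keyword: str, suffix: str) -> str:
    """Step 1 of the post: constant prefix + site-specific keyword + constant suffix."""
    return f"{prefix}{keyword}{suffix}"


def sha256_hex(text: str) -> str:
    """Step 2: the SHA256 hex digest, always 64 lowercase hex characters."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def derive_password(prefix, keyword, suffix, max_len=None,
                    caps_and_special=False, special="!"):
    """Derive a site password following the post's rules.

    max_len          -> site length limit; only a leading substring of the digest
                        is used (max_len=25 reproduces 'Edit 1').
    caps_and_special -> site demands a capital letter and a special character:
                        capitalize the first letter and prepend `special`.
    Assumption of this example: the special character counts against max_len,
    so the digest substring is cut one position shorter to make room for it.
    """
    digest = sha256_hex(build_pattern(prefix, keyword, suffix))
    budget = len(digest) if max_len is None else max_len
    if caps_and_special:
        budget -= 1  # reserve one position for the special character
    if budget < 1:
        raise ValueError("length limit too small for this scheme")
    body = digest[:budget]
    if caps_and_special:
        # Hex digits 0-9 have no uppercase form, so when the digest starts with a
        # digit the post's rule yields no capital; uppercase the first letter instead.
        for i, ch in enumerate(body):
            if ch.isalpha():
                body = body[:i] + ch.upper() + body[i + 1:]
                break
        body = special + body
    return body


if __name__ == "__main__":
    # Constructed sample values taken from the post's own worked example.
    print(derive_password("Ben", "icloud", "d0g"))                 # full 64-char password
    print(derive_password("Ben", "icloud", "d0g", max_len=25))     # 'Edit 1' variant
    print(derive_password("Ben", "icloud", "d0g", max_len=20, caps_and_special=True))
```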

Advantages:

  1. I don’t have to remember passwords
  2. Losing one password doesn’t compromise the rest, since all a hacker sees is an arbitrary collection of letters and numbers. They don’t see the underlying pattern whose SHA256 hash created the password (see also the edit above).
  3. I use a third-party library to generate the SHA256 hash, which has no idea what’s so special about the string