Jan 14

Always use protection...

...for your passwords, of course! (what did you think I meant?)

Twenty years ago when I was in college (OMG... did I really just type that?) I had three passwords to remember. Two for two different email systems I had access to and one for my dorm room voice mail. That was it. There was no online anything. My bank didn't dole out ATM cards till a few years later.

Well, times have changed. Sitting on my computer here, I have a spreadsheet that has 113 passwords. And that doesn't count the half a dozen passwords and pin numbers I have to remember and use on a daily basis at my day job. I'm sure it also doesn't include a handful of "throw away" passwords... you know those websites that require you to sign in and create an account even though you'll only ever be there that one time? Yeah, there must be a couple dozen or so of those with my name on it.

Everything is fine and dandy when I'm home. But when I travel, I have some issues. You see... I keep my passwords in a spreadsheet (a password protected spreadsheet, of course) - I think I mentioned that.

I'm sometimes a little old school with my computing habits. I haven't fully adjusted to having all my sensitive data in "the cloud." Yes, there are some supposedly really good password keepers out there. But I've never really been comfortable with them and their ability to keep my data in sync between my desktop and other devices (smartphone, laptop, and now tablet). I'm not saying that they aren't safe and secure, I'm only saying that I've never felt comfortable. So I keep my spreadsheet.

Which is a problem when I travel. If I was traveling with my laptop, I'd still be fine. The laptop has two passwords to get on and in and the spreadsheet is hidden and itself has a password. But these days, if I'm traveling it's for vacation and I rarely need to travel with my laptop since I have that smartphone and tablet. And I'm not comfortable with the Excel readers (and not even sure if they do the password thing).

And while I try to do things like pay my bills before I leave town... I never know when I'm going to need one of those passwords that I don't use too often.

You see where this is going? I needed another way to be comfortable with written passwords.

Enter my little Java app, the Password Obfuscator.

I figured that if I modified my password in a way that only made sense to me, I'd feel comfortable writing it down and comfortable saving it in some cloud-enabled online app that syncs to a website, my phone, etc (like Evernote. I love Evernote for non-sensitive things). That way, if someone got hold of my password(s), by the time they figured out my scheme (if they figured out my scheme), I'd already have received some email that my account was locked out and voila!

For me, the best way to obfuscate a password was to look at the keyboard, and shift all the letters and numbers by some number to the right. So, if my password was "dog" and my shift number was 2 (on the qwerty keyboard) the password I'd write down would be "gqj". (Note the rollover from "p" to "q".) The chance that anyone would get "dog" from seeing that... well, it's not impossible, but small enough for me to be comfortable writing some things down.

Anyone could do this with a password or two. But 113? Yeah, it was much easier to write the little Java app that could do it for me.

The app is here:  http://riotsw.com/passwordObfuscator.html

It should be reasonably straightforward. Choose how many characters you want to move your passwords by. Decide if you want to change case. Decide if you want to move your numbers and characters, too. Then copy your passwords into the input, press the "Do it!" button and voila... examine your output. Here's what it looks like:


You can further obfuscate things by not tying them directly to their site. For example, if "test" was the password for your bank... well, you're likely not in danger of forgetting what bank is yours, right? So wherever you keep the changed password, just label it "my bank." Someone who finds that isn't going to try the couple hundred banks in the world.

Then when you need to use the password, you only need to remember how you shifted it. I presume that anyone looking at a keyboard can reverse the process to get their password (and since it's one at a time, it shouldn't be that cumbersome).
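The shift described above and its reversal, as an added Python sketch (an illustration written for this page, not the Password Obfuscator's own code). The row layout, the function names and the handling of case and digits are assumptions; the last function lists the characters a given shift leaves in the clear, which happens for symbols and for any row whose length divides the shift number.

```python
# Added illustration of the keyboard-row shift; not the Password Obfuscator's code.
# Assumed layout: the four character rows of a US QWERTY keyboard.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def shift_char(ch, n, move_digits=True):
    """Move ch n keys to the right within its row, wrapping at the row's end."""
    lower = ch.lower()
    for row in ROWS:
        if lower in row:
            if row[0] == "1" and not move_digits:
                return ch  # digits left alone on request
            moved = row[(row.index(lower) + n) % len(row)]
            return moved.upper() if ch.isupper() else moved
    return ch  # symbols and spaces are not on a shifted row: copied as-is


def obfuscate(password, n, move_digits=True):
    """Apply the shift to every character of the password."""
    return "".join(shift_char(c, n, move_digits) for c in password)


def recover(written, n, move_digits=True):
    """Reverse the shift: same walk, n keys to the left."""
    return obfuscate(written, -n, move_digits)


def unchanged_positions(password, n, move_digits=True):
    """Indexes whose character is written down in the clear for this shift."""
    written = obfuscate(password, n, move_digits)
    return [i for i, (a, b) in enumerate(zip(password, written)) if a == b]


if __name__ == "__main__":
    print(obfuscate("dog", 2))   # the post's example, including the "p" to "q" rollover
    print(recover("gqj", 2))
    # Constructed sample: a shift of 7 maps the 7-key bottom row onto itself.
    print(obfuscate("zoom", 7), unchanged_positions("zoom", 7))
```

Running `unchanged_positions` on a password before writing it down shows whether the chosen shift number actually moved every character.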

A note about passwords... Good passwords are long passwords. Long doesn't necessarily mean complicated or difficult to remember. myMymyMymyMySharona is a better password than My.1!Shar0na#.

The best post and description of why this is true is here: https://www.grc.com/haystack.htm

I would love to muse on passwords some more... but it's time to watch Big Bang Theory.

One Response for "Always use protection..."

  1. Anand says:

    I've seen similar restrictions but still consider the security sufficient if a) you have some random login number that you write down b) your account gets blocked after 3 tries. If the login number was your account number it could be used for denial of service, so I prefer a random number. Of course someone could still steal your hashed password from the bank and brute-force it, which is easier for simple passwords. But then this is not much easier than installing a trojan, staging a man in the middle attack or sniffing your password by other means.


