“When Sidestep detects you connecting to an unprotected wireless network, it automatically encrypts all of your Internet traffic and reroutes it through a secure connection to a server of your choosing, which acts as your Internet proxy. And it does all this in the background so that you don’t even notice it.”
My buddy Christian recently asked me about my personal password creation algorithm, which is something I’ve mentioned a few times (including once or twice at a Refresh Austin meeting). After doing a quick walk through with Christian over IM, it seemed appropriate for me to write it up in a more legible format so others can benefit.
It all comes down to this: you want a memorable but complex password to use on the Web. Ideally it isn’t the same on every site you access, so that one compromised Web site doesn’t leave every one of your other accounts open to nefarious evildoers.
Short & Sweet
This post is longer than I anticipated, so here’s the bite-sized version.
- Start with a memorable phrase.
- Strip spaces, substitute a few characters (‘e’ becomes 3) and play with letter case. You will use this base to create the same foundation for each site’s password.
- Use part of the domain to modify the base, creating a unique password. This example uses the first and last letter from www.amazon.com. Ignore subdomains (‘www’) altogether. Every site will use this same pattern (first and last letter, no subdomain) to fill out its password.
- Add some complexity. In this case we add a number (’22’) and a dash at the beginning and a question mark at the end. This becomes a part of the base for all passwords, just like the initial phrase.
- Examples from different domains: www.microsoft.com, www.facebook.com and store.apple.com.
I recommend you read the full post as I give other examples and provide a couple of usage tips throughout.
There are a few simple steps to achieve these goals.
Start With a Phrase
For this first example, we’ll use the title of a seminal jazz album, Miles Davis’ “Kind of Blue“.
Formatting and Substitutions
Let’s begin by removing the spaces, as most login systems won’t accept them in your passwords. We now have KindofBlue. Next, we’ll do some simple substitutions of numbers for letters (the “o” in “of” becomes a zero and the ‘e’ in “Blue” becomes a three) and play with capitalization, which results in kind0fBlu3. This isn’t that complex, and number-for-letter substitutions are easily recognized (and broken), but it should be easy for you to remember.
Making it Unique per Site
This is where it gets more interesting and more secure – we’re going to take a bit of the Web site to use in our password. In this example, let’s take the first and last letters of the domain and insert ’em at the beginning and the end of our password. So for www.amazon.com the password is akind0fBlu3n. For the Apple Store (http://store.apple.com/us) it is akind0fBlu3e. You’ll notice that while they are similar (the only difference is the last letter), they are different, so if someone learns your Amazon password, they can’t get into your Apple account unless they deduce the overall pattern.
You should only use the main part of the URL (amazon.com, apple.com). Ignore subdomains (“www.”, “store.”), as you will likely only have one account on a domain, but the domain may have several subdomains. This keeps life much simpler for you.
Rounding it Off
I like to add a couple of extra touches to make my password a bit more complex and to make it more difficult for someone to recognize that there could be a human-readable pattern. Continuing with our example, we’ll add a number (22) and a dash at the beginning and a question mark at the end, which generates 22-akind0fBlu3n? for Amazon. These latest additions don’t change from domain to domain, so you don’t need to memorize a bunch of different patterns. For example, the password for Microsoft’s site would be
A note: Some login systems don’t allow punctuation, so it’s handy to stick it at the end or at a specific spot. For a domain that won’t let me use the dash or question mark, I know to delete the third character and the last character of my normal pattern, resulting in 22akind0fBlu3n for Amazon.
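The rules above carried through in code, as an added worked example (not the author’s code or any product’s): the base built from “Kind of Blue”, the first and last letter of the registrable domain with subdomains ignored, the fixed “22-” prefix and “?” suffix, and the punctuation-free fallback for sites that reject it. The substitution map, the helper names and the single-label-suffix assumption in `site_label` are my own choices.

```python
"""Worked example of the per-site password pattern described in the post.
Added illustration, not the author's code. Rules implemented:
  1. strip spaces from a memorable phrase and apply character substitutions
  2. take the first and last letter of the registrable domain, ignoring subdomains
  3. wrap the result in a fixed prefix and suffix
  4. drop the punctuation for login systems that refuse it
"""
from urllib.parse import urlsplit


def make_base(phrase: str, substitutions: dict) -> str:
    """Remove spaces and apply single-character substitutions (e.g. 'e' -> '3')."""
    return phrase.replace(" ", "").translate(str.maketrans(substitutions))


def site_label(site: str) -> str:
    """Return the registrable label ('amazon' for www.amazon.com), ignoring
    subdomains. Assumption: a single-label public suffix such as .com; a suffix
    like .co.uk would need a public-suffix list, which the post does not cover."""
    host = urlsplit(site if "://" in site else "//" + site).hostname
    labels = host.strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def site_password(base: str, site: str, prefix: str = "22-", suffix: str = "?",
                  allow_punctuation: bool = True) -> str:
    """Derive the site-specific password; drop punctuation if the site rejects it."""
    label = site_label(site)
    password = prefix + label[0] + base + label[-1] + suffix
    if not allow_punctuation:
        password = "".join(ch for ch in password if ch.isalnum())
    return password


def differing_positions(a: str, b: str) -> list:
    """Indices at which two derived passwords differ (equal length assumed).
    Shows how little changes between sites, the weakness the post itself notes."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    # Substitution map chosen to reproduce the post's base 'kind0fBlu3'
    base = make_base("Kind of Blue", {"K": "k", "o": "0", "e": "3"})
    for site in ("www.amazon.com", "http://store.apple.com/us", "www.microsoft.com"):
        print(site, "->", site_password(base, site))
    print("no punctuation ->", site_password(base, "www.amazon.com", allow_punctuation=False))
    print("amazon vs apple differ at", differing_positions(
        site_password(base, "www.amazon.com"), site_password(base, "http://store.apple.com/us")))
```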
The sample I used above is pretty simple, and easy to recognize as a word or phrase. A better pattern would be to use a sentence or phrase and take the first few letters of each word as your base and/or shortening words. Sticking to our musical theme, here are a couple of ideas:
“Dance Me to the End of Love” by Leonard Cohen
We could take the first two letters of each word:
dametothenoflo, which with some substitution and additions becomes 9+adam3tothenofl0n! for Amazon and 9+mdam3tothenofl0t! for Microsoft.
“Little Red Corvette” by Prince
We can get a bit more creative here and substitute “Lil” for “Little” and only use the first three letters of “Corvette”:
LilRedCor. As before, finishing out the pattern could result in 00=aLilredcorn! for Amazon.
Of course you don’t have to choose the first and last letters from the domain, you could choose the second and third (assuming the domain is longer than two letters) or you could take the first letter and put it at the end and take the last letter and put it at the beginning.
A Couple of Notes
I didn’t come up with the idea, and I no longer recall where I first learned of it, so while I have adopted it wholeheartedly, someone smarter than me deserves credit for it.
This is not foolproof and I am not a security expert. Following this pattern means your password is not truly random, and someone who has access to your account on one system and is clever enough could determine how it works and get into other systems. That said, it is at least more secure than not using a system like this.
I recommend creating and using a few of these patterns to reduce the risk that breaking one will allow somebody to access every account you have on the Web. For truly important sites (your bank account, anywhere that stores your credit card numbers), you should go with a random password generator paired with a secure password manager, like my personal favorite 1Password (Mac only, I’m afraid).
So, how can we improve this practice and how do we ensure that this is something that non-technical people can use to be a bit safer online?
1Password, an amazingly useful password manager for the Mac, has just released a beta version which provides the ability to auto-fill and submit your passwords on the iPhone. This is a massive improvement for anyone who uses even slightly secure passwords, but gets frustrated when inputting them via the on-screen keyboard.
The info is stored using 448-bit Blowfish encryption on the iPhone itself, and requires that you input a master password on the phone, so there isn’t any communication with external devices. So, now you have the ability to use secure passwords sans frustration, for all of your accounts, knowing that your passwords will stay secure.
If you don’t have a Mac, I’m afraid you are out of luck. But if you do have a Mac, you need to download 1Password; it is a great program that makes my life much, much easier every day – seriously. The addition of the iPhone autofill bookmarklet has now made the program invaluable.
Mac Geekery has a nice little article discussing how to remotely destroy data on your laptop should it be stolen. The concept is great, and the use of Perl could easily be replaced by other technologies. I like the idea of taking the machine down and notifying the user that the machine is stolen, in addition to gathering additional info as to the laptop’s whereabouts.
For those with a Mac laptop, Orbicule’s Undercover software could prove a very useful bit of kit, should the computer ever be stolen. If someone absconds with your iBook/Powerbook/MacBook Pro, Undercover will reveal the Net location (IP address) of the machine plus “it also transmits screenshots, enabling you to closely monitor your stolen Mac… As these screenshots are sent at regular intervals, they will sooner or later reveal the thief’s identity (e.g. when chatting, reading e-mail,…) making it much easier to work with law enforcement in order to recover your Mac.” And if that doesn’t work, it will:
simulate a hardware failure, gradually making the Mac’s screen unusable. This erratic behaviour will be accompanied by a Mac OS X system message stating that a hardware failure has been detected. All this should urge the thief to bring the Mac to an authorized Apple reseller. At that point, Undercover will show a full-screen message alerting the reseller (or someone who bought the Mac from the thief) that the Mac has been stolen, that it has become unusable and that it needs to be returned as soon as possible.
Apparently it checks against their central server to determine if your Mac is in the “stolen list”.
Found via Gizmodo.