As we've learnt from following the news, simple passwords like 123456 aren't the safest. On the other hand, if you pick a safe password with both letters and numbers, you'll end up forgetting it. You can't have your cake and eat it. Or can you? We'll show you how you can use hard-to-guess passwords on sites without ever having to write them down to remember them... James Bond style.

Method 1: converting simple words to secure gibberish

What you’ll need to remember: the URL of your favorite website

  1. Get the URL of your favorite website. Attention: use just the domain name part, and always spell it exactly the same way! The hash is computed over the exact characters you type, so "http://google.com", "google.com/" and "Google.com" each produce a completely different hash from "google.com", and you would never be able to recover your password. Valid examples are google.com and google.co.uk.
  2. Open this site. Enter the domain name in the “Input” field.
  3. What we're going to do is convert your domain name into an MD5 hash. All you need to know about MD5 is that it is a hash function: it turns any input into a fixed-length, random-looking 32-character fingerprint, and there is no way to run it backwards. It does not encrypt anything (there is no key and nothing to unlock), and the same input always gives the same output, which is what lets you recompute the password later.
  4. Hit the "Create MD5" button.
  5. Take the first eight characters from the "MD5 hash" field and use them as your new password.

Obviously, it will take you a few weeks to memorize this much harder-to-guess password. Whenever you forget it, repeat the above process to recover it. No need to write it down!

Bear in mind what this password actually is, though: a fixed function of a public string. Anyone who knows the recipe can compute it from the domain name alone, and eight hex characters (0-9, a-f) give at most 16^8, about 4.3 billion, possibilities. It gets you out of the dictionary-word and 123456 category; it is not a secret in its own right.
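The whole of Method 1 in code, as an added example that is not part of the original post. It reproduces the five steps above and then goes one step further than the article: `attacker_guess` shows that anybody can derive the same string from the domain alone, and `keyed_password` shows the smallest fix, mixing in a master secret you keep in your head so the result is no longer computable from public data. HMAC-SHA256 is this example's choice, not something the article prescribes, and the function names, the sample domain `google.com` and the sample secrets are all constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit


def normalize_domain(site: str) -> str:
    """Reduce whatever was typed to the bare, lower-case host name.

    MD5 is byte-exact: "google.com", "http://google.com", "google.com/" and
    "Google.com" are four different inputs with four unrelated hashes. Doing
    this normalization first means the same password comes out every time,
    which is the real reason step 1 of the article insists on the bare domain.
    """
    s = site.strip()
    if "://" not in s:
        s = "//" + s  # let urlsplit parse the text as a network location
    host = urlsplit(s).hostname or ""
    return host.lower()


def method1_password(site: str, length: int = 8) -> str:
    """The article's Method 1: the first `length` hex digits of MD5(domain).

    Note what this is NOT: a secret. Every input is public, so anyone who
    knows the recipe computes the same string (see attacker_guess below), and
    `length` hex digits have only 16**length possible values (about 4.3
    billion for length 8, i.e. 32 bits).
    """
    domain = normalize_domain(site)
    return hashlib.md5(domain.encode("utf-8")).hexdigest()[:length]


def attacker_guess(domain: str, length: int = 8) -> str:
    """What an attacker who has read this article would try first."""
    return hashlib.md5(domain.encode("utf-8")).hexdigest()[:length]


def keyed_password(site: str, master_secret: str, length: int = 8) -> str:
    """Added variant (hypothetical, not from the article): bind the per-site
    string to a secret only you know.

    HMAC-SHA256 over the normalized domain, keyed with a master secret, keeps
    the convenience (recompute, never write down) but the result can no longer
    be derived from the domain name alone.
    """
    domain = normalize_domain(site)
    mac = hmac.new(master_secret.encode("utf-8"), domain.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:length]


def demo():
    """Return the values a reader would want to compare side by side."""
    spellings = ["google.com", "http://google.com", "google.com/", "Google.com"]
    # Step 2-5 applied literally to each spelling: four different "passwords".
    raw_hashes = {s: hashlib.md5(s.encode("utf-8")).hexdigest()[:8] for s in spellings}
    # The same spellings after normalization: one password, repeated.
    normalized = {s: method1_password(s) for s in spellings}
    return {
        "raw_hashes": raw_hashes,
        "normalized": normalized,
        "attacker": attacker_guess("google.com"),
        "keyed": keyed_password("google.com", "correct horse battery staple"),
        "keyed_other_secret": keyed_password("google.com", "a different secret"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Run it and compare `normalized` with `attacker`: they are identical, which is the whole problem with Method 1 as written. `keyed` differs from both and changes when the secret changes, which is the property you actually want from a site password.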

Method 2: your favorite MP3 is the key

What you'll need: an MP3 file

  1. Download HashTab. Ryan explains how it works here.
  2. Find your favorite MP3 on your computer and pull up its parent folder in Windows Explorer or Finder.
  3. Right-click the MP3, select Properties and go to the File Hashes tab. Mac users: select File Hashes from the right-click menu.
  4. Look for the MD5 hash, right-click the entry and select Copy. This hash is a fingerprint of the file's exact contents: change a single byte anywhere in the file and the whole hash changes.
  5. Again, take the first eight characters from the hash and use them as your new password.

Just like with method 1, you can repeat these steps to recover your password until you've learned it by heart. Remember never to alter your MP3 in any way, otherwise the MD5 hash will change and this little trick will no longer work. "Alter" covers more than re-encoding: editing the ID3 tags, or letting a music library rewrite the metadata for you, changes the file's bytes and therefore its hash, so keep a pristine copy somewhere a tagger will not touch it.
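Method 2 in code, as an added example that is not part of the original post. `file_md5` is what HashTab shows (MD5 over every byte); `audio_md5` hashes only the bytes between an ID3v2 header and an ID3v1 trailer, so a re-tag by a music library no longer changes the derived password. The tag parsing follows the public ID3 layout (10-byte "ID3" header with a syncsafe size; 128-byte "TAG" trailer); the sample tags and `FAKE_AUDIO` are constructed here and are not a real MP3.

```python
import hashlib


def _syncsafe_decode(b: bytes) -> int:
    """ID3v2 stores sizes as four 7-bit bytes so no size byte looks like a sync marker."""
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def _syncsafe_encode(n: int) -> bytes:
    return bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])


def audio_span(data: bytes):
    """Return (start, end) of the bytes between the ID3v2 tag and the ID3v1 tag.

    ID3v2 header: "ID3", 2 version bytes, 1 flags byte, 4-byte syncsafe size of
    the tag body (header excluded; a 10-byte footer follows if flag 0x10 is set).
    ID3v1: a fixed 128-byte trailer beginning with "TAG".
    """
    start, end = 0, len(data)
    if len(data) >= 10 and data[:3] == b"ID3":
        start = 10 + _syncsafe_decode(data[6:10])
        if data[5] & 0x10:
            start += 10
    if end - start >= 128 and data[end - 128:end - 125] == b"TAG":
        end -= 128
    return start, end


def file_md5(data: bytes) -> str:
    """What HashTab displays: MD5 over every byte of the file, tags included."""
    return hashlib.md5(data).hexdigest()


def audio_md5(data: bytes) -> str:
    """MD5 over the audio frames only, so re-tagging does not change it."""
    start, end = audio_span(data)
    return hashlib.md5(data[start:end]).hexdigest()


def password_from(hexdigest: str, length: int = 8) -> str:
    """The article's step 5: the first eight hex characters of the hash."""
    return hexdigest[:length]


# --- constructed sample data (not a real MP3) ---------------------------------

def make_id3v2_tag(title: str) -> bytes:
    """Minimal ID3v2.3 tag holding a single TIT2 (title) frame."""
    text = b"\x00" + title.encode("latin-1")  # 0x00 = ISO-8859-1 text encoding
    frame = b"TIT2" + len(text).to_bytes(4, "big") + b"\x00\x00" + text
    return b"ID3" + b"\x03\x00" + b"\x00" + _syncsafe_encode(len(frame)) + frame


def make_id3v1_tag(title: str) -> bytes:
    """ID3v1: 'TAG' + 30-byte title + 95 bytes of other fields = 128 bytes."""
    return b"TAG" + title.encode("latin-1").ljust(30, b"\x00") + b"\x00" * 95


FAKE_AUDIO = bytes(range(256)) * 8  # stands in for the MP3 frames; constructed


def demo():
    """Hash the same 'audio' before and after a library rewrites the tags."""
    original = make_id3v2_tag("Original Title") + FAKE_AUDIO
    retagged = make_id3v2_tag("Retagged by my library") + FAKE_AUDIO + make_id3v1_tag("x")
    return {
        "whole_file_original": password_from(file_md5(original)),
        "whole_file_retagged": password_from(file_md5(retagged)),  # differs: trick breaks
        "audio_only_original": password_from(audio_md5(original)),
        "audio_only_retagged": password_from(audio_md5(retagged)),  # same: trick survives
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

For a real file, pass `open(path, "rb").read()` to `audio_md5`. The public-input caveat from Method 1 still applies in a weaker form: the file itself is the only secret, and anyone who obtains the same MP3 can recompute the password.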

Image credit: Curious Findings

There Are 10 Comments

  1. For the first hash, remember that an attacker could just as easily stick the name of the site into an MD5 algorithm. Also, you don't explain why using the full URI is bad; it will still hash the same, though it is obviously harder to type.

    With MP3s, certain libraries may alter your files without telling you (replacing metadata, adding tags for the library, copying it pointlessly), so be careful with that.

    Finally, do remember that by using a string from an MD5 hash you're actually reducing the number of possible combinations of letters and numbers, as there are only 16 different characters that can appear in a hash. Obviously an attacker wouldn't know this, but from a security standpoint it's relevant.

    • You're right, it reduces the number of possible combinations to 16^(password length). However… there's the security-through-obscurity argument. MD5 hashes hold up better against dictionary-based brute-force attacks with either words or common passwords, because most people (including crackers) don't go the extra mile with MD5. Of course I wouldn't recommend it for businesses, but it'll keep crackers busy for a while and it's safe enough for the average person.

  2. Method 1 can be automated with a bookmark JavaScript utility like [supergenpass.com] which creates an MD5 hash based on both the domain name and a master password. Very easy to use since you only have to remember one master password but get unique generated passwords for each site.

    • Aww man, I was gonna write a Firefox extension that does just that… :)

      Thanks for the tip though. That bookmarklet saves me a lot of work.

  3. I think I'd want a site-unique phrase so that I'd have a different password hash for each site that I use. And something easy to remember. For example, if 'zulu' is my favorite memorable word, then make a hash of citibank.zulu for my Citibank a/c, a hash of amazon.zulu for Amazon, and so on.

  4. This is already available as Stanford PwdHash. See [pwdhash.com]

    And it is also available as a Firefox plugin.

  5. All that or just use LastPass Firefox add-on.

  6. Method 1 is scary... I think it makes passwords insecure, rather.

  7. ;/ Just remember a phrase that you can remember (avoiding friend, pet, family member names) and leetspeak it; it'll take a week or so to remember it, but it incorporates letters, numbers and characters.

  8. Computer Video Tutorials

    You can use PasswordHash instead of MD5 Hash for more security.
