Remembering dozens of passwords

You’ll never forget your password ever again

In recent weeks, there have been claims that Dropbox usernames and passwords have been leaked online. While Dropbox has denied that any passwords were leaked, their advice was for “users not to reuse passwords across services”. For people who don’t use second-factor authentication or password manager services, this is good advice.

In fact, I’ve moved away from the approach I described previously of how to choose a strong password. There is no such thing as a strong password once it’s leaked. Sadly, even well regarded sites like Evernote and LinkedIn have had their passwords stolen, and no service can be considered immune to hacks.

Previously, I simply remembered passwords relating to different tiers of service: a password for my most secure service, another for secure but less important services, another for services I use regularly but don’t need to be secure, and another for services that I don’t really use. This way I just needed to remember a handful of passwords across many sites. Unfortunately, this method is not proof against hacks.

However, remembering a different password for every site is infeasible for most people (including me!). Still, there is a way to have a large number of different passwords across different sites while needing to remember only two things: a password stub and a password algorithm. When logging in, a user just needs to apply the name of the service and the stub to the algorithm, and out should pop a (relatively) unique password. Different stubs might be used for different accounts, e.g. if the same service is used for both work and personal purposes.

Here’s an example of how this might be used. Take the password stub “pa55word” and the algorithm “insert the second and third letters of the site name in the third position”. If this user were logging in to “www.dropbox.com”, the second and third letters would be “ro” and the unique password would be “paro55word”. (Let me just say that this is neither a stub that I use nor an algorithm, and now that it’s documented here, not one that you should use either.)

Since there are potentially 676 (26 x 26) combinations of second and third letters, this algorithm can generate hundreds of passwords without needing to remember more than two things. It’s easier than my previous approach where I needed to remember at least four things.

In choosing a stub, it’s helpful to include the sorts of things that password strength tests look for, e.g. some punctuation, a number and both upper and lower case letters. In choosing an algorithm, you want it to be pretty simple so that it will work for many different site names, so don’t go overboard.

So this lets you follow Dropbox’s advice and avoid reusing passwords, but when (!) a service has its passwords hacked and you need to change your password, it’s not going to work. So you probably need to remember a third thing – how many times a given service has been hacked (hopefully there aren’t too many). Then you would have a modification of the algorithm that incorporates this information as well, e.g. for the second iteration of a password on www.dropbox.com the inserted letters become “rro” instead of “ro”, for the third iteration “rrro”, and so on. This does expose the main weakness of the method, in my opinion, so I’m hopeful of coming across a better approach at some point.
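As an added example (not code from the original post), here is the stub-and-algorithm scheme described above written out in Python, including the per-breach iteration rule. It assumes that the “site name” is the first label of the hostname with a leading “www.” removed (so “www.dropbox.com” becomes “dropbox”), that “third position” means the letters go in after the second character of the stub, and that the n-th re-issue of a password repeats the first inserted letter n extra times. The `count_collisions` helper, run over a constructed list of hostnames, shows why the post says the result is only “(relatively) unique”: any two site names sharing their second and third letters derive the same password.

```python
# Added example, not from the original post: the stub-plus-algorithm scheme
# with the per-breach iteration rule. Assumptions are marked below.
import re


def site_name(hostname: str) -> str:
    """Reduce a hostname to the label the algorithm operates on.
    Assumption: strip a leading 'www.', keep the first label, letters only."""
    host = hostname.lower().strip()
    if host.startswith("www."):
        host = host[4:]
    label = host.split(".")[0]
    return re.sub(r"[^a-z]", "", label)


def derive_password(stub: str, hostname: str, breach_count: int = 0) -> str:
    """Insert the site's 2nd and 3rd letters in the third position of the stub.
    For each previous breach of that site, repeat the first inserted letter
    once more ('ro' -> 'rro' -> 'rrro')."""
    name = site_name(hostname)
    if len(name) < 3:
        raise ValueError(f"site name {name!r} is too short for this algorithm")
    letters = name[1:3]
    insert = letters[0] * breach_count + letters
    # "third position": after the first two characters of the stub (assumption)
    return stub[:2] + insert + stub[2:]


def count_collisions(stub: str, hostnames) -> dict:
    """Map each derived password to the hostnames that produce it, keeping only
    passwords shared by more than one site (the '(relatively) unique' caveat)."""
    by_password: dict = {}
    for h in hostnames:
        by_password.setdefault(derive_password(stub, h), []).append(h)
    return {p: hs for p, hs in by_password.items() if len(hs) > 1}


if __name__ == "__main__":
    stub = "pa55word"
    print(derive_password(stub, "www.dropbox.com"))      # paro55word
    print(derive_password(stub, "www.dropbox.com", 1))   # parro55word (after one breach)
    print(derive_password(stub, "www.dropbox.com", 2))   # parrro55word (after two)
    # constructed hostnames: 'dropbox' and 'products' share the letters 'ro'
    sample = ["www.dropbox.com", "www.evernote.com",
              "www.linkedin.com", "products.example.net"]
    print(count_collisions(stub, sample))
```

Running the block prints the three Dropbox iterations and then the one collision in the constructed list; with 676 possible letter pairs, collisions become likely once a few dozen sites are in use, which is the practical meaning of “relatively unique”.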

As I mentioned at the top, second-factor authentication and password manager services are also approaches that can be considered, but have their own downsides. I’m more hopeful that these services will improve in usability and utility over time so that I can make more use of them, before I need to remember the details of too many website hacks.

US Patent 6,285,999

There are several fundamental inventions that have shaped the formation of the Internet business models as we know them today. There was the selling of banner ads (credited to HotWired back in 1994), the keyword auction for displaying ads (invented by Goto.com in 1999), and there is Google’s algorithm for ranking search results, also known as PageRank (described in US Patent 6,285,999).

This patent was the foundation for Google, and enabled them to differentiate themselves from other well-established search engines at that time. So, given its significance, I thought it was time that I got around to reading it, which I did this weekend.

Search engines, such as Google’s, “crawl” the web, grabbing copies of all the web pages that they can find, and following the links within them to find more web pages. Then they create an enormous index of all the information within the web pages. So, when you type in some keywords to search for, they look them up in the index, to find all possible matches, and then rank and order those matches such that the most likely ones appear in the first page of results. The PageRank algorithm supplies this ranking.

Essentially, their algorithm produces a scaled version of the estimated probability of a web surfer ending up on a given page. If one page is better linked-to than another page (based on the number of links from other well-linked-to pages), it will gain a higher ranking. They describe how this can be estimated through iteratively multiplying a probability matrix with itself.
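As an added example (not code from the patent or from this post), here is the random-surfer estimate described above on a small constructed link graph in plain Python. It builds the probability matrix whose entry (i, j) is the chance a surfer on page i lands on page j next, then applies that matrix repeatedly to a uniform starting distribution, which is the same power iteration as multiplying the matrix by itself. The damping factor of 0.85 (the probability of following a link rather than jumping to a random page) is the value commonly used in the PageRank literature, not a number taken from the post; treating pages with no outgoing links as jumping uniformly is likewise a standard choice I am assuming here.

```python
# Added example, not from the patent or the post: PageRank by power iteration
# over an explicit probability matrix on a constructed four-page graph.
DAMPING = 0.85  # common choice in the literature (assumption, not from the post)


def transition_matrix(links: dict, damping: float = DAMPING):
    """Return (pages, m) where m[i][j] is P(next page = j | current page = i).
    With probability `damping` the surfer follows a uniformly chosen outgoing
    link; otherwise it jumps to a uniformly random page. A page with no
    outgoing links (dangling) is treated as linking to every page (assumption)."""
    pages = sorted(set(links) | {t for ts in links.values() for t in ts})
    n = len(pages)
    m = [[0.0] * n for _ in range(n)]
    for i, p in enumerate(pages):
        outs = links.get(p) or []
        for j, q in enumerate(pages):
            follow = outs.count(q) / len(outs) if outs else 1.0 / n
            m[i][j] = (1 - damping) / n + damping * follow
    return pages, m


def pagerank(links: dict, damping: float = DAMPING, iterations: int = 200) -> dict:
    """Estimate the stationary distribution by repeatedly multiplying the
    current distribution vector by the probability matrix."""
    pages, m = transition_matrix(links, damping)
    n = len(pages)
    v = [1.0 / n] * n                      # start: surfer equally likely anywhere
    for _ in range(iterations):
        v = [sum(v[i] * m[i][j] for i in range(n)) for j in range(n)]
    return dict(zip(pages, v))


def ranked(links: dict, damping: float = DAMPING) -> list:
    """Pages ordered from highest to lowest estimated rank."""
    r = pagerank(links, damping)
    return sorted(r, key=lambda p: r[p], reverse=True)


if __name__ == "__main__":
    # constructed link graph: C is linked from A, B and D, so it should rank first
    graph = {"A": ["B", "C"], "B": ["C"], "C": ["A"], "D": ["C"]}
    for page, score in sorted(pagerank(graph).items(), key=lambda kv: -kv[1]):
        print(f"{page}: {score:.4f}")
    print(ranked(graph))  # ['C', 'A', 'B', 'D']
```

Every row of the matrix sums to 1, so the vector stays a probability distribution at each step; after a couple of hundred multiplications the values have settled to the fixed point that the patent’s iterative method converges to, and the “scaled” rank is just that probability multiplied by a constant.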

As I was reading this, I recalled a discussion that I had back in the late 90s with my then-housemate Brendan. We were discussing a reputation database, where people would recommend others who they respected, based I think on a concept in David Brin’s book Earth. The solution to calculating these reputations was pretty much the same as Google’s method for PageRank. I’m not saying this to big-note myself, just to point out that as neither Brendan nor I had a PhD in database algorithms and since it took us 5 minutes to think up the solution, the algorithm is hardly rocket science.

Since then, Google’s gone on to greatness, and to produce many other patents. Today, PageRank is considered to be just one of hundreds of factors that go into ranking their results. However, it’s interesting to see how a simple invention (and a lot of hard work from talented people!) has been the basis for one of the most respected global companies.