Perfect Unforgettable Passwords.

petersmart

petersmart

Messages
5,001
Edit My Images
Yes
Trying to remember passwords is a real pain - especially if you need to remember a lot.

This describes a method I've been using for years with complete success.

I never have to remember a password and I never forget them - even 64 bit passwords are a piece of cake.

All you need are 3 things:

1. A nonsense phrase which is simple, short and easy to remember - this is your secret token.

2. The SHA256 Generator downloaded from here:

https://securityxploded.com/download-software.php?id=4131

3. A protocol which you keep to all the time.

With this you can produce up to 64 bit passwords any time you want - and never forget them.

Firstly install the SHA256 generator on your PC - it only takes up a few MB.

Then click on the Text button and enter your nonsense phrase - eg "I love Gerbils" (with or without the apostrophes)

Now click on the button which says "Generate Hash"

I love Gerbils will produce the following 64 bit hash:

d413e8450b19f873e72d9829b7f4d48469b62986fb0e47f7c8047e2a90e96d10

"I love Gerbils" produces this one:

7ec82d7e5606595b5a7995452749db07685e8429666784eeec1a417e5a5e5b35

A totally different result - and that is the incredible thing about hashing - alter a single character and you get a totally different result.

To get a totally unique password whenever you need it you simply combine your nonsense phrase with your email address or the name of a website you want a password for.

So combine "I love Gerbils" and Amazon gives you "I love Gerbils" Amazon - and the unique 64 bit password for Amazon is:

9af42250abb411294dbeee3a9917303aa62fc9560b474023365a1070eeabfb0d

Since Amazon only takes 16 bit passwords then truncate it to get 9af42250abb41129 for your unique Amazon password.

And as long as you remember your token (your nonsense phrase) and how you use it then you can never forget a password - even though you never rememberit!

E-mails are as easy.

"I love Gerbils" (your e-mail address) - eg "I love Gerbils" johnsmith@outlook.com gives you:

fbbe000c42df810eb0312de9fb820fc535dfb6638e9d3488ae09993c376e87cd

But make sure that you always use the same protocol regarding capitalisation and spacing because a single wrong space can give you the wrong password.

"I love Gerbils"johnsmith@outlook.com gives c749458226f3b86e8d70b9bb49d9896e40fc4b00b2d52d80377d7b9e01fb4857 - a totally different result to "I love Gerbils" johnsmith@outlook.com.

Personally I just run everything together and capitalise my token - eg: PETERSMARTpeter@outlook.com for e-mails and PETERSMARTtalkphotography for this site.

BTW PETERSMART is NOT my token.

Experiment with this method and sort out what you feel comfortable with until you have a simple phrase and the protocols associated with it and then you're set!

But NEVER EVER tell anyone your token - that is how you keep all your passwords secret and unhackable.

EDIT: you never have to store the hash you simply paste it directly into the website etc when needed.

.
 
Last edited:
Password managers are great until they get hacked - then the hackers have the keys to the kingdom - you kingdom.

Which is why I prefer to keep my passwords locked safely away - in my head.

And I'm so used to this method that it only takes me about 30-40 secs to get a password when I need to.
.
 
petersmart said:
Password managers are great until they get hacked - then the hackers have the keys to the kingdom - you kingdom.

Which is why I prefer to keep my passwords locked safely away - in my head.

And I'm so used to this method that it only takes me about 30-40 secs to get a password when I need to.
.
Click to expand...

You need to read up on 1Password security. Even if they are hacked, they won’t be able to decrypt the data without my key. It takes me about 5 seconds to get one of my passwords including 2FA.

Not saying your way it wrong but there are easier ways to store and retrieve complex passwords.

I can also store card details fro quick payment, store secure encrypted documents and notes so if I drop dead tomorrow my wife knows where to access all the important documents even if the house burned to the ground.
 
I actually checked back to the header to see if this was in the ‘just joking’ section.

What a massive process. Is this legit? Seems a bit over the top unless you are head of MI5 or the big red button.
 
petersmart said:
Password managers are great until they get hacked - then the hackers have the keys to the kingdom - you kingdom.

Which is why I prefer to keep my passwords locked safely away - in my head.

And I'm so used to this method that it only takes me about 30-40 secs to get a password when I need to.
.
Click to expand...

Peter, have a read of this. Lastpass was actually breached some years ago but because of how it works there was virtually zero risk is you used a robust master password in the first place.

I use Lastpass on phone and pc and it takes me only a few seconds to get my passwords autofilled into the input fields where I need them. I'm not saying what you are doing is wrong or insecure but there are much quicker and equally as safe methods.
 
Last edited:
gremlin16 said:
I actually checked back to the header to see if this was in the ‘just joking’ section.

What a massive process. Is this legit? Seems a bit over the top unless you are head of MI5 or the big red button.
Click to expand...

It may seem long winded but I've used it for years and it works and once you get used to it it works perfectly.
.
 
ChrisJ_SLH said:
Peter, have a read of this. Lastpass was actually breached some years ago but because of how it works there was virtually zero risk is you used a robust master password in the first place.

I use Lastpass on phone and pc and it takes me only a few seconds to get my passwords autofilled into the input fields where I need them. I'm not saying what you are doing is wrong or insecure but there are much quicker and equally as safe methods.
Click to expand...

Well it certainly isn't wrong since I've used it for years and never been hacked and I never try to remember my PWs since I can create them the moment I need them.

And new ones are just as easy to create.

And I know LastPass is secure but you still have to have a totally secure master PW for it and can you remember a 64 bit PW - I can't.

But with this method you could easily create a master PW for LastPass and never need to store it anywhere eg:

PETERSMARTlastpass hashes to 9fa5efcf336bab05c7dd68f2b2450e86b4f3d672e826a40a4cc54ecfa7621562 which would me my master PW if I needed it nor would I need to remember it or store it anywhere - just my token phrase and the name of the website (lastpass)

And Auto Filling has been used to put malware onto PCs which is another reason I never use Auto Fill.

Even LastPass says "However, your passwords are vulnerable when they leave LastPass to autofill on a site. Once autofilled, the password is now on a website and could potentially be grabbed. We recommend that you only use extensions that you trust."

And I trust my way more than autofilling a site.
.
 
petersmart said:
And I know LastPass is secure but you still have to have a totally secure master PW for it and can you remember a 64 bit PW - I can't.
Click to expand...

64 bit? That's only 8 characters. I use an easily recalled 28 character password which in brute force cracking terms will be as hard as nails.

Every password, even the ones you generate using using your method are vulnerable are vulnerable once they reach a third party website. Auto-filling has nothing to do with it.
 
Length is important, and loads of the same character are as hard to crack as loads of random characters.
 
Interesting method there Peter. I am quite security conscious and have 2 Factor Authentication enabled whereever possible. I also can remember 30 or so secure passwords due to muscle memory from work.

What I want to look into is those USB Secure keys, but not fully sure on how they work.
 
If not using a password safe (I do), we recommend at work simply choosing a sentence you'll remember, a song lyric for example, and using then first characters. So, the first line of Harry potter for example. M&MDon4PDwvptsttwpntyvm.

I train charity workers though, and so often no passwords saved or on post-its is a win. :)

Steve
 
An interesting approach.

Many of the sites I use require a new password to be changed every 30 days so there's a need to incorporate another factor - could be month name etc.

That said, I work on a simpler basis:
  • I use a password manager - yes it's cloud based and it syncs to all my PC's, Phones and Tablets.
  • The password manager itself has Two Factor authentication enabled, so it can only be opened with both the password and a one time code.
  • Within the password manager, generated passwords for sites etc, so if they are compromised individually it has a limited blast radius so to speak.
  • If a site allows two factor authentication and it's a key site - email, banking etc, I'll use that too.
Which means I sign on once per session to the password manager, and then everything is immediate for that session as passwords are pre-filled (apart from banking, email etc). It's not as secure as your approach, but it's a better balance of security versus convenience for me.

We're having an interesting conversation at work at the moment - post GDPR, the security team is going overboard on aspects of an app we're publishing, and frankly, if we adopted 100% of their recommendations, the app would be so difficult to even log into, with such limited functionality, it would be as much use as a chocolate tea-pot. It's all about balancing the two, while remaining compliant.
 
ChrisJ_SLH said:
64 bit? That's only 8 characters. I use an easily recalled 28 character password which in brute force cracking terms will be as hard as nails.

Every password, even the ones you generate using using your method are vulnerable are vulnerable once they reach a third party website. Auto-filling has nothing to do with it.
Click to expand...

A 64 bit password means 64 characters - we're talking about computers in that context NOT JPEGs.
.
 
Steve SJ said:
If not using a password safe (I do), we recommend at work simply choosing a sentence you'll remember, a song lyric for example, and using then first characters. So, the first line of Harry potter for example. M&MDon4PDwvptsttwpntyvm.

I train charity workers though, and so often no passwords saved or on post-its is a win. :)

Steve
Click to expand...

But my approach produces a 64 bit PW every time you need one with no need to remember it.
.
 
Jake said:
Interesting method there Peter. I am quite security conscious and have 2 Factor Authentication enabled whereever possible. I also can remember 30 or so secure passwords due to muscle memory from work.

What I want to look into is those USB Secure keys, but not fully sure on how they work.
Click to expand...

If you can remember them from muscle memory then I would say you either have a prodigious memory or they're not safe enough.
.
 
petersmart said:
So Windows 64 bit is really only 8 bits? - WOW - looks like Microsoft REALLY screwed up:

https://support.microsoft.com/en-gb/help/15056/windows-7-32-64-bit-faq

.
Click to expand...
Eh? Not sure where you get that idea from...

You know the difference between a bit and a byte?
8 bits make a byte (interesting fact, 4 bits make a nibble, or half a byte!)
2 bytes make a word etc.

The article you link explains what this mean in the context of Windows OS - it's largely to do with the way it addresses memory (there are other differences, but lets focus on that).
32 bit windows uses 32 bits of information (also known as a DWORD, 4 bytes etc) to address memory. That means, the maximum number of individual memory locations it can address is 4,294,967,295 (assuming unsigned notation, no point in using signed with would give −2,147,483,648 to 2,147,483,647). That's 4GB.

64 bit windows uses 64 bits of information for memory addresses - dramatically expanding on the addressable memory space.

None of this changes the meaning of the word 'bit' by the way.

Back to passwords, depending on the character set / encoding you are using, 1 character can be anything from 8 bits through to 32 bits.
 
ecoleman said:
Bits and characters are not comparible. In ASCII it takes 8 bits to store 1 character. Therefore 8 characters = 64 bits. If using something like UTF-8 encoding it can be anything from 8 to 32 bits to store a single character.

64 characters != 64 bits
Click to expand...

So a 64 bit hash DOESN'T produce 64 characters and a 256 bit hash doesn't produce 256 characters?

These days in the context of computers (and passwords) 64 bits means 2^64 which is the whole basis of cryptography.

Sorry, can't be bothered arguing this non point any more.

THE END (as far as I'm concerned).
 
Last edited:
petersmart said:
So a 64 bit hash DOESN'T produce 64 characters and a 256 bit hash doesn't produce 256 characters?

These days in the context of computers (and passwords) 64 bits means 2^64 which is the whole basis of cryptography.

Sorry, can't be bothered arguing this non point any more.

THE END (as far as I'm concerned).
Click to expand...
I know you've decided not to read this but for others who may be interested...

First of all there is no single 'hash' function - it's just a process that repeatedly and consistently turns an input into an output. SHA-256 is an example of a common one.
The particular function is design to take an input and converting it into a 256 bit value.
That 256 bit value is the same as a 32 bytes, and using hexadecimal notation, each byte can be represented by 2 characters of text (00 through to FF), thus the 256 bit output is represented by 64 characters of text when using Hexadecimal notation.

Edited to correct ...
2^64 does mean exactly what is says - that's 64 bit. What's wrong in your assertion is how that relates to characters on a password.

In reality 'your 64 bit' (sic) password is actually 256 bit, so I'm not sure why you would try to re-invent the terminology to suite an argument when the counter puts you in a stronger position
 
Last edited:
This doesn't make things much more secure for a lot of users. They will still be using the same simple password and it will just generate a great big string of text (and the same string of text) every time. So fred, wordpass, 1234, 1945, 314159, etc can be put into the system and used by the hackers. This is no more secure than a simple substitution cypher if your underlying password is simple.
 
petersmart said:
So Windows 64 bit is really only 8 bits? - WOW - looks like Microsoft REALLY screwed up:

https://support.microsoft.com/en-gb/help/15056/windows-7-32-64-bit-faq

.
Click to expand...

No, Microsoft understand what bits are - binary digits that can only have one of two values. You need multiple bits to store a character (e.g. 7 bits in the classic ASCII code, which may be stored in an 8-bit byte). A SHA-256 hash contain 256 bits of data, as the name suggests. It is represented by 64 characters, each of which is a hexadecimal numeral - i.e., it has 16 possible values, or 4 bits of data. 64 * 4 = 256.
 
petersmart said:
If you can remember them from muscle memory then I would say you either have a prodigious memory or they're not safe enough.
.
Click to expand...
They're secure enough and memorable via muscle memory and a technique of my own. The only time it throws me is when a website doesn't accept symbols in the password :p

Haven't been compromised, yet!

No doubt your passwords listed above is safer, but it has too many points of failures for my liking.
 
Wow massive overkill..

A password is only as secure as the system you're signing in to. That gets compromised and your 64bit key is worth jack.

As I said in the Instagram post, length is to some degree irrelevant it's more important to use different pass per site for when one is compromised.
 
Last edited:
Retune said:
No, Microsoft understand what bits are - binary digits that can only have one of two values. You need multiple bits to store a character (e.g. 7 bits in the classic ASCII code, which may be stored in an 8-bit byte). A SHA-256 hash contain 256 bits of data, as the name suggests. It is represented by 64 characters, each of which is a hexadecimal numeral - i.e., it has 16 possible values, or 4 bits of data. 64 * 4 = 256.
Click to expand...

NO - a 64 bit hash actually represents 16^64 possible combinations NOT 64^4.

Which is why SHA256 is used in a great deal of cryptography - including the bitcoin blockchain.
.
 
petersmart said:
NO - a 64 bit hash actually represents 16^64 possible combinations NOT 64^4.

Which is why SHA256 is used in a great deal of cryptography - including the bitcoin blockchain.
.
Click to expand...
I didn't mention combinations. Why do you think SHA-256, which produces 64 character hashes, is called SHA-256?
 
petersmart said:
So a 64 bit hash DOESN'T produce 64 characters and a 256 bit hash doesn't produce 256 characters?
Click to expand...
Correct.

A 64 bit hash produces 64 bits, and a 256 bit hash produces 256 bits. As has already been explained to you, a bit is not a character. A bit is a binary digit and a character typically requires 8 bits, or one byte (using the ASCII character set; more, using the much larger Unicode character set), to store it.

However, the process you described in your opening post is not a 64 bit hashing function. It is a 256 bit hashing function. There's a clue in the name: SHA-256.

petersmart said:
Firstly install the SHA256 generator....

I love Gerbils will produce the following 64 bit hash:

d413e8450b19f873e72d9829b7f4d48469b62986fb0e47f7c8047e2a90e96d10
Click to expand...

The hash you have pasted there is 64 hexadecimal characters. Hex is commonly used as a convenient way of writing binary outputs, using 4 bits for each hex character, because all the characters (0..9, a..f) are easily recognised and remembered.

I love Gerbils will actually produce the following 256 bit hash

11010100000100111110100001000101000010110001100111111000011100111110011100101101100110000010100110110111111101001101010010000100011010011011011010100110000110111110110000111001000111111101111100100000000100011111100010101010010000111010010110110100010000

which has the following 64 character hexadecimal representation

d413e8450b19f873e72d9829b7f4d48469b62986fb0e47f7c8047e2a90e96d10
 
Last edited:
neil_g said:
Wow massive overkill..

A password is only as secure as the system you're signing in to. That gets compromised and your 64bit key is worth jack.

As I said in the Instagram post, length is to some degree irrelevant it's more important to use different pass per site for when one is compromised.
Click to expand...

Length is irrelevant - really?

A few years ago when a website was hacked and millions of accounts stolen a researcher got the database and, using an ASIC machine cracked 5% of the accounts within 30 SECONDS!

Tey were the accounts with the easiest passwords - a month later he had cracked 95% (!) of all accounts and only those with the longest passwords remained uncracked.

So length certainly matters and so does a unique PW on every different site.

Which is what my way allows anyone to do and get the maximum length allowed on a site.

The only way it could be made more secure is to use ASCII characters (256 characters) instead of HEX (16 characters) because then a 64 bit PW would have 256^64 possible combinations instead of 16^64.

But as it stands it can be used by anyone who wants to and as I have said I have used this method for years to generate loads of unique PWs.

So I am quite happy to go on using it until Squirrel becomes widespread, when all these discussions will be moot and a truly uncrackable PW system will be widespread:

https://www.grc.com/sqrl/sqrl.htm

https://en.wikipedia.org/wiki/SQRL
.
.
 
I have enjoyed this thread, but it's a little 'deep' for my small brain :confused:

I have my own way of building passwords, for example, if my pass word for this site was 'Talk Photography', which it isn't.

I would change characters like so 'T41kPh0T0gR4phY'

Relatively easy to recall, and some of my pass words are 10 words in length.
 
StewartR said:
Correct.

A 64 bit has produces 64 bits, and a 256 bit hash produces 256 bits. As has already been explained to you, a bit is not a character. A bit is a binary digit and a character typically requires 8 bits, or one byte (using the ASCII character set; more, using the much larger Unicode character set), to store it.

However, the process you described in your opening post is not a 64 bit hashing function. It is a 256 bit hashing function. There's a clue in the name: SHA-256.



The hash you have pasted there is 256 hexadecimal characters. Hex is commonly used as a convenient way of writing binary outputs, using 4 bits for each hex character, because all the characters (0..9, a..f) are easily re ignused and remembered.

I lover Gerbils will actually produce the following 256 bit hash

11010100000100111110100001000101000010110001100111111000011100111110011100101101100110000010100110110111111101001101010010000100011010011011011010100110000110111110110000111001000111111101111100100000000100011111100010101010010000111010010110110100010000

which has the following 64 character hexadecimal representation

d413e8450b19f873e72d9829b7f4d48469b62986fb0e47f7c8047e2a90e96d10
Click to expand...

You are all correct and I was wrong - due to a misunderstanding of the 256 in SHA256.

MEA CULPA.

It does indeed produce 256 digital bits or 32 bytes of 8 bits.

My apologies to you all and I am suitably humbled - but not for long :) since my knowledge has now been increased due to you all.

But my PW method is still the best I have found for producing unique passwords quickly.

Thank you all.
.
 
Last edited:
Erty said:
This doesn't make things much more secure for a lot of users. They will still be using the same simple password and it will just generate a great big string of text (and the same string of text) every time. So fred, wordpass, 1234, 1945, 314159, etc can be put into the system and used by the hackers. This is no more secure than a simple substitution cypher if your underlying password is simple.
Click to expand...
It's not quite as bad as that, because the password is 'salted' by concatenation with another string (otherwise, you could just pull out simple passwords using sites like crackstation which has pre-computed SHA-256 hashes for over a billion simple or previously used passwords). However, the salt in petersmart's scheme is simply derived from the website name or email address, and is easy to guess for a target site since the scheme has now been publicly described. He also suggests using a 'simple, short' original plain text password ('token'), which is bad advice. The problem is that a lot of simple, short passwords (in combination with the obvious salt) can potentially be tested in a reasonable time ( https://thycotic.force.com/support/s/article/Calculating-Password-Complexity ). If a motivated attacker knew about this scheme, had access to a single hashed password (e.g. from a compromised site), and the original plain text password 'token' was weak enough to find in a reasonable time by an offline brute force or dictionary search that included the obvious salt, then that would compromise all the user's other hashed passwords, since the plain text 'token' is being re-used. However, mass site hacks will concentrate on the low-hanging fruit, the people who used exactly the same password and email address on multiple sites, rather than unusual schemes like this. So petersmart's accounts will hopefully remain unhacked, though he shouldn't mention this scheme on a crypto forum, where people will be very mean about it.
 
Retune said:
It's not quite as bad as that, because the password is 'salted' by concatenation with another string (otherwise, you could just pull out simple passwords using sites like crackstation which has pre-computed SHA-256 hashes for over a billion simple or previously used passwords). However, the salt in petersmart's scheme is simply derived from the website name or email address, and is easy to guess for a target site since the scheme has now been publicly described. He also suggests using a 'simple, short' original plain text password ('token'), which is bad advice. The problem is that a lot of simple, short passwords (in combination with the obvious salt) can potentially be tested in a reasonable time ( https://thycotic.force.com/support/s/article/Calculating-Password-Complexity ). If a motivated attacker knew about this scheme, had access to a single hashed password (e.g. from a compromised site), and the original plain text password 'token' was weak enough to find in a reasonable time by an offline brute force or dictionary search that included the obvious salt, then that would compromise all the user's other hashed passwords, since the plain text 'token' is being re-used. However, mass site hacks will concentrate on the low-hanging fruit, the people who used exactly the same password and email address on multiple sites, rather than unusual schemes like this. So petersmart's accounts will hopefully remain unhacked, though he shouldn't mention this scheme on a crypto forum, where people will be very mean about it.
Click to expand...

Any cracker would then have to test for every combination used regarding the token, e-mails and the site name and then test each and every hash produced - an enormous task whichever way they go.

In fact probably more time consuming than just brute forcing the hash.

And, don't forget, Bitcoin miners have to build HUGE superfast machines to try to achieve the same result - not to crack my PWs but to come up with a hash with a certain number of zeros at the front.

So I think I'm still secure.
.
 
Last edited:
You must log in or register to reply here.
Back
Top