by Mondialisation 1577 days ago
What about using a recurring pattern for your passwords: take an encryption of a piece of information of your choice from the service you use, tweak it a little, and add it to a static base password.

That way only you know how to pull that information to generate your password, it's always unique, and even in the worst-case scenario where several of your passwords get leaked, it would still be extremely unlikely for someone to make any sense of them in order to figure out all of your unique passwords derived with that method.

You should use your imagination here, but as an example of what that would look like, let's say you want a password for amazon.com.

Step 1 - Hash "amazon", or any variation based on their name that you can reproduce for other services.

You can use md2, md5, sha256; it doesn't really matter which one you choose, you could even create your own. Let's say we use sha256; you're given the following:

  cbc62794911ff31b2864ecd3dbbbee7ebcb7ea41c5a42e2cba377f3cfdb42811

Step 2 - Decide what your pattern will be

A simple example could be to pick whatever character is at index 3, 5, 12 and 16, once from the beginning of the hash and once from the end, which gives you 8 characters. Then you just make those the unique key for your amazon.com password; in our case:

  c2fb847b

All you have to remember is the hash you used and 4 letters, in this example. But as I mentioned, you could be imaginative.

Step 3 - Get a base password that resembles whatever results you get from your hashing method

This will be the password you will have to remember, nothing new here. Example in our case:

  m188ct3q

Step 4 - Fuse both

Again, you can implement this however you like, balancing how secure you want it to be against how likely you are to remember it and how time-consuming it is to apply in practice; you'd be fine simply joining them next to one another:

  c2fb847bm188ct3q

Thoughts?
1 comment
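The four steps above, written out as an added example (this is not code from the post's author). It uses the post's own hex digest as a constructed fixture for the character-picking step, so that step can be checked independently of what SHA-256 actually returns for "amazon"; `POSITIONS`, `site_key`, `derive_password` and `recover_base` are names chosen here. The last function is the practitioner's check the post invites: because the base password is static across sites, anyone who knows the pattern and has one leaked password only has to guess the site label to strip the site-specific prefix and recover the base.

```python
import hashlib

# Hex digest as printed in the post (its claimed SHA-256 of "amazon"),
# used as a constructed fixture for checking the picking step.
POST_HASH = "cbc62794911ff31b2864ecd3dbbbee7ebcb7ea41c5a42e2cba377f3cfdb42811"

# The post's indexes are 1-based and are read once from the front of the
# digest and once from the back (assumed from the worked result "c2fb847b").
POSITIONS = (3, 5, 12, 16)


def pick_chars(hexdigest: str, positions=POSITIONS) -> str:
    """Step 2: characters at `positions` (1-based) from the start of the digest,
    followed by the characters at the same positions counted from the end."""
    front = "".join(hexdigest[p - 1] for p in positions)
    back = "".join(hexdigest[-p] for p in positions)
    return front + back


def site_key(site: str, positions=POSITIONS) -> str:
    """Steps 1 and 2: SHA-256 the site label, then pick the characters."""
    digest = hashlib.sha256(site.encode("utf-8")).hexdigest()
    return pick_chars(digest, positions)


def derive_password(site: str, base: str, positions=POSITIONS) -> str:
    """Steps 3 and 4: site-specific key joined to the static base password."""
    return site_key(site, positions) + base


def recover_base(leaked_password: str, site_guess: str, positions=POSITIONS):
    """What one leaked password gives to someone who knows the pattern:
    recompute the site key for a guessed site label and strip it off.
    Returns the static base on a match, None otherwise."""
    key = site_key(site_guess, positions)
    if leaked_password.startswith(key):
        return leaked_password[len(key):]
    return None


if __name__ == "__main__":
    print(pick_chars(POST_HASH))                    # c2fb847b, as in the post
    pw = derive_password("amazon", "m188ct3q")
    print(pw)
    print(recover_base(pw, "amazon"))               # m188ct3q
```

The site-specific part is 8 hex characters, so at most 32 bits of variation between sites, and all of it is recomputable from a public label; the only secret in the scheme is the base password, which every derived password contains verbatim.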

> Thoughts?

Honestly, I hate it.

Why select a few chars of the hash instead of using something like hash(argon2(password) + domain)?

Anyway, FIDO tokens and WebAuthn are the future. They do a better version of this in addition to eliminating phishing, replay attacks, etc.
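The construction the comment suggests, hash(argon2(password) + domain), as an added example (not the commenter's code). Argon2 is not in the Python standard library, so this example substitutes `hashlib.scrypt`, also a memory-hard KDF, for the argon2 step; the scrypt parameters, the salt, the output alphabet and the `canonical_domain` step are all assumptions chosen for the demo. The point it shows is the contrast with the post: the slow step runs once over the master password, the whole digest feeds the per-site password, and nothing derived for one site reveals the master.

```python
import base64
import hashlib

# scrypt stands in for argon2 here. Parameters are assumptions for a quick
# demo (16 MiB of memory), not a tuned recommendation.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

# Constructed salt for the example. It only needs to be stable per user,
# not secret.
SALT = b"example-salt-not-secret"


def canonical_domain(domain: str) -> str:
    """Normalise the label so "WWW.Amazon.com" and "amazon.com" derive the same
    password; otherwise a typo in case yields a different, unrecoverable one."""
    d = domain.strip().lower().rstrip(".")
    if d.startswith("www."):
        d = d[4:]
    return d


def stretch_master(master: str) -> bytes:
    """The argon2 step of the comment, done once per session:
    memory-hard KDF over the master password, fixed 32-byte output."""
    return hashlib.scrypt(master.encode("utf-8"), salt=SALT,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def site_password(stretched: bytes, domain: str, length: int = 20) -> str:
    """hash(stretched || domain). The stretched key is fixed-length, so plain
    concatenation is unambiguous. The full digest is encoded, then truncated
    to the requested length, rather than picking a handful of characters."""
    digest = hashlib.sha256(stretched + canonical_domain(domain).encode("utf-8")).digest()
    # url-safe base64 gives [A-Za-z0-9_-], 6 bits per character.
    encoded = base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")
    return encoded[:length]


if __name__ == "__main__":
    key = stretch_master("correct horse battery staple")   # constructed master
    for site in ("amazon.com", "WWW.Amazon.com", "ebay.com"):
        print(f"{site:16} {site_password(key, site)}")
```

A leaked site password is a truncated SHA-256 output; inverting it to the stretched key is a preimage search, and even the stretched key is not the master, which is guarded behind the memory-hard KDF. Guessing the master from a leaked site password means paying the KDF cost for every guess.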