A week or so ago, I received an email from Facebook with something quite out of the ordinary: my Facebook account had been accessed from an unknown location. I have encountered this message in the past, of course, but I was usually on vacation, so I was well aware that such a message would be likely to rear its head. However, when I went through Facebook’s authentication process to re-enable my account, I learned that my account was apparently accessed by someone in Hungary. Uh-oh.
Now I’m not one of those people who uses the name of their pet as their one and only password for everything. The password I was using was a good 12 characters long, consisting of a pseudo-random assortment of numbers, letters, and symbols, mixing case in parts. I did not ever think that someone would manage to crack it.
After the incident, I hurried all across the Web, checking my various other online accounts to make sure they weren’t compromised as well. For the record, whoever accessed my Facebook account didn’t appear to do anything with it, so perhaps it was just a freak occurrence. Nevertheless, I was concerned. Rightfully so, of course. My online identity is huge, spanning across multiple social networks with a plethora of eyes staring at me, to other sites and apps I use on a day-to-day basis for important tasks and information (my Google account used the same password, as did my GitHub account).
Thankfully, a friend told me about a neat little tool called PasswordMaker. The concept is simple: one password to rule them all. You hand PasswordMaker one master password along with various other parameters (like a URL or password length), and it will generate a complex and — most important — unique password for the site you are currently visiting. You get all the benefits of a simple “common English” password (ease of remembering and typing) in addition to the benefits of a highly secure permutation of alphanumeric characters and symbols. This means you can generate a password 20 characters long from a phrase half the length. Best of all, your master password is never handed out to anyone; it is yours and yours alone.
But the question might arise: How is this method better than using (as Chris put it) “FourRandomWordsTogether?” The advantages of that particular password scheme are explained in this xkcd comic. As for that method versus PasswordMaker, I asked my friend to explain (he is a bit more hip on password security), and he did just that:
Considering an alphanumeric set to choose from, there are 62 possibilities. That means that the entropy is log2(62), which is about 5.95 bits of entropy. Multiply that by eight characters, and you have 47.6 bits of entropy, which is more than xkcd’s method. If you were to use 12 characters, there would be 71.4 bits of entropy. That means a 12-character alphanumeric password takes 203436034 times longer to crack than 4 random words, but even an eight-character alphanumeric password takes eight times longer to crack than four random words.
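To make the two ideas above concrete (one master password turned into a distinct password per site, and the entropy arithmetic in my friend’s explanation), here is a small added example; it is not PasswordMaker’s own code. It swaps in PBKDF2-HMAC-SHA256 for the hash PasswordMaker uses, and the 62-character alphabet, the iteration count, the site/revision salt format and the sample master password are all my own assumptions.

```python
import hashlib
import math

# Alphabet assumed here: the 62 alphanumerics the explanation counts.
ALPHANUMERIC = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string drawn uniformly: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def crack_ratio(bits_a: float, bits_b: float) -> float:
    """How many times longer an exhaustive search of A takes than of B."""
    return 2.0 ** (bits_a - bits_b)


def derive_site_password(master: str, site: str, length: int = 12,
                         revision: int = 0, alphabet: str = ALPHANUMERIC) -> str:
    """Deterministically derive a per-site password from one master password.

    Hypothetical scheme (not PasswordMaker's): PBKDF2-HMAC-SHA256 stretches the
    master password, with the site name and a revision number as salt, so each
    site (and each rotation of a site's password) gets an unrelated output.
    """
    salt = f"site:{site}|rev:{revision}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000)
    # Rejection sampling: accept only bytes below the largest multiple of
    # len(alphabet) that fits in a byte, so every character is equally likely.
    limit = 256 - (256 % len(alphabet))
    chars = []
    block_index = 0
    while len(chars) < length:
        # Expand the key into as many hash blocks as the requested length needs.
        block = hashlib.sha256(key + block_index.to_bytes(4, "big")).digest()
        block_index += 1
        for b in block:
            if b < limit:
                chars.append(alphabet[b % len(alphabet)])
                if len(chars) == length:
                    break
    return "".join(chars)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    for site in ("facebook.com", "github.com"):
        print(site, derive_site_password(master, site))
    print("12 alphanumeric chars:", round(entropy_bits(62, 12), 1), "bits")
    print("4 words from a 2048-word list:", entropy_bits(2048, 4), "bits")
```

Bumping `revision` is how you replace one site’s leaked password without touching the master or any other site, which is the practical check to make before trusting any deterministic scheme of this kind.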
Needless to say, that convinced me. You might want to read up on a bit of information theory if you really want to fully comprehend that explanation, but based on what I already know, it makes perfect sense to me.
That said, hopefully you will consider PasswordMaker as an alternative to whatever method you are currently using. And for Tux’s sake, please don’t attempt to use any of the four most commonly used passwords to secure your valuable online identity.
Check out the PasswordMaker website for more information on this invaluable tool.