After reading this article, I went and changed all of my passwords. I usually read security articles like this and skim over them…feeling a bit bummed that it happened, but not really taking it seriously. This one was bad. Take these few highlighted quotes from the early part of the article:
In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter.
But this is more interesting, as he explains the path that led to the hacking.
But what happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification.
What ends up being revealed from this article is that this was a social engineering attack. It wasn’t really a “technical” vulnerability… it was how the customer support representatives let up information that allowed others to recover sensitive information on another site. But what struck me the most as the biggest problem (and illuminated in that first quote), was that all of the accounts were tightly coupled.
Before I read this article, I basically had two passwords. I would guess that many of you reading this also have a small number of passwords that you use on every site. I had one “secure” password that I would use on a small number of sites I trusted, and a “insecure” password I would use on sites I was skeptical of. This is not a very good strategy. The problem here is essentially very similar to that in the article–all of my accounts are tied together. If one insecure site was hacked, then my password for most sites on the internet was released. If one of my secure sites was hacked, then my password for all of my important sites was leaked. Either way, not a very good scenario.
Security vs. Convenience
The essential tradeoff at stake here is security versus convenience. One one side of the spectrum is the most convenient, which is having one simple password that you use for everything, and this is the most insecure. On the other end of the spectrum is using a password manager like 1Password… but then you don’t even know any of your passwords, and you can’t log in on a computer that isn’t your own without a browser extension or a clunky iPhone app.
I tried a password manager for a bit, but it was too inconvenient for me. I am looking for a balance between security and convenience–the convenience I want is to be able to know my own passwords! I remember I had a password manager storing my password for my bank, and I wasn’t able to log in from my phone.
Here is a new way to manage your passwords, and this is what I am doing now. I am using rule-based passwords. Rule-based passwords mean every site has a unique and “strong” password, but that it is extremely unlikely for one leaked password to compromise all of your passwords. Yes, a hacker could in theory try and figure out your rule, but this is extremely unlikely considering you can have any rule you want, and that most password leaking would operate on a scale where it is not time-effective for a hacker to try to look at each password individually.
Essentially, my online presence is orders of magnitude more secure since all of my passwords are different. In my opinion, this is better and effectively as secure as having 30 character passwords I don’t know. (The weak point right now is Gmail, and I am using two-factor authentication for that.)
How to Make A Rule Based Password
1. Pick some base word. It doesn’t have to be an english word; it could be an acronym.
2. Add several numbers (help satisfy password rules)
3. Construct a rule based on the site name. It could be something like the 2nd and 4th letter of the site name. The last letter and the number of letters… anything as weird as you would like. A more confusing rule is not helping you that much… the biggest gain is having any way to separate your passwords. Use these letters in caps.
For example, lets say my word was “eraser” and my numbers were “931” and my rule was 2nd and 4th letter. Then my Facebook password would be
My Twitter password could be:
I’m telling you… this scheme is better than the two passwords you are using on every site. And I’m telling you… it’s way more convenient than a password manager. That paranoia is not helping you very much.
So that is my recommendation on how to improve your passwords. Have other ideas? Let me know in the comments. What other ways can you have strong passwords that you can remember?
8 thoughts on “Why You Should Use Rule-Based Passwords”
I’ve been using rule-based passwords for ages and they are awesome. I sometimes visit a site where I happen to have made a login years ago (and maybe even don’t remember), but still I can log in with a unique password.
However, I do recommend against putting the variable letter in caps and at the end of the word. Now, if I have your Facebook password, it takes me at most 26×26=676 guesses to have your Twitter password, no matter how complex your formula is. The variable part should be hidden inside the password, more like eRawtsEr931, where eRa__sEr931 is constant.
Sure, that’s true–but only if you are using a rule with 2 uppercase characters. You could use 3, or mix them up like you suggest, or do any number of things based on the name. Another idea (take the next letter… so F->G). Essentially, you are still making it a massive ordeal to try and crack your password… and are way less vulnerable than before. The rule above was just a simple example.
How do you handle situations where a website requires a new pwd every few months?
This hasn’t happened to me at all yet… but I know there are some sites like this. One method is to have some rule for the time component as well. Maybe you take the year and modify it.
I used rule-based passwords like this for a while, but this didn’t feel particularly secure. I’ve switched to using 1Password for all but a few services, which generates random passwords and handles them pretty well. This way, even if someone gets access to a bunch of my passwords, they can’t get the rest unless they get access to 1Password or my email account (which is 2-factor).
I was a bit worried at first about trusting 1Password not to lose or corrupt the data, but then I realized that all my accounts are tied to the same email for reset.
Yeah… I tried 1Password… but it was wayyy too much of a hassle for me. Say you want to log into an account at a friends house… but your phone died…. you don’t even know your own passwords. Then you have to go through a clunky process to pull it up. When I watch some friends pull up 1Password on their phone just for a basic login (and it takes a pretty long time), it’s kind of funny.
Like I mentioned, the tradeoff is one between security and convenience… there are methods that are even more secure than passwords… and even more of a hassle. All in all, for me, the 1Password approach was way too paranoid.
Hii Sorry to asking this
im trying to use your Facebook Ranking but the links not working
its broken can you pls fix it 🙂
im waiting so long, i mean form last year |can plss plss plsss 🙂
This is awesome man. I have been using a rule-based system for year without knowing that’s what it’s called. It’s a very different version of a rule-based system, which I’ll explain in person 🙂