Chances are you have logins on a dozen different web sites too. You can't remember a dozen unique passwords so you come up with something along the lines of "IL!keP1e" that meets all the usual requirements - it's 8 characters long and contains all the different character types. You use it on the all web sites you sign up on. Everything is great until one of those sites gets hacked and suddenly these l33t h@x0rz have a username and password they can try everywhere else.
So you protect yourself by changing it up a little. Instead of "IL!keP1e" you use "IL!keP1e-Facebook" and "IL!keP1e-ChaseBank". It feels like you did something but really you're no better off.
As we've seen all too often in the news, a lot of web sites do a poor job protecting your password. On many sites it's sitting unencrypted in a database just waiting to be dumped onto an site with a lot of Zs in the URL.
Here's a quick tip - if a web site has any weird restrictions around legal characters or a short maximum password length, chances are they're storing your password unencrypted. Competent sites store a hashed version of your password which renders these restrictions moot. At the end of the day though, you have no idea how any site is storing your password so the safest course of action is to use a different complex password for each of them.
NARPassword is a program to generate a non-random password based on a personal pass phrase and password name. Here are some examples of the passwords it produces.
Why am I qualified to write an application like this anyway? I did do a whole bunch of graduate work in computer security. I won't be a blowhard and claim to be an expert but I'm not a complete dunce either. I'm confident enough that this works that I use it for every web site password.
Benefits
- Small changes to either the pass phrase or password name result in radically different passwords.
- If a password is compromised the hacker would not be able to reverse-engineer your pass phrase or other passwords.
- Generated passwords should not be vulnerable to dictionary attacks. I can't say "won't" because I don't have any rules in place to prevent this algorithm from generating words. So if you pick an 8 character password with only uppercase and lowercase letters it's entirely possible, but statistically unlikely, this will generate something like "PasSwORd".
- For passwords up to a length of 64 there are no repeat characters.
- Multi-platform - the Windows and Java versions produce identical output.
- This application can create a false sense of security. If your name is Joe and your pass phrase is "Joe" it won't be all that difficult for someone to unlock all your passwords. Now if your pass phrase is "Joe likes salami", and you're not named Joe and hate salami, then you're in better shape. Think of your pass phrase as being a "master password", you really don't want to use something that's easy for others to figure out.
- Two completely different pass phrase and password name combinations could theoretically produce the same password. This is especially true for short passwords. I'm sure I messed up the math but using 8 characters passwords there are only 7,985,250,000 unique combinations this application can produce. For 128 character passwords there are only roughly 2.9e+113 unique combinations this application can produce. That might sound like an incredible amount but there are far more potential pass phrase/password name combinations.
- This program is free software under the terms of the GNU General Public License as published by the Free Software Foundation; version 2. This program is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details.
