
Password Reconstructors

Disclaimer: This post is inspired by emails exchanged between myself and Dr. Mark Gardner (Virginia Tech). The term “password reconstructor” has been coined by him. The software mentioned below is developed by Richard B. Tilley.

Most of us are familiar with the best practices for choosing passwords. When following these best practices, such as not reusing a password across websites and mixing letters, numbers and symbols, it is impractical to memorize all our passwords. Consequently we use password managers such as LastPass, 1Password, KeePass, or similar software. Now, with the news of the Heartbleed bug, everyone has been forced to change their passwords. This change of all the passwords has not been fun for me.

After discussion with several colleagues, I realized that I can do away with the problem of managing my passwords. There is something called a “password reconstructor”, with which you are not required to remember, store or manage hundreds of passwords; you do need to remember one phrase though. But that is not a challenge for us; after all, we’ve been memorizing passwords that look like Egyptian hieroglyphs.

So what are these password reconstructors, and how do they work?

The idea is that you use a secret phrase or a master password along with labels to generate your passwords. The phrase would act as your secret key and the label would indicate the purpose of the password. For example, you may use the phrase “intelligence is imagination” and the label “bank” to generate a password for your bank account. Similarly, you would use the same phrase with the label “amazon” to generate the password for your amazon account.

As password reconstructors use cryptographic hash algorithms, the smallest difference in the phrase or label results in a substantially different password. For example, below are two passwords generated from slightly different labels.

phrase:intelligence is imagination; label:bank; password:JBB1H4O1G0Nur3.H0k
phrase:intelligence is imagination; label:Bank; password:p5ZMIXL1OuHaIZ.H0k

Note that I used the same phrase but changed the first letter of the label: the first uses “b”, while the second uses “B”. The passwords generated are altogether different.

These passwords were generated by software available here. It does not generate passwords with symbols or punctuation. Therefore the author chose to add a fixed four-character suffix, “.H0k”. This makes the password compliant with the requirements of websites that ask for at least one upper-case letter, one lower-case letter, one digit and one punctuation character.
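As an added illustration, not the code of the tool linked above (whose exact hash function and encoding the post does not state), the following Python sketch derives a password from a phrase and a label in the way described, then checks the site policy the suffix is meant to satisfy. It assumes PBKDF2-HMAC-SHA256 with the label as the salt and a base-62 encoding of the digest; both are choices of this example, and the slow KDF is there so that a single leaked site password is expensive to turn into a guess at the master phrase.

```python
import hashlib
import string

# Constructed example of the phrase + label scheme from the post.
# Hash, encoding and iteration count are assumptions, not the linked tool's.
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits  # base 62
SUFFIX = ".H0k"        # fixed suffix from the post; supplies the punctuation character
ITERATIONS = 200_000   # slow KDF: raises the cost of guessing the phrase from a leak


def reconstruct(phrase: str, label: str, length: int = 14, suffix: str = SUFFIX) -> str:
    """Derive a site password from the secret phrase and a purpose label.

    The label is the PBKDF2 salt, so "bank" and "Bank" give unrelated outputs,
    exactly as the two sample passwords in the post illustrate.
    """
    digest = hashlib.pbkdf2_hmac(
        "sha256", phrase.encode("utf-8"), label.encode("utf-8"), ITERATIONS
    )
    # Encode the 256-bit digest as a base-62 string and keep the first `length` chars.
    n = int.from_bytes(digest, "big")
    chars = []
    while n:
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    body = "".join(chars)[:length]
    return body + suffix


def meets_policy(password: str, min_len: int = 12) -> bool:
    """Typical site rule: upper, lower, digit and punctuation must all be present."""
    return (len(password) >= min_len
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def differing_positions(a: str, b: str) -> int:
    """Count positions where two passwords differ (a rough avalanche measure)."""
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    phrase = "intelligence is imagination"
    for label in ("bank", "Bank", "amazon"):
        pw = reconstruct(phrase, label)
        print(f"label:{label}; password:{pw}; policy ok:{meets_policy(pw)}")
```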

So there you go. We do not need to store any password. We do not need to painstakingly think of a combination of words with weird characters, later to be prompted that the password provided does not meet the website’s requirements. All we need is one secret phrase, and a label to obtain a strong password.

The software developed by Brad is available for OSX, Linux and Windows. The source code is available too.

I am grateful to Mark for bringing this software to my attention and thankful to Brad for publicly sharing the software and the code. I’ve set up a copy of the JavaScript version here.

Categories: best practices