@adamjgrant
Last active August 29, 2015 14:05

The pattern hash trick

How to have a unique password for every website but only memorize one thing

Update: Thanks to an HN commenter, this exists! I should note, however, that it's much more secure to leave the SHA-1 hashing to the app but do your formula editing in your head, where hackers can't get to (yet).

Update: Here's how to do it from a Unix command line: echo -n twitter.com0 | sha1sum | awk '{print substr($1, 1, 10)}'

This works on a Mac (using $NF instead of $1 picks the last field, so it still works when openssl prefixes its output with "(stdin)="): echo -n twitter.com0 | /usr/bin/openssl sha1 | awk '{print substr($NF, 1, 10)}'

tl;dr

  1. Memorize a formula to change any string, like "add a zero at the end"
  2. Apply the formula to the site, e.g. "twitter.com0"
  3. The first 10 characters of the returned SHA-1 hash is your password.

Problem

Memorizing a separate password for each website is optimal for security but totally unrealistic. Password managers exist, but they require trusting a third party and still hinge on a single master password for all logins.

Solution

Don't memorize many passwords; memorize one formula. The formula describes how to manipulate the host site's name.

We could say our pattern is just to add a zero at the end.

So twitter.com becomes twitter.com0 and gmail.com becomes gmail.com0.

Stopping here would be risky. If someone gets one of these passwords, they might easily catch on to what you're doing for all of them.

The next step is to generate a SHA-1 hash from the string. This sounds crazy technical, but it's as simple as pasting the string into a text box and hitting enter. Free SHA-1 hash generators are all over the place; Google will find one, but use it offline.

Behold, a unique password

Pasting twitter.com0 into http://www.sha1-online.com/ (preferably, you'd use an offline tool) we get

f715207db8 542d08c6106d9ce67cf2cac3086d34

Take the first 10 characters of that (the part before the space above), and there is your password.

Use strong patterns

Of course, simply appending a 0 to the end of the URL probably isn't a strong enough pattern. You may want to enter bits of your birthday, social security number, address of your first home, etc.

A more intense example

One way you might do this (which takes a lot more brainpower) is as follows:

  1. Take the first letter of the URL

    f acebook.com

    y ahoo.com

  2. Find the next letter in the alphabet, in this case, "g" and "z"

  3. Recall the NATO phonetic alphabet name for it (you know, alpha, bravo, charlie... in this case "Golf" and "Zulu")

  4. Use the second letter of that word (g o lf and z u lu)

  5. Insert that at the end

    facebook.como

    yahoo.comu

  6. Insert 9 as the second character

    f9acebook.como

    y9ahoo.comu

  7. Generate hash

    12f3b803ec4c5f816e7107835759ab3667d42e4b

    8d9571a7ce6e1db79eff1535a81de5ab0fa3d484

  8. Trim to 10 characters and capitalize the first letter that appears

    12F3b803ec

    8D9571a7ce
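Both patterns above, carried through end to end, as an added example that is not the gist's own code. The NATO spelling table and the wrap of "z" back to "a" (the gist never says what to do after "z") are my assumptions; the last function puts a number on how much a 10-hex-character password actually resists guessing.

```python
import hashlib
import math

# Constructed NATO/ICAO spelling table (assumption: standard ICAO spellings).
NATO = {
    "a": "alfa", "b": "bravo", "c": "charlie", "d": "delta", "e": "echo",
    "f": "foxtrot", "g": "golf", "h": "hotel", "i": "india", "j": "juliett",
    "k": "kilo", "l": "lima", "m": "mike", "n": "november", "o": "oscar",
    "p": "papa", "q": "quebec", "r": "romeo", "s": "sierra", "t": "tango",
    "u": "uniform", "v": "victor", "w": "whiskey", "x": "xray", "y": "yankee",
    "z": "zulu",
}


def simple_formula(site: str) -> str:
    """The gist's first pattern: append a zero to the site name."""
    return site + "0"


def intense_formula(site: str) -> str:
    """Steps 1-6 of the 'more intense' example (wrap z -> a is my assumption)."""
    first = site[0].lower()
    nxt = chr((ord(first) - ord("a") + 1) % 26 + ord("a"))  # next letter
    tail = NATO[nxt][1]                                      # 2nd letter of NATO word
    return site[0] + "9" + site[1:] + tail                   # 9 in 2nd position, letter at end


def finish(formula_output: str, length: int = 10, capitalize: bool = False) -> str:
    """Steps 7-8: SHA-1 the string, keep the first `length` hex chars,
    optionally upper-case the first letter that appears."""
    digest = hashlib.sha1(formula_output.encode("ascii")).hexdigest()
    pw = digest[:length]
    if capitalize:
        for i, ch in enumerate(pw):
            if ch.isalpha():
                pw = pw[:i] + ch.upper() + pw[i + 1:]
                break
    return pw


def strength_bits(length: int = 10) -> float:
    """Upper bound on guessing resistance of the output itself: 16 possible
    values per hex character. The capitalization step is deterministic
    given the hash, so it adds no bits; the secrecy of the formula is all
    that separates this from a known 40-bit string."""
    return length * math.log2(16)
```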

@urfolomeus

Doesn't this mean that you need to have the code that scrambles the site name and then SHAs it for you to hand whenever you need your password though? Then you have the issue of how to get this onto every device you use without making it available to h4x0rz, no? Am I missing something? :)

@adamjgrant
Author

You would but the only thing you would need that you couldn't do yourself is a SHA-1 generator. These are pretty easy to find. Any conceivable device or operating system will have it. You could even do it from the command line.

As far as getting it onto every device, the only thing you're distributing to your devices is the SHA-1 generator itself. You'd really only need to get it on the device you carry with you. I have a SHA-1 generator on my phone that works offline.

If there's concern over the integrity of the SHA-1 generator's author, I would finish it off with another memorized formula. Like

  1. Add a 3 as the third letter (tw3itter.com)
  2. SHA-1 (2c06be53ca266358dd124c511bb3ff9dbb556fac)
  3. Use the first ten chars and promote the first letter by two increments (2e06be53ca)

@adamjgrant
Author

I think you're talking about a script that would do the formula part automatically for you. If you have to input the site name and reveal your formula to the script you're now relinquishing all the information needed to get to your password.

If instead you just keep the formula in your head and never write it down, the password and formulae can't be accessed by hackers.
