How to track your passwords securely

The majority of my daily activity is online. Banking, reading, research, communication, entertainment, work, and so on. At first it was rather easy to manage my online accounts. I only had a handful I used, and I would only use one of four passwords. But then I started managing my clients' web accounts like databases, email, etc. I continued to research competitors of my own projects, so I added more accounts. These new accounts needed user names, and my most common one, my first name, was taken more and more often.

The list grew much larger and more complex than I had expected.

The Question

How do I track all of these passwords and accounts?

There was only one solution.

I needed to go low-tech. I decided to use a paper list.

But what if someone found my list of passwords? It no longer was only personal information. Now it included the privacy of other people and their businesses. What could I do to secure my passwords and still have them easily available to me? I obfuscated.

Example: Try taking something that is completely familiar to you and alter it in a way you understand. Perhaps a word like ‘love’. We could quickly obfuscate it by translating it to another language. ‘Love’ in German is ‘liebe’. Tell someone your bank account number. Then tell them the PIN number is ‘liebe’. They could try all day and never get in. That’s because you know that it is really ‘love’. You could go further by converting ‘love’ to ‘5683’ using a standard telephone pad.

Now do you see the security? The chances of someone cracking the code are very slim. It would be easier to social engineer a bank teller over the phone than to figure out what your PIN number really is.

Now a real life example. What follows is my login information for my del.icio.us account.

deliciouso/brxndxnx/yber

Now put on a black hat and pretend to be a malicious hacker. From the above, you might assume the first word means the service provider or title of the login information. If you knew my name, you could assume that ‘brxndxnx’ is my login. Then you could assume the last word is the password.

So now you are at delicious.com. You would never get into my account because the ‘x’ in the user name is actually a simplified salt character in place of the real character. You might eventually figure it out, but more than likely you would be blocked for too many failed attempts. Also, the password is only 4 characters of an 11 character alpha-numeric password.

To take it further, you could also mix up the order of each word for each entry. But you could recognize the pattern yourself quite easily.
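The three transforms described above (telephone-pad digits for a memorable word, an ‘x’ salt character replacing chosen positions of the user name, and writing down only a prefix of the real password) as a small Python script. This is an added example, not a tool from the original post; the service name, user name, password and salt positions are constructed sample values.

```python
"""Build an obfuscated password-memo line of the form service/user/pass.

Added example with constructed sample values; it is not the post's own tool.
"""

# Standard telephone keypad: which letters sit on which digit.
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
LETTER_TO_DIGIT = {ch: digit for digit, letters in KEYPAD.items() for ch in letters}


def keypad_encode(word: str) -> str:
    """Map letters to telephone-pad digits ('love' -> '5683'); other characters pass through."""
    return "".join(LETTER_TO_DIGIT.get(ch, ch) for ch in word.lower())


def salt_username(username: str, positions: list[int], salt: str = "x") -> str:
    """Replace the characters at the given 0-based positions with the salt character."""
    chars = list(username)
    for pos in positions:
        if not 0 <= pos < len(chars):
            raise ValueError(f"position {pos} is outside the user name")
        chars[pos] = salt
    return "".join(chars)


def memo_entry(service: str, username: str, password: str,
               salt_positions: list[int], keep: int) -> str:
    """Produce the 'service/user/pass' memo line.

    Only the first `keep` characters of the real password are written down;
    the rest stays in your head, so `keep` must be shorter than the password.
    """
    if not 0 < keep < len(password):
        raise ValueError("keep must leave part of the password off the page")
    return "/".join([service, salt_username(username, salt_positions), password[:keep]])


if __name__ == "__main__":
    # Constructed sample values, not anyone's real credentials.
    print(keypad_encode("love"))
    print(memo_entry("deliciouso", "bookworm", "tr0ub4dour1", [2, 5, 7], 4))
```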

I am just starting to use this method in practice. I’ll probably end up making changes to it as I use it. When I do, I’ll post them on the blog.

Author’s Notes (Dec 12, 2010)

I currently use a text file instead of paper. I’ve found it works just fine. This idea still works great since the medium used to write down the obfuscated passwords doesn’t matter. This is really just a method to track your passwords in a secure way.
