j.42dh is online

Published on and tagged with cakephp, openid, project

You probably know the problem: you have dozens of accounts all around the web, and it is difficult to remember all the username/password combinations. If you only use one browser you can use the built-in password manager. But if you use multiple browsers and/or multiple computers it becomes difficult, and so I keep some sheets full of username/password combinations on my desk (I know, every security officer would slap me for that *g*).

There exists a solution for that problem: OpenID. But unfortunately, it is not that widespread yet. And so I wrote a little application, j.42dh, which allows you to access your username/password combinations with your OpenID. If you have any qualms about using such a service, which I can understand as theoretically I would get access to all your accounts, you can also download the application and install it on your own server.

Your feedback is welcome :)

4 comments baked

  • KesheR

    Everybody will trust you, I think so

  • Dieter@be

    I definitely wouldn’t trust anyone or any service for that. Maybe only if I could install the program on my own system *and* it’s open source (like yours :-) ), but even then I’d rather have everything in my head (a good trick for this below). I know I’m both a bit paranoid and a control freak :p

    But here is a tip that gives you a unique password (and username, if you want that) for each service or website (let’s call this “app”) without the need for having to remember all the combinations.
    The trick is integrating one or more unique aspects of the app into your password (and possibly username). For this app this would be, for example, cakebaker, 42dh.com, 42dh or anything based on that (letters in reversed order, only the first letter, letters shifted, letters replaced by numbers (leetspeak)…)
    Then you just combine that part with a static part, which contains some uppercase+lowercase letters, numbers and preferably at least one other character (like % or !)
    This way you can create a deterministic (for each app there is only one possible password) method for “calculating” passwords for an app.

    To give a really simple example, I could say a password for logging in on this site would be 42dhD13t3r! (the first part is based on the domain name, the second is static, but easily rememberable since it’s my name in leetspeak with an exclamation mark behind it)
    You could of course improve this example a great deal. Since quite a few passwords are transmitted or even stored in plaintext, you don’t want possible hackers to understand your trick, as that would allow them to log into every account you have. That’s why you shouldn’t just take “42dh” but perform some operations on it, for example taking the first and 3rd character of the domain name, shifting the first 2 to the left and the 3rd 2 to the right, so you would get 2fD13t3r!. Still not perfect, but you can be creative from here. Another trick is using these 2 characters for replacing characters in the static part (replace all 2’s and f’s by a !, or replace all 2’s by f’s, etc. etc.)

    For the username you could use a constant username or do something similar to the passwords; when an app wants an email address as account name I usually make it @mydomain.com and just use a catch-all.

  • cakebaker

    @Dieter: Thanks for your explanations.

    A very similar approach was used in a company I worked for, for accessing all servers as administrator. They used the computer name plus a “secret” character sequence. That worked fine in such a controlled environment, but I am a bit skeptical whether it will work on the internet, with all the different rules used for user names and passwords. I try to use the same user name everywhere, but that’s just impossible: in some applications my user name is already used, in others it must have a certain minimal length, in others I am forced to use a certain user name… Similar for passwords. With all the exceptions I am back at the original problem ;-)

  • Dieter@be

    I see... well, I guess I have an original nickname, as it’s never taken ^^

    Concerning passwords, that’s why I recommend using at least 1 number, uppercase character, lowercase character and “special” character (like %). Password length limitations, if any, are usually “at least 8 characters”; in very rare cases a max length is specified (12 or so). So with a password of between 8 and 10 or so characters and a mix of character types like described above, I never encountered problems :)
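As an added example (not code from the post, from j.42dh, or from the commenters), here is the derivation rule from the comments above implemented literally, beside a keyed version of the same idea: the per-app part and the static secret go through HMAC-SHA256, so a password that leaks in plaintext no longer shows the static part verbatim, and the output is shaped to contain the four character classes the last comment recommends. The function names, the special-character set and the length bounds are assumptions of this example.

```python
import hmac
import hashlib
import string

# The comment's rule: 1st and 3rd character of the domain, shifted two to the
# left and two to the right, prepended to a static part ("42dh" -> "2f").
STATIC_PART = "D13t3r!"  # static part from the comment's example


def naive_password(domain: str, static_part: str = STATIC_PART) -> str:
    """Reproduce the comment's scheme: the static part appears verbatim."""
    first = chr(ord(domain[0]) - 2)   # '4' shifted two to the left -> '2'
    third = chr(ord(domain[2]) + 2)   # 'd' shifted two to the right -> 'f'
    return first + third + static_part


# Weakness of the naive rule: every password contains the static part as-is,
# so one plaintext leak reveals it. A keyed hash has no such property.
UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SPECIAL = "!%#@"  # assumed set of "special" characters
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL


def derived_password(secret: str, app: str, length: int = 10) -> str:
    """Deterministic per-app password from HMAC-SHA256(secret, app).

    Guarantees one character of each class (upper, lower, digit, special),
    so it satisfies the usual "at least 8 characters, mixed" rules.
    Assumption: 4 <= length <= 32, one digest byte per output character.
    """
    if not 4 <= length <= 32:
        raise ValueError("length must be between 4 and 32")
    digest = hmac.new(secret.encode(), app.lower().encode(), hashlib.sha256).digest()
    # First four bytes each pick a character from a required class; the rest
    # pick from the full alphabet (modulo bias is tolerated here).
    chars = [UPPER[digest[0] % len(UPPER)], LOWER[digest[1] % len(LOWER)],
             DIGITS[digest[2] % len(DIGITS)], SPECIAL[digest[3] % len(SPECIAL)]]
    chars += [ALPHABET[b % len(ALPHABET)] for b in digest[4:length]]
    # Deterministic Fisher-Yates shuffle driven by the tail of the digest,
    # so the class characters do not always occupy the same positions.
    for i in range(len(chars) - 1, 0, -1):
        j = digest[-1 - (i % 16)] % (i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password: str) -> bool:
    """Check the mix the commenter recommends: upper, lower, digit, special."""
    return (any(c in UPPER for c in password) and any(c in LOWER for c in password)
            and any(c in DIGITS for c in password) and any(c in SPECIAL for c in password))
```

The keyed version still has the property the comments warn about in a weaker form: the secret must never be reused as a plain password anywhere, and changing one site's password means changing the secret or adding a per-site counter to the HMAC input.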

© daniel hofstetter. Licensed under a Creative Commons License