Unhackable Passwords Guide
#1
Hardened Passwords
I'm going to go ahead and say that the title is obviously BS. "Unhackable" is like saying "perfect" humans. The title is clickbait and you got bamboozled. This post is about making a password manager even more secure. Nowadays we have so many passwords that trying to remember them all is infeasible. Password managers are a great solution, but they do have shortcomings. The obvious one is that if a keylogger were to sniff out your master password or an exploit for the password manager were found, all your passwords are compromised. So how do you mitigate this?
 
I got this idea from a Black Hills InfoSec blog post that you can read here: https://www.blackhillsinfosec.com/the-pa...d-manager/. So it's not a 100% original idea. I highly encourage you to read the blog post, but I'll give you the rundown. The idea is to have a paper password manager. You write down your passwords in a little notebook or on other paper. This protects it from digital attacks, and as long as you have it with you, you're set. But the issue is similar to regular password managers. If someone finds the password manager notebook, you're screwed. The solution is to have a "key." This key is like a password. For example, it could be something like "Tuesday@Idea!Manage21." It has to be memorable though. You NEVER write this down anywhere or store it anywhere except in your mind. Now, when making a password for a website or other account, you generate a password like normal (separate from the key). Now we have a key and the new password. When giving the new account your password, you give it like this: <key><password>. In this case: Tuesday@Idea!Manage21d#FF!Ajt32LJ^PH3CQvw. You can see the key at the front and the generated password after it. DO NOT write down this entire thing in the password manager. Only the generated password part. The same goes for all your other accounts. Generate a password, combine the key and password, sign up, write down the password. When you log in, just enter the key (from your memory) and then the password from the password manager.
 
This same concept can be applied to digital password managers. You store the password in the password manager. What you're effectively doing is limiting the value that the individual passwords have to an attacker. They pretty much have half a password. You could have an absolutely terrible key, but it would confuse the hell out of any attacker that got hold of your passwords. I don't recommend having a bad key, but it would likely be fine. The attacker might assume all the passwords are just bad for some reason. After all, none of the passwords will work unless you also know the key. You could even switch up the format or use multiple keys (although you want to keep the complexity low if possible).
- <key><password>
- <password><key>
- <key><password><key>
- <key1><password><key2>
- <key><key><password>
Let me know what you think in the replies below. Is this just a terrible idea, have any ideas on what could make it better, comments, etc? Hope you enjoyed reading.
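The scheme above, as an added example that is not part of the original post or the Black Hills write-up: the five layouts from the list are expressed as templates, the stored part is generated with `secrets`, and a stand-in site verifies a salted PBKDF2 hash of the full credential. The `notebook_theft_outcome` function shows the point of the split: someone holding only the written-down part, or only the memorized key, cannot log in. The key and generated password are the ones quoted in the post; the alphabet for the generated part and the PBKDF2 parameters are my own choices, not anything the post specifies.

```python
"""Composite credentials: a memorized key plus a stored (written-down) part.

Added example, not code from the original post. The "site side" uses
PBKDF2-HMAC-SHA256 from the standard library as a stand-in for whatever
password hashing a real service does.
"""
import hashlib
import hmac
import math
import os
import secrets
import string
from typing import Optional

# The layouts listed in the post. {k} is the memorized key, {p} the stored part,
# {k1}/{k2} two different memorized keys.
FORMATS = {
    "key_then_password": "{k}{p}",
    "password_then_key": "{p}{k}",
    "key_password_key": "{k}{p}{k}",
    "key1_password_key2": "{k1}{p}{k2}",
    "key_key_password": "{k}{k}{p}",
}

# Alphabet for the generated (stored) part: a constructed choice, not from the post.
ALPHABET = string.ascii_letters + string.digits + "!#$%^&*"


def generate_stored_part(length: int = 20) -> str:
    """Random stored part; this is the only piece that goes into the notebook or manager."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def stored_part_entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of the generated part alone, i.e. all that a thief of the notebook learns."""
    return length * math.log2(len(alphabet))


def compose(fmt: str, stored: str, key: str, key2: Optional[str] = None) -> str:
    """Build the credential actually sent to the site from the key(s) and stored part."""
    if fmt == "key1_password_key2" and key2 is None:
        raise ValueError("this layout needs a second memorized key")
    return FORMATS[fmt].format(k=key, p=stored, k1=key, k2=key2)


def enroll(credential: str, iterations: int = 600_000) -> dict:
    """Site-side enrollment: salted PBKDF2-HMAC-SHA256 hash of the full credential."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations}


def verify(record: dict, candidate: str) -> bool:
    """Site-side login check with a constant-time digest comparison."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def notebook_theft_outcome(key: str, stored: str, fmt: str = "key_then_password",
                           iterations: int = 600_000) -> dict:
    """Who can log in once the stored part has leaked: only the holder of both halves."""
    record = enroll(compose(fmt, stored, key), iterations)
    return {
        "key_and_stored": verify(record, compose(fmt, stored, key)),
        "stored_only": verify(record, stored),
        "key_only": verify(record, key),
    }


if __name__ == "__main__":
    # Values quoted in the post: the memorized key and one generated password.
    key = "Tuesday@Idea!Manage21"
    stored = "d#FF!Ajt32LJ^PH3CQvw"
    print(compose("key_then_password", stored, key))
    print(notebook_theft_outcome(key, stored))
    fresh = generate_stored_part()
    print(f"new stored part {fresh!r}: {stored_part_entropy_bits(len(fresh)):.0f} bits on its own")
```

Note that the entropy figure only covers the generated part; the memorized key adds to the attacker's search space but its strength depends on how guessable the phrase is, which a formula like this cannot measure.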
#2
I have been doing this for a couple of years, but I don't apply this for passwords I use regularly. I memorized those with phrases.
I can have long passwords which have a meaning and that way it is easy to remember.

Using paper password managers is in the end not that bad of an idea; nobody will break into your house and start looking in your notebooks. And if they do, if you have your own method of writing them somewhat cryptographically, they will just see gibberish.

This and using 2 factor authentication makes your account very secure in my opinion.