Better Security, Harry Potter Style

We all know we shouldn’t use 1234 as our password. But we often don’t follow best practice when it comes to passwords. After all, you should have some obscure, strange password that is unique for every site. But we all have lots of passwords, so most of us use $pock2020 or something like that. If you know I’m a Star Trek fan, that wouldn’t be super hard to guess. [Phani] writes about a technique called Horcruxing, a term taken from the literary realm of Harry Potter, where it allowed Voldemort to preserve life by splitting it into multiple parts, all of which were required to bring an end to his villainy. [Phani’s] process promises to offer better security than using a single password, without the problems associated with having hundreds of random passwords.

Most people these days use some form of password manager. That’s great because the manager can create 48 character passwords of random words or symbols and even you don’t know the password. Of course, you do know the master password or, at least, you’d better. So if anyone ever compromised that password, they’d have all your passwords at their fingertips. Horcruxing makes sure that the password manager doesn’t know the entire password, just the hard parts of it.

Here’s how it works. Suppose you decide your personal horcrux string will be HamNCheese. That’s easy to remember and spell. It isn’t a great password all by itself. However, the idea is to never store that string in your password manager. Instead, you store a unique prefix and you have to add the horcrux.

If the password manager, for example, creates a password of 4337feeb90210, then you’d set the actual password to be 4337feeb90210HamNCheese. This means you’d have to set the password manager to not auto-submit the login form, of course. Once it has filled in its part, you’ll have to add the extra string. Now if someone compromises your password manager, it doesn’t help them unless they also know your horcrux which, obviously, you should keep super secret.

This doesn’t help if someone phishes your password from you or otherwise intercepts it using, say, a keystroke logger. But it does seem like it has some value in preventing your password database from being a useful target. You’ll probably have to figure out the best way to configure your password manager, not only to prevent automatic submission but also to stop it from helpfully trying to update your password every time you enter the horcrux, but that’s a small thing.
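If the manager does save the full password after a login, the horcrux ends up in the vault and the scheme quietly stops working. The sketch below is an added example, not code from [Phani] or the original write-up: it builds a password the way the article describes and audits a vault export for entries that contain the horcrux. The CSV column names (`name`, `password`), the function names and the sample export are assumptions constructed for illustration.

```python
import csv
import getpass
import io
import secrets
import string

def new_stored_part(length=20):
    """Random part kept in the password manager, generated independently of the horcrux."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def site_password(stored_part, horcrux):
    """Password actually set on the site: the manager's part followed by the horcrux."""
    return stored_part + horcrux

def leaked_entries(export_csv, horcrux):
    """Names of vault entries whose saved password contains the horcrux."""
    if not horcrux:
        # An empty string is a substring of everything and would flag every entry.
        raise ValueError("horcrux must not be empty")
    rows = csv.DictReader(io.StringIO(export_csv))
    return [row["name"] for row in rows if horcrux in row["password"]]

# Constructed sample export; column names are assumed, adjust to your manager's format.
SAMPLE_EXPORT = '''name,username,password
example-mail,al,4337feeb90210
example-bank,al,9f1c7720ab33HamNCheese
example-forum,al,"c0ffee,77"
'''

if __name__ == "__main__":
    # Prompt instead of taking an argument so the horcrux stays out of shell history.
    horcrux = getpass.getpass("Horcrux: ")
    for name in leaked_entries(SAMPLE_EXPORT, horcrux):
        print(f"{name}: stored password includes the horcrux, re-save without it")
```

To audit a real vault, read the exported file into `export_csv`, and delete the plaintext export once the check is done.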

[Phani] doesn’t mention it, but it reminded us of the problem with security questions, too. It is reasonably easy to research people and find things like their mother’s maiden name or where they went to high school. The best solution is to have a made-up identity that you use to answer those questions. So your mother’s maiden name might be Pfffft and your older brother’s middle name might be MiddleName. The problem, of course, is keeping all that straight. Maybe you can store it in your password manager.

We’ve talked about odd ways to generate passwords before. If you can manage not to lose a hardware device, that’s another solution.