URL as a Master Password

menantic
Community Member

Apologies if this has been addressed.

So I was thinking of a way for people to store a copy of their STRONG master password in electronic form on their computer (for forgetful people that want to be able to cut and paste) and thought that URLs would be a fairly easy way to do that.

Obviously www.google.com is not very strong but -

is not likely to be brute forced anytime soon (btw is there a maximum master password length?), especially if you add a simple salt i.e. URL + Dictionary Word. Furthermore, something like:

www.imadeupthiswebsite.Mobi/January41972isthebest

would be pretty easy to remember.

The beauty to me is that you probably have hundreds if not thousands of URLs stored on your computer, in your email, and in your browser bookmarks.

One of these passwords would be extremely difficult to crack from a brute force perspective, and it would take an incredibly dedicated hacker with access to your computer and email to try every URL on your email/computer, especially if you're using a simple salt with the URL.

Furthermore, a URL in an email or bookmark isn't obviously a password, whereas most people quickly recognize "Obv!ous1234" as one.

I suppose one could argue that this is really just a security through obscurity scheme, but only as it relates to where you are keeping your backup of your master password.

Any thoughts? Is this a completely asinine idea?

Comments

  • khad
    1Password Alumni
    edited March 2014

    This is an interesting idea, but the main flaw I see is that your Master Password should never be anywhere but in your head. You should certainly not be copying and pasting it from anywhere else. At the most we recommend writing a new one down on a piece of paper and storing it safely until you have memorized it. Then destroy the piece of paper. It should be something you are able to type by hand, and I don't think a URL like https://encrypted.google.com/#output=search&sclient=psy-ab&q=rangers+score&oq=rangers+score&gs_l=hp.3..0l10.1130.3248.1.3956.13.11.0.0.0.0.700.3174.4-3j2j1.6.0...0.0...1c.1.11.hp.ND8ADbzb98A&bav=on.2,or.r_qf.&bvm=bv.45921128,d.eWU&fp=4e58087652d67de3&biw=1050&bih=726 is something anyone would want to type by hand even if they were able to memorize it. :)

    Can you imagine inputting that on an iOS keyboard? That would be a nightmare. And if you stored it somewhere you could access it to copy and paste it, then your 1Password data would only be as secure as the location in which you are storing the Master Password. Probably not a Good Thing™.

    We see time and time again that people really want to come up with a clever "trick" that no one else has thought of, but all of these tricks don't really hold up very well for one reason or another. It can be hard for some of us who think we are especially clever — myself included — but ultimately it is best to "surrender your pride and roll the die" using Diceware as we have long recommended:

    Toward Better Master Passwords

    Of course, it is your data, so you are ultimately the only one who can decide exactly what you are comfortable doing. We would just never recommend using a system that required copying/pasting a Master Password.

    If we can be of further assistance, please let us know. We are always here to help!

This discussion has been closed.
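To put numbers on the comparison in this thread, here is an added example (not part of the original posts, and not 1Password code) that estimates the guess space of a "stored URL + dictionary word" password for someone who already holds the computer and mailbox, next to a Diceware passphrase drawn at random. The URL count, dictionary size and the tiny word list are constructed assumptions.

```python
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 entries: five six-sided dice rolls per word


def diceware_bits(num_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy in bits of num_words words chosen uniformly at random."""
    return num_words * math.log2(list_size)


def url_scheme_bits(stored_urls, salt_words):
    """Bits of guessing work when the scheme is known and the URL store is in
    the guesser's hands: one candidate per (stored URL, salt word) pair."""
    return math.log2(stored_urls * salt_words)


def words_to_match(bits, list_size=DICEWARE_LIST_SIZE):
    """Smallest number of Diceware words with at least `bits` of entropy."""
    return math.ceil(bits / math.log2(list_size))


def generate_passphrase(wordlist, num_words):
    """Pick words with the OS CSPRNG; `secrets` stands in for physical dice."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    # Constructed assumptions: 5,000 URLs across bookmarks and mail,
    # and a 200,000-word dictionary for the "simple salt".
    url_bits = url_scheme_bits(stored_urls=5_000, salt_words=200_000)
    print(f"URL + word, store exposed: {url_bits:.1f} bits")
    for n in (4, 5, 6):
        print(f"Diceware, {n} words: {diceware_bits(n):.1f} bits")
    print(f"Diceware words needed to match the URL scheme: {words_to_match(url_bits)}")

    # Constructed sample list, far too small for real use; a real Diceware
    # list has 7776 entries.
    sample_words = ["anvil", "brook", "cedar", "dune", "ember", "fjord"]
    print("Sample passphrase:", generate_passphrase(sample_words, 5))
```

The URL scheme's strength depends on the backup location staying private, while the Diceware figure holds even when the word list and method are public.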