Safely Use The Same Password Everywhere with KeyGrinder [Web & iOS]


The golden rule when it comes to securing your online accounts is to never use the same password more than once. Even if you are guilty of breaking this rule for throwaway accounts, you should at the very least never use your most important passwords more than once.

But what if you could use just the one password everywhere, without having to sign up for a password management service or pay subscription fees? That’s exactly what KeyGrinder lets you do, and it’s completely free to use online and via the iPhone app.

If you have trouble remembering passwords but are concerned about storing the keys to your online life, you might want to try it out.

How It Works

KeyGrinder works using a very simple principle, and that is one already widely used to store passwords securely – hashing. In fact, KeyGrinder uses the same technique used by Stanford University project PwdHash which was designed to create theft-resistant passwords. The idea fuses the convenience of an easy to remember password with the security of using very strong, completely unique passwords.


When you use KeyGrinder to generate passwords, it takes your input (e.g. “password”) and the address of the website you are visiting (e.g. “google.com”). By converting your password into a domain-specific hash of both your input and the website you are trying to access, each and every password for every domain you visit will be entirely unique. Because these passwords are hashes, they’re also a strong combination of upper case, lower case and numbers and thus are naturally stronger than most memorable passwords.


KeyGrinder is virtually identical to PwdHash, and both services generate the same passwords when given the same input credentials. Because certain websites have entirely different sub-domains for handling separate functions, e.g. mail.google.com and drive.google.com, KeyGrinder uses only the “name.com” part of the domain, which means you won’t have to remember each and every domain and sub-domain you use.

In fact, all of the following domain variations generated the same secure password: “mail.google.com”, “www.google.com”, “m.google.com”, “http://mail.google.com/” and “mail.google.com/d”. Note how the “http://”, the “www.” and anything after the top-level domain (in this case “.com”) are ignored.


The length of each password will vary depending on the input password you supply, so for “mail.google.com” using “password” generates: GEGW8EGRbW. However, if you use “mypasswordisaverylongpassword” then you’ll get: CYbbtuHIZ24PVt0qHwMFXAAAAA. At no point will the generated password exceed 26 characters.
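The scheme described above, as an added example that is not KeyGrinder's or PwdHash's own code and does not reproduce their output: the address is reduced to its “name.com” part and the master password keys a hash over it. HMAC-SHA256, the two-label domain rule, the 16-character length and the names site_key and site_password are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample input: the address variants listed in the article.
VARIANTS = [
    "mail.google.com",
    "www.google.com",
    "m.google.com",
    "http://mail.google.com/",
    "mail.google.com/d",
]


def site_key(address: str) -> str:
    """Reduce a URL or host name to its "name.com" part.

    Assumption for this sketch: keep the last two labels. Suffixes such
    as "co.uk" need a public-suffix list, which is not modelled here.
    """
    address = address.strip().lower()
    if "://" not in address:
        address = "//" + address  # lets urlsplit treat the text as a host
    host = urlsplit(address).hostname or ""
    labels = [label for label in host.split(".") if label]
    if len(labels) < 2:
        raise ValueError(f"no registrable domain in {address!r}")
    return ".".join(labels[-2:])


def site_password(master: str, address: str, length: int = 16) -> str:
    """Derive a per-site password from the master password and the site.

    The master password is the HMAC key and the reduced domain is the
    message. Nothing is stored: equal inputs always give equal output.
    """
    digest = hmac.new(master.encode(), site_key(address).encode(),
                      hashlib.sha256).digest()
    # URL-safe base64 yields upper case, lower case, digits, "-" and "_".
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")[:length]


if __name__ == "__main__":
    for variant in VARIANTS:
        print(variant, "->", site_key(variant), site_password("password", variant))
```

Because a single fast hash is used, anyone who obtains one derived password can test guesses of the master password offline, so the master password still has to be strong.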

From Your iPhone & Browser

Having access to services like KeyGrinder or PwdHash on the web is handy, but on a mobile device, opening a website isn’t always the most convenient of operations. For this, there is the official KeyGrinder app, which used to cost $0.99 but now appears to be completely free. It offers identical functionality to the website, with the added convenience of a touch interface.


What’s more, KeyGrinder for iOS will remember the URLs you have used, so you can simply enter your master password and choose from your frequent sites before generating your hash and copying the password to your clipboard. You can then paste the hash into the service you need to login.


That’s pretty much it. Keep your online profiles completely safe, all the while using the same single password and your clipboard from a web browser or iOS device. Oh, and one of the best things about using a cryptographic solution like this for recalling passwords is the fact that they won’t be stored anywhere. For PwdHash there are Chrome and Firefox extensions available from the official site, and KeyGrinder’s homepage features a choice of bookmarklets which you can drag into the bookmarks bar.

Download: KeyGrinder for iOS @ AppStore

Conclusion

Remember – no password is infallible, sites get hacked and credentials leaked. If you use the same password in more than one location then you’re already playing with fire, and KeyGrinder might just be the free solution you’ve been looking for. You should still never ever reveal, write down or store your master password in plaintext. If you’re planning on using PwdHash or KeyGrinder, then it’s probably a good idea not to advertise this fact too publicly either.

What do you use to keep your online identities safe? Do you like the idea of KeyGrinder or do you use another service to safely store your keys? Let us know in the comments, below.

Comments (20)
  • Keith Smith

    There’s some good discussion here, particularly about the constant use of a single password being a weak point. So, how about simply modifying your standard password for each site you use by adding letters around it, for example let’s say my password is sameoldpassword and I could modify it by adding FB for Facebook to Make FBsameoldpassword or FsameoldpasswordB or similar. I am sure that there was a previous MakeUseOf article on this previously.

    Again, just another layer for those who use the same password over again.

    One question I do have is, to use this service you are inputting your password for it to be hashed so are you sure that it is not being stored on the server …?

    • Tim Brookes

      Thanks for contributing, and you’re right – there’s some great points being raised.

      Two points:

      1) Using a password surrounded by letters like FB for Facebook, TW for Twitter etc is a dangerous technique. Those passwords are in no way unique – they’re slight variations on the same key/phrase. If you intend to hash it afterwards (using KeyGrinder or other similar tool) then it makes sense, yes. But if you’re just going to use “mypasswordFB” for one and “mypasswordTW” for another, what happens when a site you frequent (LinkedIn last year, the entire Gawker comments system the year before that) gets hacked and your passwords are leaked? It doesn’t take a genius to work out “mypassword” is your main key and you’re suffixing/prefixing initials or names onto it.

      It is more secure than using a single password everywhere – just not that secure in the grand scheme of things.

      2) Regarding KeyPass/storing: Even if it was being stored on the server it wouldn’t matter because your username is never required or entered. If a thief has a long list of passwords and hashes, he still then has to guess the usernames which is probably not going to happen.

    • Keith Smith

      Thanks Tim, thoroughly agree with point 1) and point 2) is good, hadn’t thought of that.

  • Alexander

    I like LastPass better than this, and I think this can get confusing sometimes :/

  • Alan Wade

    I have used LastPass for a long while now and nothing I have read here makes me want to change that.
    Like Chris, I am happier with the randomly generated passwords for all my security needs.

  • Chris Hoffman

    The problem with these types of solution is that, if a site becomes compromised and leaks your password, you can’t change your password for just that website without going through the trouble to change it everywhere.

    If you use LastPass (or another password manager, but I use LastPass), you can just generate a new random password for each that website.

    • Chris Hoffman

      Yikes, sorry for the typos. Wish we had an edit feature!

    • Tim Brookes

      True, but then what if a thief finds your LastPass master key?

    • ReadandShare

      Some websites force you to change your password every x months. I just cannot imagine that the only way to change a password for one website is to change the PwdHash master password — because that will mean changing passwords for ALL my other websites?? There has to be some kind of ‘manual override’ — although each one will mean additional memorizing… until we are back to using a password manager again?

    • Tim Brookes

      Yeah, it’s not perfect. You could always use a couple of passwords, which even if you did write down (i.e. in passwords.txt) would still be indecipherable because they’d be hashed in the end anyway.

      I’d argue that KeyGrinder is a serious contender for the password manager/Last Pass throne. I like the idea of an autocompleting password service, but to me the idea of all my identities stored behind a single “master” password (or in a file, with a password like KeyPass) is concerning to say the least.

  • Anonymous

    I agree with Richard. That’s exactly what I thought. It would be safer for the password to be totally random rather than actually being related.

Affiliate Disclaimer

This review may contain affiliate links, which pay us a small compensation if you do decide to make a purchase based on our recommendation. Our judgement is in no way biased, and our recommendations are always based on the merits of the items.

For more details, please read our disclosure.