Safely Use The Same Password Everywhere with KeyGrinder [Web & iOS]

The golden rule when it comes to securing your online accounts is to never use the same password more than once. Even if you are guilty of breaking this rule for throwaway accounts, you should at the very least never use your most important passwords more than once.

But what if you could use just the one password everywhere, without having to sign up for a password management service or pay subscription fees? That’s exactly what KeyGrinder lets you do, and it’s completely free to use online and via the iPhone app.

If you have trouble remembering passwords but are concerned about storing the keys to your online life, you might want to try it out.

How It Works

KeyGrinder works using a very simple principle, one already widely used to store passwords securely – hashing. In fact, KeyGrinder uses the same technique as the Stanford University project PwdHash, which was designed to create theft-resistant passwords. The idea fuses the convenience of an easy-to-remember password with the security of using very strong, completely unique passwords.


When you use KeyGrinder to generate passwords, it takes your input (e.g. “password”) and the address of the website you are visiting (e.g. “google.com”). By converting your password into a domain-specific hash of both your input and the website you are trying to access, each and every password for every domain you visit will be entirely unique. Because these passwords are hashes, they’re also a strong combination of upper case, lower case and numbers and thus are naturally stronger than most memorable passwords.


KeyGrinder is virtually identical to PwdHash, and both services generate the same passwords when given the same input credentials. Because certain websites have entirely different sub-domains for handling separate functions, e.g. mail.google.com and drive.google.com, KeyGrinder uses only the “name.com” part of the domain, which means you won’t have to remember each and every domain and sub-domain you use.

In fact, all of the following domain variations generated the same secure password: “mail.google.com”, “www.google.com”, “m.google.com”, “http://mail.google.com/” and “mail.google.com/d”. Note how the “http://”, the “www.” and anything after the top-level domain (in this case “.com”) are ignored.


The length of each generated password varies with the input password you supply: for “mail.google.com”, using “password” generates GEGW8EGRbW, whereas “mypasswordisaverylongpassword” gives CYbbtuHIZ24PVt0qHwMFXAAAAA. At no point will the generated password exceed 26 characters.
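To make the two rules above concrete (collapse every URL variant to its “name.com” part, then derive a site-specific, alphanumeric password no longer than 26 characters), here is an added example in the same spirit. It is not KeyGrinder’s or PwdHash’s own code: it uses HMAC-SHA256 as a stand-in for their hash, so it will not reproduce the sample outputs quoted above, and the “length of master password plus 2” rule and the two-label domain cut-off are assumptions that merely match the examples on this page.

```python
import hashlib
import hmac
import string
from urllib.parse import urlsplit

# Page facts: the output never exceeds 26 characters and consists of
# upper case, lower case and digits.
MAX_LEN = 26
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits
# Assumption: output length = len(master) + 2, which matches the page's
# samples (8-character "password" -> 10-character result).
EXTRA_LEN = 2


def site_key(url: str) -> str:
    """Reduce a URL or host name to its "name.com" part.

    Strips the scheme, any sub-domains (www., mail., m., ...), port, path
    and query. Assumption: the key is always the last two labels; a real
    tool would consult the public suffix list so that a host such as
    example.co.uk is not collapsed to "co.uk".
    """
    text = url.strip()
    if "://" not in text:
        text = "http://" + text          # let urlsplit see a host, not a path
    host = (urlsplit(text).hostname or "").strip(".")
    labels = [part for part in host.split(".") if part]
    if len(labels) < 2:
        raise ValueError(f"no registrable domain in {url!r}")
    return ".".join(labels[-2:])


def grind(master: str, url: str) -> str:
    """Derive a per-site password from the master password and the site key.

    The site key is the HMAC key and the master password the message, so one
    master password yields an unrelated output for every site. HMAC-SHA256 is
    a stand-in here and does not reproduce KeyGrinder's or PwdHash's output.
    """
    domain = site_key(url)
    digest = hmac.new(domain.encode(), master.encode(), hashlib.sha256).digest()
    size = min(len(master) + EXTRA_LEN, MAX_LEN)   # 32 digest bytes >= 26
    # Map each digest byte into the 62-character alphabet (256 % 62 != 0,
    # so the mapping is slightly biased; acceptable for illustration only).
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:size])


if __name__ == "__main__":
    for variant in ("mail.google.com", "www.google.com", "m.google.com",
                    "http://mail.google.com/", "mail.google.com/d"):
        print(f"{variant:26} -> {site_key(variant)}  {grind('password', variant)}")
```

Run as a script, it shows that every variant from the paragraph above maps to google.com and therefore to the same derived password.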

From Your iPhone & Browser

Having access to services like KeyGrinder or PwdHash on the web is handy, but when it comes to mobile usage, accessing a website isn’t always the most convenient of operations. For this, there is the official KeyGrinder app, which used to cost $0.99 but now appears to be completely free. It offers identical functionality to the website, but from the convenience of a touch interface.


What’s more, KeyGrinder for iOS will remember the URLs you have used, so you can simply enter your master password and choose from your frequent sites before generating your hash and copying the password to your clipboard. You can then paste the hash into the service you need to log in to.


That’s pretty much it. Keep your online profiles completely safe, all the while using the same single password and your clipboard from a web browser or iOS device. Oh, and one of the best things about using a cryptographic solution like this for recalling passwords is that the generated passwords are never stored anywhere. For PwdHash there are Chrome and Firefox extensions available from the official site, and KeyGrinder’s homepage features a choice of bookmarklets which you can drag into the bookmarks bar.

Download: KeyGrinder for iOS @ AppStore

Conclusion

Remember: no password is infallible; sites get hacked and credentials get leaked. If you use the same password in more than one location then you’re already playing with fire, and KeyGrinder might just be the free solution you’ve been looking for. You should still never ever reveal, write down or store your master password in plaintext. If you’re planning on using PwdHash or KeyGrinder, then it’s probably a good idea not to advertise this fact too publicly either.

What do you use to keep your online identities safe? Do you like the idea of KeyGrinder or do you use another service to safely store your keys? Let us know in the comments, below.


20 Comments

0 votes

Scott

What about special characters (#, $, %, etc.)? And why a 26-character maximum?

I would much prefer just letting LastPass generate looooong (80+ character) passwords with special characters. That way I don’t have to remember anything except my LP password. ;-)

3 votes

Richard Steven Hack

Correct me if I’m wrong here, but let’s look at this closely.

I use a constant password, say, “herewegototown” and that gets mixed with “gmail.com” using a FIXED hash algorithm (which presumably is a KNOWN algorithm since unknown algorithms are by definition insecure.)

I then use the SAME fixed password which gets mixed with “livemail.com” (or whatever Microsoft is calling itself these days) using the SAME FIXED algorithm.

This means any hacker who knows the KNOWN algorithm, plus the target site, has only to guess your original constant password. He can then do the same thing for every other target site. He only has to guess ONE variable, your original constant password. Everything else in the resulting password is based on fixed variables.

And everyone knows we suck at picking those original constant passwords, right?

How is this different from simply using one constant password? Everything about this situation is fixed: your password, the target site, the algorithm. The only thing that changes is the RESULTING password for each site.

This is not secure. It’s no more secure than the initial password you choose to use.

The ONLY way to be secure is to generate a password which is completely different for each site and which does NOT take into account the name of the site or any other information which could be known to or guessed by a hacker.

0 votes

Lisa Santika Onggrid

Yeah. The only workaround is to use a different word entirely for the site’s name, so if it’s google.com you can use myawesomedomain.com instead, to avoid an easy guess. If you still use that lame password for the account, it’s still useless. Perhaps someone could enlighten us as to why this is more secure than the ordinary method?

1 votes

Tim Brookes

It’s better than using an ordinary password in that every generated password is unique, so if one falls the whole lot doesn’t fall. It’s only useless if a hacker knows your original password (keyloggers yes) and the algorithm used to get to that password. As far as I’m aware, that algorithm has not been made public, and so there is little chance of deciphering a password from the hash.

No password is crack-proof, even randomly generated LastPass/1Password efforts. You could argue that if someone got your LastPass or other password manager credentials then they would have access to every password you have. KeyGrinder isn’t perfect, but for a lot of users who it adds a whole extra layer of security that simple

1 votes

Tim Brookes

What you said is largely true, but it relies on:

The hacker knowing your original password.
The algorithm OR the fact that you’re using this service.

The algorithm is not public, so that’s a no-no. You should also probably keep any cryptographic services you’re using quiet, else that’s akin to telling a prospective burglar the model and location of your home alarm system.

It’s not infallible, but then no password is. KeyGrinder generates unique hashes, which means if one site falls the rest of your accounts do not. I know that there are a huge percentage of people using the same password everywhere, and this adds another layer of security for those people.

0 votes

Hari

Security by obscurity is never good; it would be only a matter of time before someone reverse engineers the algorithm to generate a rainbow table lookup of all the hashes. Besides, how would you change your password using this method? You either have to change your master password or the domain, and since the domain remains the same, you have to change your password, and guess what, you no longer have a master password and are back to square one of remembering multiple passwords, an even harder problem than the original. LastPass is much better!

2 votes

ReadandShare

I am not getting it either. Say my master password is “IThinkIAmSoSmart!!”. Anyone or any keylogger that gets hold of this singular password can then try it on any number of popular website accounts — and bingo — they’re in!

From a security viewpoint, how’s this adding anything versus just using “IThinkIAmSoSmart” directly on all my web accounts?

1 votes

Tim Brookes

I understand what you’re saying entirely – it doesn’t work if the thief knows you’re using this service and your master password. But think of it from a “X site got hacked point of view” – if a hacker gets into a database of users and finds your password, it’s entirely unique and thus not going to lead to more of your profiles going under.

That’s how it’s better than using a single password on all of your web accounts.

0 votes

ReadandShare

That is true. Thanks.

0 votes

Aaron Chung

I agree with Richard. That’s exactly what I thought. It would be safer for the password to be totally random rather than actually being related.

1 votes

Chris Hoffman

The problem with these types of solution is that, if a site becomes compromised and leaks your password, you can’t change your password for just that website without going through the trouble to change it everywhere.

If you use LastPass (or another password manager, but I use LastPass), you can just generate a new random password for that website.

0 votes

Chris Hoffman

Yikes, sorry for the typos. Wish we had an edit feature!

0 votes

Tim Brookes

True, but then what if a thief finds your LastPass master key?

0 votes

ReadandShare

Some websites force you to change your password every x months. I just cannot imagine that the only way to change a password for one website is to change the PwdHash master password — because that will mean changing passwords for ALL my other websites?? There has to be some kind of ‘manual override’ — although each one will mean additional memorizing… until we are back to using a password manager again?

1 votes

Tim Brookes

Yeah, it’s not perfect. You could always use a couple of passwords, which even if you did write down (i.e. in passwords.txt) would still be indecipherable because they’d be hashed in the end anyway.

I’d argue that KeyGrinder is a serious contender for the password manager/Last Pass throne. I like the idea of an autocompleting password service, but to me the idea of all my identities stored behind a single “master” password (or in a file, with a password like KeyPass) is concerning to say the least.

1 votes

Alan Wade

I have used LastPass for a long while now and nothing I have read here makes me want to change that.
Like Chris, I am happier with the randomly generated passwords for all my security needs.

0 votes

Alexander

I like LastPass better than this, and I think this can get confusing sometimes :/

1 votes

Keith Smith

There’s some good discussion here, particularly about the constant use of a single password being a weak point. So, how about simply modifying your standard password for each site you use by adding letters around it? For example, let’s say my password is sameoldpassword; I could modify it by adding FB for Facebook to make FBsameoldpassword or FsameoldpasswordB or similar. I am sure that there was a previous MakeUseOf article on this.

Again, just another layer for those who use the same password over again.

One question I do have is, to use this service you are inputting your password for it to be hashed so are you sure that it is not being stored on the server …?

2 votes

Tim Brookes

Thanks for contributing, and you’re right – there’s some great points being raised.

Two points:

1) Using a password surrounded by letters like FB for Facebook, TW for Twitter etc. is a dangerous technique. Those passwords are in no way unique – they’re slight variations on the same key/phrase. If you intend to hash it afterwards (using KeyGrinder or another similar tool) then it makes sense, yes. But if you’re just going to use “mypasswordFB” for one and “mypasswordTW” for another, what happens when a site you frequent (LinkedIn last year, the entire Gawker comments system the year before that) gets hacked and your passwords are leaked? It doesn’t take a genius to work out that “mypassword” is your main key and you’re suffixing/prefixing initials or names onto it.

It is more secure than using a single password everywhere – just not that secure in the grand scheme of things.

2) Regarding KeyPass/storing: Even if it was being stored on the server it wouldn’t matter because your username is never required or entered. If a thief has a long list of passwords and hashes, he still then has to guess the usernames which is probably not going to happen.

0 votes

Keith Smith

Thanks Tim, thoroughly agree with point 1) and point 2) is good, hadn’t thought of that.