
Ask HN: Using a simple password, base64 encrypted for websites login? - federicoponzi
I was wondering, can it be a good idea to take the website name (e.g. facebook), encrypt it to base64/base128 (or whatever hashing method) and then use it as my password to that service?
======
dozzie
No. Do yourself a favour and invest in a password manager and have random
password for each website.

Also, Base64 is neither _encryption_ nor _hashing_.

~~~
federicoponzi
Hi and thanks for the comment! I don't actually use this method to choose
passwords, I was just wondering if it could have been a good idea and if not
why. Of course base64 is not encryption, but I meant that a hashing method (say
md5/sha1) of the website name should work as a password. If not, why? :)

~~~
pwg
> ... I was just wondering if it could have been a good idea and if not why.

No, it is not a good idea. And here is why: the website name is known to
everyone so it is not a secret. Therefore, your base64/base128 _encoding_
(base64/base128 is not a hash) is also not a secret, anyone can base64 the
website name and get the identical string of characters that you use as your
password. Therefore, your passwords would also not be secrets known only to
you.

For a password to be effective, it needs to be known only to you (and
obviously known at least once to the site you log into, but they can store a
proper hash so they also do not know your actual password either). And it
needs to be very hard to guess by an attacker.

Your scheme fails both. What would be your password would be known to anyone
who base64 encodes the website name. And because of this it would be trivial
to guess by an attacker.

Now, lest you counter argue that an attacker will not know _if_ you are using
base64, the reason why that falls is that base64 (and base128) are trivial to
compute, so attackers will just add the base64 and base128 encoding of the
website name to their password dump cracking tools, and the moment a password
dump occurs, your password will be found as fast as they find users that use
"password1" as their password.

~~~
federicoponzi
The site name was just an example! The point is to choose a password that is easier to
remember and get in some way (using for example an encoding/hash function) a
longer random string.

~~~
pwg
What you use as an example input is not the point. Your entire scheme is
insecure. It is a fully deterministic scheme from input to output, and
reversible as well given your suggestion of base64/base128. Passwords should
be randomly generated strings of bytes with no deterministic aspect to them at
all.

Just use a password manager (i.e.,
[https://github.com/zdia/gorilla/wiki](https://github.com/zdia/gorilla/wiki))
where you can generate random, uncorrelated, unique passwords for each site.
Then, using the manager, you don't have to remember the individual unique
passwords, it performs that function (remembering) for you. All you need to
remember then is your master password to unlock the manager.

Once you've begun using a password manager, you'll quickly wonder why you
didn't start using it sooner.
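An added illustration of the point made in this thread (example code, not from any commenter): a small checker that tests whether a password is just a cheap deterministic transform of the site name, the kind of rule a dump-cracking tool would apply, next to the random generation a password manager does instead. The set of transforms and site-name variants is a constructed, deliberately short list.

```python
import base64
import hashlib
import secrets
import string


def candidate_derivations(site: str):
    """Yield the deterministic transforms of a site name that cost nothing to try.

    Constructed for this example; real cracking rule sets are far larger.
    """
    variants = {site, site.lower(), site.capitalize(), site.lower() + ".com"}
    for v in variants:
        raw = v.encode()
        # Encodings are reversible and always produce the same output.
        yield base64.b64encode(raw).decode()
        yield base64.urlsafe_b64encode(raw).decode().rstrip("=")
        # Unkeyed hashes are one-way but still deterministic from public input.
        for algo in ("md5", "sha1", "sha256"):
            yield hashlib.new(algo, raw).hexdigest()


def is_derived_from_site(site: str, password: str) -> bool:
    """True if the password equals any cheap transform of the site name."""
    return password in set(candidate_derivations(site))


def generate_password(length: int = 20) -> str:
    """Uniformly random password from the OS CSPRNG, as a manager generates."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    samples = (
        base64.b64encode(b"facebook").decode(),   # the scheme from the question
        hashlib.sha1(b"facebook").hexdigest(),    # the hashed variant
        generate_password(),                      # what a manager would store
    )
    for pw in samples:
        print(f"{pw!r:70} derived={is_derived_from_site('facebook', pw)}")
```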

