Manage Passwords for Multiple Accounts with Checksums

Last updated on May 27, 2018

It is often hard to manage different passwords across many accounts: complicated passwords, including handcrafted ones and those generated by a random password generator, are hard to memorize, but simple passwords are often not safe. A cloud password manager such as LastPass is not a safe option either: cloud password managers often suffer from various security issues. Besides that, it is not cool to expose your passwords to a cloud password manager company. With checksums, we can easily do the management ourselves while still maintaining “good” passwords.

Checksums are small-size strings which can be computed from other strings by specific checksum algorithms. With the most popular checksum algorithms, such as MD5 and SHA-1, the checksum usually looks very different from the original string, and changing even a single bit of the original string usually leads to a very different checksum. For example, the MD5 checksums of the two similar words “bird” and “birds” are completely different (you can use this website to compute the checksum of a string, or use the md5sum or sha1sum command line utility if you are on GNU/Linux or Mac OS X):

string    MD5 checksum
bird      87d28160e9215b17645c734ba7170ba1
birds     ea5f5a5293a7d404e091c04939ba2ad8

The basic strategy for managing passwords is to have the password for each account follow the “prefix+checksum” scheme. The prefix is the same across all accounts and is similar to a usual password, e.g., it can be one of your current passwords; this is the part you need to memorize. The checksum part is unique for each account: it can be part of the MD5/SHA-1/SHA-2 checksum of something related to the host, such as the domain of the website, or the name of the company which hosts the account, etc. In this way, only one global prefix needs to be memorized, which makes management easy, and the checksum part of each account is unique, which brings security. For example, as shown in the figure below, for your account at quitter.se, you can use the MD5 checksum of the string “quitter.se”, which is 00b34f415b15dbea2e9d0611d2cc90f8. Then, with a prefix such as my-password, following the “prefix+checksum” scheme, the password for quitter.se would be my-password00b34f415b15dbea2e9d0611d2cc90f8. If only part of the checksum is used, e.g., the first 10 characters of the checksum, then the password is my-password00b34f415b.

The “prefix+checksum” scheme.
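
The scheme above as a small generator, added here as an example and not code from the original post. The function names, the whitespace and lowercase normalisation of the site string, and the site example.org are assumptions made for illustration.

```python
import hashlib

# Checksum algorithms named in the article (sha256 stands in for SHA-2).
ALGORITHMS = ("md5", "sha1", "sha256")


def site_checksum(site, algorithm="md5", length=None):
    """Hex checksum of the site identifier, optionally cut to `length` chars."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    # Assumption: normalise the input so " Quitter.SE" and "quitter.se" give
    # the same password. A stray trailing newline (as produced by
    # `echo quitter.se | md5sum`) would otherwise change the whole checksum.
    normalised = site.strip().lower()
    if not normalised:
        raise ValueError("site identifier is empty")
    digest = hashlib.new(algorithm, normalised.encode("utf-8")).hexdigest()
    if length is None:
        return digest
    if not 1 <= length <= len(digest):
        raise ValueError(f"length must be between 1 and {len(digest)}")
    return digest[:length]


def make_password(prefix, site, algorithm="md5", length=None):
    """Build the password as prefix + checksum(site)."""
    if not prefix:
        raise ValueError("prefix must not be empty")
    return prefix + site_checksum(site, algorithm, length)


if __name__ == "__main__":
    prefix = "my-password"  # the article's example prefix, not a real secret
    for site in ("quitter.se", "example.org"):  # example.org is constructed
        # Full MD5 checksum, then the 10-character variant from the article.
        print(site, make_password(prefix, site))
        print(site, make_password(prefix, site, length=10))
    # The newline pitfall: hashing "quitter.se\n" gives an unrelated checksum.
    with_newline = hashlib.md5(b"quitter.se\n").hexdigest()
    print("newline changes checksum:", with_newline != site_checksum("quitter.se"))
```

Because the site string is public, anyone can recompute the checksum part; the secrecy of every password built this way rests on the prefix alone.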
