Using The Double Blind Password Security Method

March 2020, by Craig Tamlin

Passwords are the bane of our lives. The average user is said to have over 30 passwords, and information or knowledge workers can have over 150, or even up to 300, unique logins and passwords for all the systems that run their lives at home and at work.

We are so often told of the best password practices, such as:

  1. Don't use the same passwords on multiple accounts
  2. Change passwords regularly
  3. Make passwords long, complex and hard to guess or hack

Yep, got all that, but where does that leave the poor user who cannot remember any passwords once a litany of rules applies?

Yes, we want the best security practice, but ouch, passwords are such a pain.

Well, the answer is here. Along with a browser-based password manager, such as the one built into Chrome, you can have an ideal experience that approximates best possible practice for password management - for free.

While dedicated password managers take the automation and flexibility up a notch, with the right practices there is no need to buy a password manager application. Relying solely on a password manager isn't foolproof either: password manager vendors have been hacked over recent years just like other companies.

Google's Chrome browser provides all you need, supplemented with some extra ingenuity to enhance even the best that Google has to offer!

We all know that, in a busy life with so many logins (banking, TripAdvisor, email accounts, school portals, and for many of us the business applications and portals we must manage), if we were really serious we would never have a chance to remember all our passwords.

So we then write them down.

And if we are not careful, wherever they are stored, whether in an Office document or in a password manager, there is the risk they can be used by anyone who hacks into our system.

Most web sites are designed so that the password field is not autocompleted, but password managers "helpfully" autocomplete it anyway in an effort to make our lives easier. And this is an open door for a hacker.

So here is the answer: The Double Blind Password Management System

This is a scheme in which no single, complete copy of the password is kept anywhere. It comprises two parts:

  1. Chrome's built-in password manager suggests and stores a strong 15-character password.
  2. You then supplement it with a suffix that strengthens it and adds site-specific information, known only to you, to further obfuscate the password.

Should anyone somehow gain access to your system, they will not be able to simply use your bookmarks and autocomplete to get into the systems of your life as stored in the password manager. Each time you log in, you manually add the suffix known only to you.

What Suffix?

I would suggest no more than 4-6 characters, following some kind of system that only you know. For example, it could be:

  1. A digit, 2 characters that represent the site or page you are on, then a symbol
  2. The first 3 characters of the site URL, then a symbol and a digit
  3. A symbol followed by some 4-character code that represents the web site
  4. Etc

You get to decide what the suffix should be; never write it down and do not tell anyone.
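To make the split concrete, here is an added illustration that is not part of the original post: a Python model in which the browser-stored 15-character part and the memorised suffix (scheme 2 above: first three letters of the site's host name, then a symbol and a digit) only form a working credential when combined. The retailer URL, the symbol `#` and the digit `7` are this example's assumed choices, and the relying site is modelled with a plain salted PBKDF2 check.

```python
"""Model of the 'double blind' password split: the browser stores a random
15-character part, the user appends a memorised site-specific suffix, and
only the concatenation is the real credential (constructed example)."""
import hashlib
import hmac
import os
import secrets
import string
from urllib.parse import urlparse

ALPHABET = string.ascii_letters + string.digits
# Personal choices assumed for this example (the real ones are memorised, never written down).
MY_SYMBOL, MY_DIGIT = "#", "7"


def stored_part(length: int = 15) -> str:
    """Stand-in for the 15-character password the browser suggests and stores."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def site_suffix(url: str, symbol: str = MY_SYMBOL, digit: str = MY_DIGIT) -> str:
    """Suffix scheme 2 from the article: first 3 characters of the site's host
    name (ignoring a leading 'www.'), then a symbol and a digit."""
    host = (urlparse(url).hostname or "").lower()
    host = host[4:] if host.startswith("www.") else host
    return host[:3] + symbol + digit


def full_password(stored: str, url: str) -> str:
    """The credential the site actually sees; it is never stored anywhere whole."""
    return stored + site_suffix(url)


# The relying site keeps only a salted, stretched hash of whatever was typed.
def enroll(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


def suffix_guesses_if_scheme_known() -> int:
    """Caveat: if someone learns the scheme, only the symbol and digit stay secret."""
    return len(string.punctuation) * 10


if __name__ == "__main__":
    url = "https://www.danmurphys.com.au/login"  # assumed URL for the worked example
    stored = stored_part()
    salt, digest = enroll(full_password(stored, url))
    print("manager's copy alone logs in:", verify(stored, salt, digest))  # False
    print("with the memorised suffix:", verify(full_password(stored, url), salt, digest))  # True
    print("suffix guesses if scheme known:", suffix_guesses_if_scheme_known())  # 320
```

The last figure is the practical caveat: the stored part carries the bulk of the strength, and the suffix protects you only as long as both it and the rule that produces it stay unknown.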

Here's a Worked Example

Let's say you wish to apply this to your login for an online retailer. For this example we are going to choose the Australian liquor retailer Dan Murphy's. Let's look at how you might register for the first time.

After adding your details, right-click in the password field. The pop-up menu will give you an option to suggest a password:

The pop-up now shows a password that Google has chosen for your site. Google's passwords are completely unique.

Next, click the password, and this is added to the registration page:

Click into the password field and append your special suffix.

If Google tries to get helpful and asks to remember this longer edited password, of course do not take this option.

Logging on

When it comes time to log on to the portal later, Google does its magic and autocompletes your user name and 15-character password. You simply supplement this with your personal suffix, which is not stored anywhere and which only you know.

Again, if Google tries to get helpful and asks to remember this longer edited password, do not take this option.

If the site, Google or you mess things up, you can use the Google Password Manager to edit the passwords under its control.

And because Google remembers and syncs all of your saved passwords, if you are out and about and need to log in to your Dan Murphy's account, you follow the same login process as for the desktop site:

And if you don't use Google, you can take this concept and adapt it to your preferred technology set. Maybe that's when you need to purchase a password management system.