Password Branching creates multiple passwords from a single seed password. This technique is useful in situations where you must remember many passwords, such as logins to multiple Web sites. Say, for example, you regularly purchase songs from the iTunes Music Store, and you also have an online email account with Yahoo. It would be unwise to make both passwords the same, because a security incident at one vendor would expose your personal information at both vendors. The average person has to remember passwords to dozens of e-commerce and other sites, as well as passwords at work and sometimes for home computers. That same average person has a short-term memory that can recall only nine passwords, and then only if they are simple. Simple passwords that are easy to recall are often just as simple to guess or crack.
There are many solutions to this common problem of having to remember so many passwords. Many IT organizations deploy a Single Sign On (SSO) system, whereby the user only has to log in to one system, and all other systems coordinate to verify that login. Another solution is a Public Key Infrastructure (PKI) that issues each user a "certificate." The certificate is usually stored on a smart card or as an encrypted file, and any system can verify your identity with a third party using the certificate you send it.
But what about systems that are (supposed to be) disparate, and systems that do not support PKI for reasons of cost and complexity? That is where a system like Password Branching can help. The idea is simple: you choose a seed password as the base for all your passwords. It should be difficult to guess (I provide a basic strength assessment form), and it is the only password you need to remember. For each site or service you use a name. For example, for the music store you could use "Music," and for your online email account you could use "proton.me," or you can use whatever the bookmark in your Web browser is, such as "http://www.audible.com" or "http://www.amazon.com." The name should be so obvious that you do not have to remember it. As long as each place you need a password for has a different name, it is nearly guaranteed that each name will get a unique password. Entering the seed password and the name on the form I have provided runs what is called a "biomorphic algorithm" (simpler than its name implies) and generates a password for you.
The first question on your mind after using the branching password generator is likely to be "why is the user interface so freaky?" Well, it's boring, first of all, so that it may be easily saved to a local file. The cutting and pasting of the seemingly invisible password is to keep the person looking over your shoulder from easily seeing the result for any significant period of time. And the reason the seed password is cleared after a period of inactivity is to keep users from accidentally walking away from the form while their seed password is still entered. I think the interface is a bit awkward as well, and I welcome comments on making it better.
As for the underlying algorithm, it is essentially a pseudo-random number generator. The algorithm is one of many biomorphic algorithms of my own design. Biomorphic algorithms are simple algorithms that are chaotic (a small change in initial conditions yields a large change in the result) and that feed back upon themselves. Pure biomorphic algorithms usually incorporate something about the system's initial state to create diversity among multiple systems, so that attacks on one system do not necessarily work on other, seemingly identical systems. The entropy for the algorithm in this case comes from the seed password's characters multiplied by their positions. Admittedly, that's not a lot to work with, and in fact the resulting passwords may have less entropy than the seed. A good seed, however, should still provide enough to make the resulting passwords almost as difficult to guess as the seed. The proof is left to the interested reader.
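As an added example (not the author's biomorphic algorithm and not code from this site), here is the same seed-plus-name branching scheme built on a standard key-derivation function, PBKDF2-HMAC-SHA256, with the seed as the password and the site name as the salt; the function names, the 16-character output length and the iteration count are assumptions. The `differing_positions` check illustrates the chaotic property described above: changing one letter of the name changes nearly every character of the result.

```python
import hashlib
import string

# 64 symbols so that `byte % 64` maps evenly (256 = 4 * 64): no modulo bias.
ALPHABET = string.ascii_letters + string.digits + "-_"


def branch_password(seed: str, name: str, length: int = 16,
                    iterations: int = 200_000) -> str:
    """Derive one site password from the seed password and the site's name.

    Swapped-in construction (assumption, not the page's algorithm): PBKDF2 with
    the seed as the password and the site name as the salt. Same seed + same
    name always yields the same password; a different name yields an unrelated
    one. The iteration count makes brute-forcing the seed from a leaked site
    password slower.
    """
    if not seed or not name:
        raise ValueError("seed and name must be non-empty")
    raw = hashlib.pbkdf2_hmac("sha256", seed.encode("utf-8"),
                              name.encode("utf-8"), iterations, dklen=length)
    return "".join(ALPHABET[b % 64] for b in raw)


def differing_positions(a: str, b: str) -> int:
    """Count positions where two equal-length passwords differ (avalanche check)."""
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    seed = "correct-horse-battery-staple"  # constructed sample seed, not a real one
    for name in ("Music", "Musid", "http://www.amazon.com"):
        print(f"{name:>24}: {branch_password(seed, name)}")
    music, musid = branch_password(seed, "Music"), branch_password(seed, "Musid")
    print("positions differing between 'Music' and 'Musid':",
          differing_positions(music, musid), "of", len(music))
```

Derived passwords can never carry more entropy than the seed, but with a KDF of this kind a leaked site password gives nothing about the seed short of a brute-force search over it, and nothing about any other site's password.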