Passwords: One Ring to Rule Them All

Have you ever heard of ‘Identity Theft’? (No? Where have you been the last few years – playing Evercrack or something?)
 
Using one password for everything is definitely a Bad Idea. So is writing that one password down on a post-it note and sticking that to your computer. If you want to see a security expert start ranting and tearing his hair out, write “ksH3wN$7Jjs6” on a post-it note and stick it on your computer in a prominent position. Then invite your local security expert over to your cube for a chat, sit back and wait for the fireworks 🙂
 
The alternative to the single password isn’t a particularly great idea either: maintaining a list of passwords isn’t a lot of fun (nor is it very much more secure than using a single password). The fun really starts when you lose the list…
 
All the security advice tips I’ve ever read say: “use strong passwords, a different one for each service you need to password-protect – and don’t write them down!” But when I look for advice on how to manage all those passwords: nothing. Nada. Zip. Zilch.
 
What’s needed is a means of creating a strong password that you won’t forget, and which adapts itself to the service it provides access to, in a way that is easy to remember.
 
Here’s my solution to this conundrum.
 
Step 1: generate a strong password.
 
Step 2: learn that password. But, if you’re having trouble learning it – don’t panic: write it down on a post-it note and stick it on your computer.
 
Wait, what? Didn’t we just say that using a single password was a Bad Idea? With both the Capital-B AND the Capital-I? And didn’t we say that the post-it note would cause security experts to lose hair?
 
Hold your horses, we’re not quite done yet.
 
Step 3: Mix up ‘123’, once. It doesn’t matter how you mix it up. It doesn’t really even matter if you end up with a result that’s ‘123’, either. You might get ‘312’, or ‘132’, or ‘231’. Doesn’t matter. What DOES matter is that once you’ve got a result, you fix that result in your memory. Make sure you won’t forget it, ever.
 
What was that? You’ve got the kind of brain that has trouble remembering a 4-digit PIN? Butbutbut… this is only three digits we’re talking about here, not four… ah, what the heck, write it down on your post-it note too.
 
Now we come to the canny bit. (Well, I think it’s canny, anyway.)
 
Step 4: when you need a new password, take the first three letters from the service you need the password for, rearrange them according to your ‘mixed-up 123’, and then use those three letters in front of your committed-to-memory-never-to-be-forgotten password (the one that’s on your post-it note).
 
Et voila, new password, complete with built-in unforgettability and extra security. Because even if someone does read your post-it note – that ISN’T the password.
 
Example Time
 
Your post-it note reads: gOOD-pASSWORD!1 312
 
You want a password for your hotmail account. So, first you take a look at ‘312’.
 
The ‘312’ means ‘take the 3rd letter, then the 1st letter, then the 2nd letter of ‘hotmail’. Result: ‘tho’. Put this in front of your strong password ‘gOOD-pASSWORD!1’, to make ‘thogOOD-pASSWORD!1’. Easy 🙂
 
hotmail: thogOOD-pASSWORD!1
egg: geggOOD-pASSWORD!1
eBay: aeBgOOD-pASSWORD!1
slashdot: aslgOOD-pASSWORD!1
 
Should I? Ah, I suppose I’d better say it. The one thing you DON’T want to do is to make a list like this on your post-it note. Definite no-no territory, that would take you straight back to square one. Do not pass ‘go’, do not collect £200 (in fact give £200 to someone else).
 
But do it in your head and you’re fine.
 
Oh, and the sooner you can commit your strong password and your ‘mixed-up 123’ to memory and throw away your post-it note, the better. Because if someone should twig that you’re using this system to generate your passwords, you’re back at that good ol’ square one again.
 
Now then, where was I? Oh yes… although you could use ‘gOOD-pASSWORD!1’ as your strong password, making up your own is obviously far better. Something like ‘ksH3wN$7Jjs6’, for instance.
 
Example Time Again
 
Your post-it note reads: ksH3wN$7Jjs6 312
 
You want a password for your hotmail account. So, first you take a look at ‘312’. This says to you ‘take the third letter, then the first letter, then the second letter of ‘hotmail’. Result: ‘tho’. Put this in front of your strong password ‘ksH3wN$7Jjs6’, to make ‘thoksH3wN$7Jjs6’.
 
hotmail: thoksH3wN$7Jjs6
egg: gegksH3wN$7Jjs6
eBay: aeBksH3wN$7Jjs6
slashdot: aslksH3wN$7Jjs6
 
Even if your ‘strong password’ is something obscure (like “ksH3wN$7Jjs6”), I guarantee that you’ll soon be able to remember it without difficulty. Before long, you’ll have entered it so many times it will be impossible for you to forget it. The human brain’s a clever thing. Much smarter than these new-fangled computer thingies. Really.
 
And when that day does come, you can throw your post-it note away; and the next time your security expert drops in for a chat, he won’t lose any more hair.
 
Well, OK, I grant you that it’s entirely possible that he’ll already be bald by then.

Postscript
 
Why three characters for the ‘mixup’ part? Well, my original version of this technique simply took the first four characters (not three) of the service name and put them in front of the ‘strong password’. But when I tried it out I found that eBay considers that any password (no matter how long it is!) beginning with ‘ebay’ is ‘invalid’, and wouldn’t let me use it. You could just use the first character of the service name if you want, and forget about the ‘mixup’ step altogether – especially if you can remember the ‘strong password’ part from the word ‘go’. If you feel the need to write down your password somewhere, using the ‘mixup’ makes it harder for someone to figure out what you’re up to.
 
As for putting the ‘service name’ part of the final password before the ‘strong password’ part, I have a good reason for suggesting this. It is possible for someone who is able to look over your shoulder on a regular basis to – eventually – steal your password. How? Pretty simple really. If I can see that you’re about to enter a password (pretty obvious on some systems), I can watch for your first keypress. Just the first one. Next time I see you entering a password, if I see you hit the same key again – I try to see what the next one you hit is… and so on. The technique I’ve outlined above means that the ‘final password’ starts with different keys each time – so this foils any such snooping.
 
One final note. No security system is totally foolproof, no matter what the marketing blurb may say. If you’re the kind that talks in your sleep or has a tendency to get involved with suspicious ladies of the night armed with hypodermic syringes – all bets are off. In theory at least, if everyone started to use a technique such as this (or a similar one), then those who would crack on-line passwords might, given time, be able to farm enough passwords from enough sites to do a comparison that would spot the technique.
 
Password-protection systems are inherently clunky, and (let’s face it) insecure: I don’t think that it will be too long before a better system comes along. Now, if only I could be the one to design it… hmm….
 
[update: see https://pendantry.wordpress.com/2007/04/19/passwords-two-rings-to-rule-them-all-d/ for a minor addition to the ‘One Ring’.]

About pendantry

Phlyarologist (part-time) and pendant. Campaigner for action against anthropogenic global warming (AGW) and injustice in all its forms. Humanist, atheist, notoftenpist. Wannabe poet, writer and astronaut.
This entry was posted in Computers and Internet.

11 Responses to Passwords: One Ring to Rule Them All

  1. Pingback: Passwords: storing passwords | Wibble

  2. jjoelc says:

    This is very similar to the system I use… I start with a simple to remember phrase. For example “This is my example password for Pedantry”. Then make an acronym out of it… “timepw4p”… At this point, I think the pattern should be obvious… This is my example password for google = timepw4g… this is my example password for yahoo = timepw4y and so on. Some easy ways to mix it up a little are using more than one character of the site you are logging into (goo for google, for example), “H@x0r!z!nG” the acronym (T!m3pW4go0 instead of timepw4goo)… The idea is always the same: It is a pattern that is easy for YOU to remember, it is different for each website you need a password for, and it is not likely to be part of any dictionary based attacks…

    • pendantry says:

      Yes, I realised from reading Troy Hunt’s blog and FilterJoe’s Guide to Using Passwords Without Distraction a few months back that what I had thought was a clever, unique idea had been independently thought-up by a number of other people. I ain’t as smart as I like to think I am 😉 Spookily, one of them (PasswordMaker) even used the same theme as me: ‘one password to rule them all’. Once it’s time to railroad, you lay track, build trains and dream about being an engine driver when you grow up.

      I like your algorithm — far superior to mine, mainly because it’s easier to explain!

  3. pvz says:

    This is not a very secure system, because it fails one of the major criteria for a secure system – the system must remain secure against attack even if the algorithm used to secure the system is publicly known. In your case we can assume that it is publicly known, because you published it on your website.

    Let’s say you have an account on a website which stores websites in plaintext (an inadvisable, but fairly widespread practice). Let’s call this imaginary website “Hawker”. And that an attacker finds your username and your plaintext password as awhcrEcha5eFeWR.

    Well then. The attacker would scan the password database after strong-looking passwords that happen to begin with a jumble of the letters “Haw” in Hawker. Your “awh” would stick out as a sore thumb. Your attacker would know that you use 231 as your mixup, and crEcha5eFeWR as your “strong password suffix”.

    It would then be a simple matter of figuring out that your Twitter password is witcrEcha5eFeWR.

    Using a password manager (I prefer KeePass myself) is a far better choice, since a computer is a lot better at generating and storing random passwords than a piece of paper or your brain will ever be. Assuming of course you can commit to memory one strong master password.

    • pendantry says:

      Oh, don’t get me wrong, I agree with you.

      I’ve switched over to using a password manager myself (complete with strong master password which is a PITA to enter each time but them’s the breaks). When I thought up this wizard wheeze in 2007, the concept of online banking was little more than a wet dream in some bwanker’s imagination. Usability, portability, ease of implementation and access (all of which are features of the ‘One Ring’) trumped security. Then.

      Today, I consider:
      1) the relatively recent spate of break-ins and theft of private data from numerous high-profile sites that one would have thought should have had both the clout and the nous to protect themselves better;
      2) the excellent arguments given by people like FilterJoe and Troy Hunt;
      3) the increasing suspicion that if organised crime doesn’t already run the banking system (let’s face it, even if that’s not the case the ones who determine money supply in such a way as to deliver themselves huge profits at no risk because their systems are too big to fail — can you say ‘credit crunch’ and ‘massive taxpayer bailout’ and ‘almost immediate resumption of old bad practices’ — are not really the kind of people I would consider possessing high moral fibre) then it might well do soon.

      1+2+3 together said to me that a little more effort for more security is a good investment. But, having said that, I do still maintain that if anyone is still using the same password for all their online activity* then, unless they’re adept software users, the ‘one ring’ offers a massive step change in security without overly restricting ease of use.

      *Not a big if, at all. There must be hundreds of thousands of such people. Possibly millions.

      • pvz says:

        > I’ve switched over to using a password manager myself

        Glad to hear you’ve come to your senses. 🙂

        > When I thought up this wizard wheeze in 2007, the concept
        > of online banking was little more than a wet dream in some
        > bwanker’s imagination.

        Interesting, what country do you live in? Because, speaking for myself, I’ve had an online bank account since around 2002 or so. That also happens to be when I moved out and started paying my own bills.

        > I do still maintain that if anyone is still using the same password
        > for all their online activity* then, unless they’re adept software users,
        > the ‘one ring’ offers a massive step change in security without overly
        > restricting ease of use.

        I’m sorry, I can’t agree. It might be true now, when most people just use the same password on each site. But *if* your method ends up becoming widespread, you can bet the bad guys will write a program in about 10 minutes that ends up scanning passwords for substrings of site names inside passwords (and no, substituting similar-looking symbols and digits for numbers won’t make a weak password any stronger, this is a well known trick and is part of any modern dictionary-based cracker) and attempting to predict what passwords to use on other sites.

        In that case of your algorithm, as stated, adding that particular variation just means trying one more password for every account that does happen to match that pattern. It’s not a big burden on anyone wanting to take over accounts.

        In other words, this method only “kinda” works if you keep it to yourself and don’t tell anyone else about it. But that cat has been out of the bag for years now.

      • pvz says:

        One more point I was going to make, but I forgot to make in my other post:

        Your blog post is written as if this is actually a viable way to secure your accounts. If this encourages people to use a simple system like you use rather than a password manager, this could mean that you’re promoting an idea that is actually harmful to security, by instilling a sense of false security.

        I suggest you put a note at the top of your post saying this post is for historical purposes or whatever and that if you no longer advocate this method, you say so.

        • pendantry says:

          Such a note as you suggest is not needed: this is a viable alternative. Each user’s needs depend entirely upon the individual’s habits and requirements — though I grant you that in most instances the user is not qualified to make the decision on which solution is appropriate, due to lack of knowledge and understanding of the field. It’s a perfectly adequate solution, for instance, for a casual ‘Net user who is careful about how much personal information is exposed, as it has numerous usability advantages over more complex solutions.

          I have not so much ‘come to my senses’ as you put it as reevaluated my own needs and decided that my needs warrant the extra hassle (and it is a lot of hassle, compared with the simplicity of the ‘one ring’) of a password safe.

          Your argument that at some point some crooks will reengineer their hacking methods to incorporate all their new knowledge about the various means people use to obfuscate matters is entirely valid; however, it applies just as much to stronger solutions such as password safes. As time goes on, even these will yield to more sophisticated attacks powered by quantum computing, or the generation after that (which will probably come a smidgeon in time before the Singularity). Anyone who tries to tell you otherwise is selling snake oil. All this does is underscore the fact that using passwords is an entirely inappropriate solution to the problem of securing access to a computer system. Always has been, always will be. Something better was always required, and will before too long become essential. To quote myself: “the security paradigm itself is fatally flawed by the unreasonable expectation that every computer user will make the effort to become knowledgeable in the field.”

  4. Pingback: Passwords – how secure is my password? | Wibble

  5. With newer technologies (like LastPass), it is actually easier to manage many passwords (as long as you are talking web 2.0 tech.)
