Tuesday, January 29, 2008

In today’s world, passwords are a necessity online, so anyone who goes online has to come up with one or more passwords they can recall on demand. The problem is that it’s hard to remember lots of passwords. To compensate, most people either create very short passwords, reuse the same password everywhere, or, in many cases, both.


The problem with this is that once a password is stolen, whoever stole it has access to every account where you’ve used it. So some people just come up with a bunch of different passwords. While that is a good idea, most people have trouble remembering a lot of passwords, so when they try this they end up with very, very short passwords, or they forget them. This just isn’t a good thing, since the most common ways of getting a password are brute forcing and social engineering. Brute forcing is the process of simply trying every possible password until the right one turns up. The easiest defence against it is to make passwords long. But this brings us back to the first point: a long password is very difficult to remember.


The solution that many have come up with for this is to create what are called passphrases. Instead of creating, say, ll23ji, the password will have some kind of meaning. Let’s say my favorite movie is 300. To create a passphrase, I would use a quote from the movie that I won’t easily forget. For example, I would use Th1s_i5_5p4r7a!1. Here I’ve replaced some of the i’s with 1’s, the s’s with 5’s, and the t with a 7, which is commonly referred to as 1337, or leet, speak. This is very effective, as I’ve created a 16 character alphanumeric passphrase that is easy to remember. To demonstrate: with the 6 character password I used earlier there are 9,474,296,896 possible combinations, still quite a number to try, but something a computer can do in a few hours. The 16 character passphrase, on the other hand, has 401,906,756,202,069,927,458,308,096, which takes an immensely longer amount of time to try. That is a practically impossible number of combinations, so the passphrase won’t be broken by brute force.


The problem with this is that if you know enough about me it wouldn’t be terribly difficult to guess that as a possible password, especially if you know that I love the movie 300. In addition, it would be fairly difficult to remember a large number of these quotes, so I will probably end up reusing them in a number of different places, opening up the possibility of losing all of my accounts if I lose one of them.


To solve all of this, you need to be able to create long, easily recallable passwords that are unique to every place you use them. This sounds like a very daunting problem, since so many people have trouble just remembering a few medium-length passwords. The solution that many security experts have suggested is creating a “personal algorithm” that produces a unique password for each website you visit. This, like creating individual passwords, seems extremely complicated and not worth the security. It really isn’t. Here’s a very simple setup that I came up with; it makes a fairly simple password that is relatively easy to re-create whenever needed. It is specifically for people who want to save their passwords on one computer, but be able to recreate them as needed. While it isn’t terribly difficult to generate the password, it does require some setup, specifically writing a little bit out. It’s not so bad, but it requires you to either carry around a sheet of paper with your matrix, save your passwords on your main computer (which requires a good storage method, with good encryption), or just get damn good at generating these things every time. With a little bit of practice it is very easy and quick to do, but it still takes a couple of minutes to generate the character matrix, and then about another minute to generate the password.


So, are you interested in becoming a walking cryptographic algorithm? Here’s a fairly simple way to generate the matrix and come up with your own algorithm.






Step 1.


Find your username and the website. The entire point of your matrix is to create a unique password based on the website you are visiting, so you need to base the matrix at least partly on the website. It’s a bad idea to use just the name of the website, since then you only have a couple of possible characters to try, making it far, far easier to break your password. Since the entire point of this is to make cryptographically secure passwords, you need some kind of salt to go with it. A salt is a string that will always be the same, so it makes the password longer, and since the salt is known only to you, it’s the same as if you had a really long password.


Example:

Website: Google.com
Username: Skolor
Salt: !@#$%^&*() (all the shift+number buttons, in order). Feel free to


Step 2.


Now that you know what you’re going to be using to create the data in the matrix, you’ve actually got to create your matrix. First off, you need to come up with some way of placing all the characters from that data into your matrix. So let’s set up something very simple. For this, we’re going to input the data in a simple way: there are 10 characters in google.com, so we’re going to put one character in every 10th cell, looping around. Let’s look at what our matrix needs to be. To create our matrix, we’re going to make it a 4xX matrix (4 cells across, X rows down), where X is a number based on the total size of the keyspace (all the stuff you found in step 1). There are 10 characters in Google.com and 6 characters in my username (skolor). With 16 characters in the namespace, let’s include the first 4 of the salt, so we’ve got an extra row. This makes a 4x5 matrix:

[ ][ ][ ][ ]
[ ][ ][ ][ ]
[ ][ ][ ][ ]
[ ][ ][ ][ ]
[ ][ ][ ][ ]

We now need to put our data into this matrix. Since we’ve decided we’re going to put it in based on how many characters there are in the website name, we start putting characters in like this:

[G][ ][ ][ ]
[ ][ ][ ][ ]
[ ][ ][ ][ ]
[ ][ ][ ][ ]
[ ][ ][ ][ ]

Then, we put the next character in 10 cells away:

[G][ ][ ][ ]
[ ][ ][ ][ ]
[ ][ ][o][ ]
[ ][ ][ ][ ]
[ ][ ][ ][ ]


What we did was count through all the cells horizontally, looping around when we hit the end. Let’s put the next character in. Well, there’s a problem: counting another 10 cells lands us in the same box as the G. In this case, let’s put it into the next cell to the right. This makes:

[G][o][ ][ ]
[ ][ ][ ][ ]
[ ][ ][o][ ]
[ ][ ][ ][ ]
[ ][ ][ ][ ]

If you keep doing this, you’ll notice a simple pattern; it repeats nicely, so generating the matrix becomes fairly fast. We’ll put in the website first, then my username, and then fill in with salt until the table is full. Here’s the final result:

[G][o][l][.]
[o][s][o][o]
[!][#][o][g]
[e][c][m][k]
[l][r][@][$]

This is a very simple cipher, and yet it creates a fairly incomprehensible matrix, ready to generate a password for you.






Step 3.


Now we need to come up with the password itself. Staying simple, we’re going to generate our password by reading the matrix vertically, down each column, and choosing every 6th character, because there are 6 characters in my username. Since that makes a very short password, we’re also going to do a second pass horizontally, starting at the bottom right and heading to the top left. This generates:

[G][o][l][.]
[o][s][o][o]
[!][#][o][g]
[e][c][m][k]
[l][r][@][$]

Oogm!l


Only 6 characters. Let’s extend it some more, and we’ll do diagonal passes too. We’ll start with G, go through the oo, then !sl, and so on. This gives us:


Oogm!llc@


Only
9 characters, but that’s a password no one is ever going to
guess, and it will take quite a while to brute force it.
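Steps 2 and 3 carried out in Python, as an added example that is not the post’s own code: the fill rule and the vertical, horizontal and diagonal passes, run on the post’s example inputs. It assumes the grid is 4 cells across and 5 rows down, that the username is lowercase as it appears in the matrix, and that each diagonal is read from its bottom-left cell up to its top-right cell; with those assumptions it reproduces the matrix and the result above, apart from the upper-case O at the front of the post’s password.

```python
COLS, ROWS = 4, 5                 # 4 cells across, 5 rows down (the post's 4x5)

def fill_matrix(website, username, salt, cols=COLS, rows=ROWS):
    """Step 2: place website+username+salt one character at a time, moving
    len(website) cells along (counting across the rows and wrapping) for each
    character and sliding one cell to the right when the cell is taken."""
    data = (website + username + salt)[: cols * rows]   # one character per cell
    cells = [None] * (cols * rows)
    step = len(website)                                  # 10 for Google.com
    pos = 0
    for ch in data:
        while cells[pos] is not None:                    # collision: next cell right
            pos = (pos + 1) % len(cells)
        cells[pos] = ch
        pos = (pos + step) % len(cells)
    return [cells[r * cols:(r + 1) * cols] for r in range(rows)]

def every_nth(order, n):
    """Keep the n-th, 2n-th, ... character of a reading order."""
    return "".join(order[n - 1::n])

def vertical_pass(grid, n):
    """Read down each column, left to right, keeping every n-th character."""
    order = [grid[r][c] for c in range(len(grid[0])) for r in range(len(grid))]
    return every_nth(order, n)

def horizontal_pass(grid, n):
    """Read row by row from the bottom-right cell back to the top-left."""
    return every_nth([ch for row in reversed(grid) for ch in reversed(row)], n)

def diagonal_pass(grid, n):
    """Read each anti-diagonal from its bottom-left cell to its top-right cell
    (G, oo, !sl, ... in the post), then keep every n-th character."""
    rows, cols = len(grid), len(grid[0])
    order = []
    for d in range(rows + cols - 1):                     # d = row + column index
        for r in range(rows - 1, -1, -1):
            if 0 <= d - r < cols:
                order.append(grid[r][d - r])
    return every_nth(order, n)

def derive_password(website, username, salt):
    """Step 3: three passes, each keeping every len(username)-th character."""
    grid = fill_matrix(website, username, salt)
    n = len(username)                                    # 6 for skolor
    return vertical_pass(grid, n) + horizontal_pass(grid, n) + diagonal_pass(grid, n)
```

`fill_matrix("Google.com", "skolor", "!@#$")` returns the five rows of the matrix above, and `derive_password` with the same inputs gives oogm!llc@.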














Step 4.


Make this your own. Come up with your own processes. Don’t just use raw numbers from the website/username; maybe you subtract 2 from both. Maybe the username is used to generate your matrix and the website to select characters. Combine both together to make a number for either portion. Play with looping and orders. Make this your own, so that you create something unique that no one will guess.


Other possibilities to consider:


Make a 6x6 matrix of the alphabet plus numbers. Just create an algorithm based on the website that pulls the password out of that. An example would be stepping down half the number of characters in the web address, starting with the third letter of the address.


Randomize a 6x6 matrix of the alphabet plus numbers and carry it around with you, doing the same as in the other examples.


Create complex salts. My salt is my old password, plus 5-10 special characters.


Make your selection complex; it doesn’t just have to be linear. Maybe you move 1 cell down, and then move x to the right, where x is the number of characters in the web address divided by 4, rounded up.