The Usage Of Complex Algorithms For Password Generation
Posted by Shawn Boles in Development, Tips and Tricks
Passwords are difficult. On the one hand, you want to create a password that is uncrackable by anyone, be they teenage hackers or CSI experts with magical hacking tools. On the other hand, the password has to be rememberable by you yourself, lest only teenage hackers and CSI experts with magical hacking tools are able to access your data.
So, how do you make passwords?
One of the more secure ways is to use a random letter generator, like random.org, to build random strings, pick one, and memorize it. It’s pretty secure (random.org uses real random noise to produce its random numbers), and with seven random alphanumeric characters, the password search space is about 2.2 trillion combinations! But are you really going to remember “QRSr0Fu” or “W96TUON” two weeks from now? (My generated set had “myELlRK”, which I might be able to remember…) If you type your password every hour or so, you might remember it by muscle memory pretty quickly. Just in time to have to change it, I bet.
Another way is to take a word or phrase, turn some letters into |33+sp34k, and you get something more random, but much more rememberable. So, for example, “minivan” becomes “m1n1v4n!” and “washington” becomes “w4sh1ngt0n!?!” These are actually quite rememberable; the use of non-standard characters disallows the use of rainbow tables and dictionary attacks, so they’re much less susceptible to cracking. However, what happens when you forget the “!”, or that “Washington” gets “?!?”, or that you did NOT turn “t” into “+”? You could end up going through a few cycles trying to “guess” your own password. Again, if you use it all the time, you’ll learn it by muscle memory. And this lets you come up with some cool passwords, like “c4p+41nK1rk”. How can you beat that?
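As an added example (my own code, not the author’s), here are the two schemes above as functions: the random alphanumeric string (using the OS CSPRNG in place of random.org) and the letter substitutions read off the post’s examples, plus a rough estimate of the search space an attacker who already knows the substitution scheme faces. The dictionary size and suffix count in the estimate are assumptions supplied by the caller.

```python
import math
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits

# Substitutions read off the post's examples: m1n1v4n!, w4sh1ngt0n!?!, c4p+41nK1rk.
# "t" -> "+" is optional because the post swaps it in "captain" but not in "washington".
LEET_MAP = {"a": "4", "e": "3", "i": "1", "o": "0"}
T_TO_PLUS = {"t": "+"}


def random_alphanumeric(length=7):
    """Random alphanumeric string from the OS CSPRNG (a local stand-in for random.org)."""
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


def leetspeak(word, suffix="!", swap_t=False):
    """Apply the post's letter swaps to a word and append a punctuation suffix."""
    table = {**LEET_MAP, **T_TO_PLUS} if swap_t else LEET_MAP
    return "".join(table.get(ch, ch) for ch in word) + suffix


def random_string_bits(alphabet_size, length):
    """log2 of the number of equally likely strings of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def leet_word_bits(word, dictionary_size, suffix_choices=1):
    """Bits an attacker who knows the scheme must search: the base word is one of
    dictionary_size words, each swappable letter is swapped or not, and the suffix is
    one of suffix_choices strings (both counts are assumptions the caller supplies)."""
    swappable = sum(1 for ch in word.lower() if ch in LEET_MAP or ch in T_TO_PLUS)
    return math.log2(dictionary_size) + swappable + math.log2(suffix_choices)


if __name__ == "__main__":
    print(random_alphanumeric(), round(random_string_bits(62, 7), 1), "bits")
    # Constructed comparison: a 100,000-word dictionary and four candidate suffixes.
    print(leetspeak("minivan"), round(leet_word_bits("minivan", 100_000, 4), 1), "bits")
```

The comparison makes the post’s trade-off concrete: the seven random characters sit near 42 bits, while a substituted dictionary word is bounded by the dictionary plus one bit per swappable letter.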
My favorite way, however, lets you write your password down in plain sight. I tend to cycle through passwords, and if you’re anything like me you have two online banking passwords, four credit card or loan company passwords, a work domain password, 6 email passwords, a home login password, etc, etc, etc. If you take the easy way out and use the same password everywhere, you end up making kittens and security experts cry. If, however, you have a completely separate randomized combination for each account, your brain will get stuck in an infinite loop. Using this method, you get to write down your passwords and tack them to the wall. Or put ‘em on a sticky note. In plain sight. Email them to yourself without a care. It uses a special type of encryption to keep your password safe. Not AES or DES or TEA or other TLAs. I call this “Hippocampy Encryption” (named in honor of the part of the brain that does memory-type activities).
The key is to write down a set of clues that will tell you (but only you) what your password is. You can add symbols to help you remember what kind of encoding to use for your password. Here’s a password I just made up right now as an example:
Shawn's rival ^
shout your home team
Because everything on this note is simply a hint for your specific brain to recall a password, it’s specific to you. Hints don’t even have to have anything to do with the subject. The hint “Red October” could tell you the word “fortworth”, whereas for me, I’d be trying “R4M1US”, “M1SSL3S”, “jackryan”, “TomClancy”, etc. You can string three or four hints together for a password. Note that these create long passwords, and your coworkers may start to believe that you have a superhuman capacity for memorizing long strings of randomized data. Do not do anything to dissuade them from this belief. And, because the hints point to common words and numbers already lodged in your grey matter, you may be surprised just how fast you type in that 20-character-long password. Compared to my speed on 7-character random strings, it’s blazing.
And due to the pattern-matching ability of your brain, remembering the passwords is easy. Let’s say you’ve written your clue on the back of one of your business cards, so you have it handy if you need it. After a few days, just SEEING a business card will bring your new password to the front of your mind. After a while, you’ll stop needing your hint sheet, as you’ll just remember the password. And when it comes time to change your password, shred your card and your post-it, post a new one (in a different color if you can; it helps the brain), and give yourself a few days. Unlike scrawling your random digits on a paper or card, even if somebody stole your “Hippocampically Encoded” card, they would have to REALLY know you (or be a really good guesser) to get the password. Even with your card, you’ve reduced them to brute searching. And if your card/note turns up missing, it takes about 30 seconds to whip up a new hint sheet. Not only is your attacker brute-forcing your hint sheet, but it’s the wrong hint sheet anyway!
So… have you guessed my password above? It’s GARYkemp!1071Max. ‘Course, you’d only know that if you knew that I played Pokemon and left my rival’s name at default, that I decided that “^” meant “Make it all uppercase”, that my home team is the Kemp High School (and that I was talking high school football), that by “Shout” I meant “give it an exclamation point”, but that the whole word should be lower case (because the hint is), that Esirpretne is “Enterprise” backwards, and that I meant to make the serial numbers backwards (but not the NCC part), and that by Sam (a very common name) I meant “Give me the name of Sam’s partner in that incredibly funny cartoon by Steve Purcell, Sam and Max: Freelance Police.” The period is just decoration. If you did guess it, contact the NSA. I hear they’re hiring people like you.