54

I was thinking recently about password security. My goal is to have mostly random passwords, that are different for each site. But you also should be able to remember them (or re-generate them) without the help of any notes or the like. If I use really random passwords (generated by a password-generator), I can remember only a few. Many fewer than the number of web accounts I have. Simpler passwords often are easier to guess.

I thought that a compromise might be some easy to learn rules and some secret master-password, to generate a password from the name of the site. Say you have a password for ebay and amazon. This method should generate two different passwords, for 'ebay' and 'amazon'. But I should also be able to do the process in my head, without support from software or even paper and pencil. Commonly used passwords I will remember directly. But ones seldom used, and forgotten, could be reconstructed with such a method. Does anyone know about such a method?

EDIT: The thing I ask for should improve security, by making different passwords for each site/machine/program, but also keep all of them memorable. A password-safe is nice, but you are even more likely to forget the site passwords, and if you lose your store or it is damaged you have a problem. Also ALL the passwords can be compromised at once! And in the end, my local password-safe is not at hand, if I'm at the machine of a friend.

nealmcb
  • 20,693
  • 6
  • 71
  • 117
Mnementh
  • 793
  • 6
  • 13
  • Very similar to this [question](http://security.stackexchange.com/questions/662/what-is-your-way-to-create-good-passwords-that-can-actually-be-remembered). – sdanelson Dec 19 '10 at 17:39
  • 2
    No, that is a method to generate one password. But using the same password all the time is no option, and different password even generated with one the referenced methods are very hard to remember. Do you remember a password on a website, you didn't visit the last two years? – Mnementh Dec 19 '10 at 17:50
  • The technique described by [Yann Esposito](http://yannesposito.com/Scratch/en/blog/Password-Management/) and John would work great, if only there were [a hash function that one can compute without a computer?](http://crypto.stackexchange.com/questions/765/is-there-a-simple-hash-function-that-one-can-compute-without-a-computer). – David Cary Aug 10 '12 at 17:29
  • You've got all your facts about a password safe **wrong**. 1) The point of a password safe is to *not* remember your passwords at all. Passwords easy to remember are bad passwords 2) You *always* make backups in other physical devices and/or something like google drive/dropbox etc. 3) Not, the *only* **very strong** password you have to remember is for the password safe and it must be strong enough to be unbreakable. Also password safes use such a big number of rounds for hashing that brute forcing is incredibly slow (e.g. 1 password per second instead of billions..) – Bakuriu Aug 23 '16 at 11:48
  • 4) You do not keep all your passwords in a single password safe. For example I have two of them, one for generic stuff, and an other for banking etc. 5) You always go around with a Live CD on your USB key so when you are at your friends house you boot your OS and access your accounts from there... much safer than accessing them via an untrusted OS (they can still have an hardware keylogger...). You can also just keep the password manager on the key and use it from there without booting your own OS, but is less secure. – Bakuriu Aug 23 '16 at 11:50

11 Answers11

18

Intriguing question. Here's a new, hopefully better, brainstorm. Caveat emptor.

Generate two good tough random passwords that you commit to memory.

Take the letters of the site name in sequence. If the letter is a vowel, use the corresponding letter from the first password. Else, if it's a consonant, use the corresponding letter from the second password.

E.g. suppose your passwords are (from apg) hicIrfyic9 and FritwoivAuv0. For the site stackexchange, the first two letters are a consonant, so you use the "Fr" from the second password. Next is a vowel, so you use "c" from the first password. Keep going and you get "FrctwfivA9".

If you really are worried about someone finding several of your passwords and figuring out the pattern, you could add some method to rotate each of the passwords circularly first or something, or shift them thru the alphabet, or whatever, but it is easily possible to get too paranoid and confused....

You would be able to code this up on your regular machines for convenience, having it prompt you for the underlying passwords, but still be able to use it on kiosks, more slowly, from memory. I'm not convinced this general idea is worth the hassle, but perhaps for some circumstances.

AleksanderCH
  • 721
  • 4
  • 11
  • 23
nealmcb
  • 20,693
  • 6
  • 71
  • 117
  • 1
    One good thing about this method is that it looks completely random, so unless someone had you as their specific target it would be very unlikely to be cracked. – AnnanFay Nov 30 '12 at 16:31
  • 1
    (Two secrets, switched by vowel/consonant) A) Not very leak resistant. When a site leaks the password, on average about half your secret is revealed. After a few leaks the remaining secret may be so small an attacker might try a brute force on not yet leaked sites. B) Rotating the site name before, or the password after, will add some protection, in case of 'one' leak. After a 'second' leak, the amount of rotation is known, and the half life of your secret is the same as without rotation. – David Andersson Aug 29 '16 at 01:00
11

I have a two sided answer to this -

You can do this, and a commonly stated method includes a section based on the website and a section based on time. You can make a password like blahblahebay2010 and this would probably be recoverable if you thought about it in a couple of years time. Does what you want.

However I would not advise it - you should not use a system which means your password can be worked out. Okay, you may not be a big target - but maybe someone will want to break your passwords...so if there is an algorithm you use based on the website then you dramatically lower the strength of the password. Instead, use something like Password Safe to store all your passwords (which can be very long, complex, unmemorable etc) and just remember the one strong password to protect them.

Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
  • Normal password generators use also an algorithm to generate the password. Can such a generation method not be made more secure, through inclusion of some secret/master-password that bases the generation? I don't think master-password + site-specific + year is enough, but wouldn't some sort of hash-function on the combination of the three work? – Mnementh Dec 19 '10 at 19:07
  • @Mnementh It's more around the complexity level you can do in your head in order to remember it a year or two later. You just couldn't use anything near as complex as the password generator tools. With tools like Password Safe in existence it just makes a lot of sense to avoid the risk of never being able to remember your password and losing access in years to come. – Rory Alsop Dec 19 '10 at 21:34
  • That's why I ask for a method to reproduce the password. I can forget the password, but have a method to get it back. :-) – Mnementh Dec 19 '10 at 21:51
11

If you just want different passwords for the various sites, then just append the site name to a common "base" password. E.g. you remember the base "7g93hrew9" and then your passwords will be 7g93hrew9ebay, 7g93hrew9amazon,...

Of course this is not satisfactory. This example is meant to show what you actually want: you do not want "different" passwords, you want passwords such that knowing several of them does not allow guessing the password for another site. Cryptographically, you want your password generator to be a pseudorandom function which takes as input the site name, and outputs the site-specific password.

There is some empirical evidence that it is not feasible to build a PRF which a human can (reasonably) compute in his head. Indeed, if you look at cryptographic hash functions, the very fast ones (MD4, MD5...) have been broken, the less fast (SHA-1) has been somewhat weakened, and the strong ones (SHA-256) are slower. Looking at the number of elementary operations, you can see a kind of cut-off around 1000 ops for hashing a small block. A similar cutoff is observed in the SHA-3 competition. It looks like there is a minimum amount of work that must be performed to achieve security, and that amount is at least a few hundreds of operations, which is too much for an average human brain.

Therefore I fear that there is no good answer to your question.

Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955
10

use a tabula recta which combines a simple algorithm that only use know with a physical token that only you have to make passwords as long as you want.

Yaur
  • 561
  • 4
  • 6
2

From a "wetware" perspective, here's an interesting book you may like to read:

The Memory Book

It's one of the classic books on memory training. I've read it a few times now, and find the techniques to be very effective. It stands to reason that if you can train your memory to a sufficient level, you can use whatever passwords you'd like without difficulty. (This, at least, seems to work for me.)

The book includes a chapter on memorizing random strings of characters (or at least, the version on my shelf does), so it could be very helpful.

Also, personally I find the NATO phonetic alphabet helpful as well. For some reason, I just find "Alpha" easier to remember than "A" (for example).

I hope that's helpful.

Chris Allen Lane
  • 1,037
  • 1
  • 10
  • 13
2

Why execute an algorithm to derive site-specific passwords in your head, or remember all passwords, when you can use a simple javascript to do that?

This is off-topic if you really want to compute stuff in your head, but I'll propose it anyway:

For my passwords I use a customised javascript similar to the one available here: http://www.supergenpass.com

The general idea is that you create a webpage with a script or use the mobile version of the page above - not the bookmarklet (see discussion below).

The script would accept two parameters: a master password and the url of a website (in the case of the bookrmarklet it gets the url automatically).

Then it performs some crypto computations based on those parameters (basically creates and hash, eg base64-md5, on the concatination of the master password and the url, and does that 10x times or as many times you want) and outputs a site-specific, high-entropy, long password which you copy and paste in your form field.

You don't even need to see it or ever remember your passwords, and they are not stored anywhere like in a password safe, instead they are generated in-time. You just remember your master password and you are done.

I don't even know what password I use for each site, and I'm quite happy with that.

john
  • 10,998
  • 1
  • 36
  • 43
  • 2
    Note this discussion of how much security you actaually get from supergenpass: http://akibjorklund.com/2009/supergenpass-is-not-that-secure – nealmcb May 22 '11 at 23:01
  • I'm aware of the page you mention, but hey, I didn't say I use supergenpass, I use my own version, usually without a bookmarklet. But the theoretical risk is very small: One has to target specifically supergenpass to gather anything, also noscript mitigates most of the theoretical attacks because bookmarklet code is trusted. – john May 22 '11 at 23:09
  • @john, I don't see why your version would be fundamentally better; seems like it will still be vulnerable to the same attacks. Sounds like you are relying upon security through obscurity. Maybe you won't get attacked, because no one will care about you, so maybe this is perfectly fine for your own use -- but I wouldn't recommend it to others as a great solution. – D.W. May 23 '11 at 00:17
  • @D.W. Yes I agree that it's security through obscurity if you use bookmarklets, that's why I don't use them. The point of my answer was that you can do something smart without relying on remembering passwords or schemes, just calculating in-time. I will edit the answer to remove references to bookmarklets. – john May 23 '11 at 00:25
  • @D.W. Edited the answer, hope it's better now. I still believe it's a great solution to the everyday password usage problem, if you create the password on a separate page and copy-paste it. – john May 23 '11 at 00:29
  • It is said that a Chrome supergenpass extension addresses the problem noted by akibjorlklund. I see three Chrome extensions for it. Not clear which is best, and how secure the ones that store the master password during the session are. Suggestions? – nealmcb May 23 '11 at 05:17
1

I don't recommend doing something like this but for kicks and giggles here is one method.

Password = Concatenate((C - length(y) - length(x)), PascalCase(x), repeat(".", (length(y) % 2)+1))

Where:

C = number constant > 3 digits
y = the significant text of the url for the site
x = word you associate with the site

Example:

C = 1234
y = security.stackexchange
x = obscurity

Password = Concatenate((1234 - 22 - 9), "Obscurity", ".")

Password = 1203Obscurity.

Obvious weakness is that you have to remember a word that you would associate with the site. And before anyone comments on it in my example I am not saying that security.se is obscure. I am pointing out that Obscurity != Security. And no I don't use this for my passwords.

sdanelson
  • 1,287
  • 10
  • 21
1

In 2014 Manuel Blum presented an algorithm that can be computed in the mind and that is suitable for generating passwords. http://scilogs.spektrum.de/hlf/mental-cryptography-and-good-passwords (Mental cryptography and good passwords)

Description: Your secret is a mapping from letters to digits, and a mapping from digits to digits. It is important they are quite "random". An initial effort is required to learn these mappings by heart, but then, generating a password only involves modulo 10 arithmetic.

Excerpt:

Call your mapping of letters to digits f. You might have, for example, f(a) = 8, f(b) = 3, f(c) = 7, etc. Since there are more letters than digits, some letters will be mapped to the same digit.

Let g be the function that sends each digit to the next one in your permutation. So if your permutation was 0298736514 then g(0) = 2, g(2) = 9, g(9) = 8, etc.

Now here is how you use the method to generate passwords.

  1. Convert the name of your account to a sequence of n letters.

  2. Turn this sequence of letters into a sequence of digits using your map f. Call this sequence of digits a0a1a2…an.

  3. Compute b1, the first digit of your password, by adding a1 and an, taking the last digit, and applying the permutation g. In symbols, b1 = g( (a1 + an) mod 10 ).

  4. Compute the subsequent digits by bj = g( (bj-1 + aj) mod 10 ).

See comment by Gnurf on the linked page for some disadvantages with this method, and most other methods.

1

There are some good answers here, but as a general rule, if you can think of an algorithm to do it in your head, chances are that the algorithm is already a part of existing exploit toolsets. :-)

0

this can be a bit hard to do in your mind if youre not used to bin chart values but can be fixed for that intent name of site converted to binary then sum each "1" example Site: facebook Bin: 01100110 01100001 01100011 01100101 01100010 01101111 01101111 01101011 sum: 43442665 the trick is what comes after, like swapping pairs with vocals and so on, fac4b66k, or if you well know hex then just convert each letter to hex (66 61 63 65 62 6f 6f 6b) and use it with some salt you dont need to convert everything, just a part to use as swap or base from some pass

  • A) The initial step, counting bits, would result in letters being mapped to a digit between 3 and 6. Only four different values. And most letters, about 2/3 of them, would be mapped to one of only two values (4 and 5). Not much randomness left. Easily brute forced. B) Adding a salt, if in clear, or if mangled in a constant way, does not help if a site have leaked your password. An attacker could then easily guess your passwords on all other sites. – David Andersson Aug 23 '16 at 02:48
0

You could use one weak password encrypted using the site URL as a PSK. You could duplicate the encryption easily, but any attackers would have a very hard time getting your password, because they would have to first crack however the login encrypts your password and then bruteforce the PSK of the encryption they would get once they had decrypted. It would take an incredibly long time.

KnightOfNi
  • 2,267
  • 3
  • 19
  • 23