2012-02-07

Algorithmic passwords


What?! Why?
Usually a password is a string that we memorize. Making it random helps if someone watches you type or tries to guess it; beyond that it does little. As the xkcd comic linked below shows, longer passwords are stronger, yet still easy to read off a screen (steal). My old password was 11 characters long and easy to memorize. I thought it was good and rather hard to break. What I had not thought about was the other problem: what if your password leaks because of the website, not because of you? Sure, some will say: use a few different passwords! Yet if the top-tier password leaks, it can be tried on every other important site and... Fuck! And if your email password leaks, most websites will hand over your other accounts through a simple password-recovery form. Shit happens, bro!


What's the cure?
Instead of memorizing a string, memorize an algorithm. If you are familiar with MD5 you may know about salting. MD5 takes an input and returns a fixed-length digest that, for practical purposes, is specific to that input. Salting adds extra characters to the input before it is hashed, so the same password produces a different digest on every site that uses a different salt, and an attacker cannot reuse one precomputed table against all of them (a loose analogy, not an exact description). The idea here is the same: a memorized secret is combined with the service name by a fixed rule, so every service ends up with its own password and nothing extra has to be memorized. It is easier than it sounds.


Samples
I suggest taking a piece of paper and writing down a series of test cases:
foo
bar
foobar
se7en
localhost
123654
a
google.com
apps.facebook.com
Now write down the salt you will use, for example the last digits of your birth date and the first letters of your favorite poem:
1950-01-15 => 015
Roses are red Violets are blue => RarVab
Now come up with an algorithm. In this example we take the number of letters in the service name (apps.facebook.com => facebook), then add the last digit of the numeric salt.
After this we take the first three letters of the string salt and the capitalized first letter of the service name.
Then we write the first and second digits of the numeric salt and, if the service name has an even number of letters, its capitalized last letter, else its lowercase second-to-last letter.
We end with the last three letters of the string salt.


Now look what kind of passwords we get:
foo => 35RarF01oVab
bar => 35RarB01aVab
foobar => 65RarF01RVab
se7en => 55RarS01eVab
localhost => 95RarL01sVab
123654 => 65Rar1014Vab
a => 15RarA01aVab
google.com => 65RarG01EVab
apps.facebook.com => 85RarF01KVab
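Here is the scheme above as a short Python script. It is an added example, not code from the original post. It hardcodes the post's two salt values and its nine test cases, reproduces each listed password, and adds a small check that reports which character positions actually change from one service to the next. Two details the prose leaves implicit are assumptions: a dotted hostname is reduced to its second-to-last label (apps.facebook.com => facebook, google.com => google, a name without dots is used as-is), and a one-letter name uses its only letter where the rule asks for the second-to-last one.

```python
"""Worked implementation of the post's example scheme.

Added example, not code from the original post. Two details the post
leaves implicit are filled in as assumptions: a dotted hostname is reduced
to its second-to-last label, and for a one-letter name the "second-to-last
letter" falls back to the only letter (which reproduces the post's "a" case).
"""

# Salt values used in the post (birth date 1950-01-15 and
# "Roses are red Violets are blue").
SALT_NUMBER = "015"
SALT_STRING = "RarVab"

# The post's test cases, copied here so the script runs offline.
SAMPLE_SERVICES = [
    "foo", "bar", "foobar", "se7en", "localhost",
    "123654", "a", "google.com", "apps.facebook.com",
]


def service_name(service: str) -> str:
    """Reduce a hostname to the label the post calls the service name.

    Assumption: the post shows apps.facebook.com -> facebook and
    google.com -> google, so the second-to-last dotted label is used.
    """
    labels = service.split(".")
    return labels[-2] if len(labels) >= 2 else service


def derive_password(service: str,
                    salt_number: str = SALT_NUMBER,
                    salt_string: str = SALT_STRING) -> str:
    """Apply the post's formula <C><Snl><Ss1><C1><Snf2><eCl/sl><Ssl>."""
    name = service_name(service)
    count = len(name)

    if count % 2 == 0:
        variable = name[-1].upper()       # even length: capitalized last letter
    elif count >= 2:
        variable = name[-2].lower()       # odd length: lowercase second-to-last
    else:
        # Assumption: a one-letter name has no second-to-last letter, so use
        # the only letter; this yields the post's "15RarA01aVab" for "a".
        variable = name[-1].lower()

    return (
        str(count)              # <C>     count of letters in the service name
        + salt_number[-1]       # <Snl>   last digit of the numeric salt
        + salt_string[:3]       # <Ss1>   first three letters of the string salt
        + name[0].upper()       # <C1>    capitalized first letter of the name
        + salt_number[:2]       # <Snf2>  first two digits of the numeric salt
        + variable              # <eCl/sl>
        + salt_string[-3:]      # <Ssl>   last three letters of the string salt
    )


def positions_that_vary(passwords):
    """Indexes at which the passwords do not all share the same character.

    Columns are compared up to the shortest password. Every index not
    returned is a constant that an observer sees repeated in each password.
    """
    return [i for i, chars in enumerate(zip(*passwords)) if len(set(chars)) > 1]


if __name__ == "__main__":
    derived = [derive_password(s) for s in SAMPLE_SERVICES]
    for service, password in zip(SAMPLE_SERVICES, derived):
        print(f"{service:20} => {password}")
    print("positions that change between services:", positions_that_vary(derived))
```

Running it reproduces the nine passwords listed above and reports positions 0, 5 and 8: of the twelve characters, only the letter count, the initial and the even/odd letter depend on the service; the other nine are the salt written out in the clear and repeated in every password.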
But what if I forget?!
Choose a salt that you won't forget. You may also write the formula down in shorthand, for example in this case <C><Snl><Ss1><C1><Snf2><eCl/sl><Ssl>. Someone who reads it for a moment will have no idea what it is, let alone what it means to you, while you read it like this:
<C> - count of letters in the service name
<Snl> - last digit of the numeric salt
<Ss1> - first part (three letters) of the string salt
<C1> - capitalized first letter of the service name
<Snf2> - first two digits of the numeric salt
<eCl/sl> - if even, capitalized last letter; else lowercase second-to-last letter
<Ssl> - last part (three letters) of the string salt
This looks so hard...
After writing these tests I had already memorized it. Entering passwords will take some getting used to, but after a while you will solve the algorithm in a split second, just like the multiplication table in school. Remember: the second "confirm password" field is your best friend, because it checks your arithmetic. Yes, this needs a certain mindset, but if you are still reading you probably have it. Also remember that this is only an example; the algorithm can be anything you like. Even taking your current password and throwing in a few characters from the service name helps a lot in the automated attack scenario, which is the most common one. One caveat: the fixed parts of the salt appear verbatim in every password above (5, Rar, 01, Vab), so anyone who sees two of your passwords side by side can tell which few characters actually change. The scheme protects against automated reuse of one leaked password, not against a person who studies several of them.


Why the hell do you need this?
I raised this question every time I thought about using an algorithm instead of a string. Today I got an email titled: "ACTION REQUIRED - Password issue on djangopackages.com". Here is the main point of that email:
ACTION REQUIRED - If you use the same password on djangopackages.com as you use on other sites, you should change all of your passwords. 
[Full disclosure:  We were alerted that some account information was publicly exposed. There have been no reported incidents of passwords being stolen. We have corrected this error, but as a precautionary measure are moving to OAUTH, so that we don't store your password at all.]
No, I'm not mad at djangopackages about this; it could happen to anyone. At least they had the dignity to inform their users, unlike some huge companies, and it finally pushed me to use algorithmic passwords.


Notes
Image source: http://xkcd.com/936/