Recently there has been a renewed discussion about password security. The latest surge of interest was caused by a comment from Microsoft's Jesper Johansson, who recommended that people actually write down their various passwords. I think there might be a better way, though.
We all require a large number of passwords on a daily basis, and for obvious reasons are not supposed to use the same password for everything. Therefore, we need to remember a large number of strong passwords.
Writing passwords on a piece of paper has long been frowned upon, and many corporate security policies explicitly prohibit this practice. But according to Mr. Johansson, it is better to have complex and strong passwords than simple and weak ones. Since complex and secure passwords normally are difficult to remember, people need to write them down. If we prohibit them from writing them down then people will not use them, and revert back to the simple ones. And simple passwords are vulnerable to dictionary attacks. In his latest blog entry, even Bruce Schneier chimes in with support for this idea. He recommends we keep this list of passwords in our wallet.
This makes the wallet a single point of failure, of course. Personally, I think the situation can be improved, without using paper.
I use unique passwords for all sites and accounts, and yet, I never need to write them down, and I don't even need to remember them. All I remember is a hash function. When I need to log in somewhere, I take the name of the site I am logging in, apply my hash function and get a unique identifier, which I use as a password.
Here is an example to illustrate this:
Let's say you are a PayPal user, and want to log into your account. The name of the site is 'paypal.com'. Let's take an extremely simple hash function as an example:
Take the site-name, extract the first, last and middle letter, count the number of letters in the name, capitalize the last letter if the number is even, and append that to a special filler string "rD7eI".
'paypal.com' consists of 10 characters, with the middle (in integer arithmetic) being 5. So, the three letters are 'p', 'a', and 'm'. The overall number of characters is even, and thus we capitalize the last letter: 'M'. What we get then for 'paypal.com' is this password: rD7eIpaM
Now this is pretty random looking.
What did I have to remember to arrive at this password? My hash function, which may contain one or more of those random looking filler strings. But that is all.
The secret is the hash function, and it is the only secret that needs to be remembered. To make this a secure system, though, the hash function should be a bit more complex. Otherwise, if one of your many passwords is compromised, an attacker may be able to reverse engineer your hash function. Realistically, this is only a risk if the attacker manages to compromise several of your passwords, though.
With a little bit of thought, it should be possible for most of us to come up with a personal hash function, which produces very random looking results.
Juergen Brendel
CTO
Esphion Ltd.
Good idea. Hopefully some more sites will use hash functions to allow joe user to just print out a matrix that passwords can be generated from.
Posted by: PassGen | November 21, 2005 at 04:45 PM