Future Tense: The Universal Password

Posted 07/20/2011 at 5:17pm | by David Gerrold

23

Comments

Print

Back in my college days, one of my instructors had worked for the CIA for a few years and occasionally shared interesting bits of spycraft. For instance, if you have to break into a safe, don’t bother with the door, turn it over and go in through the floor. That’s usually the weakest part.

But in one of his other discussions of security, he made a fascinating point. Absolute security is impossible. Security, of any kind, is a function of how much time and energy and money you are willing to spend. Whatever you’re trying to protect, whether it’s nuclear secrets, the Hope diamond, or that stash of magazines you don’t want your mom to find, you can only achieve security by making it too expensive or too time-consuming for the other guy to crack.

With computers, total security can be achieved with absolute isolation, but if you use your computer for communication of any kind through the internet, then you depend on password security everywhere. While you have little control over how well various online communities and companies protect your password, you do have a great deal of control over the passwords you use.

If you’re a target and if the password for your bank account or your PayPal account can be broken with only a few days of computation, then it’s cost-effective for a mal-intentioned hacker to make the attempt. If your password requires several years of computation, it’s probably not worth it. If your password is so long and so complex that it would take centuries to crack, then you have achieved a practical level of security.

One fear about passwords is that quantum computers will be able to perform hundreds of years of calculations in a very short time, making it possible to crack even the most convoluted password. But even without quantum computing, it’s already possible to rent hundreds or thousands of virtual processors in the Cloud, creating an online super-computer capable of hellaflops.

The perfect password system would be one where the password is different every time the account is accessed. If the client and the server could both compute the same password at the same time—something based on a mutable keyword, somehow processed by the date and the time—then even a virtual super-computer would be unlikely to crack it because the password and the formula for computing it would be different every time.

During WWII, one-time codes were used to transmit information among spies—but you needed the code book. One way around this was for both the sender and the receiver to use a commonly available book and reference individual words by page, line, and word number. In Ken Follett’s 1980 novel, The Key To Rebecca, the hero needed to discover the source book for the enemy codes. (Rebecca, by Daphne Du Maurier. Hence the title.) The strength of such a code is obvious. The flaw is equally obvious. Once the book is known, the code is broken.

The problem with the above-hypothesized “perfect password system” is that the formula for generating the ever-changing password becomes the primary target for hackers. That particular piece of software and whatever parameters have been fed into it becomes the key—and now the key must be protected as rigorously as the data it locks.

Suppose such software existed, and suppose you needed to enter two separate keywords, which would allow the software to generate a set of parameters necessary for that connection. (The server would also know your keywords so it could generate the same parameters when it received a client request.) But again, the flaw here is that your keywords are the most vulnerable part of the process. Most people are sloppy about protecting their passwords, or they choose passwords that are too simple or just simply obvious.

There are some excellent programs for managing passwords. (LastPass and KeePass have been well reviewed.) You only have to remember one password, the software does the rest. But what if you’re logging on from someone else’s computer or from a public terminal? What if you don’t want to risk using your personal key to all of your passwords on a system that might be vulnerable and that could have an unknown key-logger installed on it?

Other articles about passwords have mentioned the most common mistakes that people make and it’s worth repeating.

Don’t use the same password everywhere. Don’t use your pets’ names and don’t use your childrens’ names. Don’t use anything that is commonly associated with your life. (Haven’t all those terrible television shows taught you anything?) That’s always the hacker’s first guess. Don’t use birthdays either. Or anything guessable. (And this is why none of my passwords include ‘chtorr,’ ‘tribble,’ ‘martian,’ or ‘sleestak.’)

My buddy, That Pesky Dan Goodman is a security freak. He doesn’t trust software, he keeps all of his passwords in his head. He has a formula for generating a specific password for every site that requires one. He generates a password based on the site name and a specific formula for transforming that site name into a password.

According to Pesky, there are only 62 characters to work with A-Z, a-z, and 0-9. While many sites allow the use of punctuation characters, not all do, and the formula has to be universal.

Now, assuming that you stick with alphanumeric characters, then a cracking program only has to go through 62 tries for each letter. If your password is only six letters long, most computers can compute 62^6 combinations in a reasonable time, a few days at most. A reasonably good password-cracking program will often try commonly used words first. If your password is 24 characters long, is a combination of upper and lower case and numbers, has no recognizable words, then 62^24 iterations is way beyond cost-effective for hackers. It could take years, and if you change your password at any time during that process, the cracker has to start over.

So here’s how Pesky does it.

Make up a word. Something so illogical it cannot be found in any dictionary: ‘gzorkle,’ ‘blorrrd,’ ‘gocklestonger.’ The longer the better. (Do not use supercalifragilisticexpialidocious. Too obvious.) Now, capitalize a couple letters in your made-up word. If you want, add some garbage-text to either the front or back or both: ‘blorrrd’ becomes ‘bLorrrD’ becomes ‘bLorrrDX.’

bLorrrdX’ is easy enough to type. So now you could sign up for Amazon with ‘bLorrrDXAmazon’ and Facebook with ‘bLorrrDXFaceBook.’ But the vulnerability there is still obvious. Anyone knowing your masterkey still knows all of your passwords.

So you want to transform that by a specific formula, a formula that only you know. Peskydang gives this example. Add the last three letters of the sitename to your keyword—or the first three, or the first two and last two. The idea is to extract enough letters from the site name to create a site-specific password. Whatever you choose, be consistent everywhere: ‘bLorrrDXzon’ and ‘bLorrrDXook.’ If that’s still too obvious, you can transform the suffix into the next letter of the alphabet. ‘bLorrDXapo’ and ‘bLorrrDXppl.’

Now generate a number. In this example, Pesky suggests generates a four digit number: the number of letters in the site name, followed by the number of letters in the site name plus (or minus) the number of vowels in the site name: ‘bLorrrDXapo0603’ and ‘bLorrrDXppl0804.’ Another way is to subtract the shorter word from the longer and generate a number that way. There are lots of different ways to generate numbers based on the keyword and the sitename. The result is a set of site-specific passwords that are not guessable and not easily crackable—but not too hard to compute in your own head or too hard to type.

If you’re lazy, you don’t even need your own keyword. You can do a transformation on the site name: DropBox, Facebook, Amazon can become 73XooBox, 84KoceBook, and 63Noazon. If that’s still too obvious, shift some letters up or down: 8XoopAnw3, 9KoceBppl2, and 7NoaApo3.

Using a universal formula for each website might strike you as too much work, that was my first reaction, but after thinking about it for a day or two, I realized what Pesky was up to. This is a relatively easy way to create and remember site-specific passwords that are not immediately obvious.

Pesky uses a different formula than the ones outlined here, but the principle is the same. If you create a universal formula for every site you visit, then your passwords never have to be written down or trusted to any piece of software. All you have to do is remember the formula you created. Even if one password gets discovered by a hacker or a keylogger, it will not give him access to any of your other passwords. And if your formula is clever enough, he’ll need access to at least two of your passwords before he has any chance of figuring out the formula. The numbers you generate add a whole other level of complexity.

Obviously, are many different formulas you can generate using the site name, a keyword, and a numerical calculation. Not all of them have to be as complex as the one outlined above. Or if you’re a real security freak, you can get even more complicated.

The real question is not what password system you use—but how secure do you want your online accounts and your personal data to be? Is it worth the extra time and trouble to keep your private information out of the hands of hackers?

What do you think?

—————

David Gerrold is a Hugo and Nebula award-winning author. He has written more than 50 books, including "The Man Who Folded Himself" and "When HARLIE Was One," as well as hundreds of short stories and articles. His autobiographical story "The Martian Child" was the basis of the 2007 movie starring John Cusack and Amanda Peet. He has also written for television, including episodes of Star Trek, Babylon 5, Twilight Zone, and Land Of The Lost. He is best known for creating tribbles, sleestaks, and Chtorrans. In his spare time, he redesigns his website, www.gerrold.com