A Study of Password Security, Part 2

For the majority of users, Part 1 should satisfy all your password needs, so start there if you haven’t read it already.

But what if your password manager doesn’t have a password generator built in? Or you are an Advanced User™ and like having control of your life no matter how complicated things get. Or perhaps you were scarred when your GitLab project suddenly disappeared and don’t trust software to remember your data if something fails. With your own password generation algorithm, you can make and salvage passwords even if your password manager fails.

Algorithms and Blues

Cryptography is the art of making or breaking codes[citation: uggc://jjj.qvpgvbanel.pbz]. An algorithm is the method or process used to generate that code—or password, in this case.

Passphrases are probably the best form of password. Unfortunately most sites aren’t willing to implement a system that supports them, and there is no universally agreed upon standard among sites on the internet for passwords. For our algorithm to apply (almost) universally, it has to conform to the most restrictive password requirements.

With that in mind, this algorithm needs to produce an obscure result through a memorable method. Here is a good set of goals for the ‘obscure result’:

  • Each site’s password must be unique
  • Password length of at least 12 characters (but not more: this appears to still be the upper bound for password length in a number of sites *cough cough* USAA.com *cough cough*)
  • Includes numbers, letters (upper and lowercase), and at least one symbol (but the symbol can’t be too creative or many sites reject it)
  • If any passwords are compromised (through data breach or other means), it should still be prohibitively difficult to figure out another password without the algorithm, even if the source of the breach is known. In other words, if someone gets your Reddit password (and knows it is from Reddit), they shouldn’t be able to easily guess your Amazon password.


Before we dive into this, two things:

Do not use this algorithm verbatim. Anyone can read this article, and any algorithm that is explicit and public is easy to reverse. Modify things. Get creative—find ways to make it even more memorable and appealing for the way your mind works.

This will not be a rigorous algorithm. For all my crypto friends out there, the method demonstrated is pretty simple, and a password manager would use a better and much more advanced algorithm. Be aware of the tradeoffs of one method versus another: you are sacrificing password complexity for control. That said, this method is reasonably secure and has the advantage of being memorable(ish). An acceptable cryptographic algorithm that is implemented is better than a superb one that is not.

A Sample Algorithm

The easiest way to make a unique password for each site is to use the site name itself as the starting point. The first two digits will be the number of characters in the site’s name (the websitename part of www.websitename.com). If the site name is short, put a zero in the tens place (e.g. google would be ’06’). Next, write down the first two letters of the site’s name and the last two letters of the domain suffix (.com, .net, .org etc.).

websitename.com = 11weom

This is short, and pretty obvious. Let’s replace each character with the two characters that flank it (the one just before and the one just after it in the alphabet or in the digit sequence). Wrap ‘a’ with ‘z’ and ‘0’ with ‘1’ (i.e. the letters flanking an ‘a’ are ‘z & b’, and a ‘0’ becomes ‘9 & 1’, not ‘9 & 10’). This doubles our character count as a bonus.

11weom = 02, 02, vx, df, np, ln

This is a good foundation for our password, and already 12 characters long. It is difficult to reverse engineer at a glance, but I don’t like how the numbers and letters are grouped. Let’s distribute the numeric characters into the first four odd positions, mark where the numbers stop with an ‘!’ symbol, and capitalize any letters in the remaining odd positions.

0202vxdfnpln = 0v2x0d2!FnPlN

To top it off let’s swap the first and last character (some sites don’t like passwords that start with a number).

0v2x0d2!FnPlN = Nv2x0d2!FnPl0

Looks pretty good! But how to remember the process? Ideally you will use it often enough that you can memorize it (especially if you reset a lot of passwords the first few days of using the password manager), but having a trick to remember it would be helpful. Mnemonics are a great way to remember processes, so here is one for this algorithm: length, first two, last two, flanking numbers are very odd! After which oddly capital. The last is first and the first last.

Here are a few passwords based on this algorithm:

Website          Step 1   Step 2         Password
websitename.com  11weom   0202vxdfnpln   Nv2x0d2!FnPl0
wctc.edu         04wcdu   9135vxbdcetv   Vv1x3b5!DcEt9
facebook.com     08faom   9179egzbnpln   Ne1g7z9!BnPl9
google.com       06goom   9157fhnpnpln   Nf1h5n7!PnPl9
wctc-cce.org     08wcrg   9179vxbdqsfh   Hv1x7b9!DqSf9
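The four steps above are mechanical enough to be written down exactly, which is a useful way to check that you have understood (and memorized) your own variant correctly before you start resetting passwords. The script below is an added example, not the author's code; it implements the sample algorithm as described, reproduces every row of the table, and checks each result against the goals listed earlier (length, digits, both letter cases, a symbol). It assumes hostnames of the form name.tld with an optional www. prefix, and because the article never defines the flanking characters of a hyphen or other punctuation, it raises an error if such a character lands in the first two letters of a site name.

```python
import string

SYMBOL = "!"  # marker placed where the digits stop, as in the article


def flank(ch: str) -> str:
    """Return the two characters adjacent to ch in its sequence.

    Letters wrap a -> z,b and z -> y,a; digits wrap 0 -> 9,1 and 9 -> 8,0.
    Anything else (e.g. '-') is undefined by the article, so we refuse it.
    """
    if ch.isdigit():
        seq = string.digits
    elif ch in string.ascii_lowercase:
        seq = string.ascii_lowercase
    else:
        raise ValueError(f"no flanking rule for {ch!r}")
    i = seq.index(ch)
    return seq[(i - 1) % len(seq)] + seq[(i + 1) % len(seq)]


def step1(hostname: str) -> str:
    """Length of the site name (two digits), its first two letters, last two of the suffix."""
    host = hostname.lower()
    if host.startswith("www."):          # assumption: drop a leading www.
        host = host[4:]
    name, _, tld = host.rpartition(".")  # assumption: single suffix such as .com or .edu
    return f"{len(name):02d}{name[:2]}{tld[-2:]}"


def step2(seed: str) -> str:
    """Replace every character with its two flanking characters."""
    return "".join(flank(c) for c in seed)


def step3(expanded: str) -> str:
    """Digits into the first odd positions, '!' where they stop, then alternate caps."""
    digits = [c for c in expanded if c.isdigit()]
    letters = [c for c in expanded if c.isalpha()]
    out = []
    for i, d in enumerate(digits):       # d l d l d l d  (4 digits, 3 letters)
        out.append(d)
        if i < len(digits) - 1:
            out.append(letters[i])
    out.append(SYMBOL)
    rest = letters[len(digits) - 1:]     # the letters not yet used
    for j, ch in enumerate(rest):        # position after '!' is odd, so j == 0 is capitalized
        out.append(ch.upper() if j % 2 == 0 else ch)
    return "".join(out)


def step4(pw: str) -> str:
    """Swap the first and last characters so the password does not start with a digit."""
    return pw[-1] + pw[1:-1] + pw[0]


def derive(hostname: str) -> str:
    """Run all four steps of the sample algorithm."""
    return step4(step3(step2(step1(hostname))))


def meets_goals(pw: str, min_len: int = 12) -> bool:
    """Check the 'obscure result' goals: length, digits, upper, lower and a symbol."""
    return (
        len(pw) >= min_len
        and any(c.isdigit() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isupper() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


if __name__ == "__main__":
    # Sites from the article's table; each line should match a row of it.
    for site in ["websitename.com", "wctc.edu", "facebook.com", "google.com", "wctc-cce.org"]:
        s1 = step1(site)
        s2 = step2(s1)
        pw = derive(site)
        print(f"{site:16} {s1:8} {s2:14} {pw:14} goals met: {meets_goals(pw)}")
```

Running it prints the table from the article row for row. The useful part for a personal variant is `meets_goals`: after you change a step (a different symbol, a different capitalization rule), run every site you use through it and confirm the result still satisfies the constraints before you trust the scheme.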

Remember to develop your own process: this is just a publicly available example. The more complicated the process the better, so long as you can remember it.

Advance warning: by sticking with a fairly limited standard, this algorithm should work for the vast majority of sites, but there are a few exceptions that seem to obstinately enforce bad passwords. 10-character maximums (Highmark Blue Cross/Blue Shield)? No symbols permitted (McAfee), or limited character sets (Fidelity)? Your algorithm may not be able to accommodate these few special cases, and will have to be tweaked.

Lastly, some parting thoughts: there are very smart people who create algorithms for a living, many of whom work for companies that make password managers. If your password manager has a built-in generator, it will almost certainly make stronger passwords than you (or I) could come up with. If you don’t fall into one of the use cases listed at the start of this article, use the tools that come with your password manager!

And remember: all the password security in the world does you no good if you tell the password (or algorithm) to someone.

Randall Munroe of xkcd.com spots the weakest link in password security.

Lucas Gallagher is a WCTC student who cracks hashes, ethically hacks, and wears strange hats.