Caleb Cushing's Blog

Making secure recoverable Passwords (Part 2)

This has been prompted by Dave Jacoby’s post on generating passwords and the fact that I’ve learned a new trick since my first article in 2008, which you should read first (it’s a prereq).

Some might point out that using a hex digest limits the set of characters that will be generated too much. If so, do this instead:

echo -n "date" | sum | base64

So let’s say you have to change your password every month. Pick a day, let’s say the second Tuesday of the month. Since your memory sucks, write this down: “Pipes on second Tuesday @ 5:08!”. Sounds like an event reminder, right? It’s actually your password algorithm for this month. First you want to hash the date of the ‘second Tuesday of the month’:

echo -n "2010/07/12" | sha1sum | base64

which outputs

NTFhMTY4NmJkNWQyZmIzNWJlZTlmYmQxYzEwN2FjNGE1MjUyYjI1OCAgLQo=

So what was the rest of that reminder for? Now you’re going to make it as good as random: take the first 8 characters, ‘NTFhMTY4’, and insert a pipe ‘|’ at the 5th character, resulting in ‘NTFh|MTY4’. Now you have a ‘good as random, but recoverable’ 9 character password.
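The recipe above as a couple of shell functions, so the reminder’s numbers (“@ 5:08” = pipe at position 5, first 8 characters) become parameters. This is an added example, not code from the original post; it assumes the same sha1sum and base64 tools the post uses.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU coreutils'
# sha1sum and base64, as the post does.

# hash_date DATE -> the base64 line the post gets from
#   echo -n DATE | sha1sum | base64
# Note the base64 covers sha1sum's whole output line ("<hex>  -\n"),
# which is why the post's sample ends in "...LQo=".
hash_date() {
    printf '%s' "$1" | sha1sum | base64 | tr -d '\n'
}

# insert_char STRING POS CHAR -> STRING with CHAR inserted so that it
# lands at 1-based position POS, e.g. insert_char NTFhMTY4 5 '|' -> NTFh|MTY4
insert_char() {
    str=$1; pos=$2; ch=$3
    if [ "$pos" -le 1 ]; then
        head=''
    else
        head=$(printf '%s' "$str" | cut -c1-$((pos - 1)))
    fi
    tail=$(printf '%s' "$str" | cut -c"$pos"-)
    printf '%s%s%s' "$head" "$ch" "$tail"
}

# make_password DATE LEN POS CHAR -> first LEN characters of hash_date DATE
# with CHAR inserted at POS. The post's reminder
# "Pipes on second Tuesday @ 5:08!" is make_password DATE 8 5 '|'.
make_password() {
    date=$1; len=$2; pos=$3; ch=$4
    prefix=$(hash_date "$date" | cut -c1-"$len")
    insert_char "$prefix" "$pos" "$ch"
}

# Usage: reproduce the post's steps for its example date.
make_password '2010/07/12' 8 5 '|'
echo
```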

Granted, if you work with really clever people they might be able to figure it out if they know you use this kind of process. But I’m sure that, having read this article and my previous one, you’ll come up with something even better, but just as reproducible.

UPDATE:

I do not believe that anyone can seriously prove (after having read both articles) that you could crack this with anything less than a brute force attack. Because I’ve suggested inserting 1 or more characters into the final outcome, chances are those are anything in the 94 printable characters of ASCII. Yes, you might limit the end possibilities, but after seeing the passwords that most people have… this makes you a hard enough target that no one is going to bother. Basically, all assumptions that using this is bad revolve around someone knowing exactly what you do (so in reality it’s probably only bad for me).

I should also note that my personal system encrypts passwords with a salted sha512, and I’m having trouble finding a password cracking tool that can even try to brute force that.

UPDATE:

Oh, and just in case you forgot… no one is trying to brute force your password. Remember this XKCD.
