Saturday, September 20, 2014

The Magic Password Box

In a previous post I mentioned that an advantage of secret languages is that encryption happens within the human mind, beyond the reach of keyloggers, malware and packet sniffers.

The security of the human mind is also acknowledged in one of the most common exhortations regarding passwords: Don't write it down! Memorize it!

But memorizing passwords becomes increasingly difficult as we need more of them, and they must be more complex, and each must be different from the others. Many people have started to keep passwords in text documents, while more security-conscious people are starting to use applications like Password Safe. But what if someone gets access to your document, or there is an unrecognized vulnerability with your password storage application?

I'm in the same boat as everyone else. Once upon a time I used to generate passwords by looking around, concatenating two unrelated nouns representing things in my environment, and changing some of the letters to numbers and punctuation marks. Eventually I wrote an application to store my passwords in an encrypted text file, and that gave me the freedom to start generating passwords randomly.

Currently I probably only remember a tenth or fewer of my passwords. If my encrypted text file were lost, my passwords would be lost along with them.

Now I am experimenting with an idea that I call the Magic Password Box. The principle is relatively simple, but the affect on the security of my passwords is profound. Here is how it works:

  • I create one long password, over 100 alphabetic characters, in the form of a nonsense limerick
  • For each environment in which I need to use a password, I create a short mnemonic, like "gmail", "amazon" or "creditcard"
  • For passwords that do not require frequent updates, I compute the password as a function of SHA256(limerick + mnemonic)
  • For passwords that require updates every 90 days, I compute the password as a function of SHA256(limerick + mnemonic + quarter + year)
I'm already using a random number generator to create passwords, so replacing that with a hash isn't a huge change for me. The big change is this: I never need to store a password again, and all of my passwords can now rely on the security of my memory. If my laptop is struck by lightning, I can still get my passwords. (Perhaps I need a backup in case my brain fails to reproduce the limerick, though!)

There are some mundane considerations around how to write the code for the password calculator so that (for example) it won't leak my root password, and it can generate passwords that conform to different password policies. But there are also some interesting possibilities, such as having the calculator send the password to the system clipboard so I never even see it or type it, hiding it from prying eyes and keyloggers.

No comments:

Post a Comment