Friday, December 30, 2011

Creating Passwords Using Seed Mapping

Rod Coleman

Passwords are a pain.

Security requirements are becoming more complex just as we need more passwords for new apps, challenging our ability to remember them all.

Here are the requirements for a reasonably secure password:
1. Contain at least 8 characters.
2. Contain upper case letters.
3. Contain lower case letters.
4. Contain numbers.
5. Contain special characters.
6. Appear to be random.
7. Be different for each application.

8. Be easy to remember. 
Unfortunately the first seven requirements make the last almost impossible.  Many just give up and use personal information or typical words which are easily cracked.  Yes, there are software tools to help out, but they mostly add cost, complexity and management.

Fortunately there's a simple trick I've been using for years, and it's good enough to stop the average hacker.  Plus, it costs nothing at all to use.  The trick is, don't REMEMBER your passwords - DERIVE them.  Here's a simple example using a two phase algorithm - seed selection, and keyboard mapping.  It will pseudo-randomize any password.

Start with a seed that's in front of you as you log on to the site, for instance Microsoft.  A simple seed would be the first four letters "micr".  There.  You're halfway done.

Now simply expand this seed onto the keyboard in a visually consistent way.  Let's use the two keys above the seed key for this example.  "m" becomes "Ju", "i" becomes "8*", "c" becomes "de" and "r" becomes "4$" yielding the password - "Ju8*de4$".  No, don't try to memorize this mess, just watch your fingers as they move.  

See the pattern?  The visual pattern is the trick.  This password meets the all the standard criteria, yet you don't have to memorize it - just look at the name, then map it visually with your personal method.

Notice I capitalized the first character and had to shift to get the "*" and "$" because I ran out of room moving up the keyboard.  That's one way of including special characters and caps.  If you don't want special characters, wrap to the bottom of the keyboard instead.

The beauty is, memory was not a factor.  It's simply visual.  It's best to not even think about what keys you're hitting - just hit the two above your seed character.  I honestly have no idea what my passwords are, I just know the pattern that produces them.

It's easy once you define a method.  For the above approach:
Gmail would produce "T5juq18*"
Yahoo would produce "6^q1y69("
FaceBook would produce "R4q1de3#"

Again, no memorizing.  OK, go ahead and use my example method if you like.  It's better than using your dog's name.  And you won't need to read any further.  But remember you'll have the same passwords as every other person who happens to read this blog and goes to the same sites you do.

Or...  You can quickly customize.

Just invent your own method (algorithm).  There are literally millions of ways of doing it.  Here are a few aspects to keep in mind while you think about it:

First, the seed - it should be at least four characters which will produce nearly a half a million unique passwords.  Two characters will only create 676 unique passwords - not enough.  A three character seed is on the border.  And I don't suggest using more than a seven character seed because you'll either be creating very long passwords, or have poor distribution in the mapping phase as described below.  

Since the objective here is to leave the mob behind, it might be best if you mix up your seed a bit.  How about a backward flip - "iamg" for Gmail.  Or better yet, replace the "g" with your dog's middle initial.  Or yours.  It doesn't matter much as long as it's an easy method to remember.  Personalizing with an initial or two will also make your passwords different from most others who visit your sites.  After all, Microsoft or Hotmail will be a common starting point for many.

How about taking every other letter then step back? Gmail could become "gami".  Or ignore the first letter and get "mial".  You get the idea, there are a lot of ways of doing this - make yours unique.  I've only discussed a couple of aspects of seed generation as examples.  It's best to come up with something I haven't even talked about.  Just be consistent so your method is easy to use.

Now as to the keyboard mapping phase.  Our first example was OK, but did you notice how "q1" occurred three times in the last three examples?  That's because each seed contained the letter "a", which is a common letter.  Also these simple examples only have a fair distribution over the key-map.  To produce a good pseudo-random number you need a good distribution across the random field.  The keyboard itself makes for a decent random field, as long as you span it well.  For instance, "mmiiccrr" for Microsoft stays close to (and IS) your seed.  That's poor distribution.

In contrast, an expansion of three or four going up will always capture a number, and often a special character.  Or if you go down instead, then wrap back up, it's almost as good (but no special characters).  Three up will get a number two thirds of the time, and a special character one third of the time.  See how you can control how many and what types of characters are likely to end up in your password?

There are obviously lots of ways of getting similarly distributed results.  Go up for the first seed character, down for the second, capitalize the third and shift the forth to possibly add a special character.  Or expand the first seed character once, the second twice, the third three times, etc.  You choose - that's the beauty.  No one but you knows your method.

Or ignore the first character, right one and three up.  Or one up, two left.  Or skip a couple.  The objective of distribution is to break up patterns of common letters (a, i, e) by applying different directions to different seed letters. This key map phase is where you can really express your unique nature.  Try diagonals.  Or leaps. There is no right or wrong method, just some are better than others.  Scramble your seed.  Scramble your map.  But in a way that's visual to you.

One challenge you'll face are sites that require you to change passwords every few months.  An easy (if less secure) solution is simply to add a number starting with 1 to the end (or beginning).  Increment the number each time you have to change passwords.  In a few tries you'll get it, and have plenty of time before you have to use 1 again.  Or add the last digit of the year to your seed and shift it after June 30th.  Do what works for you.

It's a good idea to have a  backup method for when you encounter other conflicts (such as some sites not allowing special characters).  If your password doesn't work, try your simpler method B.

Also, don't use your method for any password you have to share with anyone else, or they might guess your trick and put all your other passwords at risk.  This is another good reason for a more simple method B or C for shared passwords.

Finally, don't make your method TOO complex.  There's a point of diminishing return.  Other capture or social cracking will make a "perfect" method irrelevant anyway.  Video cameras are common and getting smaller, so even a perfect password can be stolen.  If you're still concerned, add Iris Scan and go multi-factor.  But for most, pseudo-random is good enough.  And FAR better than your dog's name.

By the way, Seed Mapping is just one approach that happens to give a fairly good result.  There are many other methods.  Be creative.

Now go change all your passwords so you can burn that cheat-sheet in your desk drawer.

And let me know how Seed Mapping works for you.

Rod Coleman
General Manager
Sierra Computer Group

Tuesday, December 13, 2011

Zero Access Infection

Recently I encountered a threat that infected a client's computer.    The Client noticed that their Antivirus Program intervened and requested a reboot of the computer to finish the remediation.   Upon Rebooting the user was unable to log on.   Worse yet she had no mouse or keyboard.    Fearing the worst the user pushed the power button to shut down the computer; which responded normally and gracefully shutdown the computer.    Next she tried to get into Safe Mode by pressing f8.   Windows booted into safe mode but again no keyboard or mouse inputs it seemed.

I was able to verify the customers complaint.   Only I noted that system was still alive and I was able to PING it, which to me meant that it was still working.  I remotely accessed the machines registry and enabled remote access to the machine.    When attempting to connect remotely I discovered I did not have the local administrators account password.    After rebooting the computer with a bootable Password Recovery CD I recovered the four letter local administrator password in only 9 seconds.  

Using the recovered password I was able to remotely connect to the computer and was able to determine that the installed and updated Antivirus Software had clobbered the Windows XP PS/2 Driver (i8042prt.sys) used for both PS/2 keyboard and PS/2 Mouse Input.  

I booted from the Windows XP CD and using the repair console manually replaced the i8042prt.sys driver, however I was still unable to have the system use a PS/2 Keyboard or Mouse.    I found an unused USB Keyboard and began to work on the system running some additional virus removal tools.    One of the tools had identified an infection known as Zero Access.    After the tool completed the removal steps the system still did not work with the PS/2 Keyboard and Mouse but did work with the USB Keyboard.

I decided to run a repair install of windows to correct the issue.   The repair install soon reached the point in the setup process where it booted from the hard drive, and disturbingly again I had no PS/2 Mouse and no PS/2 keyboard access.    After a little research  and on a hunch, I aborted the repair install (knowing that it would resume upon reboot) and tried a decidedly different tactic.  

Most of the variants of the Zero Access Rootkit will infect the Master Boot Record of the hard drive which causes the machine to load part of the rootkit while the machine is still vulnerable and unprotected from viruses.    I booted the Windows Recovery Console from the CD and had windows replace the MBR and Boot Sector.

Next I crossed my fingers let windows reboot.  Next Windows setup continued the repair install and voila I now had access via the PS/2 Keyboard and PS/2 Mouse again and the Machine was fully remediated.

The Client was upset that the anti-virus program had disabled their computer, when they should have realized this was a fortunate circuit breaker.  Their real concern should have been that their system and all their activity was almost exposed to some unknown source.    Without the anti-virus program disabling this computer, every single input to the computer would be collected and redirected...and probably not for the forces of good.

Remain vigilant.

Dave Hendricks
System Engineer
Sierra Computer Group