Friday, December 30, 2011

Creating Passwords Using Seed Mapping

Rod Coleman

Passwords are a pain.

Security requirements are becoming more complex just as we need more passwords for new apps, challenging our ability to remember them all.

Here are the requirements for a reasonably secure password:
1. Contain at least 8 characters.
2. Contain upper case letters.
3. Contain lower case letters.
4. Contain numbers.
5. Contain special characters.
6. Appear to be random.
7. Be different for each application.

8. Be easy to remember. 
Unfortunately the first seven requirements make the last almost impossible.  Many just give up and use personal information or typical words which are easily cracked.  Yes, there are software tools to help out, but they mostly add cost, complexity and management.

Fortunately there's a simple trick I've been using for years, and it's good enough to stop the average hacker.  Plus, it costs nothing at all to use.  The trick is, don't REMEMBER your passwords - DERIVE them.  Here's a simple example using a two phase algorithm - seed selection, and keyboard mapping.  It will pseudo-randomize any password.

Start with a seed that's in front of you as you log on to the site, for instance Microsoft.  A simple seed would be the first four letters "micr".  There.  You're halfway done.

Now simply expand this seed onto the keyboard in a visually consistent way.  Let's use the two keys above the seed key for this example.  "m" becomes "Ju", "i" becomes "8*", "c" becomes "de" and "r" becomes "4$" yielding the password - "Ju8*de4$".  No, don't try to memorize this mess, just watch your fingers as they move.  

See the pattern?  The visual pattern is the trick.  This password meets the all the standard criteria, yet you don't have to memorize it - just look at the name, then map it visually with your personal method.

Notice I capitalized the first character and had to shift to get the "*" and "$" because I ran out of room moving up the keyboard.  That's one way of including special characters and caps.  If you don't want special characters, wrap to the bottom of the keyboard instead.

The beauty is, memory was not a factor.  It's simply visual.  It's best to not even think about what keys you're hitting - just hit the two above your seed character.  I honestly have no idea what my passwords are, I just know the pattern that produces them.

It's easy once you define a method.  For the above approach:
Gmail would produce "T5juq18*"
Yahoo would produce "6^q1y69("
FaceBook would produce "R4q1de3#"

Again, no memorizing.  OK, go ahead and use my example method if you like.  It's better than using your dog's name.  And you won't need to read any further.  But remember you'll have the same passwords as every other person who happens to read this blog and goes to the same sites you do.

Or...  You can quickly customize.

Just invent your own method (algorithm).  There are literally millions of ways of doing it.  Here are a few aspects to keep in mind while you think about it:

First, the seed - it should be at least four characters which will produce nearly a half a million unique passwords.  Two characters will only create 676 unique passwords - not enough.  A three character seed is on the border.  And I don't suggest using more than a seven character seed because you'll either be creating very long passwords, or have poor distribution in the mapping phase as described below.  

Since the objective here is to leave the mob behind, it might be best if you mix up your seed a bit.  How about a backward flip - "iamg" for Gmail.  Or better yet, replace the "g" with your dog's middle initial.  Or yours.  It doesn't matter much as long as it's an easy method to remember.  Personalizing with an initial or two will also make your passwords different from most others who visit your sites.  After all, Microsoft or Hotmail will be a common starting point for many.

How about taking every other letter then step back? Gmail could become "gami".  Or ignore the first letter and get "mial".  You get the idea, there are a lot of ways of doing this - make yours unique.  I've only discussed a couple of aspects of seed generation as examples.  It's best to come up with something I haven't even talked about.  Just be consistent so your method is easy to use.

Now as to the keyboard mapping phase.  Our first example was OK, but did you notice how "q1" occurred three times in the last three examples?  That's because each seed contained the letter "a", which is a common letter.  Also these simple examples only have a fair distribution over the key-map.  To produce a good pseudo-random number you need a good distribution across the random field.  The keyboard itself makes for a decent random field, as long as you span it well.  For instance, "mmiiccrr" for Microsoft stays close to (and IS) your seed.  That's poor distribution.

In contrast, an expansion of three or four going up will always capture a number, and often a special character.  Or if you go down instead, then wrap back up, it's almost as good (but no special characters).  Three up will get a number two thirds of the time, and a special character one third of the time.  See how you can control how many and what types of characters are likely to end up in your password?

There are obviously lots of ways of getting similarly distributed results.  Go up for the first seed character, down for the second, capitalize the third and shift the forth to possibly add a special character.  Or expand the first seed character once, the second twice, the third three times, etc.  You choose - that's the beauty.  No one but you knows your method.

Or ignore the first character, right one and three up.  Or one up, two left.  Or skip a couple.  The objective of distribution is to break up patterns of common letters (a, i, e) by applying different directions to different seed letters. This key map phase is where you can really express your unique nature.  Try diagonals.  Or leaps. There is no right or wrong method, just some are better than others.  Scramble your seed.  Scramble your map.  But in a way that's visual to you.

One challenge you'll face are sites that require you to change passwords every few months.  An easy (if less secure) solution is simply to add a number starting with 1 to the end (or beginning).  Increment the number each time you have to change passwords.  In a few tries you'll get it, and have plenty of time before you have to use 1 again.  Or add the last digit of the year to your seed and shift it after June 30th.  Do what works for you.

It's a good idea to have a  backup method for when you encounter other conflicts (such as some sites not allowing special characters).  If your password doesn't work, try your simpler method B.

Also, don't use your method for any password you have to share with anyone else, or they might guess your trick and put all your other passwords at risk.  This is another good reason for a more simple method B or C for shared passwords.

Finally, don't make your method TOO complex.  There's a point of diminishing return.  Other capture or social cracking will make a "perfect" method irrelevant anyway.  Video cameras are common and getting smaller, so even a perfect password can be stolen.  If you're still concerned, add Iris Scan and go multi-factor.  But for most, pseudo-random is good enough.  And FAR better than your dog's name.

By the way, Seed Mapping is just one approach that happens to give a fairly good result.  There are many other methods.  Be creative.

Now go change all your passwords so you can burn that cheat-sheet in your desk drawer.

And let me know how Seed Mapping works for you.

Rod Coleman
General Manager
Sierra Computer Group

1 comment:

  1. Unfortunatelly, complicated on multi language environment (qwerty/qwertz/azerty/...)