The trouble with the password system described below is: what happens if you forget your calculator? That, in fact, is just what I did today, and as a result I could not get into several of my accounts.
But as I was out driving last night, a wunderbar idea hit me. Select a license plate at random and then vary it a bit. The plate is easily remembered but, if it is not a vanity plate, presents an effectively random string.
In New Jersey, where I've been biding my time of late, the plates are six characters of the form XJG 23P, that is, LLLNNL, where L stands for a letter and N for a numeral.
Just in case an adversary might simply run through all six-character U.S. plates, we alter the string: add one extra letter or digit, substitute one character (XJG becomes XKG) and toss a coin to decide whether to transpose the two halves. That is, we might write 23P XKG M or XKG 23P M, or we can place the M as the first or the second element.
If the adversary knows the exact layout, LLLNNL followed by one extra letter or digit, the number of candidates is 26^4 x 100 x 36 = about 1.6 billion (the single substituted letter adds nothing to this count, since every LLLNNL string is already in it). If the adversary knows the scheme but not which of the six arrangements was used (halves swapped or not, extra character first, in the middle or last), that is six times as many, about 9.9 billion. If the structure is unknown altogether, the adversary must contend with 36^7 = about 78 billion seven-character strings.
So, in order to combat identity theft, internet hacking and unwarranted government snooping, we should encourage Americans and indeed everyone to adopt this excellent password technique.
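The arithmetic above, as an added example that is not part of the original post: the three counts correspond to three attacker models (exact layout known, scheme known but not the arrangement, nothing known), and the generator applies the post's recipe with a cryptographic RNG standing in for a plate spotted on the road. The guess rate of 10^9 per second used in the demonstration is an assumption, not a figure from the post.

```python
import secrets
import string

# Search-space arithmetic for the "license plate plus one character" scheme
# under three attacker models, plus a generator that applies the scheme with a
# cryptographic RNG. Added illustration, not the post's own code.

LETTERS = string.ascii_uppercase
DIGITS = string.digits
ALPHANUM = LETTERS + DIGITS                  # the 36 symbols the post counts


def arrangements(plate, extra):
    """Every combination of a six-character plate and one extra character that
    the post describes: halves in either order (the coin toss) and the extra
    character first, between the halves, or last. Spaces are dropped."""
    head, tail = plate[:3], plate[3:]
    out = []
    for a, b in ((head, tail), (tail, head)):
        out += [extra + a + b, a + extra + b, a + b + extra]
    return out


def search_space(attacker_knows):
    """Candidates the attacker must try, by what it knows about the password.
    'layout'  : exact positions known (LLLNNL then one extra symbol)
    'scheme'  : knows the scheme but not which of the six arrangements was used
    'nothing' : treats it as seven arbitrary symbols from a 36-symbol alphabet"""
    layout = 26 ** 4 * 10 ** 2 * 36           # the substituted letter adds nothing here
    if attacker_knows == "layout":
        return layout
    if attacker_knows == "scheme":
        return layout * len(arrangements("XKG23P", "M"))
    if attacker_knows == "nothing":
        return 36 ** 7
    raise ValueError(attacker_knows)


def seconds_to_exhaust(candidates, guesses_per_second):
    """Worst-case time to try every candidate at an assumed guess rate."""
    return candidates / guesses_per_second


def random_plate_password():
    """Apply the post's recipe with a CSPRNG standing in for a plate seen on
    the road: random LLLNNL plate, one letter substituted, one extra symbol
    added, one of the six arrangements chosen at random."""
    plate = ("".join(secrets.choice(LETTERS) for _ in range(3))
             + "".join(secrets.choice(DIGITS) for _ in range(2))
             + secrets.choice(LETTERS))
    pos = secrets.choice([0, 1, 2, 5])                     # one of the letter positions
    plate = plate[:pos] + secrets.choice(LETTERS) + plate[pos + 1:]
    return secrets.choice(arrangements(plate, secrets.choice(ALPHANUM)))


if __name__ == "__main__":
    for model in ("layout", "scheme", "nothing"):
        n = search_space(model)
        # 1e9 guesses/s is an assumed rate for an offline attack on a fast hash.
        print(f"{model:8s} {n:>15,d} candidates, {seconds_to_exhaust(n, 1e9):8.0f} s at 1e9/s")
    print("example:", random_plate_password())
```

At the assumed 10^9 guesses per second (an offline attack against a fast, unsalted hash) even the 78 billion candidates of the no-structure model are exhausted in about 80 seconds, while the same counts are out of reach for an online attack that a server throttles to a few guesses per second. How much the scheme buys therefore depends on where and how the password is attacked, not only on the count.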
Sunday, April 6, 2008
Saturday, April 5, 2008
Passwords: the weakest security link
I've been laboring under the delusion that passwords composed of words and numbers are relatively effective. Adding numbers to passphrases was recommended in order to defeat the dictionary search algorithm. But, upon reflection, I thought of a variant algorithm to tease out probable words in passphrases.
It goes like this:
Step 1. Try every word, common name and short phrase of length L, where L is the length of the password, if known. Even if it is not known, the maximum password length normally is, so the procedure can be run for each L up to Lmax.
Step 2. If Step 1 fails, try every word of length L-1 followed by each of the 10 digits in the last position.
Step 3. If that fails, do the same for L-2, checking all 100 two-digit numbers in the last two positions.
If need be, proceed down to a word of length L-n = 3 (a three-letter word) with n digits to its right; for n = 6 that is a million digit strings per word, not an unreasonable task for a computer.
Then reverse the process, checking numbers of m digits followed by words of length n, where m+n = L.
If need be, check all possibilities such as
xx(dictionary word of length L-5)xxx
That is, we try all 100 two-digit numbers, followed by every dictionary word, followed by all 1000 three-digit numbers. Estimating 500,000 English words, the number of possibilities is 100 x 500,000 x 1000 = 5 x 10^10, or 50 billion, which is a bit much. But the set of most common words is perhaps 5,000, yielding 5 x 10^8, or 500 million combinations, which may well be doable. Still, if you must use a word-number combination in your password: break it up! That is, jack77351 is more vulnerable than 77jack351. Not because one pattern is larger than the other: with 5,000 words, word-plus-five-digits and two-digits-word-three-digits are both 5,000 x 10^5 = 500 million candidates. The difference is where the password falls in the search. jack77351 is found in the early word-then-digits steps, whereas 77jack351 is reached only after those steps, their reverse, and the other ways of splitting five digits around the word have been tried; with six possible placements of the digits, that is on the order of 3 billion candidates before the attacker can be sure of it.
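The procedure above as an added, runnable illustration, not the post's own code: the enumerator yields candidates in exactly the order the steps give, with a constructed twelve-word list standing in for the common-word dictionary, and a second function computes the position of a target in that search arithmetically from the per-pattern sizes, which is what the 500 million figures are.

```python
import itertools
import string

# Hybrid dictionary-plus-digits search in the order the post lays out:
# (1) the whole word, (2) a word followed by 1, 2, ... digits, (3) digits then
# a word, (4) digits on both sides of a word. Added illustration, not the
# post's own code; WORDS is a constructed toy list, so absolute counts are
# tiny, but the ordering and per-pattern arithmetic are those of a real list.

WORDS = ["jack", "jill", "pass", "word", "love", "cat", "dog", "sun",
         "secret", "monkey", "hello", "qwerty"]


def patterns(length):
    """(digits_before, digits_after) pairs in the post's search order for a
    password of `length` characters, always leaving at least 3 letters."""
    out = [(0, 0)]                                       # step 1: word alone
    out += [(0, n) for n in range(1, length - 2)]        # steps 2, 3, ...: word + n digits
    out += [(m, 0) for m in range(1, length - 2)]        # reversed: m digits + word
    for total in range(2, length - 2):                   # split: some before, rest after
        out += [(m, total - m) for m in range(1, total)]
    return out


def by_length(words):
    """Group the word list by length, keeping list (frequency) order."""
    groups = {}
    for w in words:
        groups.setdefault(len(w), []).append(w)
    return groups


def digit_strings(n):
    """All n-digit strings 00..0 through 99..9; a single '' when n == 0."""
    return ("".join(t) for t in itertools.product(string.digits, repeat=n))


def candidates(words, length):
    """Yield every candidate of `length` characters, in search order."""
    groups = by_length(words)
    for before, after in patterns(length):
        for w in groups.get(length - before - after, []):
            for d1 in digit_strings(before):
                for d2 in digit_strings(after):
                    yield d1 + w + d2


def pattern_size(word_count, digits):
    """Candidates in one pattern: every word times every digit string."""
    return word_count * 10 ** digits


def guesses_until_found(words, target):
    """Guesses made before `target` turns up, by actually enumerating."""
    for i, cand in enumerate(candidates(words, len(target)), start=1):
        if cand == target:
            return i
    return None


def _all_digits(s):
    return s == "" or s.isdigit()


def position_of(words, target):
    """Same answer as guesses_until_found, but computed from the pattern
    sizes instead of by enumeration, so it is cheap for long targets."""
    groups = by_length(words)
    skipped = 0
    for before, after in patterns(len(target)):
        wlen = len(target) - before - after
        group = groups.get(wlen, [])
        prefix, word, suffix = target[:before], target[before:before + wlen], target[before + wlen:]
        if word in group and _all_digits(prefix) and _all_digits(suffix):
            rank = group.index(word) * 10 ** (before + after)
            rank += int(prefix or "0") * 10 ** after + int(suffix or "0")
            return skipped + rank + 1
        skipped += pattern_size(len(group), before + after)
    return None


if __name__ == "__main__":
    for pw in ("jack77351", "77jack351"):
        print(pw, "is guess number", position_of(WORDS, pw))
    print("one pattern, 5,000 words, 5 digits:", pattern_size(5000, 5))
```

With this toy list jack77351 is the 90,352nd guess and 77jack351 the 7,639,352nd: the pattern containing each is the same size, the split version simply lies much later in the search. Replace WORDS with a real frequency list of a few thousand words and pattern_size(5000, 5) gives the 500 million of the text.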
Then there are the very long passphrases, such as those recommended by Hushmail.com. The idea is that with 47 possible characters per position, 47^n candidates is beyond brute-force computing power for n greater than about 10.
However, long passphrases built from words may be susceptible to statistical methods. First, a regression analysis to separate the dummy characters, and any random component, from the words; then a frequency analysis on the word component, and voila!, the remainder follows swiftly.
But who can remember long randomly generated strings, which make the best passwords? Well, what about the next best thing: pseudorandom strings generated by your pocket scientific calculator (but beware, some pseudorandom techniques are no good).
That is, it may be better to remember a specific function or two rather than some phrase.
A shorter Yahoo password:
3.7(7.33/7) yields a decimal extension: 26851482. And we can always toss in some non-numerals, as in: b26851482n
A longer Hushmail password:
7.1(171/7) union 3.5(533/5) (here "union" means the two decimal expansions are written one after the other)
we write as +]6423310989950748'+
A bit of "false" symmetry with the plus signs might slow some kind of numeral hunt.
The numerical symmetries in the functions are meant as memory aids. Yet I doubt they would show up very easily.
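The recommendation above is to remember a function rather than a phrase, and the April 6 note at the top of the page shows the weak spot: the function is only as available as the calculator. The following is an added example, not the post's own method, that swaps calculator arithmetic for a standard password-based key derivation function (PBKDF2-HMAC-SHA256 from Python's standard library): one memorised master secret plus a site name deterministically yields a distinct 24-character password per site, reproducible on any machine with Python. The iteration count, the output length and the normalisation step are assumptions chosen for this example.

```python
import base64
import hashlib
import unicodedata

# "Remember a function, not a phrase", done with a cryptographic function:
# PBKDF2-HMAC-SHA256 turns one master secret and a site label into a per-site
# password. Added example, not the post's own method. Parameters below are
# assumptions for this illustration.

ITERATIONS = 600_000      # assumed; slows offline guessing of the master secret
OUTPUT_BYTES = 18         # assumed; 18 bytes -> 24 urlsafe-base64 characters, no padding


def _normalize(text):
    """Canonicalise text (NFKC) so the same secret typed on different systems
    derives the same key, then encode as UTF-8 bytes."""
    return unicodedata.normalize("NFKC", text).encode("utf-8")


def derive_password(master_secret, site, counter=1):
    """Deterministic per-site password. Same inputs always give the same
    output; `counter` lets one site's password be rotated without changing
    the master secret. The site name is lower-cased so capitalisation of a
    domain does not change the result."""
    salt = _normalize(f"{site.lower()}:{counter}")
    key = hashlib.pbkdf2_hmac("sha256", _normalize(master_secret), salt,
                              ITERATIONS, dklen=OUTPUT_BYTES)
    # urlsafe base64 keeps the output printable and pasteable (letters, digits,
    # '-' and '_'); 18 random-looking bytes carry 144 bits of entropy.
    return base64.urlsafe_b64encode(key).decode("ascii")


if __name__ == "__main__":
    master = "correct horse battery"      # constructed example secret
    for site in ("example.com", "example.org"):
        print(site, derive_password(master, site))
```

The output's strength rests on the master secret alone, so that secret still has to be long and unguessable; what the derivation adds is that one secret serves every site without reuse, and that losing the "calculator" costs nothing, since any machine with Python recomputes the same passwords.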