Password - easy to remember hard to guess
Results 1 to 2 of 2

Thread: Password - easy to remember hard to guess

  1. #1
    Flash M0nkey
    Join Date
    Sep 2001
    Posts
    3,447

    Lightbulb Password - easy to remember hard to guess

    Most people know about the main problem with complex passwords. If you make something too complex to remember people start writing it down which defeats the purpose of having a secure password.

    So alot of people have taken to using common words and replacing letters in a simple pattern such as p4ssw0rd etc
    This provides very little extra protection as most modern bruteforce attacks will take these kinds of simple transformations into account and test for them as well.

    Then I had an idea for a method which would allow a person to use a really simple to remember password - even something as basic as there Name, but while still having a pretty secure password.

    By using a javascript bookmarklet which performs a transformation on a text string you could enter the word you wanted to use into the bookmarklet and it would generate a secure password for you.

    One example:

    Code:
    var keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
    
    function encode64(input) {
       var output = "";
       var chr1, chr2, chr3;
       var enc1, enc2, enc3, enc4;
       var i = 0;
    
       do {
          chr1 = input.charCodeAt(i++);
          chr2 = input.charCodeAt(i++);
          chr3 = input.charCodeAt(i++);
    
          enc1 = chr1 >> 2;
          enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
          enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
          enc4 = chr3 & 63;
    
          if (isNaN(chr2)) {
             enc3 = enc4 = 64;
          } else if (isNaN(chr3)) {
             enc4 = 64;
          }
    
          output = output + keyStr.charAt(enc1) + keyStr.charAt(enc2) + 
             keyStr.charAt(enc3) + keyStr.charAt(enc4);
       } while (i < input.length);
       
       return output;
    }
    
    document.body.innerHTML= "<textarea>"+ encode64(prompt("Enter word to encode")) +"</textarea>";
    This simple code uses base64 conversion to generate what appears to be a random string from a normal word. Making for a password which is going to take a very long time to brute force - but the user does not need to remember it. They simply enter their easy to remember password into the prompt and then the bookmarklet does all the work.

    This same code as a bookmarklet

    Code:
    javascript:var keyStr="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";function encode64(input){var output="";var chr1,chr2,chr3;var enc1,enc2,enc3,enc4;var i=0;do {chr1=input.charCodeAt(i++);chr2=input.charCodeAt(i++);chr3=input.charCodeAt(i++);enc1=chr1>>2;enc2=((chr1&3)<<4)|(chr2>>4);enc3=((chr2&15)<<2)|(chr3>>6);enc4=chr3&63;if(isNaN(chr2)){enc3=enc4=64;}else if(isNaN(chr3)){enc4=64;}output=output+keyStr.charAt(enc1)+keyStr.charAt(enc2)+keyStr.charAt(enc3)+keyStr.charAt(enc4);}while(i<input.length);return output;}document.body.innerHTML="<textarea>"+encode64(prompt("Enter word to encode"))+"</textarea>";
    The transformation does not have to be done with base64 - thats just an example. You could use anything like md5, sha1 or something unique that you designed yourself.

    Thoughts, comments?

  2. #2
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    It's a fairly cool idea.... I see a few problems and benefits..

    1) People accessing your computer... You could tell them your "password" for site X and it wouldn't be detrimental to you... (benefit)... However if this method became a popular way of protecting passwords and creating difficult passwords As more people used it they'd understand what you were doing and that would be a problem.... either way you shouldn't be giving your password out but I could see that thought running through peoples heads..

    Now a couple of problems I see..

    You're away from your computer.. or your computer dies (as my PC just did)... You suddently can't access your sites unless you setup the same bookmarklet..

    Even though the password is more complex that's being sent. I don't see it making it more difficult... In fact I'd see it lowering security...

    As a malicious person I know of this script... so now when I perform a dictionary attack, I run it four times... once with the words unaltered, once with them as base64, once with them md5'd and once with them sha-1'd... That's significantly less time than a "random" complex password brute force...

    So I don't think you're really increasing the complexity of the password... it's actually more harmful to the user in the end.. they feel secure using a simple password.. but it's just as easy for the badguys to get in...

    There's also the problem that when, for example, I design a database... I seldom make the password field 128 or 256/512 characters long... which would make MD5 and SHA-1 useless......


    However I'll also share my complex but easy to remember password style...

    websites... but never the website you're logging into..

    so my account for CNN may be username: htregz password: http://www.google.ca/codesearch

    My login for the computers at work might be username: htregz password: http://www.antionline.com/newreply.php

    Sometimes I'll drop the page and just use http://www.computerdefense.org.

    I think these make great passwords.... they're long... complex (yet only : / and . unless you use a site with a - or a number)... and because we're internet-based people these days they are quick and easy to type and remember.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •