Efforts to understand, improve, or do less harm to the world around me.



Saturday, June 12, 2010

The problem of hard passwords

Have you ever been assigned a password that you couldn't possibly remember, then been required to write it down somewhere or come up with one equally weird?  How is someone supposed to remember "n0A2aw3f"?  How are you not supposed to write something like that down?  Enter Password Card, a tool that makes it easy to use passwords that would be almost impossible to guess.

(Below: example "card")


Just pick a character and a color for a password of any length.  If the card is lost, it looks like random characters (above), so you're safe.


Why gibberish passwords?

You may wonder why organizations require this when ATMs only require a simple 4-digit PIN.  The PIN is secure because an ATM will only allow you to try around 4 times before locking your account.  Many other passwords and services don't have this limitation, so they must rely on passwords that can withstand millions of attempts by very fast computers.

A single character of a password has 10 possibilities if it is a number and 26 possibilities if it is a letter.  If you combine upper-case, lower-case, and numbers (as Password Card does), you have 62 possibilities for each character.

While a four number ATM code has 10,000 possibilities, a four character password from Password Card would have almost 15 million!  An 8 character password would have over 200 trillion combinations!

So the advantages of a difficult password are obvious.


An open password?

Unfortunately, as cool as the Password Card is, its weak link is an intelligent or dedicated thief.  If someone has your card and your login names, it's very easy to enter every left-to-right run of characters present on the card and have a computer quickly try them all.  So the question becomes: could you publicly post a wallet-sized piece of paper with your password written on it and still be completely secure?

For any proposed system, the password must be present and visible and should use the current "Password Card" system in some format.  Here's what we came up with:

Use obvious associations that a human could make but a computer could not, such as grey being connected to the sad face and the heart with red.  So all someone would have to remember is "sad face, heart" to have a much more complex, harder to guess password.  Drawing from our card above, four characters would come from the grey line under the sad face ("svwR") and four more from the red starting under the heart character ("qYdr").


This two-part password seems to be much more secure and could of course be made three- or four-part for better security.  Even a computer's "attack" on the card would be fruitless, as the number of possible combinations again becomes impractically large.
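To put numbers on both the keyspace argument above ("Why gibberish passwords?") and the card-in-hand attack, here is an added example (not from the original post or from the Password Card project) that counts candidates for each case.  The card geometry (8 rows by 29 columns), the guessing rate, and the assumption that the thief only tries left-to-right runs are constructed assumptions for illustration, not facts stated on the page.

```python
from math import log2

DIGITS = 10            # an ATM PIN uses digits only
ALNUM = 26 + 26 + 10   # upper, lower and digits, as Password Card does: 62 symbols

# Assumed (constructed) card geometry; the post does not state the card's size.
CARD_ROWS = 8
CARD_COLS = 29


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of `length` characters drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def card_runs(rows: int, cols: int, length: int) -> int:
    """Candidates a thief holding the card must try when the password is one
    left-to-right run of `length` characters on a single coloured row."""
    if length > cols:
        return 0
    return rows * (cols - length + 1)


def multi_part_runs(rows: int, cols: int, part_length: int, parts: int) -> int:
    """Candidates when the password is `parts` independent runs joined together
    (the "sad face, heart" scheme from the post is parts=2, part_length=4)."""
    return card_runs(rows, cols, part_length) ** parts


def bits(candidates: int) -> float:
    """Guessing space expressed in bits, for comparing the cases directly."""
    return log2(candidates)


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time for an unthrottled guesser that tries every candidate."""
    return candidates / guesses_per_second


if __name__ == "__main__":
    rate = 1_000_000.0  # assumed offline guessing rate, for illustration only
    cases = [
        ("4-digit PIN (no lockout)", keyspace(DIGITS, 4)),
        ("4-char card password, brute force", keyspace(ALNUM, 4)),
        ("8-char card password, brute force", keyspace(ALNUM, 8)),
        ("8-char run, thief holds the card", card_runs(CARD_ROWS, CARD_COLS, 8)),
        ("two 4-char runs, thief holds the card", multi_part_runs(CARD_ROWS, CARD_COLS, 4, 2)),
        ("four 4-char runs, thief holds the card", multi_part_runs(CARD_ROWS, CARD_COLS, 4, 4)),
    ]
    for label, n in cases:
        print(f"{label:42s} {n:>20,d} {bits(n):6.1f} bits {seconds_to_exhaust(n, rate):14.1f} s")
```

The table makes the post's point concrete: the card's 62-symbol alphabet is only a defence against guessers who do not have the card, and the multi-part scheme's strength grows with the number of parts, so the defender's real controls remain the part count and rate limiting on the login itself.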

Related:

Generatedata.com - Generate any kind of data, including random passwords.
