Computer Science Canada

Algorithm Passwords
Author:  mirhagk [ Thu Apr 28, 2011 7:44 am ]
Post subject:  Algorithm Passwords
Someone proposed this to me the other day, and it's a really good idea, it gives a super secure, different password for every site, yet you only need to remember one thing.

What you do is you take the name of the site or something, and make the password a specific algorithm where you change it into the password. For instance say my algorithm is increment every other letter by 1,capitalize every 3rd letter, then fold the word onto itself 3 times. So for gmail it'd be

gmAil
gnAjl
glnjA
gAljn
gnAjl

if someone knew your gmail password was gnAjl, well that's doesn't help them figure out any other passwords. Plus you could add things so that you can add symbols and stuff. It would be very secure, with no password reuse. What do you guys think?
Author:  apython1992 [ Thu Apr 28, 2011 8:05 am ]
Post subject:  RE:Algorithm Passwords
It's like data encryption, where the act of securing data involves the use of internally-known algorithms. I think it's a decent enough idea, so long as the algorithm is complex enough and you keep the algorithm to yourself. The problem with this is that there are people who write programs to try to crack "codes" like this. A computer can try all sorts of algorithms, but it will never know my favourite teacher in high school Wink Another issue I see is that computers can be programmed to "know" that your password is some function of a website name. I really don't know much about this kind of thing, but I'm just saying it poses some potential issues.
Author:  mirhagk [ Thu Apr 28, 2011 8:26 am ]
Post subject:  RE:Algorithm Passwords
But noone would suspect it's an algorithm, and they would need to know multiple passwords in order to determine the algorithm, which your screwed anyways.

And a computer can't know who your favourite teacher in high school was, but I can check your high school online, find out teacher's names in the courses you took, look at their ratings, see which are the best 5, and I've probably gotten the right one. Worst case scenario is it takes me a day or 2 to go through every teacher in your school.

Or one of your friends might know that, and then they have access to it.

Also guessing a password isn't the problem, the problem is password reuse

Posted Image, might have been reduced in size. Click Image to view fullscreen.
there are multiple ways around this, the one I currently do is a heirarchy of passwords
Level 1=random forums, stupid games, etc
Level 2=stuff that kinda matters, like youtube and games I like, but I won`t actually lose anything if I lose the password
Level 3=Facebook,email etc
Level 4=banking sites etc (each one here gets it`s own)
That way I only have to remember a few passwords, but am relatively secure.

Remember it`s not guessing passwords thats the issue, its knowing a password for one site and being able to use it everywhere (a couple of your friends probably know your password to a download site or something)
Author:  apython1992 [ Thu Apr 28, 2011 8:38 am ]
Post subject:  RE:Algorithm Passwords
My example was pretty bad. I was just trying to illustrate the point that the best passwords are ones that are very unlikely to be guessed by a computer, because a computer could never in many lifetimes try all combinations of French, English, Spanish words, numbers, letters, symbols, and other things that are chosen completely at the individual's discretion. Arguably, there may be just as many unique algorithms, but if computers are, as we speak, trying out all kinds of combinations of encryption algorithms, I would think that people smarter than I think it's possible to crack these codes (especially with the rise of quantum computing). You are right though, at least you would be getting a different password for each website, but if a computer figures out one password, it will know the rest if you use the same algorithm.
Author:  apython1992 [ Thu Apr 28, 2011 8:47 am ]
Post subject:  RE:Algorithm Passwords
After thinking about it a bit more, I suppose there really are infinite combinations of both algorithms and "personal" passwords. It could be argued that algorithms are just as personal if one comes up with it on his or her own. In that case, I would say that it is a good idea, but at the very least use a different algorithm for each website. Now instead of having a password key-ring, you're going to have an algorithm key-ring Razz
Author:  mirhagk [ Thu Apr 28, 2011 8:47 am ]
Post subject:  RE:Algorithm Passwords
No, it will need two

4=f(2)

what is f(x)?

It could be =2x could be =x^2 it could be =3x-2

You need multiple points to solve for a line right? In the same way you need multiple points to solve for an algorithm (even more since you don't even know what kind of function it is)

And computers can try all the different words, it's called a dictionary attack, which can be successful, but takes a long time.

Again it comes to the issue of password reuse being the biggest problem, not weak passwords.

I can use "dog" as a password, so long as it's only on one site.
Author:  apython1992 [ Thu Apr 28, 2011 8:49 am ]
Post subject:  RE:Algorithm Passwords
My bad, you're right, it would be a system of algorithms to yield a solution. Even still, that's worse than having something unique for every different website.
Author:  mirhagk [ Thu Apr 28, 2011 11:28 am ]
Post subject:  RE:Algorithm Passwords
Yeah but most people can't remember that many passwords (I can think of at least 20 different password sites I use pretty regularly), so most people right them down somewhere, sometimes even on the computer.
Author:  apython1992 [ Thu Apr 28, 2011 11:30 am ]
Post subject:  RE:Algorithm Passwords
And it would be even harder to memorize twenty algorithms.
Author:  mirhagk [ Thu Apr 28, 2011 11:33 am ]
Post subject:  RE:Algorithm Passwords
But not hard to memorize one, which is what I'm saying. One algorithm means different passwords for any site, so the site owners don't get your password.
Author:  apython1992 [ Thu Apr 28, 2011 11:35 am ]
Post subject:  RE:Algorithm Passwords
But then this goes down to the problem of a computer being able to figure out _all_ your passwords after guessing two or three by chance. Unlikely as it may be, it's still worth thinking about!
Author:  chrisbrown [ Thu Apr 28, 2011 11:47 am ]
Post subject:  RE:Algorithm Passwords
If I may jump in here, I've always been a fan of the finger shift method. Just hit the key above/left/right/below, depending on some start condition. For example, qwerty rightshifted becomes wertyu, facebook upshifted becomes rqd3g99i. Press shift every other key and you get rQd#g(9I. By the same algorithm, gmail becomes tJq*o.

It's not perfect but it's not CPU-intuitive so human intervention would be required, and even then it would take a real sharp eye.
Author:  mirhagk [ Thu Apr 28, 2011 2:15 pm ]
Post subject:  RE:Algorithm Passwords
chrisbrown, you are a genius, that is the perfect algorithm. that is impossible to guess, very easy to remember, no dictionary attack would work, and you can't even work out that relationship (if you can do that, then you can more than hack w/e website it is lol)
Author:  chrisbrown [ Thu Apr 28, 2011 7:27 pm ]
Post subject:  RE:Algorithm Passwords
Credit belongs to Lifehacker, but yes, it's certainly a handy trick.
Author:  mirhagk [ Fri Apr 29, 2011 7:41 am ]
Post subject:  RE:Algorithm Passwords
I need to read more lifehacker apparently lol
Author:  mirhagk [ Wed Aug 31, 2011 3:47 pm ]
Post subject:  RE:Algorithm Passwords
I read another XKCD recently about passwords, and it's really got me thinking. Have we being doing passwords wrong or is XKCD bad at math. To me the general idea of the math seems pretty simple and very true:

Posted Image, might have been reduced in size. Click Image to view fullscreen.
Author:  DemonWasp [ Wed Aug 31, 2011 4:17 pm ]
Post subject:  RE:Algorithm Passwords
If anything, the second way is better than you would think: he's suggesting that there are perhaps 11 bits of entropy per word, which suggests 2048 possible words (I think -- could be wrong as I haven't studied Information Theory). Even if you throw away 99% of the Oxford English dictionary, you end up with 2500 words to choose from, so it's probably safe to say that there are more words than that.

The only problems you're likely to encounter there are problems you already see in passwords -- password reuse, "mypasswordispassword", etc. Assuming you let people choose their own passphrases, you will probably find that there are certain patterns to the data you get back: passphrases like "mybirthdayisMMddYYYY" or "jellybeansareawesome" (not to mention the ones composed entirely of four-letter words).

Passwords that long also counter one of the more trivial ways of stealing passwords: watching people type. It's pretty easy to figure out what password someone is typing by watching their fingers, especially immediately after they change it (and don't forget, you need to change passwords frequently!*); on the other hand, a long enough passphrase is incredibly difficult to catch, even with relatively-novice typists.

* Lies. Create a decent password -- or passphrase -- and learn it. Don't change it unless the service is compromised in some way (hashed passwords released, etc).
Author:  Tony [ Wed Aug 31, 2011 6:07 pm ]
Post subject:  RE:Algorithm Passwords
password entropy is hard to calculate accurately. A bunch of it lies in various assumptions -- knowing the "shape" of the password is probably the biggest one.

If the assumption is that most of the population uses current trend of short passwords, then a 28 character passphrase is really strong (as password bruteforce is typically incremental, with 27 character long passwords being attempted first).

If we assume that passwords are commonly a passphrase and attack those forms first, then the entropy is calculated from the dictionary of words typically used and not necessarily from the size of the available dictionary. As DemonWasp alludes to, certain words (or patterns in word usage) will be more common than others. At this point if the bruteforce attempt iterates over the dictionary word then any "tricks" described by xkcd for the short passwords would once again greatly increase the strength (via the order in which a particular shape of a password is attempted to be bruteforced first)
Author:  Dan [ Wed Aug 31, 2011 7:21 pm ]
Post subject:  RE:Algorithm Passwords
The awnser to bad passwords is not forcing ridiculously long or convoluted passwords on poeleop but to use multifactor authentication.

The future is in security tokens and other such devices. Honestly it scares me that my e-mail and MMORPG accounts are using authenticators while my bank account still just requires a username and password.
Author:  mirhagk [ Wed Aug 31, 2011 7:25 pm ]
Post subject:  RE:Algorithm Passwords
Yes there are certain words more likely to be used, however you would probably be surprised at just how creative people can get with 4 words. If you tell them to make a four word password that is pretty random but easy to rememeber then they might get awesome. If you ever look at a list of passwords (you can see some online sometimes) you'll notice that the baseword is usually something really random, but it means something to them.

You can also parse the input to check for things like birthdays, phone numbers, the word password, the name of the site etc.

On a related note, my friend's password is "hotdogninja" which is pretty random, easy to remember and most importantly would involve an extensive dictionary to find it.

If you tell people to follow XKCD's example of choosing four random words, and avoid things like "are", "is", "has" etc then they would be pretty secure.

Regardless it will be more secure than the current model of a "word5!", (there are several more variations, but even 8 different types is still only 3 bits of entropy)
Author:  DemonWasp [ Wed Aug 31, 2011 9:07 pm ]
Post subject:  RE:Algorithm Passwords
What you really, really don't want to do (even though many banks choose to do so) is to limit passwords. Let me make this as clear as possible:

Limiting the length of passwords to less than X will ALWAYS make for less secure passwords.

Further, requiring one symbol, one numeral, one upper case and one lower case will ALSO make for a smaller possibility space, which is much more readily searched. However, it will reject passwords below a certain strength, so there is some value in doing so.
Author:  mirhagk [ Wed Aug 31, 2011 9:23 pm ]
Post subject:  RE:Algorithm Passwords
Well the problem is that if you say it has to be 8 letters long or under (an example) with one symbol and one number, nearly everyone will put the number and the symbol at the end, meaning that instead of the 26 characters you normally have you'd have 10 characters (for numbers) and about 18 for symbols. Actually makes it worse than comparatively "weak" passwords.

:


You can syndicate this boards posts using the file backend.php or view the topic map using sitemap.php.

Terms of Use | Privacy Policy