Algorithm Passwords

[mirhagk]

Someone proposed this to me the other day, and it's a really good idea, it gives a super secure, different password for every site, yet you only need to remember one thing.

What you do is you take the name of the site or something, and make the password a specific algorithm where you change it into the password. For instance say my algorithm is increment every other letter by 1,capitalize every 3rd letter, then fold the word onto itself 3 times. So for gmail it'd be

gmAil
gnAjl
glnjA
gAljn
gnAjl

if someone knew your gmail password was gnAjl, well that's doesn't help them figure out any other passwords. Plus you could add things so that you can add symbols and stuff. It would be very secure, with no password reuse. What do you guys think?

[apython1992]

It's like data encryption, where the act of securing data involves the use of internally-known algorithms. I think it's a decent enough idea, so long as the algorithm is complex enough and you keep the algorithm to yourself. The problem with this is that there are people who write programs to try to crack "codes" like this. A computer can try all sorts of algorithms, but it will never know my favourite teacher in high school Another issue I see is that computers can be programmed to "know" that your password is some function of a website name. I really don't know much about this kind of thing, but I'm just saying it poses some potential issues.

[mirhagk]

But noone would suspect it's an algorithm, and they would need to know multiple passwords in order to determine the algorithm, which your screwed anyways.

And a computer can't know who your favourite teacher in high school was, but I can check your high school online, find out teacher's names in the courses you took, look at their ratings, see which are the best 5, and I've probably gotten the right one. Worst case scenario is it takes me a day or 2 to go through every teacher in your school.

Or one of your friends might know that, and then they have access to it.

Also guessing a password isn't the problem, the problem is password reuse


there are multiple ways around this, the one I currently do is a heirarchy of passwords
Level 1=random forums, stupid games, etc
Level 2=stuff that kinda matters, like youtube and games I like, but I won`t actually lose anything if I lose the password
Level 3=Facebook,email etc
Level 4=banking sites etc (each one here gets it`s own)
That way I only have to remember a few passwords, but am relatively secure.

Remember it`s not guessing passwords thats the issue, its knowing a password for one site and being able to use it everywhere (a couple of your friends probably know your password to a download site or something)

[apython1992]

My example was pretty bad. I was just trying to illustrate the point that the best passwords are ones that are very unlikely to be guessed by a computer, because a computer could never in many lifetimes try all combinations of French, English, Spanish words, numbers, letters, symbols, and other things that are chosen completely at the individual's discretion. Arguably, there may be just as many unique algorithms, but if computers are, as we speak, trying out all kinds of combinations of encryption algorithms, I would think that people smarter than I think it's possible to crack these codes (especially with the rise of quantum computing). You are right though, at least you would be getting a different password for each website, but if a computer figures out one password, it will know the rest if you use the same algorithm.

[apython1992]

After thinking about it a bit more, I suppose there really are infinite combinations of both algorithms and "personal" passwords. It could be argued that algorithms are just as personal if one comes up with it on his or her own. In that case, I would say that it is a good idea, but at the very least use a different algorithm for each website. Now instead of having a password key-ring, you're going to have an algorithm key-ring

[mirhagk]

No, it will need two

4=f(2)

what is f(x)?

It could be =2x could be =x^2 it could be =3x-2

You need multiple points to solve for a line right? In the same way you need multiple points to solve for an algorithm (even more since you don't even know what kind of function it is)

And computers can try all the different words, it's called a dictionary attack, which can be successful, but takes a long time.

Again it comes to the issue of password reuse being the biggest problem, not weak passwords.

I can use "dog" as a password, so long as it's only on one site.

[apython1992]

My bad, you're right, it would be a system of algorithms to yield a solution. Even still, that's worse than having something unique for every different website.

[mirhagk]

Yeah but most people can't remember that many passwords (I can think of at least 20 different password sites I use pretty regularly), so most people right them down somewhere, sometimes even on the computer.

[apython1992]

And it would be even harder to memorize twenty algorithms.

[mirhagk]

But not hard to memorize one, which is what I'm saying. One algorithm means different passwords for any site, so the site owners don't get your password.

[apython1992]

But then this goes down to the problem of a computer being able to figure out _all_ your passwords after guessing two or three by chance. Unlikely as it may be, it's still worth thinking about!

[chrisbrown]

If I may jump in here, I've always been a fan of the finger shift method. Just hit the key above/left/right/below, depending on some start condition. For example, qwerty rightshifted becomes wertyu, facebook upshifted becomes rqd3g99i. Press shift every other key and you get rQd#g(9I. By the same algorithm, gmail becomes tJq*o.

It's not perfect but it's not CPU-intuitive so human intervention would be required, and even then it would take a real sharp eye.

[mirhagk]

chrisbrown, you are a genius, that is the perfect algorithm. that is impossible to guess, very easy to remember, no dictionary attack would work, and you can't even work out that relationship (if you can do that, then you can more than hack w/e website it is lol)

[chrisbrown]

Credit belongs to Lifehacker, but yes, it's certainly a handy trick.

[mirhagk]

I need to read more lifehacker apparently lol