If It’s Optional, Do You Have To Be Honest?

Posted Sunday, 21 January 2007, 3:55 pm • Updated Sunday, 21 January 2007, 11:05 pm | 1 comment

I tend to be against race-based discrimination, no matter what the reason. Whether it be cops profiling drivers ("Driving While Black"), or admissions policies that give preference to people of one color over another—any way you slice it, making a decision based on the color of one’s skin, rather than the content of their character, is wrong. If we’re to move to a place where race is meaningless, then we have to drop all pretense of using race for classification.

This comes up in relation to my previous article regarding changing my name. My petition went through, so now my legal name is Paul Theodoropoulos, rather than Paul Theodoropoulos. Joy!

My next step is to get a new Social Security card with the new name. In filling out the form, I came across the following section:

[Image: Race/Ethnic Description Field from Social Security form]

While I’m not of a mind to muck about with this—I’m merely going to leave it blank—I wonder… Since the information is voluntary, it should have no legally binding effect upon getting the card. So would there be any problem at all in checking a box other than your correct race? It’d be a dandy bit of civil disobedience. A sudden massive spike in the population of North American Indians would be nice.

This post brought to you by Lazy Sunday Ontological PeriMotivationalism©.

But When You Do Need Higher Security…

Posted Thursday, 18 January 2007, 12:04 am • Updated Friday, 26 January 2007, 12:45 pm

Continuing on the theme of passwords and security—and I promise this will be my last on the matter, as I’m getting sick of it too—I’d like to make a software recommendation.

Even though I’m a Unix Systems Administrator by trade, I use Microsoft Windows on the Desktop. Have for more than a decade. It’s partly pragmatic, as it’s what most of the rest of the world uses on the desktop too. It’s partly for fun, as I enjoy "First-Person Shooter" games, and most are written either for the PC or for consoles. And beyond that, I like playing around in Windows. I have no particular religious sentiment in the matter, unlike many people. I don’t get my nose bent out of shape when I have to pay real, actual money to purchase software. I realize that Bill Gates is one of the wealthiest men ever to have lived, and that too doesn’t bend my nose out of shape. He’s rich, I’m poor, so what? I dislike fairly intensely the use of Windows in a server environment, and that’s largely due to the less than stellar performance of Microsoft products in that milieu. I prefer Solaris for bulletproof services, and to a lesser extent some flavors of Linux and FreeBSD. But I digress.

I do my online banking and finances on my Windows XP desktop PC. As a highly internet-centric individual, I have visited, and maintain accounts, on many, many websites that require username and password. For a long time, I used a very weak password of my own making, all of seven characters long, for almost every site I visited. I still do use it occasionally for sites that are of no significance—wherein if someone busted into the account, nothing of any importance would transpire from it.

Realizing the inherent danger in using such a weak password for everything, I took a look around several years back for a solution, and I found one that has served me exceptionally well: Roboform. Roboform automates creating and saving passwords, tied to the specific site that needs it. The passwords are encrypted, and you can set a master password with which you can prevent access to any stored passwords. It is elegant in its simplicity, but exceptionally powerful at the same time. The built-in password generator can create stunningly long, complex passwords, far more complex than one could easily remember—or than the ‘blackhats’ could easily break. When I was creating the examples for my followup article on obfuscated passwords, I used roboform to generate those strings. With just a mouse click, you can generate random password after random password, like this:

g*w4#Kg49785G8Q7f97F483Jp36BHb4xqQCe82P^

4rf8kXta73@%5!CKD&4co2EU4wdZdiS9Fn%

hBt#WjVY5363Mz5xz#2

4DJTP8u$xc$*H^95b8HB!^GMYXGgZGsXYpnJ7

And you don’t have to try to remember them! They’re all safely stored, tied to the username and site you created them for. Visit the site, and a box pops up offering to fill the fields (roboform recommends using their toolbar, but I don’t particularly care for it). Further, roboform can store Credit Card and personal information securely, and can autofill online forms with that information for you, speeding up checkout when making online purchases.

There are many, many more features beyond just these few I’ve listed. There is a ‘portable’ version you can install on a USB drive, and keep all your information with you, ready to hand, and yet still secure.

I can’t sing my praises for roboform enough. You can download it for free, and use it with up to ten stored passwords/sites. Roboform Pro is $29.95. Though it’s ten dollars more expensive, Roboform2Go, for USB drives, may be the better choice in the long run.

I give it 18.5 out of 20 klaatus! (so it must be good!)

I should add I have absolutely no affiliation with Roboform or Siber Systems (the company that makes roboform), besides being a very happy customer. I’m not getting any kickback from them for this fantastic review. Unfortunately.

But What I Really Meant To Write Was…

Posted Monday, 15 January 2007, 12:36 am • Updated Friday, 26 January 2007, 12:50 pm | 6 comments

In the aftermath of the controversy that erupted concerning my article yesterday regarding passwords, it seems—from the repeated comments misconstruing the idea—that I should write this followup, and clarify things a bit.

Mistake #1: A less catchy title might have helped, along with a less aggressive photo. In going for something attention-getting, I immediately set a tone that apparently a great many people took literally—that one should just feel free to write their [minimally modified] password on a Post-it, include what the password was intended for ("Desktop password", "root", etc), and stick it on your monitor.

I thought while I was writing it that that was over-the-top enough that people would just laugh. Er, no, not so much! I undermined the message pretty seriously with that. One merely invites scrutiny that would otherwise not occur, by publicly sticking Post-its on their monitor with passwords, modified or not. It’s best to stick the Post-it under your keyboard! (yes, I’m kidding again).

Mistake #2: Don’t say ‘Here’s the rule’ when what you really mean is "Here’s an example". In the middle of the article, I wrote—in the emphatic, mind you—

Choose a letter or number that will be your "personal" password. One single character. Add that character to whatever password you have, anywhere in the password. The only caveat is that you must ensure that any password you use does not already contain that letter or number.

Well, no, not so much again. That’s one way to do it. As I tossed in at the end of the article, there’s a ‘reverse’ method that works too. But the reality is, there are numerous ways one can employ this idea, with great success. The more ways people do it, the more work the l33t haX0rs face when they stick their nose where they shouldn’t. So along the lines of remedying Mistake #2, here, in depth, is more. This may seem tedious, but I think it’s important to address the criticisms that were expressed.

Suggested method A: Pick a letter or number that will be your secret key, and add it in a random position to any password you write down.

Example: "My personal secret character is uppercase J". I have a password of 

ph48Xc2Cz06fCoWY1

Since I can’t easily remember that, I write it down as

phJ48Xc2Cz06fCoWY1

Suggested method B: Pick two letters or numbers that will be your secret ‘key’, and add them in random positions to any password you write down.

Example: "My personal secret characters are b and 8". I have a password of

MSmc7UtC6Cy

Since I can’t easily remember that, I write it down as

bMS8mc7UtC6Cy

Suggested method C: Pick a letter or number that will be your secret ‘add’ key, and a letter or number that will be your secret ’subtract’ key. You add the one character to the password you write down. The subtract character is one you always use in the password, but always remove when you write it down. This requires that you pick a position where you will always use the character in your actual password.

Example: "My personal secret ‘add’ character is G. My personal secret ’subtract’ character is h". I have a password of

4To7oJR9oMyVomzqbWukAJyPnAbh

Since I can’t easily remember that, I write it down as

4GTo7oJR9oMyVomzqbWukAJyPnAb

Suggested method D: Pick a count and position. For any password you have, at the position you chose, enter random characters in the amount you chose.

Example 1: "My count and position are 3 and 3." I have a password of

7DiD9w9W8gZo6

Since I can’t easily remember that, I write it down as

7D4R3iD9w9W8gZo6

Example 2: "My count and position are 4 and end." I have a password of

5NSKhcD

Since I can’t easily remember that, I write it down as

5NSKhcDwW21

By no means are the above suggested methods and their concomitant examples exhaustive. There are countless variations of the above that are reasonably easy to think up, and reasonably easy to remember.

But the most critical aspect of all of these methods and examples is that you pick the method, and you keep it to yourself. The most frequently repeated criticism has been—in a nutshell—"you have nine characters and you know that one of them is fake, so it’ll take at most ten tries to figure out the correct password!" (often followed by "LAME!" or "IDIOT!"). I’m baffled by this criticism. Obviously, you (the person writing down the password) know how many characters are in the password, and what character(s) are bogus—and where in the password they’re located. But unless you stand up in the office and announce

"My secret key for passwords that I write down is the letter T and the number 4, and I always make my passwords nine characters long!"

…then Binky Q. Snoopsalittle is not going to have the first clue where to begin trying to figure out how to use that written-down password—he isn’t necessarily going to even know that you’ve done anything to the password at all! All he’ll know is that he found a Post-it that said

root password: Raf9KxZrZ2jWDa1a

But when he types it in, he keeps getting "incorrect password". If Mr. Snoopsalittle doesn’t know that you’ve modified the password in the first place, his first impression is most likely to be "huh. I guess it’s been changed since then".

But wait! Snoopsalittle reads Digg! And he read that stupid article about masking your written-down passwords! So, tell me Binky, what will you do when presented with this?

root password: Raf9KxZrZ2jWDa1a

How will you know, without having been told in advance, that the real password is only twelve characters long—not sixteen—and that the first two characters and the last two characters are completely bogus? The real password is actually f9KxZrZ2jWDa. But you didn’t know that, Binkster. You saw sixteen characters labeled "root password".

But what if our Digging friend is a l33t haX0r, with all the latest password cracking software, and a kick-ass machine he can dedicate to cracking the password? Well sure. He’ll crack it in a jiffy. With the exception of more sophisticated security schemes, he doesn’t need any of the password at all. Having an obfuscated password might cut down some of the time necessary to crack it. But we’re not trying to thwart the dedicated malevolent intruder. He’s an entirely different problem. If you’re dealing with data that is life or death, or of the nature that million dollar transactions could be compromised—you aren’t using weak security systems like ‘username and password’ to begin with! Across the landscape of security, you tailor your response to your audience, so to speak. If for example I work a helpdesk and share my workstation with another employee, the information on that PC is likely neither highly confidential, nor highly desirable to acquire. This technique I’ve described is not intended for someone working, on the other hand, in Chase-Manhattan’s datacenter.

It was indeed quite foolish to state in the article "This is, for all practical purposes, completely uncrackable." Really, really poor choice of words. As above, the determined hacker on a fast machine can pretty swiftly slice through a great many passwords of non-trivial length. Presenting a modified password can reduce the amount of work the password-cracking software has to do. But again, this technique is not geared towards thwarting that audience.

This technique is not intended as some sort of foolproof, Total Security, Super Dooper Password Perfect Protection system. It’s a pragmatic response to the rational tension between

Easy password, easy to remember, easy to break

and

Difficult password, difficult to remember, difficult to break

This method is a synthesis of ‘easy to remember’ coupled with a difficult password. Choosing your own private ‘key’ for unlocking long, complex passwords that have been written down is more secure than making your password "TGiF" and being able to remember it.

Getting back to the poorly chosen photo—and wording—suggesting writing the password on a Post-it and sticking it to your monitor. When this idea first came to me, it was in response to having been presented, at a job I’d just started, with a wallet-sized printout of some very long and complex passwords (regularly changed, as well), to servers that provided ‘last line of defense’ security for an entire server farm. A person would first have to thwart three previous layers of security, one of them requiring a Securekey keyring fob which generated one-time-use passwords, to even get to a place where they could use those written-down passwords. Even for the young crew of senior admins, memorizing them was wasted effort, so they kept the ‘cheat-sheet’ in their respective wallets. That’s when it occurred to me that obfuscating the actual printed password in some simple way could provide a "can’t hurt to do it" further layer of security.

Finally, I’ll reiterate the important concept that underlies this method: You, the person who obfuscates the password when writing it down, you choose the formula you use to obfuscate it, and there are countless different ways for any one person to do so. The other guy, however, the guy who finds your wallet with the list of passwords in it, he does not know that the password’s been modified, or how it has been modified. When considering this method, it’s important to keep that in mind. When presenting examples of it, sure, it all seems drop-dead easy to figure out, and not terribly secure at all. But good luck when you aren’t aware of the specifics.

[Image: Wallet with password cheatsheet]

Any password can be brute-forced, given enough time and enough computational horsepower. Not knowing in advance how those passwords in the photo above differ from the real, underlying passwords—and the changes to them are simple, similar to the methods described above—that makes brute-forcing them somewhat harder. But it’s the casual attacker for whom they’ll prove of no value at all.

(and no, those aren’t real or obfuscated passwords, or hosts. It’s a prop, for demonstration purposes.)

I understand a lot of the criticism made of the technique, particularly relative to my poor presentation of the idea in the article yesterday. Nevertheless, I believe this technique has merit. It’s a pragmatic technique that Joe Cubicle-dweller can use, and be perhaps a little less vulnerable to Hacky McHackerson (tip of the fez to Coda on that last!).

Oh, and don’t forget—who besides me might know that three of the passwords in the photo above are bogus end-to-end? Nothing like adding some fruitless busywork to the process. Heck, by the time Hacky gets to the real obfuscated passwords, you’ll already have changed them all.

“When Ants Look As Big As Cars…”

Posted Saturday, 13 January 2007, 7:22 pm • Updated Friday, 26 January 2007, 12:52 pm

Much to my surprise, the article I published yesterday—regarding a nifty, simple trick for adding a measure of security to passwords that have been written down—was submitted to digg.com, and even more surprisingly, it turned out to be very popular. Or rather I should say, it was very popular on digg.com, but was a nightmare for me, scrambling to keep my server going under the crushing load.

The ‘fun’ began shortly after 7am, Pacific time. I got a text message from a script I run on an offsite system, probing my server every few minutes. After the second page, I dragged my ass out of bed and had a look. Yikes. I still had four SSH sessions open on my PC’s desktop from the night before, but none of them were responsive when I typed in them. Ouch.

I ran down to the garage (yep, the server’s in my garage) to check it out. The server was up, but the disks were going absolutely crazy. This past night, we had had record low temperatures for our area, so one thing that crossed my mind was that the disks had simply gotten too cold, and were unable to recalibrate to compensate. Maybe. Since I didn’t have a serial console handy and this is a headless server, I power-cycled her. I use a logging filesystem, so the risks of a power-cycle even while doing busy disk seeks are minimal—I’ve yanked the plug from the wall during tests, over and over, and never had a problem. No problem this time either—server came back up, I headed upstairs to have a look.

Yikes! Server load was off the charts. All httpd processes. I quickly took a look at the logs, and there I could see that Digg had descended upon my little server.

I’ve been running the anastrophe.com server for something like eight years now. It started out as a Sun Sparc 20, and now it’s a Sun Netra T1: 440 MHz UltraSPARC IIi CPU, one gig of RAM, and a pair of disks, mirrored. I provide email and webhosting and shell and other services for a few dozen friends and family. It’s a light load, and the hardware has held up just dandy. Until today.

The problem more than anything else was lack of RAM. The Netra T1 can only hold 1G, so there were no quick fixes there. I did the usual things to try to tame the tiger—reduced the maximum number of concurrent httpd processes, fine tuned KeepAlive, etc. But the reality was, I was caught utterly unprepared. I think I can be forgiven for not having anticipated that an article about passwords of all things would be a hit on digg. It’s no excuse though. I really should have had at least a backup plan, just in case. Maybe set up a secondary server, mounting the Apache directories over NFS, so the load could be split. I’ll be looking into that later tonight. One thing I did at one point was to attach an external disk array, and move swap onto it. That helped some—but by that point, the load on the server had already begun dropping, so it was too little, too late.

So what does the title of this article have to do with any of this? There’s an old skydiving rule of thumb:

When cars look as big as ants, it’s time to open the parachute.
When ants look as big as cars, you’ve waited too long.

I’ve been picking ants from my teeth all day long.

Passwords On Post-its? You Bet!

Posted Friday, 12 January 2007, 3:36 pm • Updated Monday, 03 November 2008, 5:15 pm | 86 comments

A not-uncommon IT-to-user conversation:

IT Dude: "The password to log in to your new PC is r4eo1ss89"
User: "Um. Okay. But how will I remember that?"
IT Dude: "Not my problem."
User: "Okay, but there’s no way I can remember that. I’ll have to write it down"
IT Dude: "If you write it down, it’s no longer secure – if someone finds it, they’ll have access to your machine. Do not write it down!"
User: "But…but if I can’t write it down, and I can’t remember it, what can I do?"
IT Dude: "Not my problem."

At this point, IT walks away, and the user will likely change the password for their PC to "letmein". Or "abc123". And tell security ‘Goodbye’.

But there is a way to keep that impossible to remember password always at the ready, in plain view even—and yet foil anyone who tries to use it. I came up with this idea about a year ago, and to my knowledge, nobody has ever suggested the idea. So I claim inventor status!

So, IT stuck you with r4eo1ss89 as your password. You’re a smart cookie, but you know that if you try to memorize it, you’ll forever be transposing the ‘eo’ to ‘oe’ or running out of memorized characters after the ‘1’. So, the reality of that secure password is, you have to write it down.

Well, don’t hesitate, write it down! Use a bold Sharpie® on a Post-it®, write it in big letters—if you’re feeling particularly cheeky, write "Password for my computer" right above it.

The secret—and there’s a pun in there, I promise—is to ‘password protect your password’. How? It’s absurdly easy, mind-numbingly simple, and you’ll wonder why you didn’t think of it yourself first!

Drum-roll, please: Choose a letter or number that will be your "personal" password. One single character. Add that character to whatever password you have, anywhere in the password. The only caveat is that you must ensure that any password you use does not already contain that letter or number.

Here’s an example. I decide that—for every password I will ever write down—my ‘personal password’ character—my ‘secret key’ so to speak—is a lowercase ‘w’. IT gave me the password r4eo1ss89, so I write down my password like this:

[Image: Good Luck, HaX0R!]

This is, for all practical purposes, completely uncrackable. The only way someone could ever get in with that is if they already know that you are using a bogus character in the password, and already know what the character is. You’re presenting them with a password that cannot work unless they know your secret—and it’s a secret that’s exceedingly easy for you to remember and keep secret—just a solitary character! Obviously, it’s a good idea to not use one of the initials of your name. But again, for someone to even put it to use, they have to know that you’re doing this to the password in the first place. If you want to get even more clever, pick a position and designate that your ‘personal position’ along with your ‘personal character’. With that, you can then have passwords that do contain your secret character – just so long as it’s not in your chosen position. So if I chose the letter ‘w’, and always in the fifth position, I could have a password of

a9are4wp2w1 and simply modify it to

a9arwe4wp2w1

Arguably, this positional technique could be slightly less secure—if for example you were to print out your passwords in a cheatsheet, and have them all aligned to the left—then the pattern of a ‘w’ in the fifth position might become apparent. For the serious IT person who has to maintain his/her own list of many complex passwords, it’s probably best to not use a position parameter.

With this exceedingly simple technique, you can hide your passwords in plain sight. People will wonder why it is that you can get in with your password all the time, but when they try to take a sneak-peek into your computer after you’ve gone home for the day, they can never get in.

Share and enjoy!

Followup: It just occurred to me that there’s another variation on this that can work well: Secret character removal. This one does work best with positional parameters: select a character that you will always have in your password, in a particular position, then remove that character from what you write down. So, for example, your secret character is ‘f’, and your secret position is two. You create and use a password of:

Mf497ree1

But you write it down as

M497ree1

Since you know there will always be an ‘f’ in that second position, it’s just as easy to remember as the ‘extra’ character method. And since you are not writing down the character, it’s potentially even more secure than the already very secure ‘add a character’ method!
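As an added example (not the author’s code), here are the ‘add a character’ and ‘remove a character’ methods from this post, and methods B, C and D from the followup ("But What I Really Meant To Write Was…"), written as reversible functions and checked against both posts’ sample passwords; the last function is the commenters’ "at most ten tries" count done per method, on the assumption that the reader knows which method was used but not the key or position.

```python
import secrets
import string
from math import comb

# Added example, not code from the posts: the "write it down" transforms as
# reversible functions. Positions are 1-based, as the posts count them
# ("the fifth position"); for method D, pos may also be "end".
ALPHABET = string.ascii_letters + string.digits

def _insert(s, i, chars):
    return s[:i] + chars + s[i:]

def add_key_write(real, key, pos):
    """Original post / method A: add one secret character at a position."""
    return _insert(real, pos - 1, key)

def add_key_recover(written, key, pos=None):
    # With a fixed position the real password may contain the key elsewhere
    # (the a9are4wp2w1 example). With a random position it must not, or the
    # owner cannot tell which occurrence is the bogus one.
    if pos is None:
        assert written.count(key) == 1, "key must occur exactly once"
        return written.replace(key, "", 1)
    assert written[pos - 1] == key, "no key at the chosen position"
    return written[:pos - 1] + written[pos:]

def remove_key_write(real, key, pos):
    """Followup's 'secret character removal': the real password always carries
    the key at pos, and the written copy leaves it out."""
    assert real[pos - 1] == key, "real password must carry the key at pos"
    return real[:pos - 1] + real[pos:]

def remove_key_recover(written, key, pos):
    return _insert(written, pos - 1, key)

def add_subtract_write(real, add_key, add_pos, sub_key, sub_pos):
    """Method C: drop the 'subtract' key, then put in the 'add' key."""
    return add_key_write(remove_key_write(real, sub_key, sub_pos), add_key, add_pos)

def add_subtract_recover(written, add_key, sub_key, sub_pos):
    return remove_key_recover(add_key_recover(written, add_key), sub_key, sub_pos)

def pad_write(real, count, pos, filler=None):
    """Method D: insert `count` random characters at pos (an int or "end").
    `filler` only exists to reproduce the posts' examples; normally leave it None."""
    if filler is None:
        filler = "".join(secrets.choice(ALPHABET) for _ in range(count))
    assert len(filler) == count
    return _insert(real, len(real) if pos == "end" else pos - 1, filler)

def pad_recover(written, count, pos):
    i = len(written) - count if pos == "end" else pos - 1
    return written[:i] + written[i + count:]

def known_method_candidates(n, alphabet=len(ALPHABET)):
    """Real passwords a written string of length n could stand for when the
    reader knows which method was used but not the key or position: the
    commenters' "at most ten tries" arithmetic, per method. The numbers stay
    small, which is why the posts aim this at the casual snoop and insist that
    the method itself, not just the key, is kept private."""
    return {
        "A": n,                     # drop any one character
        "B": comb(n, 2),            # drop any two
        "C": n * n * alphabet,      # drop one, then insert any character anywhere
        "D": n * (n + 1) // 2 - 1,  # cut any contiguous run of 1..n-1 characters
    }
```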

Update: Please read my followup article, which addresses some of the concerns that have been expressed regarding these methods.

But what I really meant to write was…

Made with WordPress and the Semiologic CMS | Design by Antonella Pavese