But What I Really Meant To Write Was…

Posted Monday, 15 January 2007, 12:36 am | 7 comments

In the aftermath of the controversy that erupted over my article yesterday regarding passwords, it seems, judging by the repeated comments misconstruing the idea, that I should write this follow-up and clarify things a bit.

Mistake #1: A less catchy title might have helped, along with a less aggressive photo. In going for something attention-getting, I immediately set a tone that apparently a great many people took literally—that one should just feel free to write their [minimally modified] password on a Post-it, include what the password was intended for ("Desktop password", "root", etc), and stick it on your monitor.

I thought while I was writing it that that was over-the-top enough that people would just laugh. Er, no, not so much! I undermined the message pretty seriously with that. Sticking a Post-it with a password on your monitor, modified or not, merely invites scrutiny that would otherwise never occur. It's best to stick the Post-it under your keyboard! (yes, I'm kidding again).

Mistake #2: Don’t say ‘Here’s the rule’ when what you really mean is "Here’s an example". In the middle of the article, I wrote—in the emphatic, mind you—

Choose a letter or number that will be your "personal" password. One single character. Add that character to whatever password you have, anywhere in the password. The only caveat is that you must ensure that any password you use does not already contain that letter or number.

Well, no, not so much again. That’s one way to do it. As I tossed in at the end of the article, there’s a ‘reverse’ method that works too. But the reality is, there are numerous ways one can employ this idea, with great success. The more ways people do it, the more work the l33t haX0rs face when they stick their nose where they shouldn’t. So along the lines of remedying Mistake #2, here, in depth, is more. This may seem tedious, but I think it’s important to address the criticisms that were expressed.

Suggested method A: Pick a letter or number that will be your secret key, and add it in a random position to any password you write down.

Example: "My personal secret character is uppercase J". I have a password of 


Since I can’t easily remember that, I write it down as


Suggested method B: Pick two letters or numbers that will be your secret ‘key’, and add them in random positions to any password you write down.

Example: "My personal secret characters are b and 8". I have a password of


Since I can’t easily remember that, I write it down as


Suggested method C: Pick a letter or number that will be your secret 'add' key, and a letter or number that will be your secret 'subtract' key. The add character is one you insert into the password you write down. The subtract character is one you always use in your real password but always leave out when you write it down. This requires that the subtract character always sit at the same position in your real password, so that you know where to put it back.

Example: "My personal secret ‘add’ character is G. My personal secret ‘subtract’ character is h". I have a password of


Since I can’t easily remember that, I write it down as


Suggested method D: Pick a count and a position. For any password you have, insert that many random characters at that position when you write it down.

Example 1: "My count and position are 3 and 3." I have a password of


Since I can’t easily remember that, I write it down as


Example 2: "My count and position are 4 and end." I have a password of  


Since I can’t easily remember that, I write it down as


By no means are the above suggested methods and their concomitant examples exhaustive. There are countless variations of the above that are reasonably easy to think up, and reasonably easy to remember.
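Methods A to D, as code. This is an added illustration written for this page, not the post's own worked examples, which are missing from this copy; every password, key and position below is constructed for the demonstration, and the position convention (a 0-based index, or the word "end") is an assumption of mine. Each method has a pair of functions: `write_*` turns the real password into what goes on the paper, and `read_*` turns the paper back into the real password using the secret the writer keeps in their head. The caveats the post states (the key must not already occur in the password; the subtract character must have a fixed position) are enforced rather than assumed.

```python
"""Methods A-D from the post as write/read pairs (added example, not the post's code).
All sample passwords and keys are constructed for the demo."""
import secrets
import string

FILLER_ALPHABET = string.ascii_letters + string.digits


def _insert_at(s, pos, chars):
    return s[:pos] + chars + s[pos:]


# Method A: one secret character, inserted at a random position on the paper.
def write_a(real, key):
    # The post's caveat: if the key already occurs, read_a() cannot tell which
    # occurrence is the bogus one, so refuse rather than produce an ambiguous note.
    if key in real:
        raise ValueError("method A: key character already occurs in the password")
    return _insert_at(real, secrets.randbelow(len(real) + 1), key)


def read_a(written, key):
    if written.count(key) != 1:
        raise ValueError("method A: expected exactly one key character on the paper")
    return written.replace(key, "")


# Method B: two secret characters, each at its own random position.
def write_b(real, keys):
    written = real
    for k in keys:                 # same caveat as method A, applied per key
        written = write_a(written, k)
    return written


def read_b(written, keys):
    for k in keys:
        written = read_a(written, k)
    return written


# Method C: the 'add' character appears only on paper; the 'subtract' character
# is part of every real password at a fixed position and is left off the paper.
def write_c(real, add, sub, sub_pos):
    if real[sub_pos] != sub:
        raise ValueError("method C: real password must carry the subtract char at sub_pos")
    if add in real:
        raise ValueError("method C: add character already occurs in the password")
    stripped = real[:sub_pos] + real[sub_pos + 1:]
    return _insert_at(stripped, secrets.randbelow(len(stripped) + 1), add)


def read_c(written, add, sub, sub_pos):
    return _insert_at(read_a(written, add), sub_pos, sub)


# Method D: a fixed count of random filler characters at a fixed position.
# pos is a 0-based index or the word "end" (the post's second example).
def write_d(real, count, pos):
    filler = "".join(secrets.choice(FILLER_ALPHABET) for _ in range(count))
    at = len(real) if pos == "end" else pos
    return _insert_at(real, at, filler)


def read_d(written, count, pos):
    at = len(written) - count if pos == "end" else pos
    return written[:at] + written[at + count:]


if __name__ == "__main__":
    real = "f9KxZrZ2jWDa"            # constructed sample; matches the post's later example
    print("A:", write_a(real, "J"))
    print("B:", write_b(real, "b8"))
    print("C:", write_c("abhcd", "G", "h", 2))   # 'h' always at index 2 of the real password
    print("D:", write_d(real, 4, "end"))
    # The post's own Post-it: two bogus chars at the front and two at the end.
    print(read_d(read_d("Raf9KxZrZ2jWDa1a", 2, "end"), 2, 0))
```

The last line of the demo recovers the post's real password from its Post-it string by applying method D twice (count 2 at the end, then count 2 at position 0), which shows that the variants combine freely as the post claims; the `read_*` checks are what keep a combined scheme from silently producing the wrong password when a key character collides with the real one.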

But the most critical aspect of all of these methods and examples is that you pick the method, and you keep it to yourself. The most frequently repeated criticism has been, in a nutshell, "you have nine characters and you know that one of them is fake, so it'll take at most ten tries to figure out the correct password!" (often followed by "LAME!" or "IDIOT!"). I'm baffled by this criticism. Obviously, you (the person writing down the password) know how many characters are in the password, which character(s) are bogus, and where in the password they're located. But unless you stand up in the office and announce

"My secret key for passwords that I write down is the letter T and the number 4, and I always make my passwords nine characters long!"

...then Binky Q. Snoopsalittle is not going to have the first clue where to begin trying to figure out how to use that written-down password; he isn't necessarily going to even know that you've done anything to the password at all! All he'll know is that he found a Post-it that said

root password: Raf9KxZrZ2jWDa1a

But when he types it in, he keeps getting "incorrect password". If Mr. Snoopsalittle doesn’t know that you’ve modified the password in the first place, his first impression is most likely to be "huh. I guess it’s been changed since then".

But wait! Snoopsalittle reads Digg! And he read that stupid article about masking your written-down passwords! So, tell me Binky, what will you do when presented with this?

root password: Raf9KxZrZ2jWDa1a

How will you know, without having been told in advance, that the real password is only twelve characters long—not sixteen—and that the first two characters and the last two characters are completely bogus? The real password is actually f9KxZrZ2jWDa. But you didn’t know that, Binkster. You saw sixteen characters labeled "root password". 

But what if our Digging friend is a l33t haX0r, with all the latest password cracking software and a kick-ass machine he can dedicate to cracking the password? Well sure. If he has gotten hold of the password hash, a weak password falls in a jiffy without any help from the Post-it, and a Post-it that hands him a strong password with only a few characters added or removed cuts his search down to the handful of ways those characters could have been added or removed. But we're not trying to thwart the dedicated malevolent intruder. He's an entirely different problem. If you're dealing with data that is life or death, or of a nature where million-dollar transactions could be compromised, you aren't relying on a weak scheme like 'username and password' on its own to begin with! Across the landscape of security, you tailor your response to your audience, so to speak. If, for example, I work a helpdesk and share my workstation with another employee, the information on that PC is likely neither highly confidential nor highly desirable to acquire. This technique, on the other hand, is not intended for someone working in Chase Manhattan's datacenter.

It was indeed quite foolish to state in the article "This is, for all practical purposes, completely uncrackable." Really, really poor choice of words. As above, a determined hacker on a fast machine slices pretty swiftly through a great many passwords of non-trivial length, and a modified password on paper reduces the cracking software's work to trying the few ways the modification could have been made. But again, this technique is not geared towards thwarting that audience.
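The concession above deserves numbers. What follows is an added example, not part of the original post, of what Snoopsalittle actually does once he suspects the paper has been doctored: he does not guess the method, he tries every way a few characters could have been dropped (methods A, B and D, whatever positions were chosen), and for method C every way one character could also have been put back. The only values taken from the post are the Post-it string `Raf9KxZrZ2jWDa1a` and the real password `f9KxZrZ2jWDa`; the budgets for how many characters were added or removed, and the 94-character printable alphabet, are assumptions of mine.

```python
"""Candidate enumeration for a doctored written-down password (added example,
not the post's code).  Post-it and real password are the post's own; the
attacker budgets are assumed."""
from itertools import combinations
import string

WRITTEN = "Raf9KxZrZ2jWDa1a"   # what the snoop finds (from the post)
REAL = "f9KxZrZ2jWDa"          # what actually logs in (from the post)

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 chars, assumed


def by_removing(written, max_removed):
    """Every distinct string obtained by deleting up to max_removed characters
    from `written`, at any positions.  This covers methods A, B and D without
    knowing the key character, the count or the position: the attacker simply
    tries all of them."""
    out = set()
    n = len(written)
    for k in range(max_removed + 1):
        for drop in combinations(range(n), k):
            dropped = set(drop)
            out.add("".join(c for i, c in enumerate(written) if i not in dropped))
    return out


def by_removing_then_adding(written, max_removed, max_added, alphabet=PRINTABLE):
    """Method C: bogus characters were added AND real ones were left off.
    Each deletion candidate is extended with up to max_added characters from
    `alphabet` at every possible position."""
    out = by_removing(written, max_removed)
    frontier = set(out)
    for _ in range(max_added):
        grown = set()
        for cand in frontier:
            for pos in range(len(cand) + 1):
                for ch in alphabet:
                    grown.add(cand[:pos] + ch + cand[pos:])
        out |= grown
        frontier = grown
    return out


def guesses_needed(written, real, max_removed, max_added=0, alphabet=PRINTABLE):
    """(size of the candidate list, whether the real password is on it)."""
    if max_added:
        cands = by_removing_then_adding(written, max_removed, max_added, alphabet)
    else:
        cands = by_removing(written, max_removed)
    return len(cands), real in cands


if __name__ == "__main__":
    for budget in (1, 2, 4):
        n, hit = guesses_needed(WRITTEN, REAL, budget)
        print(f"up to {budget} bogus chars removed: {n:>6} candidates, real password listed: {hit}")
    n, hit = guesses_needed(WRITTEN, REAL, 1, 1)
    print(f"method C guess (1 removed, 1 added): {n:>6} candidates, real password listed: {hit}")
```

With a budget of four removed characters the list has at most 2,517 entries (the binomial sum C(16,0)+...+C(16,4), fewer once duplicate letters collapse) and contains the real password; the method C guess with one removal and one insertion is a few tens of thousands. Against a stolen hash either list is gone in well under a second, so the secret the snoop "does not know" is worth roughly eleven bits. Where it does hold up is exactly where the post places it: an online login that locks the account after a handful of failures, facing someone who has only the paper.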

This technique is not intended as some sort of foolproof, Total Security, Super Dooper Password Perfect Protection system. It's a pragmatic response to the rational tension between

Easy password, easy to remember, easy to break

and

Difficult password, difficult to remember, difficult to break

This method is a synthesis of ‘easy to remember’ coupled with a difficult password. Choosing your own private ‘key’ for unlocking long, complex passwords that have been written down is more secure than making your password "TGiF" and being able to remember it.

Getting back to the poorly chosen photo (and wording) suggesting that you write the password on a Post-it and stick it to your monitor: when this idea first came to me, it was in response to having been presented, at a job I'd just started, with a wallet-sized printout of some very long and complex passwords (regularly changed, as well) to servers that provided 'last line of defense' security for an entire server farm. A person would first have to thwart three previous layers of security, one of them requiring a Securekey keyring fob which generated one-time-use passwords, to even get to a place where they could use those written-down passwords. Even for the young crew of senior admins, memorizing them was wasted effort, so they kept the 'cheat-sheet' in their respective wallets. That's when it occurred to me that obfuscating the actual printed password in some simple way could provide a "can't hurt to do it" further layer of security.

Finally, I’ll reiterate the important concept that underlies this method: You, the person who obfuscates the password when writing it down, you choose the formula you use to obfuscate it, and there are countless different ways for any one person to do so. The other guy, however, the guy who finds your wallet with the list of passwords in it, he does not know that the password’s been modified, or how it has been modified. When considering this method, it’s important to keep that in mind. When presenting examples of it, sure, it all seems drop-dead easy to figure out, and not terribly secure at all. But good luck when you aren’t aware of the specifics.

[Photo: wallet with password cheat-sheet]

Any password can be brute-forced, given enough time and enough computational horsepower. Not knowing in advance how the passwords in the photo above differ from the real, underlying passwords (the changes to them are simple, similar to the methods described above) makes brute-forcing them somewhat harder. But it is the casual attacker to whom they will be of no value at all.

(and no, those aren’t real or obfuscated passwords, or hosts. It’s a prop, for demonstration purposes.)

I understand a lot of the criticism made of the technique, particularly relative to my poor presentation of the idea in the article yesterday. Nevertheless, I believe this technique has merit. It's a pragmatic technique that Joe Cubicle-dweller can use, and be perhaps a little less vulnerable to Hacky McHackerson (tip of the fez to Coda on that last!).

Oh, and don’t forget—who besides me might know that three of the passwords in the photo above are bogus end-to-end? Nothing like adding some fruitless busywork to the process. Heck, by the time Hacky gets to the real obfuscated passwords, you’ll already have changed them all.
