But What I Really Meant To Write Was…

Posted Monday, 15 January 2007, 12:36 am

In the aftermath of the controversy that erupted concerning my article yesterday regarding passwords, it seems—from the repeated comments misconstruing the idea—that I should write this followup, and clarify things a bit.

Mistake #1: A less catchy title might have helped, along with a less aggressive photo. In going for something attention-getting, I immediately set a tone that apparently a great many people took literally—that one should just feel free to write their [minimally modified] password on a Post-it, include what the password was intended for ("Desktop password", "root", etc), and stick it on your monitor.

I thought while I was writing it that that was over-the-top enough that people would just laugh. Er, no, not so much! I undermined the message pretty seriously with that. One merely invites scrutiny that would otherwise not occur, by publicly sticking Post-its on their monitor with passwords, modified or not. It’s best to stick the Post-it under your keyboard! (yes, I’m kidding again).

Mistake #2: Don’t say ‘Here’s the rule’ when what you really mean is "Here’s an example". In the middle of the article, I wrote—in the emphatic, mind you—

Choose a letter or number that will be your "personal" password. One single character. Add that character to whatever password you have, anywhere in the password. The only caveat is that you must ensure that any password you use does not already contain that letter or number.

Well, no, not so much again. That’s one way to do it. As I tossed in at the end of the article, there’s a ‘reverse’ method that works too. But the reality is, there are numerous ways one can employ this idea, with great success. The more ways people do it, the more work the l33t haX0rs face when they stick their nose where they shouldn’t. So along the lines of remedying Mistake #2, here, in depth, is more. This may seem tedious, but I think it’s important to address the criticisms that were expressed.

Suggested method A: Pick a letter or number that will be your secret key, and add it in a random position to any password you write down.

Example: "My personal secret character is uppercase J". I have a password of 


Since I can’t easily remember that, I write it down as


Suggested method B: Pick two letters or numbers that will be your secret ‘key’, and add them in random positions to any password you write down.

Example: "My personal secret characters are b and 8". I have a password of


Since I can’t easily remember that, I write it down as


Suggested method C: Pick a letter or number that will be your secret ‘add’ key, and a letter or number that will be your secret ‘subtract’ key. You add the one character to the password you write down. The subtract character is one you always use in the password, but always remove when you write it down. This requires that you pick a position where you will always use the character in your actual password.

Example: "My personal secret ‘add’ character is G. My personal secret ‘subtract’ character is h". I have a password of


Since I can’t easily remember that, I write it down as


Suggested method D: Pick a count and position. For any password you have, at the position you chose, enter random characters in the amount you chose.

Example 1: "My count and position are 3 and 3." I have a password of


Since I can’t easily remember that, I write it down as


Example 2: "My count and position are 4 and end." I have a password of  


Since I can’t easily remember that, I write it down as


By no means are the above suggested methods and their concomitant examples exhaustive. There are countless variations of the above that are reasonably easy to think up, and reasonably easy to remember.

But the most critical aspect of all of these methods and examples is that you pick the method, and you keep it to yourself. The most frequently repeated criticism has been—in a nutshell—"you have nine characters and you know that one of them is fake, so it’ll take at most ten tries to figure out the correct password!" (often followed by "LAME!" or "IDIOT!"). I’m baffled by this criticism. Obviously, you (the person writing down the password) know how many characters are in the password, and what character(s) are bogus—and where in the password they’re located. But unless you stand up in the office and announce

"My secret key for passwords that I write down is the letter T and the number 4,  and I always make my passwords nine characters long!"

..then Binky Q. Snoopsalittle is not going to have the first clue where to begin trying to figure out how to use that written down password—he isn’t necessarily going to even know that you’ve done anything to the password at all! All he’ll know is that he found a Post-it that said

root password: Raf9KxZrZ2jWDa1a

But when he types it in, he keeps getting "incorrect password". If Mr. Snoopsalittle doesn’t know that you’ve modified the password in the first place, his first impression is most likely to be "huh. I guess it’s been changed since then".

But wait! Snoopsalittle reads Digg! And he read that stupid article about masking your written-down passwords! So, tell me Binky, what will you do when presented with this?

root password: Raf9KxZrZ2jWDa1a

How will you know, without having been told in advance, that the real password is only twelve characters long—not sixteen—and that the first two characters and the last two characters are completely bogus? The real password is actually f9KxZrZ2jWDa. But you didn’t know that, Binkster. You saw sixteen characters labeled "root password". 
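As an added example (not the author's code), here is method D in Python, applied to the sixteen-character note above, together with a count of how many guesses a snoop who knows that one run of bogus characters was inserted, but not how long or where, would actually face. The note text is the one from the post; the function names are my own.

```python
# Added example: method D (count and position) from the post, plus a
# work-factor count for the "it's only ten tries" criticism.

def write_down(real: str, bogus: str, position: int) -> str:
    """Method D: insert `bogus` into `real` at a 0-based `position`
    (use len(real) for the post's 'end')."""
    return real[:position] + bogus + real[position:]

def reveal(written: str, count: int, position: int) -> str:
    """Undo write_down: drop `count` characters starting at `position`."""
    if count < 0 or position < 0 or position + count > len(written):
        raise ValueError("count/position do not fit the written string")
    return written[:position] + written[position + count:]

def reveal_post_example(written: str = "Raf9KxZrZ2jWDa1a") -> str:
    """The post's own note: two bogus characters at the front, two at the end."""
    without_front = reveal(written, count=2, position=0)
    return reveal(without_front, count=2, position=len(without_front) - 2)

def single_run_candidates(written: str) -> set:
    """Every string a snoop must try if he knows that ONE contiguous run of
    bogus characters was inserted, but not its length or position.  The
    unmodified note counts as a candidate too.  For an n-character note
    there are at most n(n+1)/2 distinct candidates, not "ten"."""
    n = len(written)
    found = {written}
    for count in range(1, n):                  # keep at least one real character
        for position in range(0, n - count + 1):
            found.add(reveal(written, count, position))
    return found

if __name__ == "__main__":
    note = "Raf9KxZrZ2jWDa1a"
    print(reveal_post_example(note))           # f9KxZrZ2jWDa
    pool = single_run_candidates(note)
    print(len(pool), "single-run candidates; post's real password in pool:",
          reveal_post_example(note) in pool)
```

Because the post's note uses two separate runs, the real password is not even in the single-run pool; the margin grows further with each extra run or method the snoop has to consider, though none of this slows an offline cracker who ignores the note entirely.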

But what if our Digging friend is a l33t haX0r, with all the latest password cracking software, and a kick-ass machine he can dedicate to cracking the password? Well sure. He’ll crack it in a jiffy. With the exception of more sophisticated security schemes, he doesn’t need any of the password at all. Having an obfuscated password might cut down some of the time necessary to crack it. But we’re not trying to thwart the dedicated malevolent intruder. He’s an entirely different problem. If you’re dealing with data that is life or death, or of the nature that million dollar transactions could be compromised—you aren’t using weak security systems like ‘username and password’ to begin with! Across the landscape of security, you tailor your response to your audience, so to speak. If for example I work a helpdesk and share my workstation with another employee, the information on that PC is likely neither highly confidential, nor highly desirable to acquire. This technique I’ve described is not intended for someone working, on the other hand, in Chase-Manhattan’s datacenter.

It was indeed quite foolish to state in the article "This is, for all practical purposes, completely uncrackable." Really, really poor choice of words. As above, the determined hacker on a fast machine can pretty swiftly slice through a great many passwords of non-trivial length. Presenting a modified password can reduce the amount of work the password-cracking software has to do. But again, this technique is not geared towards thwarting that audience.

This technique is not intended as some sort of foolproof, Total Security, Super Dooper Password Perfect Protection system. It’s a pragmatic response to the rational tension between

Easy password, easy to remember, easy to break


Difficult password, difficult to remember, difficult to break

This method is a synthesis of ‘easy to remember’ coupled with a difficult password. Choosing your own private ‘key’ for unlocking long, complex passwords that have been written down is more secure than making your password "TGiF" and being able to remember it.

Getting back to the poorly chosen photo—and wording—suggesting writing the password on a Post-it and sticking it to your monitor. When this idea first came to me, it was in response to having been presented, at a job I’d just started, with a wallet-sized printout of some very long and complex passwords (regularly changed, as well), to servers that provided ‘last line of defense’ security for an entire server farm. A person would first have to thwart three previous layers of security, one of them requiring a Securekey keyring fob which generated one-time-use passwords, to even get to a place where they could use those written-down passwords. Even for the young crew of senior admins, memorizing them was wasted effort, so they kept the ‘cheat-sheet’ in their respective wallets. That’s when it occurred to me that obfuscating the actual printed password in some simple way could provide a "can’t hurt to do it" further layer of security.

Finally, I’ll reiterate the important concept that underlies this method: You, the person who obfuscates the password when writing it down, you choose the formula you use to obfuscate it, and there are countless different ways for any one person to do so. The other guy, however, the guy who finds your wallet with the list of passwords in it, he does not know that the password’s been modified, or how it has been modified. When considering this method, it’s important to keep that in mind. When presenting examples of it, sure, it all seems drop-dead easy to figure out, and not terribly secure at all. But good luck when you aren’t aware of the specifics.

(Photo: wallet with password cheat-sheet)

Any password can be brute-forced, given enough time and enough computational horsepower. Not knowing in advance how those passwords in the photo above differ from the real, underlying passwords—and the changes to them are simple, similar to the methods described above—that makes brute-forcing them somewhat harder. But it’s the casual attacker for whom they’ll prove of no value at all.

(and no, those aren’t real or obfuscated passwords, or hosts. It’s a prop, for demonstration purposes.)

 I understand a lot of the criticism made of the technique, particularly relative to my poor presentation of the idea in the article yesterday. Nevertheless, I believe this technique has merit. It’s a pragmatic technique that Joe Cubicle-dweller can use, and be perhaps a little less vulnerable to Hacky McHackerson (tip of the fez to Coda on that last!).

Oh, and don’t forget—who besides me might know that three of the passwords in the photo above are bogus end-to-end? Nothing like adding some fruitless busywork to the process. Heck, by the time Hacky gets to the real obfuscated passwords, you’ll already have changed them all.


Categorically Incorrect, Modren Lfie



You have now discovered security through obscurity.

You may now move on to the next level.

Having said that, I must admit that I use a similar technique for many common circumstances – if you knew my passwords for the top 5 online websites which don’t have any credit/debit card information, you would see a pattern. My slashdot.org password is not very different from my digg.com password, for example.

However, my PayPal and eBay passwords have nothing in common (with each other, nor the above – although now I’m sure that they’ll happily share such info between themselves)

See also http://www.schneier.com/blog/archives/2007/01/choosing_secure.html

Thursday, 22 March 2007, 5:08 pm

while the ‘security through obscurity’ meme tends to be tossed out pretty frequently, the reality is that the term really is:

security through obscurity is no security at all.

which is true – that is, if obscurity is your *only* mechanism for security, the blackhats will have the last laugh. so, if you simply use a password that’s the same as your login, your security will be compromised in no time. however, here’s the kicker:

security without obscurity is no security at all.

why is it when you type in a password on a webpage, the characters appear as “*******”? because it’s worthless to have even an incredibly secure password if you display it verbatim for all to see. obscurity is integral to security. it’s when obscurity is your *only* security that it’s a problem.

the method i outlined obscures the actual content of the password. true, putting it on a post-it note for all to see will certainly assist any genuine blackhat who comes across it. but if the blackhat doesn’t even know that you’ve obscured the password that they’re viewing, chances are they’ll figure it’s an old post-it, and the password’s been changed since then.

the method is novel, but not extreme. nor did i intend it as such.

a password of W88RywU46XfA , where only you know that the lowercase y and the lowercase f don’t even belong in it, is more secure than if you’d written down W88RwU46XA.

but i’m belaboring an already belabored discussion.

Monday, 26 March 2007, 10:55 am

Your method is quite interesting, but not really suitable for the average Joe.

Try Clipperz (www.clipperz.com), it’s an online password manager and really prevents you from putting anything on paper.

I’m a tad biased since I’m Clipperz co-founder …

Anyway, send your feedback and comments to our discussion group (http://groups.google.com/group/clipperz) or email me at feedback@clipperz.com.


Wednesday, 28 March 2007, 9:28 am

my only reservation about clipperz is that it’s online. not much help if you need offline password handling. i prefer to have my passwords managed on my machine, totally under my control. that’s why i use roboform.

Wednesday, 28 March 2007, 7:19 pm

Pizza said:

You have learnt that security through obscurity is no security at all by wasting a lot of other people’s time.
Please next time do us all a favour. Shut up and read a good book on the subject.

Monday, 07 May 2007, 3:05 pm

Classic anonymous coward. It’s a shame you don’t even understand the concept behind the phrase you tossed out.

security through obscurity ALONE is no security at all. however, obscurity is an important component of most security schemes.

it’s precisely why we use passwords in the first place. obscurity is implicit in the concept of a password.

Monday, 07 May 2007, 3:11 pm

J. Anthony Carter said:

It just keeps getting better and better. There’s no end to the twits and idjits who can’t think their way out of a paper bag but “By GOD!” are certainly so much smarter than you that, even reading what’s written in black and freaking white, can’t understand humor, sarcasm, generalization, content or meaning.
Does that keep the mental midgets from getting all yackety-schmack about what they think they found wrong with what you write? Nope!
I’m so fearful of the continuation of this nation. So many people who should have been euthanized at birth not only weren’t, but were allowed to procreate! And this is explicitly evident in the replies that arrive showing they were constructed by someone with only two neurons (and they weren’t even holding hands!). You see, of course, how many offspring the walking brain-dead made. Just read all the flames from the ones who use such favorites as “LAME” and “IDIOT”.
It’s exceedingly sad that you have to write a whole other article to clear up misunderstandings that shouldn’t have been misunderstood. I read both articles and the second was superfluous, redundant and a total waste of time and ink just to be a crutch… no, an electric wheelchair, for the mentally impaired in this country.

Thursday, 16 June 2011, 4:56 pm
