3

Situation

Over time I am required to choose and use many passwords in different environments. Some on my computer where I could choose to use a password manager, but many on client systems where I may not even have online access and definitely can't plug in a storage device. Sometimes one cannot even bring in any auxiliary resources like a phone.

Question

Assuming that I don't want to use a password manager and have to select and use passwords manually, what would be a good system for this?

Ideally the system should meet the following constraints:

System constraints

  1. It should give me a password for (nearly) any combination of password constraints (see below)
  2. It be comparatively easy to remember/recreate if I know the setting (and the date?!) and its constraints
  3. It should be secure against someone who knows the system (but not the input parameters)
  4. It should be secure after I use the system in an insecure environment and the password used there may leak. I am not worried about someone knowing more than 1 leaked password.
  5. Bonus: It would be nice if it was secure against someone knowing an old password.

Example password constraints

Typical constraints in choosing a password (of course they vary per system):

  • Between min and max characters
  • No symbols / at least n symbols from a limited set
  • At least some letters of each case
  • Password must be changed periodically and does not match anything from last M periods

I am not worried about only numeric passwords


What have I tried?

I tried to come up with systems, but have not found anything that meets all system constraints (Or is good enough in general).

Example 1: smallest first fit

Just to show what a system could be like, I will mention this ridiculous example.

  1. Keep adding the letter a, until the minimum character count is satisfied, for example aaaaaa
  2. Recursively change a character till the constraints are met, you could end up with aaaaA1

This system will generate a password that can always match the requirements. Of course its strength can be horrible if you don't start with a random string. So this system would either fail system constraint 2 or 3.

Example 2: start with the core

I feel like this is not a strong system, but I believe it does get used in practice.

  1. Choose a (hopefully strong) core, for example: securitystackexchange
  2. Tweak it to match the requirements, for example: Securitystackexchange01

If you have a long core, it can typically lead to weak passwords when the max chars is limited. For example Security01. Also this system does not meet system constraint 4.

Example 3: Choose random characters within the requirements

  1. Choose random characters within the requirements

One cannot remember many of these, so this does not qualify as something I can use manually and I would say this fails system constraint 2.


Update regarding password managers

I am not worried about the quality of password managers, and understand that their use would make this question trivial. However I am looking for an answer that does not require them because you may not be able to conveniently use them everywhere. For instance when it is not allowed to access the internet, install programs, or bring your own device.

Dennis Jaheruddin
  • 1,715
  • 11
  • 17
  • 3
    Password managers can come with a password generator, and live in a simple smartphone. I use KeyPass this way and manually copy the password when I am asked for it. It meets all the requirements provided you accept to use an auxilliary device to help you to remember your passwords. – Serge Ballesta Aug 08 '16 at 10:28
  • 1
    @SergeBallesta That is very good to know, in many situations working with a password manager like this could be an outcome. -- I will still keep this question open as not all environments allow auxiliary devices and as showing the password in plaintext is also not always desirable. – Dennis Jaheruddin Aug 08 '16 at 10:54
  • 1
    I am not sure why you disqualify password-managers. Can you elaborate on that? Maybe there are workarounds. For instance, KeePass is a very strong password manager and also runs on smartphones. So you get to carry your encrypted database with you and don't need to plug anything into the local machine you are working on. – Potaito Aug 08 '16 at 13:27
  • 1
    @potAito I am not worried about the quality of password managers, and understand that their use would make this question trivial. However I am looking for an answer that does not require them because you may not be able to conveniently use them everywhere. For instance when it is not allowed to access the internet, install programs, or bring your own device. – Dennis Jaheruddin Aug 08 '16 at 13:44
  • Ah, the last 5 words made it clear. Maybe you should include that in your question, or more people will ask ;) – Potaito Aug 08 '16 at 13:45
  • @potAito It was already mentioned in an earlier comment, but have now included it in the question as well to make it more clear. – Dennis Jaheruddin Aug 08 '16 at 13:47
  • You want to remember *one* secret and method that generates *all* passwords? But constraints may be conflicting. One site >8 chars, no punctuation. Another site <=8 chars, punctuation required. If a site requires passwords to be changed, you'd have to remember a time or a change count. You end up having to remember different secrets for different sites anyway. – David Andersson Aug 31 '16 at 17:32
  • Manuel Blum's method http://security.stackexchange.com/questions/1222/is-there-a-method-of-generating-site-specific-passwords-which-can-be-executed-i/134614#134614 satisfies your constraints 3, 4 & 5 better than most other methods, but may not satisfy some of the other constraints without tweaking. – David Andersson Sep 05 '16 at 01:28

6 Answers6

3

An option (not saying it is great) is to combine the idea of the strong core with the notebook option.

Say you have a core like: secu_ritYstAcke_xChang_e01

You change this depending the requirements (say change 0 -> a, 1 -> b if numbers aren't allowed), the _'s you fill in from the notebook. The notebook contains entries like: (doesn't need to be 3 times 6 chars or have the same pattern each time)

CompanyX : abc123, xyz!*@, (#*987

So the resulting password for CompanyX would be:

secuabc123ritYstAckexyz!*@xChang(#*987e01

I believe it clearly can satisfy constraints 1, 2 & 3. For constraint 4 as long as both your "core" and "notebook values" are strong enough having 1 password exposed shouldn't dramatically increase the risk to the rest of your passwords as any of those characters could be "core" or not. Though it definitely redures the strenght. Assuming you change your "core" part often enough constraint 5 should be met as well. Sure the "notebook values" remain the same but given that the "core" changes completely it should keep a good amount of entropy.

The notebook will represent a physical risk of course but in and of itself it shouldn't be enough, one would need one active password for it to completely break the system.

I would however definitely argue to use this system for as few systems as possible (only those where you can't bring your phone AND can't access the internet) and use a password manager for the rest as such method is a lot safer.

Selenog
  • 984
  • 4
  • 8
2

You can try Off the Grid. It should meet all criteria 1,2,3,4,5.

It consists of a grid of random characters that can be used to encrypt domain names (or whatever you want) into secure passwords. You can print it out and keep it in your pocket, but there is nothing in plain text for a shoulder surfer to catch. If you use the "standard" way to use it (described on the website), a person who gets a copy could theoretically crack your passwords, but if you tweak it slightly (also described on the website) it should be safe even from that.

disclaimer: I've never actually used this system, so I can't say how difficult it is to use in practice.

pppp
  • 211
  • 1
  • 6
  • Interesting, it indeed seems to match the system requirements, and even claims to be the only known system that could match such requirements! That being said, I don't think I will actually use this now, but perhaps in the future. – Dennis Jaheruddin Aug 09 '16 at 07:48
  • 1
    I have some reservations about Off the Grid. It seems like a great idea on face value...but it's from Steve Gibson, who is known for some pretty stupid ideas, and doesn't really give off a vibe of understanding what he's talking about in the password area. I'm not expert enough to find any holes he may have, though. Anyway, if used exactly according to directions, it only gives about 67 bits of entropy for generated passwords, according to his own numbers (191 Quintilian possible passwords). You could make this better by adding more characters, maybe combining the username with the website. – Ben Aug 14 '16 at 04:10
  • Anyway, you're going to need to remember a few things for each entry: (1) website name exactly as used to create the password, (2) username, (3) row or column you're starting on (so you can change passwords as needed), and (4) special characters or numbers you're adding for password requirements. That's enough that you're probably going to write down the information, in which case I question whether it is any better than just writing down your passwords on the card instead. It's certainly going to be annoying playing a crossword puzzle for every login, so it's much harder to use for sure. – Ben Aug 14 '16 at 04:15
1

If you are not using a randomized method such as diceware or character-by-character randomness, then you should come up with a method to generate a password that could result in a very large number of possibilities even if they are not truly random. The difficulty for you will be to use a method that doesn't help the attacker too much if it is known.

So I'd suggest avoiding schemes that try to transform a weak password into something strong (for example, hashing the site name). If they guess your method you're in trouble once they make a rule for a dictionary attack.

Instead, if you're really going to avoid random passwords or diceware, I recommend starting with a nice long original passphrase, and taking the first letter of each word or syllable, as suggested by Bruce Schneier in a somewhat controversial post. As the makers of 1-Password point out, your passphrase should not make sense, and should not use real facts about you that someone could discover; as they say in their post, "there are more ways...to lie...than tell the truth" and "there are more ways for a sentence to not make sense than to make sense." Above all, don't use Bible verses, song lyrics, or wikipedia quotes since those can lead to dictionary attacks; make something up instead.

Numbers and symbols can be introduced with the usual substitutions.

This will NOT be as strong as a random password or diceware phrase. It may look random to a human but a computer can take advantage of letter frequencies at the front of words, statistical analysis of sentence structure, and all sorts of other things to make its job easier. How much easier would be very hard, if not impossible, to quantify.

Likely, with a good slow hash algorithm, and a long enough base passphrase, and avoiding common phrases, your password will be "strong enough" to resist attack long enough for you to discover a compromise and change the password. So this method is probably good enough for passwords which must be short and must be memorized.

But unlike diceware and random passwords, there are no guarantees.

Ben
  • 3,846
  • 1
  • 9
  • 22
0

Have you tried carrying a small notepad? Use a site like www.passwordsgenerator.net/ which lets you tweak it's generator to match whatever criteria the specific system has. Once generated, just write down the "Remember your Password" sentence. I know the physical risks are likely to be an issue, but it's the only solution I can think of that you would still be able to use offline and without any auxiliary devices.

  • 1
    I think this is even less secure then the recommendation in the comments to use a password manager which views the password in plaintext. – Dennis Jaheruddin Aug 08 '16 at 13:02
  • That depends on how the passwords are "keyed" in the notebook, For example, you could use a password manager to store a look-up of service+username->page-number,line-number and don't write down the service+username in the notebook. This makes it difficult for anyone else who comes across a notebook full of random character sequences to know a) the service to which they belong, and b) the username for that service. Similarly, anyone obtaining access to the electronic password manager would also require the physical notebook to be able to mount an attack. – daiscog Aug 08 '16 at 13:09
  • @DennisJaheruddin: By default, the password is starred (shows as `**********`). You must click to show it in clear text, and can hide it again as soon as you have used it. – Serge Ballesta Aug 08 '16 at 13:33
0

Diceware. Also known as xkcd style passphrases.

These can be memorable passwords meeting all your system constraints. The only difficulty is that they tend to be long, so when you say "between min and max characters" you may run into trouble on the maximum end. This can be overcome to some extent as long as "max" is on the order of 30-50 and not 10-12.

The idea is that you start with a list of several thousand common words, and choose 6-8 words at random. The classic Diceware uses actual physical dice to select the words, but you can use a cryptographically secure pseudo-random number generator if it is easier. Some password managers like 1Password have diceware generators built in, others like KeePass have plugins to do it for you (like Word Sequencer).

If you find 6-8 completely random words is not very memorable you can modify the method to generate nonsense phrases that loosely follow grammatical rules. Depending on how this is done it can be just as secure (e.g. if you create separate word lists based on part of speech but still select randomly from each list, in a particular order). I'm not sure how it is implemented but KeePass's Readable Passphrase Generator appears to do something like this.

If the passwords generated from these methods are too long, you can reduce the length somewhat by either trying again until you succeed, or by pruning your word lists to enfoce a certain average length. But note: pruning your lists will reduce the security of the resulting passphrase unless you replace any deleted words with new (shorter) words.

If you need certain special characters, or numbers, or whatever, you can either incorporate those into a word list, or just always add them in a specific place and depend on the security of the method itself to keep the rest of the passphrase secret.

Ben
  • 3,846
  • 1
  • 9
  • 22
  • 1
    I had considered diceware, but did not go with it because it does not meet the constraints. I can see how your suggestion for dealing with symbols and numbers could work, but for this answer to be complete it would be very helpfull to have a good way to extend it to be reasonably secure when you can use 8-12 chars. – Dennis Jaheruddin Aug 09 '16 at 07:35
-1

Manually, diceware is very good, but I know a corporation that uses this scheme (users select their own pw): 23 + 78 = 101, yielding 'twentythree plus seventyeight equals onehundredandone' . I don't use that scheme, since it can be attacked with custom wordlists if it is known to a cracker. Something like "Horsemeat is atrocious? But it's delicious!" is memorable. Use this kind of mnemonic, and use special chars: é, ö etc.

user400344
  • 863
  • 5
  • 9
  • 1
    I am a bit confused after reading this. It seems like you briefly mention three options without elaborating. I would recommend you to focus on 1 answer, be clear on what it is, and how(/whether) it satisfies the requirements that are mentioned in the question. – Dennis Jaheruddin Aug 09 '16 at 08:02
  • I recommend mnemonic passphrases with some emotional payload. I don't recommend the 'simple math' scheme. I don't recommend diceware because you need to carry a printed document and 5 die. – user400344 Aug 09 '16 at 09:51