
I recently saw this idea of using AutoHotKey to perform character replacement allowing mapping of shortcut-keys to long sequences of characters.

Consider a .ahk file mapping :

Ctrl-Alt-a --> s0k&*GHn0
Ctrl-Alt-A --> 75_+:+E@#
Ctrl-Alt-b --> <:L2389ne
... etc. ....

This would allow me to have freakishly long passwords for different websites but remember a much shorter sequence. e.g. with a two keystroke sequence

[Ctrl-Alt-a] [Ctrl-Alt-b]

I can type the password

s0k&*GHn0<:L2389ne

Yes, I know -- correct horse battery staple may still be better, and yes, I lose portability as I now rely on having AHK and the .ahk file.

However, does this method buy me any increase in password security? Is it a good idea to try?

Jedi
  • It's certainly an interesting idea. Can you think of benefits of using this approach over a password manager? I guess capturing the database wouldn't be enough, as you'd then have to either brute-force with your new dictionary, or keylog the entry for a site? – Xiong Chiamiov Dec 01 '16 at 02:36
  • Isn't the script still sending the keys to be logged? In any case, some password managers have similar features, you are probably better off using one of them. – Alexander O'Mara Dec 01 '16 at 03:06
  • I'm completely sold on password managers. But, call it security-by-novelty, sometimes it pays to be different, as the password manager breaches start to trickle in. As for keyloggers, true, the gains are less certain-- but then again, isn't *`malware = game over`* ? – Jedi Dec 01 '16 at 04:45

3 Answers


No, it gets you a decrease in security because you now have your passwords in a searchable file.

A password manager does the same job but holds the data securely. It is also likely to have mitigation tools for common attacks.

Julian Knight
  • True, but this could be mitigated by having a shortcut key replacement for all 101 * 2 (shift key) keys and you could use a different sequence of (say) 8 for each website. You're less likely to be caught in a broad attack, as no one's looking.... – Jedi Dec 05 '16 at 09:44
  • A reasonable point though I think that it depends on *where* an attacker is monitoring the dialog. Personally, I'd say the risks are a lot lower when using a hardened, proven, tested tool. This is one of the tenets of security - don't roll your own. – Julian Knight Dec 05 '16 at 13:28

Does this method buy me any increase in password security? Is it a good idea to try?

Using AutoHotKey buys you a small bit of security through obscurity, because if an attacker gets access to your computer, an .ahk file is probably not on the list of "credential-holding files" that common exploit toolkits will look for.

Still, storing unencrypted passwords in a .ahk file is notably LESS secure than using an encrypted password manager. I wouldn't consider it a good idea to use AutoHotKey for security.

Jacob

This is like using simple substitution ciphers in the computer age. You will be better off using AHK to type the hash of your password as the password.

billc.cn
  • The key substitution merely adds a layer of obfuscation on the underlying security, and this obfuscation buys longer, more complex passwords that don't have a memorization problem. I'm not sure why hashing the password helps, and how using AHK for this is more secure than my approach. – Jedi Dec 06 '16 at 19:22
  • AHK = AutoHotKey (Hint: look at the file extension in your question). Hashing serves the same purpose as "obfuscation" but does it in a much more secure way: there's no way for a spear-phishing hacker to learn your dictionary from a few compromised sites. – billc.cn Dec 06 '16 at 22:21
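The two schemes discussed above, as an added Python example that is not part of the question or any answer: it reproduces what the hotkey table types, puts a number on Jedi's "202 keys, sequence of 8" argument from the viewpoint of someone who holds the .ahk file, and shows billc.cn's hash-based alternative. The hotkey table is a constructed sample, and HMAC-SHA256 over a PBKDF2-stretched master secret is an assumed construction, not one the thread specifies.

```python
import base64
import hashlib
import hmac
import math

# Constructed sample of the questioner's AHK-style table: hotkey -> fixed chunk.
AHK_MAP = {
    "Ctrl-Alt-a": "s0k&*GHn0",
    "Ctrl-Alt-A": "75_+:+E@#",
    "Ctrl-Alt-b": "<:L2389ne",
}


def ahk_password(mapping, hotkeys):
    """What the script actually types: the mapped chunks concatenated."""
    return "".join(mapping[k] for k in hotkeys)


def ahk_effective_bits(table_size, sequence_length):
    """Guessing work once the .ahk file is known: the password is no longer a
    long random string but a sequence of table entries, so the search space
    is table_size ** sequence_length regardless of how long each chunk is."""
    return sequence_length * math.log2(table_size)


def derived_password(master_secret, site, length=20, iterations=200_000):
    """Hash-based alternative (assumed construction): stretch the master secret
    with PBKDF2, then derive a per-site password with HMAC-SHA256. A password
    leaked by one site reveals neither the master secret nor other sites'
    passwords, which is the property the static table lacks."""
    key = hashlib.pbkdf2_hmac(
        "sha256", master_secret.encode(), b"constructed-demo-salt", iterations
    )
    digest = hmac.new(key, site.encode(), hashlib.sha256).digest()
    # base85 gives a dense printable alphabet; truncate to the site's limit.
    return base64.b85encode(digest).decode()[:length]


if __name__ == "__main__":
    print(ahk_password(AHK_MAP, ["Ctrl-Alt-a", "Ctrl-Alt-b"]))
    print(f"{ahk_effective_bits(202, 8):.1f} bits with the table in hand")
    print(derived_password("constructed master secret", "example.org"))
```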