Introduction:
As a change of pace from the usual articles on how to crack passwords, I thought I’d show a method for making them harder to crack. In last week’s article ‘does password padding make your password more secure’ I showed that adding a simple repeating character or characters to a password doesn’t necessarily make it more secure. The problem wasn’t that someone was adding characters; it was that they might have used repeating or patterned characters as their padding. So the question is: how do we add complexity without lowering entropy?
Method:
It occurred to me that people are generally able to memorize simple PINs, or numbers such as a phone number. However, one of the worst things someone could do is simply add numbers to a password. Adding numbers to a base password is nearly as bad as adding a repeating pattern: using a dictionary hybrid attack, an attacker can brute-force appended and prepended digits while simultaneously using dictionaries for the base word. It also occurred to me that people tend to write long or complex passwords down, which is also a concern. So if adding numbers is bad, and writing them down is bad, what if you combine the two? The result is something I call the password pad. Surely many variations of this idea already exist, but none that I’ve seen are as simple.
The idea is not to remember a long complex high entropy password, or to be so insecure as to write them down or use simple padding. Instead one would use a small “password pad” to increase the size of an already used password.
As an example, let’s say you use Pass123 as your login password for a web site. This is an obviously bad password: it contains a dictionary word, it’s short, and it is followed by a very common series of numbers. So instead of using 123 directly we could use our password pad to extend the complexity of the password.
On our sample password pad 1 = CY?, 2 = =45, and 3 = :Vh. So rather than having Pass123 we have PassCY?=45:Vh. This increases our password complexity substantially. Not only are we now using characters from all character sets, but the length has increased from 7 to 13. Even using a hybrid attack where ‘Pass’ was the base word, ‘CY?=45:Vh’ would take a prohibitively long time to brute-force. Sounds simple enough, but you may be wondering: what if someone else uses the PIN 123? The uniqueness comes from the fact that no two people’s “password pad” is the same. The sample pad I used was generated from the key “password”. Ideally you wouldn’t use something that simple; you could also use a randomly generated key. Thus everyone who has a pad will have different randomized characters for each digit on the pad. To create your own password pad use the generator below.
Password Pad Generator:
Conclusion:
Once your password pad has been generated you can print it out and put it in your wallet, stick it on your monitor, save it as an image on your desktop or in your email, or even message it to your phone. Or keep it safe so it’s an easy way to have 2-factor authentication: something you have, and something you know. The pad is unique to the key that generated it, and has adequate entropy. It also allows you to choose digits that the password policy allows for; for example, if a site only allows 10 characters then choose fewer padding digits so the password fits. Here are some do’s and do not’s.
Do -
- Choose a unique key to generate your pad
- Use a known password in addition to the pad
- Select at least 3 different digits from the pad that, taken together, include at least one character from each character set
- Use a different pin for each web site login
Do not -
- Use only the pad to compose your entire password
- Write your base password on or near your pad
- Just add the padding to the end of your base word
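The pad-generation and PIN-expansion method described above, together with the "Do" rule about covering every character set, as an added example. This is not the article's PHP generator (whose algorithm is not shown); it assumes its own constructed derivation of the pad from the key using SHA-256 in counter mode, and its own symbol set, so its pads differ from the article's sample.

```python
import hashlib
import string

# Pad alphabet, kept split by character set so coverage can be checked later.
CHARSETS = (
    string.ascii_uppercase,
    string.ascii_lowercase,
    string.digits,
    "!#$%&*+-=?@^_:;",              # constructed symbol set
)
ALPHABET = "".join(CHARSETS)        # 26 + 26 + 10 + 15 = 77 characters
SALT = b"password-pad-v1"           # constructed domain-separation label

def _keystream(key: str):
    """Deterministic byte stream: SHA-256 over salt || key || counter (assumed design)."""
    counter = 0
    while True:
        yield from hashlib.sha256(SALT + key.encode() + counter.to_bytes(4, "big")).digest()
        counter += 1

def generate_pad(key: str, width: int = 3) -> dict:
    """Map each digit 0-9 to `width` characters derived from `key` (same key, same pad)."""
    limit = 256 - (256 % len(ALPHABET))   # rejection bound: avoids modulo bias
    stream = _keystream(key)
    pad = {}
    for digit in string.digits:
        chars = []
        while len(chars) < width:
            b = next(stream)
            if b < limit:                 # discard the biased tail of the byte range
                chars.append(ALPHABET[b % len(ALPHABET)])
        pad[digit] = "".join(chars)
    return pad

def expand_pin(pad: dict, pin: str) -> str:
    """Replace each PIN digit with its pad entry (with the article's sample pad, '123' -> 'CY?=45:Vh')."""
    return "".join(pad[d] for d in pin)

def covers_all_sets(text: str) -> bool:
    """The 'Do' rule: the chosen padding must contain a character from every set."""
    return all(any(c in cs for c in text) for cs in CHARSETS)

def build_password(base: str, pad: dict, pin: str, split_at: int) -> str:
    """Insert the expanded PIN inside the base word instead of only appending it."""
    padding = expand_pin(pad, pin)
    return base[:split_at] + padding + base[split_at:]

if __name__ == "__main__":
    pad = generate_pad("password")
    for digit, chars in pad.items():
        print(digit, chars)
    print(build_password("Pass", pad, "123", split_at=2))
```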
Some other suggestions: use it as a method for agreeing on a pre-shared key between two people without actually passing the plaintext password. Use the 4-character pad option on the generator for better security. Mentally reverse some character sets from the pad to increase obfuscation. If you ever lose your pad you can generate the same one by using the same key. I’m sure there are lots of other ideas you can come up with on your own, just be creative.
(UPDATE!) Over the weekend I put together a Windows executable version of the password pad. It can be downloaded here. The Windows version allows you to generate a pad exactly like the PHP version. It also allows you to click the pad numbers and it will fill in the box below; click copy to clipboard and paste wherever you need it. Anyone interested in helping me develop an iPhone/Android app equivalent please contact me.
DG

3:46 am, June 16, 2011 Eg /
Something interesting I’ve seen is using the shift key to change to a whole new charset. Ex: 1984 becomes !(*$
International keyboards could add another dimension (literally :p).
Becomes a whole lot more fun if you’re using a laptop and the function key opens up even more possibilities.
7:30 am, December 22, 2011 disclosure /
Looks like a candidate iOS/Android app
Anyway, I got linked here from oclHashcat user_manuals.txt. Great posts on password security! Thanks for sharing!