August 25, 2010

Dynamic Passwords

There will come times when, like it or not, you will not be able to use a passphrase.  A service might impose "complexity requirements" on your password, or cap it at a certain number of characters.  So, if you can't use a passphrase, what is your next most secure option?

Traditional security rules state that a password should be at least 8 characters long, with at least one capital letter, one lowercase letter, one number, and one special character.  It is also recommended practice that each service, website, or application you use have a separate password. Sounds great, but is this really a practical solution? Unless you have an exceptional memory, remembering all those unique passwords is going to be extremely difficult, and chances are you will either forget them or write them down. Sure, you could use one complex password for everything (as many people do, unfortunately), but what if one of your services gets compromised? The attacker would then be able to log into every other service you use with the same password.  So, what is the best compromise?

Enter dynamic passwords. Put simply, a dynamic password is one produced by an algorithm from some attribute of the site or service, so that each site or service gets its own password.  All you need to remember is the algorithm; if you forget a password, you run the same algorithm on the site name and arrive at the same password again.  This keeps passwords easy to remember, and if the algorithm is sufficiently complex, difficult for attackers to reconstruct.  This is best explained by example:

Let's start with a very basic password, such as "Q". Now, let's add some dynamic variables after it, such as the first and last characters of the name of the service or website you're using, represented by X and Y.  The password pattern then looks like "QXY".  Applying this to a website is easy. For example, if you're creating a password for Amazon, X would be "a" and Y would be "n", so the password for Amazon would be "Qan". Using the same algorithm, the password for Walmart would be "Qwt".

But let's not stop there; obviously a three-character password isn't going to last long.  We could add other variables, such as the length of the first word of the service name written as two digits (represented by LL), as well as static characters, like "3!". Now the pattern is "QXYLL3!". For Newegg, whose first word is "New" (three letters, so LL is "03"), that gives "Qng033!".  To top it off, you could add a shift cipher at the end that takes the first character of the website/service name, moves it forward two letters in the alphabet (wrapping around at the end, so "y" becomes "a"), and capitalizes it: "a" would become "C", "b" would become "D", and so on.

Thus, our final algorithm would look like "QXYLL3!(+2)", and would generate the following passwords (the first word of each name is "Government", "Yahoo", and "Pay" respectively):
GovernmentSecurity.org:    Qgy103!I
Yahoo.com:                 Qyo053!A
Paypal.com:                Qpl033!R

This is just a sample algorithm, but it has the advantages of satisfying the complexity rules of most websites, being unique to each site, and being relatively easy to remember.  Experiment with your own algorithm, combining various features and other tricks to obscure it. The possible variations are endless. Note, however, that the site-derived characters are visible in the password itself, so an attacker who obtains enough of your passwords in plaintext (from a breached service that stored them unhashed, or cracked a weak hash) can line them up against the site names and deduce the algorithm.  That requires compromising several such services that you use and then correlating the results.  Even so, a sufficiently complex algorithm should be able to resist casual deduction; it is systematic comparison across several leaked passwords that it cannot withstand.
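As an added illustration (not code from the original post), the following script implements the "QXYLL3!(+2)" recipe from the examples above and then plays the attacker's side of the caveat just stated: given a handful of (site name, password) pairs, it labels which positions are constant, which echo the site name, and which are a shifted copy of it. It assumes the word split of a service name ("Newegg" into "New" and "egg") is supplied by the caller, since the post treats that as a human judgement, and the three "leaked" pairs at the bottom are constructed from the post's own examples.

```python
import string

# Fixed parts of the post's "QXYLL3!(+2)" recipe.  These values are the
# post's own; everything else in this file is an added illustration.
PREFIX = "Q"
SUFFIX = "3!"
SHIFT = 2
ALPHABET = string.ascii_lowercase


def shift_letter(ch, n):
    """Move one ASCII letter n places forward, wrapping from z back to a."""
    return ALPHABET[(ALPHABET.index(ch.lower()) + n) % len(ALPHABET)]


def dynamic_password(words):
    """Apply the recipe to a service name given as a list of its words.

    The word split (Newegg -> ["New", "egg"]) is passed in by the caller:
    the post treats "first word" as a human judgement, not something that
    can be read off the spelling.  Names are assumed to start and end with
    an ASCII letter.
    """
    name = "".join(words).lower()
    first, last = name[0], name[-1]
    length = f"{len(words[0]):02d}"               # LL: two digits, zero padded
    shifted = shift_letter(first, SHIFT).upper()  # the (+2) step
    return f"{PREFIX}{first}{last}{length}{SUFFIX}{shifted}"


def template_from_leaks(leaks):
    """Attacker's side of the closing caveat.

    Given a few (site name, plaintext password) pairs, label each password
    position: the literal character if it never changes, "F" or "L" if it is
    always the first or last letter of the site name, "#" if it is always a
    digit, "S+k" if it is always the first letter shifted k places, and "?"
    otherwise.  All passwords must have the same length for a position-by-
    position comparison to make sense.
    """
    if len({len(pw) for _, pw in leaks}) != 1:
        raise ValueError("leaked passwords differ in length; align them first")
    names = [site.lower() for site, _ in leaks]
    pws = [pw for _, pw in leaks]
    labels = []
    for i in range(len(pws[0])):
        col = [pw[i] for pw in pws]

        def matches(fn):
            return all(c.lower() == fn(n) for c, n in zip(col, names))

        if len(set(col)) == 1:
            label = col[0]
        elif matches(lambda n: n[0]):
            label = "F"
        elif matches(lambda n: n[-1]):
            label = "L"
        elif all(c.isdigit() for c in col):
            label = "#"
        else:
            shifts = [k for k in range(1, len(ALPHABET))
                      if matches(lambda n: shift_letter(n[0], k))]
            label = f"S+{shifts[0]}" if shifts else "?"
        labels.append(label)
    return labels


# Constructed sample: three of the post's own passwords, as an attacker
# might recover them from breached sites that kept them in plaintext.
SAMPLE_LEAKS = [
    ("GovernmentSecurity", "Qgy103!I"),
    ("Yahoo", "Qyo053!A"),
    ("Paypal", "Qpl033!R"),
]

if __name__ == "__main__":
    for words in (["Government", "Security"], ["Yahoo"], ["Pay", "pal"],
                  ["New", "egg"], ["Amazon"]):
        print("".join(words), dynamic_password(words))
    print("template recovered from leaks:",
          " ".join(template_from_leaks(SAMPLE_LEAKS)))
```

Running it reproduces the three passwords listed above, and the attacker's pass over those same three leaks recovers the template Q F L # # 3 ! S+2: every character that is not a fixed literal is tagged as the site's first letter, last letter, a digit, or a two-place shift of the first letter. Only the meaning of the two digits is left for the attacker to guess, which is the point of the caveat: the more of the password that is computed from the site name, the less of it survives a comparison between leaks.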

Happy Hacking.
-J
