The simple ABCs of password security
How many different passwords do you use to log into various websites? Let me guess: maybe three to five? You would be in good company. Manuel Blum, the computer scientists and Turing award winner, gave the keynote lecture yesterday on secure and user friendly passwords. He told me over lunch that even his students at Carnegie Mellon often use no more than three to five passwords. They should know better.
Reusing passwords poses a security risk. Even if your password is a long, complicated string of letters, numbers and special characters: once it has been hacked, your privacy and data on a potentially high number of sites are at risk. The more secure solution would be to have many individual, website-specific passwords, guaranteeing protection even against multiple security breaches.
It might be more secure, you may reply, but it does sound rather unpractical. Who on earth can and wants to remember dozens of different and website specific passwords? One solution to this problem would be to store them in a (encrypted) file or database. But this approach has risks, too. If the master password was hacked, potentially all your data would be compromised and even providers of password management software are not immune to privacy attacks.
In his keynote lecture, Manuel Blum presented a method to generate individual, website-specific passwords which are equally secure and userfriedly. The only precondition is: you need to know the alphabet.
With no further ado, here are the step by step instructions:
1. You need to remember a secret string of numbers. Make it 6 or seven digits long. For illustrative purposes I’ll be using “234234” here but it can be any string of numbers. Just make sure to remember it.
2. For every password protected website you now need a specific abbreviation, a so-called “challenge”. Facebook could be “FACE”, Twitter “TWIT”, Gmail “GMAI”, etc. The length of your abbreviations should not exceed the number of digits in your secret string of numbers from step 1. You could, but you don’t have to memorize those challenges. You might as well store them in a text document or a password database. Potential intruders won’t be able to determine your website passwords from these abbreviations – without knowing your secret string of numbers.
3. Now, to generate website specific and secure passwords, you need to encode the abbreviations with your secret string of numbers. Lets take FACE (for Facebook) as an example:
– Stating from the first letter (F) you move to the letter of the alphabet coming after F and corresponding to the first digit of your secret string (in our case: the first 2 in 234234). Thus, the first letter of your password would be F +2 = H.
– Proceed correspondingly for the other lettres in FACE: A +3 turns to D. C +4 turns to G und E +2 gives another G. The generated password for FACE would therefore be: HDGG. Done.
Often, password protected sites require the use of small and large caps letters, numbers as well as special characters. To meet these conditions, Manuel Blum suggested to simply add a term to all your specific passwords, such as: “Aa1!”.
Following this method, the passwords in our example would thus be:
Facebook —> FACE —> Aa1!HDGG
Twitter —> TWIT —> Aa1!VZMV
Gmail —> GMAI —> Aa1!IPEK
Of course the level of protection can be raised, for example by using less obvious abbreviations, or by using the alphabet backwards. The main feature contributing to making this method both simple and secure is the fact that the passwords are computed with a secret key, but from a human being and not a machine – Human Computation. It goes without saying that thus generated passwords should not be noted down but ideally recalculated with every login.
I think I will use the occasion and change the passwords for the 100-odd websites I have logins for. Because I am one of those with pathetic privacy protection who uses only three to five different ones.
Manuel Blum’s lecture as been recored and can be seen again here.
Here is a link to a relevant paper on Arxiv describing the problem and evaluating the level of security that can be reached using such an approach.