Password Security: A Combination in a Haystack

Every week, it seems, some web site or another has reported that their password database has been compromised by hackers, which means the bad guys have access to your email address, username, and password for at least that one web site. And if, like most of us, you are a little lazy and you use the same password in multiple places, then they can start probing around and seeing where else you used that same username/email/password combination. Let's hope it's not your bank. 4354264923_ac43bb95e6

Some advisors tell us changing our passwords frequently is the solution. Others say having tiered passwords, based on how much security we think a site deserves is an answer. Still others advise using secure services like LastPass to store our passwords.

But what if you want to do it yourself? What if you want to be as secure as you can, without relying on a company that might go out of business taking their service with them? What if you don't want to have to try to remember your passwords, but want to be able to reconstruct it easily and quickly?

An Algorithm

For each web site you go to, you need a simple method of devising a short, six-character password. It should be something you can remember easily and perform each time you see the name of the web site so that the password just comes to you. Let's use amazon.com as an example:

Taking the six letters "amazon", let's uppercase the second letter, shift the third letter three letters to the right, and uppercase the last letter. Thus, "amazon" becomes "aMdzoN". The idea is to introduce some randomness, and some uppercase letters. That's all. We'll add the rest of the complexity in a moment. Don't go crazy here, keep this manageable.

So for any web site you visit, take the first six letters of the web site name (if there are less than six, use all of them and if there are more than six, use just the first six) and manipulate them in some fashion like this to get your core password.

In a Haystack

The haystack is the "container" into which we're going to insert that core password. It will be the same for each and every password we ever create. It will consist of six characters before the password and six characters after the password. The first six can be "......" or "()()()" or "^^^^^^" or whatever characters you choose. Likewise, the final six can be anything, but I suggest mixing numbers with the symbols, like "333***" or "---777".

Putting the pieces together, our password for Amazon becomes, for an example, "()()()aMdzoN333***". That's an 18-character password, but you really only have to remember the haystack and the method for constructing the site-specific portion in the middle to get there. With practice, you'll be able to do it in a few seconds.

Why It's Secure

Password haystacking was invented by Steve Gibson of Gibson Research, and he has a web page which will help you compute the security of any haystacked password. Using our example above, if a hacker had a computer capable of guessing a trillion passwords per second, it would take 1.28 trillion centuries to search all the passwords in the space defined by the combination of letters and symbols in our password. That's quite a few. It would take less time to find ours, but it's still a prohibitively long time.

Hackers crack passwords primarily through dictionary attacks. They have long lists of dictionary words, and words with numbers interspersed, with upper and lower character combinations. They push these through encryption programs and try to match the results against the encrypted form of your password and, if they get a match, they'll know your password.

By haystacking our password, we've made that search impossible. There is no password dictionary on the planet that will contain "()()()aMdzoN333***" or anything remotely like it. Which means that to find our password, the hacker must do a brute force search. That means starting a "a", proceeding to "b" and continuing on, searching every possible combination of letter, number, and symbol until they find a match. This is why it takes centuries to match our password, because the number of combinations is staggering. By including uppercase, lowercase, numbers and symbols, we have a total of 95 different characters in our "alphabet", for a combination of (are you ready for this)?

401,440,002,697,135,760,758,578,320,767,017,120

That's how many combinations of these characters are possible up to a password length of 18.

Still think using your pet's name is a good password?

How many passwords do you think you'll change in the next 24 hours using this technique?

Image CC by 2.0 George Kelly