Thursday, January 21, 2016

So you Think you've Thwarted Weak Passwords with your Rules

The Perils of Poorly Written Software

You consider yourself to be a perceptive system administrator and after five years on the job you know that you will be fired on the spot if there is a single documented breach of your system.  Never mind that you have successfully struggled your way through the biological waste that the big name companies sell as software and on your own figured out where to apply chewing gum and other home remedies to make things appear to work.  Regardless, you know that your boss thinks you are an idiot because in his eyes you have been provided with the finest products to accomplish your assignments and yet have trouble using them.

With this in view, and because you realize the zeitgeist is that security trumps usability, you take measures to show that you are doing everything possible to preserve and enforce system security.  So you and your fellow sys admins independently and without regard to efficacy institute policies to eliminate weak passwords.  Things like forcing users to change passwords every six months, requiring passwords with at least eight characters of mixed case and not allowing any symbol to be repeated more than twice. You consider every tactic a user might conceive and institute a rule to eliminate it; life is good.

A Sad but True Tale

As a software developer I was confronted with such rules and it seemed that every computer system I used had slightly different restrictions.  I needed no fewer than ten different passwords on a daily basis just to get my work done, each formulated with slightly differing rules and expiring on different schedules.   As a result I became offended at the amount of time it was taking to maintain my passwords.   One particularly unrewarding task was thinking up new passwords that I could remember only to have them rejected by one rule or another.  I realized that my productivity would be adversely affected by the effort required to maintain my passwords and I had to come up with some scheme to quickly generate valid passwords that were memorable.

All of My Secrets for Free

Ok, I know you are dying to see how I accomplished this, so here goes.   Actually it's much easier to show you than to tell you, so let's start by composing a new password together.

Type this: !@#1QaZ2WsX3EdC

While you type, pay attention to the pattern of keys; I'll write out the rules I used to help you a little.
  1.  Hold the shift key and type the first three keys in the top row from left to right: !@#
  2.  Working diagonally from top to bottom, type each key, alternately releasing and holding the shift key: 1QaZ
  3.  Return to the top row and continue on the diagonal, starting with the next key to the right: 2WsX
  4.  Repeat with the next key to the right: 3EdC

So there you have it, a memorable fifteen character password that has a high probability of complying with the system’s password rules. The only thing you have to remember is where you started the pattern and you can recreate the whole sequence by applying the method's rules. In this case all you need to remember is that the first key is “!”.

So what happens when this password expires? Well, you replace it with this one: @#$2WsX3EdC4RfV

Can you see how I did this? Think about it before reading on.

All I did was repeat the pattern of keystrokes, except starting one key to the right in the top row, on "@" rather than "!".

This tactic provides a sustainable path out of password hell that doesn't waste time and won't strain your memory. It accomplishes this by using the rows and diagonals of the keyboard as a mnemonic device and there are many methods that work so invent your own.

Watch how I Tie this in with my Previous Post

You're probably wondering how this fits in with making a strong password weak. Well, the sys admin, and more importantly his boss, thinks that he has increased the security level by devising rules to eliminate easily guessed passwords, and when he sees your fifteen character password he smiles and declares victory.  Suppose, though, that someone wants to crack your password.   All he needs in his bag of tricks is a list of character sequences that have simple mechanical relationships on the keyboard and he will be well on his way.  That list is long, but it is still far shorter than the list of all random strings of the same length, and that makes each of his guesses far more effective.
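Here is the argument above in code. This is an added example, not code from the post: a set-time check that first applies the composition rules from the top of the post (at least eight characters, mixed case, no symbol repeated more than twice) and then looks for runs of physically adjacent keys, which is exactly the "mechanical relationship" a cracker's list exploits. The US-QWERTY layout and the column offset that turns the post's diagonals into straight lines are my assumptions; the walk password "!@#1QaZ2WsX3EdC" passes the rules and is nonetheless flagged as 100% keyboard walk.

```python
from collections import Counter

# Constructed US-QWERTY reference layout (an assumption: the post names no layout).
# Each string is one physical row; SHIFTED_ROWS holds the shifted symbol on the
# same key, so "!" resolves to the "1" key and "Q" to the "q" key.
ROWS = [
    "`1234567890-=",
    "qwertyuiop[]\\",
    "asdfghjkl;'",
    "zxcvbnm,./",
]
SHIFTED_ROWS = [
    "~!@#$%^&*()_+",
    "QWERTYUIOP{}|",
    'ASDFGHJKL:"',
    "ZXCVBNM<>?",
]
# The digit row sits one key to the right of the letter rows; with this offset the
# post's diagonals (1-Q-A-Z, 2-W-S-X, ...) become straight columns in the grid.
ROW_OFFSET = [-1, 0, 0, 0]


def _build_positions():
    """Map every printable key (base and shifted) to a (row, column) coordinate."""
    positions = {}
    for row, (base, shifted) in enumerate(zip(ROWS, SHIFTED_ROWS)):
        for index, (b, s) in enumerate(zip(base, shifted)):
            positions[b] = (row, index + ROW_OFFSET[row])
            positions[s] = positions[b]
    return positions


KEY_POS = _build_positions()


def _adjacent(a, b):
    """True when both characters sit on the same key or on touching keys."""
    pa, pb = KEY_POS.get(a), KEY_POS.get(b)
    if pa is None or pb is None:  # a character outside the layout breaks a walk
        return False
    return abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1


def passes_composition_rules(password):
    """The post's rules: >= 8 characters, mixed case, no symbol used more than twice."""
    return (
        len(password) >= 8
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and max(Counter(password).values()) <= 2
    )


def keyboard_walk_runs(password, min_run=3):
    """Return the maximal substrings whose consecutive keys all touch on the keyboard."""
    runs, start = [], 0
    for i in range(1, len(password) + 1):
        if i == len(password) or not _adjacent(password[i - 1], password[i]):
            if i - start >= min_run:
                runs.append(password[start:i])
            start = i
    return runs


def walk_coverage(password, min_run=3):
    """Fraction of the password made up of keyboard-walk runs (0.0 = none, 1.0 = all)."""
    if not password:
        return 0.0
    covered = sum(len(run) for run in keyboard_walk_runs(password, min_run))
    return covered / len(password)


def reject_keyboard_walk(password, max_coverage=0.5):
    """Set-time policy check: refuse a password that is mostly keyboard walks."""
    return walk_coverage(password) > max_coverage


if __name__ == "__main__":
    # The post's two walk passwords, plus a constructed random-looking one.
    for candidate in ["!@#1QaZ2WsX3EdC", "@#$2WsX3EdC4RfV", "Vq9&mTz3L"]:
        print(candidate, passes_composition_rules(candidate),
              keyboard_walk_runs(candidate), reject_keyboard_walk(candidate))
```

The coverage threshold is deliberately loose: a two-key coincidence such as "er" inside an otherwise random password is not a walk, so runs shorter than three keys are ignored and only a password that is mostly walks is refused.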

Despondency and Dread

Is it hopeless, then? Is there no way to make a set of rules that ensures the use of strong passwords and actually increases security? The answer is yes, it is hopeless (see: How to Weaken a Strong Password). The only solution is to assign passwords from a carefully generated pool of random passwords rather than attempting to control their composition with restrictive rules.

If the password is strong enough it doesn't need to be changed, and nothing is harder to guess than a random sequence. Also, after a time the user will memorize the password and have no need to write it down in the notebook he leaves on his desk while going out for lunch.

Some Perspective

Most people think their Social Security number is relatively secure even though it doesn't pass the security laugh test. First off, it inadvertently encodes both the year and place of birth, since numbers are assigned in sequence as people are born. Also, it doesn't expire and can't be changed. Here's a list of the biggest laughs:
  1. Not random.
  2. Never changes.
  3. Encodes personal information.
  4. Often required as personal identification, thus is shared with others.
  5. Prescribed by law that the official card be in your possession thus making it vulnerable to being stolen.
  6. Used by the government and financial institutions to uniquely identify you so if compromised allows you to be impersonated.

So let me get this straight: you are required to use a more secure method to guard against unauthorized access to your email than to your life story and financial assets! Does that seem unbalanced to you?

So you Think Random is Easy

Be aware that computers on their own are not capable of generating truly random sequences: any algorithmically generated sequence is merely pseudorandom and consequently less secure.  Before attempting to generate your own pseudorandom sequences, do some study, and be sure to avoid the National Security Agency's approved generator, complete with its back-door security hole, and the Pseudorandom Sequences for Dummies algorithm.
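To make the two preceding points concrete, the "pool of random passwords" from the Despondency section and the warning above about pseudorandom generators, here is an added example that is not code from the post. It draws each character from the operating system's entropy source via Python's secrets module rather than from the general-purpose random module, sizes the password from an entropy target instead of from composition rules, and shows in one call why a seeded PRNG is no password source at all: the same seed replays the same "random" output. The 94-character printable-ASCII alphabet and the bit targets are my assumptions.

```python
import math
import random
import secrets
import string

# Pool alphabet: the 94 printable ASCII characters (an assumption; the post fixes
# no alphabet). Entropy per character is log2(94), about 6.55 bits.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a password whose every character is drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits, alphabet_size=len(ALPHABET)):
    """Shortest uniform random password that reaches the entropy target."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length, rng=secrets.SystemRandom()):
    """Draw each character from the OS CSPRNG (os.urandom underneath), never random.random."""
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def generate_pool(count, length):
    """The post's model: a pool of distinct random passwords to assign to users."""
    pool = set()
    while len(pool) < count:  # discard the (vanishingly rare) duplicate draw
        pool.add(generate_password(length))
    return sorted(pool)


def seeded_prng_is_reproducible(seed, length):
    """Why a plain PRNG is not a password source: one seed, one fixed output."""
    first = "".join(random.Random(seed).choice(ALPHABET) for _ in range(length))
    second = "".join(random.Random(seed).choice(ALPHABET) for _ in range(length))
    return first == second


if __name__ == "__main__":
    length = length_for_bits(80)  # 80-bit target is a constructed example value
    print(f"{length} characters give {entropy_bits(length):.1f} bits")
    for pw in generate_pool(3, length):
        print(pw)
    print("seeded PRNG replays itself:", seeded_prng_is_reproducible(42, length))
```

Compare the numbers with the post's scheme: a fifteen-character walk has roughly 98 bits of entropy on paper, but once the attacker knows the pattern the only secret left is the starting key, so the real strength is a handful of guesses. A uniform thirteen-character draw from this pool keeps all of its 80-odd bits.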
