Banks still don’t get online security

I was changing my Chase account password online when I came across this mess.

Change password page

And establishment IT strikes again.

You idiots still don’t get it

I can understand this limitation for usernames, but passwords too? Clearly, Chase thinks it knows better than people who want to take a proactive approach to their passwords.

Between bunny123, MonkeyWrench5875 and cNF7k=RsF$M4p which do you think is the more secure password? Hint: The one not likely to show up pre-hashed in a Rainbow Table.

This forced dumbing down exists only because whoever wrote the page clearly didn’t bother with, or wasn’t able to put in, proper filtering to make sure no SQL injection takes place.

I don’t believe there should be any limits up to maybe 600 characters since hashing is universal. I should be able to write a password in Kanji or Sanskrit if I so please and maybe even an entire sentence with numbers. Why in the name of all that is holy would you be this lazy with something simple like a password?

Is it any wonder that financial institutions are being targeted by hackers as ruthlessly as they are? They know the banking world is full of these. If you’re trying to advise customers on security procedures, why would you put in this glaring shortcoming? Whoever came up with this limitation should be fired on the spot. If your banking software is as archaic as your security, then what else is hiding in there?

If you want to create passwords that are impossible to guess, yet easy for you to remember, try out my password generator. You can take a phrase like “Scooby Doo Where are you” and turn it into a password like s19D4@w23a1$y25 with all the bells and whistles turned on. Make passwords out of lines from out-of-print books, some secret shared with a loved one or even a phrase in another language transliterated into English (my favorite technique).

Of course, no secure password in the world will help you if the institutions you depend on aren’t willing to accept them for stupid technical reasons.

Ultra-secure passwords part II

This is mostly a follow-up to my original post on easily generating passwords from a mnemonic. It was prompted by a comment by Francesco Sullo advocating against the method, saying: “If the attacker is a cryptanalyst and he catches two of your generated ‘super secure’ passwords (for example, because you log in to his websites) he can easily discover your method in minutes.”

The premise is false, and here’s why…

For an attacker to decipher the password, I either have to be using commonly known phrases or sentences from well-known books (which I don’t), or the attacker needs to scan every book in print and out of print, which is quite unlikely. Mind you, the text can even be a phrase, as demonstrated in my reply to him, which no attacker could ever hope to guess unless it was made public at some point.

As a side note, I created a quick little utility that does the hard part. There’s ample room for improvement for sure, but it gets the point across that book cipher cryptography is only weak when the source is known.

Ultra-secure passwords for the rest of us

Recently, the Jack O’Spades wrote an interesting article about passwords and how NOT to create them. He’s, of course, absolutely right in that, when it comes to passwords, longer doesn’t mean better. Complex is always better.

The problem, it seems, isn’t coming up with a complex password, it’s remembering it when you really need to. How exactly do you remember a password that has both numbers and letters in it?

Take for example, the following secure password : tlpwtm201216232013

Believe it or not, I can reproduce that password, on command, whenever I want, without even memorizing it. How, pray tell?

The solution isn’t to remember the password itself, but to remember how to create the password, i.e. remember the algorithm that originally produced the password and recreate it on demand. In simple terms, this is no different from encryption algorithms that produce the same output when provided the same input. Fortunately, our algorithm is much simpler than encryption algorithms, and if our password is small enough, we can probably do it all in our head.

The password, tlpwtm201216232013, was created using the phrase “This Little Piggy Went To Market”. We now take the first letter of each word in the phrase:

“This Little Piggy Went To Market”
t l p w t m

We now have the first “letter part” of our password. Unfortunately this isn’t secure by itself, as it would only take a short while to crack with a brute force attack, so we must also add a few numbers to make it much more difficult to guess. However, the numbers don’t need to be random at all and can be quite long…

Let’s consider the following list :

  1. A
  2. B
  3. C
  4. D
  5. E
  6. F
  7. G
  8. H
  9. I
  10. J
  11. K
  12. L
  13. M
  14. N
  15. O
  16. P
  17. Q
  18. R
  19. S
  20. T
  21. U
  22. V
  23. W
  24. X
  25. Y
  26. Z

Each letter of the alphabet has a corresponding number which denotes its place. We have already selected our letters, t l p w t m; now we need to match them to the numbers…

T = 20
L = 12
P = 16
W = 23
T = 20
M = 13

Now put those numbers together: 201216232013. We now have the number portion of our password. Put it all together: tlpwtm201216232013. And now we have our password completed!

To make this even more secure, you have the option of capitalizing every other character and, perhaps, adding special characters here and there: =tLpWtM%!?201216232013. As long as you maintain the same pattern throughout all your passwords, you won’t have to worry about which special character goes where.

Let’s take a look at a few more phrases and passwords derived from them :

“Now is the winter of our discontent”
nitwood149202315154

“What a piece of work is man”
wapowim231161523913

“Have patience, and endure”
hpae81615
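The whole procedure (first letters, alphabet positions, concatenation, plus the capitalization-and-symbols variant) written out as an added Python example; this is not the author’s password generator, and the “=” prefix and “%!?” separator are simply the values taken from the post’s own decorated example above.

```python
# Added example: the mnemonic scheme from this post, step by step.
import string


def letter_part(phrase: str) -> str:
    """First letter of each word, lower-cased; punctuation around words is ignored."""
    words = [w.strip(string.punctuation + "\u201c\u201d\u2018\u2019") for w in phrase.split()]
    return "".join(w[0].lower() for w in words if w)


def number_part(letters: str) -> str:
    """Each letter's 1-based position in the alphabet (a=1 ... z=26), concatenated."""
    return "".join(str(ord(c) - ord("a") + 1) for c in letters)


def mnemonic_password(phrase: str) -> str:
    """Plain form: letter part followed by its number part."""
    letters = letter_part(phrase)
    return letters + number_part(letters)


def decorated_password(phrase: str, prefix: str = "=", separator: str = "%!?") -> str:
    """Variant from the post: capitalize every other letter and insert fixed
    symbols in fixed positions (defaults copied from the post's example)."""
    letters = letter_part(phrase)
    mixed = "".join(c.upper() if i % 2 else c for i, c in enumerate(letters))
    return prefix + mixed + separator + number_part(letters)


if __name__ == "__main__":
    for phrase in (
        "This Little Piggy Went To Market",
        "Now is the winter of our discontent",
        "What a piece of work is man",
        "Have patience, and endure",
    ):
        print(f"{phrase!r:45} -> {mnemonic_password(phrase)}")
    print(decorated_password("This Little Piggy Went To Market"))
```

Running it reproduces the four passwords listed above. Note that the number part is computed from the letters, so the entire password is determined by the phrase alone; as the follow-up post puts it, the scheme is only weak when the source text is known.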

The best thing about this method is that you don’t have to limit yourself to popular phrases. It could be something you were told as a child, some phrase in a book that has been out of print for a decade, a Latinized phrase from a non-English book… Your imagination is the limit. And since the method of formulation is so simple, now you don’t have an excuse not to come up with a complex and unique password for every occasion.