I'm sick of remembering all the passwords for different logins. Lately I found the interesting tool password composer, which lets you generate passwords based on the hostname and a secret master password. But I don't want to use a website or install software to generate my passwords.

So I'm looking for a simple one-way hashing algorithm which I can execute without computer aid to generate my passwords. Something in the spirit of the Solitaire cipher without the need for cards.

Using a PW store is not an option.

+1  A: 

Why don't you just use the exact same algorithm as the password composer?

  • Pick a master password
  • Take the application/machine name for which you want a password
  • Concatenate the two (or shuffle)
  • Apply a code you can do in your head, like Caesar's cipher
  • Take the first X characters (15 is usually a good length for secure passwords)

Example:

Master Password: kaboom
Machine Name: hal9000
Shuffle: khaablo9o0m00
Transposition table: shift 5 left
abcdefghijklmnopqrstuvwxyz 1234567890
vwxyzabcdefghijklmnopqrstu 6789012345 

Result: fcvvwgj4j5h55

You could use as complex a substitution as your head can do reliably (with or without a paper). You could also use a different table for each password (say, deduce the table from the first letter of each machine name). As long as your master password is secure, there's nothing to fear about the simplicity of the algorithm.

Vinko Vrsalovic
Let's say I'm somewhere where I have no access to a computer and want to remember/recalculate the password. Doing md5 in my head is a little too much...
Peter Hoffmann
Under what circumstances would you need to use the password without having access to the computer? Surely not to write it down or tell it to someone.
paxdiablo
Sorry, hadn't read the without a computer part. There you have an alternative.
Vinko Vrsalovic
Let's say for entering a boot password, or using the password for some kind of fancy security system.
Peter Hoffmann
Dumb (but fun) trick: You can complicate the substitution cypher by shifting your hands up and left 1 key when you type in the resulting password.
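
The steps from the answer above (shuffle, shift 5 left, take the first X characters), written out as an added Python example that is not part of the original answer; the function names are assumptions. It reproduces the kaboom/hal9000 result and also checks whether the derivation is one-way: for an untruncated password and a known machine name it can be run backwards.

```python
import string

LETTERS = string.ascii_lowercase
DIGITS = "1234567890"  # digit order taken from the answer's table


def interleave(master, site):
    """Alternate master and site characters; the longer tail is appended."""
    pairs = []
    for i in range(max(len(master), len(site))):
        pairs.append(master[i:i + 1] + site[i:i + 1])
    return "".join(pairs)


def shift(text, k):
    """Move letters and digits k places left in their own alphabet.
    Other characters (".", uppercase) pass through unchanged."""
    out = []
    for ch in text:
        for alphabet in (LETTERS, DIGITS):
            if ch in alphabet:
                ch = alphabet[(alphabet.index(ch) - k) % len(alphabet)]
                break
        out.append(ch)
    return "".join(out)


def derive(master, site, k=5, length=15):
    """The answer's procedure: shuffle, substitute, keep the first `length`."""
    return shift(interleave(master, site), k)[:length]


def invert(password, site, k=5):
    """Undo the substitution and the shuffle for an untruncated password."""
    shuffled = shift(password, -k)
    master_len = len(shuffled) - len(site)
    if master_len < 0:
        raise ValueError("password is shorter than the site name")
    paired = min(master_len, len(site))
    return shuffled[0:2 * paired:2] + shuffled[2 * paired:][:master_len - paired]


if __name__ == "__main__":
    pw = derive("kaboom", "hal9000")   # values from the answer's example
    print(pw)                          # fcvvwgj4j5h55
    print(invert(pw, "hal9000"))       # kaboom
```
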
A: 

Something I used to do (before I started using pwgen to generate my passwords) was to find a nearby paper document and use the first and last character of each line. So long as you know which document goes with which account, regenerating the password is easy if you lose/forget it and no computer is required to do so. (It is important to use a book or other paper document for this, of course, as anything electronic could change and then you'd be lost.)

Dave Sherohman
A: 

First pick a person (celebrity, relative, fictional character or whatever). This person's identity is your private key, which you should keep secret.

To generate a password for a site, juxtapose the person with the sitename and think about the two for a while. Whatever mental image you get, sum it up with a memorable phrase and take a moment to fix the image and the phrase in your mind. The phrase is your password for this site.

(edit) The rationale for this method is that any maths-based system would be either insecure, or too complicated to do in your head.

A: 

Alternate characters of the hostname with characters from your master password until you run out of master password characters.

hostname: stackoverflow.com master password: homer

new password: shtoamcekro

I can almost do that in my head. No need for paper or pencil.

Don't use this system for anything super important. But for your half dozen email, facebook and other random accounts it should be fine.

Mnebuerquo
Makes the original password very easy to determine though, no?
Like I said, don't use this system for anything important.
Mnebuerquo