20 August 2018

Guest Post - Paper-Based Password Systems - Marcus

Thank you to Marcus for this post about safely using your organiser to store your passwords.


Passwords, passwords, everywhere

Passwords are a necessary feature of using online services for shopping, banking, social media or anything else. They are intended to allow you, and you alone, into your online accounts and need to be strong enough that they cannot be guessed, but not so complex that they cannot be remembered.

Many people use PC or smartphone apps such as 1Password, LastPass, bitwarden and similar to manage their passwords. These are great solutions and if they work for you, then keep on using them. However, others might not like the idea of their passwords floating around in The Cloud, however strong the encryption, and prefer instead to keep their passwords safely on paper far away from online hackers and the Dark Web.

This article describes ways that you can use your Filofax or other paper-based system to generate and store your passwords. It lists useful online resources for you to explore and encourages you to adopt secure and consistent password behaviour. Your Filofax helps you to organise other aspects of your life so why not your passwords too?

Convenience versus security
The easiest way of recording your passwords is to write them down in a long list. Filofax even sells pre-printed inserts for this purpose with the accompanying description:
Never forget passwords again with these handy Password Paper Refills for your Filofax Organiser. Complete with reference, website, login, password and notes fields you can keep your login information all in one place.
This is easy but not secure. It relies wholly on the physical security of your Filofax binder. If it is lost or stolen, then your entire online life and identity could be put at risk. Heed the warning that Filofax now prints in the footer of their Personal Information page:
Please exercise caution when recording personal information in these pages.
This is especially true when recording names, addresses, key account numbers and passwords.

Paper, but with security
There are very few Web sites devoted to paper-based password security, despite industry luminaries such as Jesper Johansson (Microsoft) and Bruce Schneider (security technologist) recommending that people write down their passwords.

A casual Web search for "paper password generator" returns mainly online password generators (avoid these), sites that let you print a paper Bitcoin wallet (a different thing entirely) and only two truly paper-based systems: a DIY solution described on the Digital Inspiration technology blog and passwordcard.org, a Web site that generates passwords on a printable card for you.

DIY using Excel
Authors Amit Agarwal and/or Andres Rorrubia (it's not entirely clear) describe a method for generating passwords from a printed table containing short random strings of letters or numbers. These can be generated in Excel or similar software and printed at home. The body of the table can contain anything you like, but should ideally be randomised characters and numbers. For example:


The idea is to use the name of the website to choose corresponding password characters from the table. Using the example table above, your amazon Website password would be ajvAN6xs7enb based on the following logic:
1st letter is a – > a (Column 2, Row 1)
2nd letter is m – > jv (Column 7, Row 2)
3rd letter is a -> AN6
4th letter is z -> xs7
5th letter is o – > enb
You do not have to remember this complex string, because you can refer to the card and look up your password when you log in to amazon to do some shopping.

What happens if someone steals the card? Firstly, it's not entirely obvious what the card is for or how you use it (don't label it Password Generator in your Filofax!). Secondly, the authors suggest interleaving something you know into the password string as a means of increasing the security of the card. Even if stolen, the card cannot be used on its own to generate passwords.

Their example extends the password generated above by interleaving your birthplace (say) into the password thus:
PahjviAN6lxs7aenbdelphia

It's a neat and secure solution that requires no electricity, backups, system updates, never goes obsolete and cannot be hacked ... much like your Filofax!

Password Card
PasswordCard takes a different approach by allowing you to generate a unique printable card on their Web site. It comprises symbolic column headers and coloured rows, where each string of numbers and characters is completely unique to your card.

The idea is that instead of remembering, or otherwise recording your Facebook password (say), you remember (or record) something like Umbrella, Blue which denotes the starting column and starting row for your password. You then read off whatever number of characters you wish to make up your password (say, 8 characters) and you can choose any direction right/left/up/down/diagonal.


In the example card above, I could find my Facebook password by starting at Umbrella, Blue (C) and counting off eight letters to the right: CWPwkkBN

A weakness of this system, to me anyway, is the requirement to keep track of the symbol and colour starting combination of each Web site you visit and log in to. This could get tedious very quickly, unless you can work out a personal (and confidential) way of assigning a starting position for each new Web site. For example, you could use the site's logo colour to specify the starting row, and the first letter of its name to count along the columns to choose a starting symbol (e.g. Facebook has a blue logo = row 8; starts with F = sixth letter of the alphabet, so column 6 = umbrella; 8 characters to the right of this starting symbol = CWPwkkBN)

Even describing that potential workflow, I feel myself clutching at straws a bit because it sounds so unwieldy. Indeed, the authors of the PasswordCard site do hint that the system works best if you reuse the same password across multiple sites because you will then only ever have to remember a single starting location. They also acknowledge that this is poor security practice and recommend using different passwords for "very important sites, such as Internet banking sites".

In the event of loss or theft, the card is useless to whoever finds it because they do not know how to navigate it to generate passwords. If you securely record the unique code number for your card (the string at the base of the card) you can regenerate it on the PasswordCard site. This is helpful if you've lost your card or if it's just looking worn.

No more password lists
With both methods, you are never carrying around lists of passwords that anyone could read and use. Instead, you are carrying around the means for you to generate passwords on-the-fly for any sites that require them, or to look up passwords that you generated previously. All it requires is the master lookup table (DIY/Excel or PasswordCard) and your personal rules about how to navigate it.

Closing thoughts
Regardless of whether you use an electronic or paper-based password system, you should as a minimum follow these guidelines to keep yourself safe online.

Choose strong passwords that

  • Are at least 8 characters in length
  • Contain both upper and lowercase alphabetic characters (e.g. A-Z, a-z)
  • Have at least one numerical character (e.g. 0-9)
  • Have at least one special character (e.g. ~!@#$%^&*()_-+=)

But do not -

  • Spell a word or series of words that can be found in a standard dictionary
  • Spell a word with a number added to the beginning and the end
  • Be based on any personal information such as user id, family name, pet, birthday, etc.
  • Contain trivial letter/number substitutions such as P@55w0rd instead of Password.

Avoid using the same password for multiple accounts.
If that obscure shopping site you used last year suffers a data breach, your email address and password could leak into the public domain and put all your other accounts at risk.

It's time to stop using petsname_27 or pet5_n@me28 as your preferred style of password. The examples described above are more secure than keeping a paper-based list, but are certainly less convenient.

Ask yourself where you sit on the convenience-security continuum and choose your password solution accordingly. Software-based password managers are fantastic but for some people there's nothing more secure than pen and paper.

Thank you Marcus.

7 comments:

  1. Great post! Thanks Marcus. I particularly like the idea of a single code card to produce passwords. The only problem is that some sensitive websites require you to change your password every 90 days, so a way around that will be needed.

    Personally, I’ve stopped buying anything from Amazon, in order to support smaller, tax paying businesses, so that’s one password I won’t be needing!

    ReplyDelete
  2. Wow!! The most fantastic post. Utterly useful. Thank you so, so, much Marcus.xx

    ReplyDelete
  3. Many moons (decades, actually) ago my Dutch bank provided a card which allowed its customers to remember pin numbers. I've never seen one since, but it's still useful (tattered though it is) and can be adapted to remember passwords.


    The idea is similar to your first table above, except where you have 1st, 2nd etc. down the y axis, this system puts the name of the site or whatever you need to remember the password to, e.g. Amazon, Google etc. The system mentioned above would cause problems for me as, for example, I use multiple Amazon sites (sorry Tim, but living in the sticks, I don't have much choice in supporting local retail outlets cos they aren't there!), and you have to remember the name you give to each site. Also, passwords may not end up long enough (e.g., to log into BBC using that system the length of the password might be insufficient).

    Any old how, back to this modified system: you then choose one master password (not to be written down anywhere, naturally). Spelling out the master password on the top row (x axis) gives you the password for the site on the relevant row. This may need slight tweaking if you are forced to add capital letters/punctuation/numbers to any password, but these can be added as extra columns and weaved into the password.


    Not entirely fool proof, but a good compromise system if you do feel the need to write down passwords.

    ReplyDelete
  4. Great post and info, Marcus. Thanks so much for sharing!

    Definitely have some work to do in this dept.....

    Mark

    ReplyDelete
  5. Brilliant post! Fascinating. Thank you very much.

    ReplyDelete
  6. From memory, Bruce Schneider's recommendation has one important addition: write it down, yes, *and then keep it with your cash*. Don't leave ti lying around or keep it in your diary any more than you would leave $100 bills on your table or in your diary.

    Both suggestions suffer if an attacker gets hold of your sheet. Even without knowing the starting position (and direction), having the sheet reduces the search space to nothing, for practical purposes. In other words, an attacker can brute-force crack your password in seconds. Interleaving a secret word as suggested helps.

    Some people find it easier to remember random phrases; instead of CWPwkkBN you get something like

    Flying blue horses eat green panda eggs daily

    which are eight random words instead of eight random letters. Words are safer -- there are many more of them than letters -- so you could use fewer of them for the same safety. And I challenge you to get that image of horses and eggs out of you memory any time soon....

    Here is one handy list of common words: https://www.ef.com/english-resources/english-vocabulary/top-3000-words/ (cut out the too short ones)

    Even if the attacker knows you used eight words and they were all from this list, that is still a huge search space.

    Here is a site that generates it for you: https://www.useapassphrase.com/ But of course that is not paper based so you may want to print out that word list instead.

    ReplyDelete
    Replies
    1. Allan, I'm very curious as to why Bruce Schneider would recommend keeping password sheets with cash rather than, for example, in a diary. Is the assumption that people would guard their cash more closely? Personally, my diary is far more important to me than USD 100 - I'd rather lose the latter any day. (As an aside, when I lived in Amsterdam many of us would leave a high denomination note on a table so that, should a junkie break in, they would take the cash and go rather than turning the place upside down looking for valuables).


      Though I would never advise anybody to write down any password ever, I don't think an attacker with a password sheet which follows any of the systems above would have it as easy as you suggest. They would still face quite a conundrum - unless you were being specifically targeted, they would move on to easier prey. If an interleaved extra word is used, without knowing the method of interleaving, a password from these systems becomes just as hard to guess as any other. Most problems occur because passwords get hacked or phished and poorly structured systems can get broken into using brute force. Scammers these days use algorithms, though I like the idea of somebody sitting down of an evening with a glass of wine and trying to make head or tail of one of these password sheets.


      But, as I said, not providing any clues is always better.

      Delete