The art of hiding passwords in plain sight

Every few years there is a discussion held in the security field. It’s always the same question and the same answers. Passwords. How do we use them securely? Most of these articles don’t even get read because to a lot of security professionals, and even end-users, it is like listening to a broken record.

I thought I’d touch on a slightly different approach to password security. Recently an article by Gunter Ollmann was posted on ThreatPost.com. He stated that the sheer number and complexity of passwords the average user needs for day-to-day use of technology is too high, which leads users to re-use passwords across multiple sites and to choose weak passwords (because they are easy to remember). (The article can be found here: http://threatpost.com/en_us/blogs/why-you-should-write-down-your-passwords-070610)

Now I somewhat agree with this viewpoint, and I somewhat don’t. It is true that people are re-using passwords across various sites. It is true people are choosing weak passwords so they can be remembered. What Gunter states is that people should, in fact, write down their passwords, and choose complex ones which they change often. He states that there is less chance of someone breaking in to your home or office and reading the post-it note you stuck on your monitor than there is of a hacker or piece of malware either cracking your easy-to-remember passwords or syphoning them out of browser memory where people choose to allow the ‘remember password’ function.

Now while all of this is true, I can’t help but think about the case where malware or a hacker has got access to your machine in the first place. Even if you use strong passwords that you change often, don’t reuse them for different websites or services, and have a post-it note on your monitor, when you enter one of these passwords, the hacker/malware can and will intercept it. If you change your password often, whatever has infected your machine in the first place does not require any password to stay on your machine, because it is exploiting some type of vulnerability. So no matter what password scheme you use, if you have a compromised machine, it does not matter.

So his point that writing them down is more secure is invalid in that case. But it is true that if you are using complex and ever-changing passwords, it is harder for people to try and ‘guess’ your password and log in to a service as you. This happens a lot on social networks. So much private information about people is disclosed that others take this information and try to use it to guess their way into an account. This is where writing down your password is a good idea (provided your machine is not infected or exploitable to start with).

So I thought I’d give some examples on ways people might be able to write down passwords without making it so obvious for anyone who walks by your computer.

In the old days when mobile phones were dumb, a good idea was to store your complex passwords in a file or a text message to yourself, somehow hidden within a message. If your phone was PIN protected, your password would be reasonably safe. With the evolution of smartphones, phones are now as vulnerable as, if not more vulnerable than, the current PC. So I would not recommend storing passwords on your phone unless you can hide them well.

One other method back in the day was to just write down your passwords and keep it in your wallet. What are the chances of someone stealing your wallet? Well, again, there is a chance.

No matter where you physically store your password (be it written on a post-it note on your monitor or a piece of paper in your wallet) there is a real chance others can see or get a hold of this. So the solution is simple. Obfuscation.

Security through obscurity is never a good thing. But I believe that it is perfect for physically hiding passwords/pass-phrases. You can store your passwords wherever you want, on your phone, in your wallet or on your desk, in plain view of everyone, but only you can read what the password actually is.

If someone opened my drawer and found a piece of paper that said “Login for XXX: molly3618” – Then it is pretty obvious what it is.

If someone opened my drawer and found an old shopping list I made for the supermarket on Friday, would they think anything of it?

If someone went through my wallet and found a fuel receipt dated a few months ago, would they take any notice?

If someone opened up the Christmas card that was sitting on my desk, which was from my grandmother, would they think there was something sinister going on?

The answer for the last 3 questions is ‘no’. If somebody was rifling through my desk at work or at home, trying to find where I had written down my passwords, they would glance over all of the above. The trick is to use long and complex passwords, or pass-phrases, which you derive from common, seemingly unnoticeable objects in the vicinity of your work area (or on your person). All you have to do is sit down with a pen and a piece of paper, and come up with a technique that you will start using for your passwords. And make sure you play around with a few examples to make sure you remember it. This will be your ‘key’ to remembering passwords.

For example: I might decide to hide my passwords within a shopping list. I might decide that every third item on the shopping list is a piece of my password/pass-phrase. I might decide that after each word I will add a special character and a space. Once you have your system (key) memorised you can use it repeatedly on anything around you. I now know my own password technique, so to make another password for another site, I might take out the fuel receipt from my wallet: every third word on it, plus a special character and a space after each word. The card from my grandmother: every third word with a special character and a space. You re-use your password technique (key) on anything to get a unique and fresh password each time. This is a form of cryptography. And it may be dangerous if your technique is too obvious, because all the attacker needs to do is figure out your technique (key) and they can determine (crack) what all of your passwords are. So some care needs to be taken. This is just one example; you are only limited by your creativity.
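The shopping-list rule above, written out as an added example (not the author's code), together with a count of how many "every n-th word" rules someone holding the paper would have to try, which is the risk the paragraph warns about. The symbol order, the sample list and the function names are assumptions made for illustration.

```python
import math

# Assumption: symbols are taken in shifted number-row order (!, @, #, ...).
SPECIALS = "!@#$%^&*"


def derive(cover_text, stride=3, offset=2, specials=SPECIALS):
    """Every `stride`-th word (0-based start `offset`), each followed by a
    special character and a space; the final trailing space is dropped."""
    picked = cover_text.split()[offset::stride]
    return " ".join(w + specials[i % len(specials)] for i, w in enumerate(picked))


def candidates(cover_text, max_stride=5):
    """All passwords reachable by 'every n-th word' rules up to max_stride,
    trying every possible starting word for each stride."""
    return {
        derive(cover_text, stride, offset)
        for stride in range(1, max_stride + 1)
        for offset in range(stride)
    }


def rule_bits(cover_text, max_stride=5):
    """Secrecy left in the rule alone once the paper is known, in bits."""
    return math.log2(len(candidates(cover_text, max_stride)))


# Constructed sample cover text (not from the article).
SHOPPING_LIST = "milk eggs butter bread rice coffee apples tea sugar"

if __name__ == "__main__":
    print("derived password:", derive(SHOPPING_LIST))
    print("candidate rules :", len(candidates(SHOPPING_LIST)))
    print("bits in the rule:", round(rule_bits(SHOPPING_LIST), 1))
```

For the nine-word list this gives 15 candidate rules, under 4 bits of secrecy, so the protection rests on the paper going unnoticed rather than on the rule itself.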

Another example might be a printout from a technical book: ‘How to add ACLs to a Cisco Router’ (or something relevant to your profession). Having this pinned to your cubicle looks commonplace. You might have a few highlighted areas of text, as most people would. These highlighted or circled areas of text could be a part of a password. The biggest challenge is knowing WHAT website/service you are using for each password. This is also another layer of security.

If people understand your password key, they might not know what site it is for. You could deal with this in a variety of ways, such as scribbling down a keyword that indicates to you, and you only, what website this is for. For example, a scribbled note saying “note: don’t forget to check ebay for those skis!” on the bottom of your shopping list indicates that every third word in the shopping list is the password for your eBay account. A $ sign for your bank account. A doodle of a cartoon guy’s face for Facebook. The possibilities are endless. Provided you understand what it means, and it is not obvious to anyone else, it is all you need.

You could just write a sentence or a random note or doodle, that reminds you which site or service this particular password is for. Again, this should be obvious to you, but nobody else. The trick here is hiding secrets within seemingly normal, common-place and unnoticeable objects.

There are unlimited ways you can obfuscate physically written secrets. You just have to use your imagination. The only ‘key’ you ever have to remember is how you derive your passwords. You could even have a poster hanging on your wall, provided you know that you use every third word (or whatever you decide on) then you will always know the password by looking at the poster.

As I stated before, if your computer has been compromised, any password you enter into the system, regardless of its strength and complexity, will get intercepted. So writing them down in secret messages has no impact on this. But let’s assume your PC is clean and free of any malware or viruses, and you have a fair few passwords you need to remember for your work login, banking website and social network, and you want a safe way of having complex and hard-to-guess passwords for each one which you can easily remember. Then I think that obfuscating your passwords is the way to go. Get creative.

I may or may not have this picture as my desktop background. Can you figure out my password and what website it may be for?

FACEBOOK: Adventures! Who@ Dragons#