Is this password scheme legit?
I received an invitation for an IT security fair (https://www.it-sa.de/en).
They additionally delivered a password "Kryptonizer". That is a little card to hang on your keychain with the following (example values, my translation):
It is often too easy for hackers to acquire personal information. The reason: Passwords that we can easily remember aren't cryptic. They are often common names or words like "Snowden" or "Admin". This card tries to fix this by making easy to remember passwords cryptic.
Input:  Start  ABC  DEF  GHI  JKL  MNO  PQRS  TUV  WXYZ
Output: 4uR=?  x    1    F    3    Y    i     #    9
Original version in German:
Hintergrund: Passwort-Hackern wird der Zugang zu persönlichen Daten im
Internet häufig viel zu leicht gemacht. Der Grund liegt auf der Hand:
Passwörter, die wir uns merken können, sind meistens nicht besonders
kryptisch, sondern orientieren sich an gängigen Namen oder Wörtern wie
"Snowden" oder "Admin".
Everything from the output is random for every single card (66 different characters to choose from). Now we have to choose an "easy" password (they recommend at least 8 characters):
Input: HELLOWORLD
Output: 4uR=?F133Y9Yi31
They also recommend using this card for only one password and changing it if you lose the card.
Is this password scheme good? It comes from a big security fair with many experts.
My novice guess is that you have reduced entropy because of only 8 different characters (+ 1 start sequence), but as long as your card stays unknown, the attacker can't exploit this fact.
Tags: passwords, password-cracking
Can you elaborate on what this card is being used for? It does seem like a rudimentary password hashing scheme designed for manual checks - especially with "simple passwords" you have reduced security. A password that matches the hash can easily be produced for every hash in one pass.
– Tobi Nary
9 hours ago
This looks like a very weak password hashing scheme. Given a hashed password, it won't be too difficult to reverse it into a list of possible plain text passwords (the reversing algorithm is essentially the T9 algorithm).
– Lie Ryan
9 hours ago
@TobiNary To cite the card (translated) "It is often too easy for hackers to acquire personal information. The reason: Passwords that we can easily remember aren't cryptic. They are often common names or words like "Snowden" or "Admin"", this card tries to fix this by making easy to remember passwords cryptic.
– izlin
9 hours ago
@izlin do you have the German Text as well? This does seem like first class sarcasm.
– Tobi Nary
7 hours ago
@TobiNary I actually explain this very concept right in the beginning of my answer. Yes I absolutely agree that teaching people to use passwords is way better than to rely on what is effectively a crutch. And this may be perfectly fine for a 28-year-old college graduate with a MSc. in Engineering. But for the 57-year-old Karen from Accounting, this proves to be substantially more difficult.
– MechMK1
3 hours ago
asked 9 hours ago by izlin (new contributor, 14 bronze badges), edited 4 hours ago
2 Answers
Full disclosure: I work for a company which distributes such cards. This answer however is my own personal opinion of them.
The idea of these cards is that some users are just really bad at remembering passwords or pass phrases. The naïve approach would be to tell users "Just get better at remembering passwords", but experience has shown that such advice is counter-productive with some users.
Their memory seems to be hard-wired to only recall simple words, which probably have something to do with their work. So somebody working in a car factory may remember a word such as Engine.
Engine, of course, is a terrible password - both in length and entropy. So the "Kryptonizer" or similarly named cards try to add both of those.
Length is added by the prefix, 4uR=? in this case. It immediately increases the password length by 5 characters, bumping a 6 character password up to an 11 character password. Not perfect, but an improvement.
Entropy is added by substituting each character with a randomly chosen character. Not exactly a 1:1 substitution, but close enough. Since each card is unique, one can't build a pre-made rule on how to mangle each dictionary phrase.
In this example, Engine would turn into 4uR=?1YFFY1. Is this a good password? Probably not great, but certainly a lot better than Engine.
Problems with this scheme
Of course, it's not a perfect system. A good passphrase can't be replaced by a little paper card. Since three input characters map to one output character, the resulting password loses entropy instead of gaining it. The net entropy gain is that attackers can't use dictionary attacks as easily anymore. In order to do that, they would need to gain access to the mapping or perform an exhaustive search. If an attacker knows that such a card was used, they can use this to their advantage to speed up an exhaustive search.
Furthermore, users are expected to keep their card around, and many will probably leave it on their desk, under their keyboard or in similar bad locations. If they lose their card, they will probably lose their password too. They will need a new card, and change their password as well, which is not that good for usability.
Summary
So, is this a good system? Ultimately, I would say you have to judge it in the context of what it is designed to do. It's an aid for a specific group of users, who would otherwise use ungodly terrible passwords. And helping users choose marginally better passwords for a negligible cost is a good thing, in my opinion. Of course, it is not a silver bullet that magically solves the problem of credential storage and generation.
If possible, always use a password manager, let it generate long, high-entropy passwords and store them for you in a safe manner.
If this is not possible (e.g. for OS logins), I recommend either using Diceware or creating a long, nonsensical sentence, such as TheGreenLightFromOurEyesShinesThroughTheMirrorOfTime. Just ensure that such a sentence isn't taken from a book or movie.
You may as well just print a proper randomly-generated 16-character string on the card for them to use as their password.
– OrangeDog
14 mins ago
@OrangeDog No, because then you have to trust the card designer with your (full) password.
– Jon Bentley
7 mins ago
@OrangeDog not only that but anybody who sees the card would have your password!
– Digital Chris
1 min ago
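The card mapping from the question and the entropy-loss argument in the answer above, modelled as an added Python example (not code from the question, the answer, or the card's vendor). The prefix and group table are the values printed in the question; the sample word list is constructed, and the 66-symbol alphabet size used for the "card unknown" estimate is the figure the question quotes from the card.

```python
"""Model of the "Kryptonizer" substitution card and what it does to entropy.

Added example; the card layout is taken from the question, the word list and
the no-card search-space estimate are constructed assumptions.
"""
import math
import string

# Card as printed in the question: a fixed prefix plus one output symbol per
# letter group. Every card is printed with its own random values.
CARD_PREFIX = "4uR=?"
CARD_GROUPS = {
    "ABC": "x", "DEF": "1", "GHI": "F", "JKL": "3",
    "MNO": "Y", "PQRS": "i", "TUV": "#", "WXYZ": "9",
}
OUTPUT_ALPHABET_SIZE = 66  # symbols a card can be printed with, per the question

# Constructed dictionary: "simple words" a user might feed into the card.
SAMPLE_WORDS = ["cat", "bat", "act", "dog", "fog", "engine", "hello"]


def build_letter_map(groups=CARD_GROUPS):
    """Expand the printed group table into a per-letter substitution table."""
    table = {}
    for letters, out in groups.items():
        for ch in letters:
            table[ch] = out
    # The eight groups must cover exactly A-Z, as on the card.
    assert set(table) == set(string.ascii_uppercase)
    return table


def kryptonize(word, prefix=CARD_PREFIX, groups=CARD_GROUPS):
    """Apply the card: prefix, then one output symbol per input letter."""
    table = build_letter_map(groups)
    word = word.upper()
    if any(ch not in table for ch in word):
        raise ValueError("the card only maps the letters A-Z")
    return prefix + "".join(table[ch] for ch in word)


def brute_force_bits(n_letters, card_known):
    """log2 of the search space for an n-letter input word.

    With the card in hand, each position can only be one of 8 symbols (the
    3-to-1 collapse the answer describes). Without it, the attacker has to
    treat every character of the 5+n password as any of the 66 symbols.
    """
    if card_known:
        return n_letters * math.log2(len(CARD_GROUPS))
    return (len(CARD_PREFIX) + n_letters) * math.log2(OUTPUT_ALPHABET_SIZE)


def collision_groups(words, groups=CARD_GROUPS):
    """Bucket dictionary words by the password the card turns them into.

    Because several letters share one output symbol, distinct words collapse
    onto the same card output; each bucket is a set of indistinguishable inputs.
    """
    buckets = {}
    for w in words:
        buckets.setdefault(kryptonize(w, groups=groups), []).append(w.upper())
    return buckets


def dictionary_entropy_loss(words):
    """Bits lost when a uniform pick from `words` is pushed through the card."""
    distinct_in = len({w.upper() for w in words})
    distinct_out = len(collision_groups(words))
    return math.log2(distinct_in) - math.log2(distinct_out)


if __name__ == "__main__":
    print("HELLOWORLD ->", kryptonize("HELLOWORLD"))
    print("Engine     ->", kryptonize("Engine"))
    for n in (6, 10):
        print(f"{n} letters: card unknown {brute_force_bits(n, False):.1f} bits,"
              f" card known {brute_force_bits(n, True):.1f} bits")
    for pw, words in collision_groups(SAMPLE_WORDS).items():
        print(pw, "<-", ", ".join(words))
    print(f"entropy lost over sample dictionary: "
          f"{dictionary_entropy_loss(SAMPLE_WORDS):.2f} bits")
```

The "card known" figure is the defender's worst case: once the card is compromised, the password is no stronger than the user's original word, and the collision buckets show that it is slightly weaker.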
It always depends on what you compare it with! What is the realistic alternative, that users would actually use, to using this card?
Clearly, 4uR=?F133Y9Yi31 is a much better password than HELLOWORLD. If you are giving this card to a non-techie who's not going to pick good passwords or use a password manager anyway, then it's an improvement.
On the other hand, using this system is much worse than just picking a random 16 letter password that you'll never remember and storing it in your password manager. An attacker who knows what letters there are on the card (e.g. by looking at leaked passwords from the same user) could easily crack it - suddenly it is only 40 bits of entropy!
So is this a good idea for people who might use a password manager? No, absolutely not. For your grandpa? Maybe! Don't let perfect be the enemy of the good.
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
izlin is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f215919%2fis-this-password-scheme-legit%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
Full disclosure: I work for a company, which distributes such cards. This answer however is my own personal opinion of them.
The idea of these cards is that some users are just really bad at remembering passwords or pass phrases. The naïve approach would be to tell users "Just get better at remembering passwords", but experience has shown that such advice is counter-productive with some users.
Their memory seems to be hard-wired to only recall simple words, which probably have something to do with their work. So somebody working in a car factory may remember a word such as Engine
.
Engine
, of course, is a terrible password - both in length and entropy. So the "Kryptonizer" or similarly named cards try to add both of those.
Length is added by the prefix, 4uR=?
in this case. It immediately increases the password length by 5 characters, bumping a 6 character password up to an 11 character password. Not perfect, but an improvement.
Entropy is added by substituting each character with a randomly chosen character. Not exactly a 1:1 substitution, but close enough. Since each card is unique, one can't build a pre-made rule on how to mangle each dictionary phrase.
In this example, Engine
would turn into 4uR=?1YFFY1
. Is this a good password? Probably not great, but certainly a lot better than Engine
.
Problems with this scheme
Of course, it's not a perfect system. A good passphrase can't be replaced by a little paper card. Since three input characters map to one output character, the resulting password loses entropy instead of gaining it. The net entropy gain is that attackers can't use dictionary attacks as easily anymore. In order to do that, they would need to gain access to the mapping or perform an exhaustive search. If an attacker knows that such a card was used, they can use this to their advantage to speed up an exhaustive search.
Furthermore, users are expected to keep their card around, and many will probably leave it on their desk, under their keyboard or in similar bad locations. If they lose their card, they will probably lose their password too. They will need a new card, and change their password as well, which is not that good for usability.
Summary
So, is this a good system? Ultimately, I would say you have to judge it in the context of what it is designed to do. It's an aid for a specific group of users, who would otherwise use ungodly terrible passwords. And helping users choose marginally better passwords for a negligible cost is a good thing, in my opinion. Of course, it is not a silver bullet that magically solves the problem of credential storage and generation.
If possible, always use a password manager, let it generate long, high-entropy passwords and store them for you in a safe manner.
If this is not possible (e.g. for OS logins), I recommend either using Diceware or creating a long, nonsensical sentence, such as TheGreenLightFromOurEyesShinesThroughTheMirrorOfTime.
. Just ensure that such a sentence isn't taken from a book or movie.
You may as well just print a proper randomly-generated 16-character string on the card for them to use as their password.
– OrangeDog
14 mins ago
@OrangeDog No, because then you have to trust the card designer with your (full) password.
– Jon Bentley
7 mins ago
@OrangeDog not only that but anybody who sees the card would have your password!
– Digital Chris
1 min ago
add a comment |
Full disclosure: I work for a company, which distributes such cards. This answer however is my own personal opinion of them.
The idea of these cards is that some users are just really bad at remembering passwords or pass phrases. The naïve approach would be to tell users "Just get better at remembering passwords", but experience has shown that such advice is counter-productive with some users.
Their memory seems to be hard-wired to only recall simple words, which probably have something to do with their work. So somebody working in a car factory may remember a word such as Engine
.
Engine
, of course, is a terrible password - both in length and entropy. So the "Kryptonizer" or similarly named cards try to add both of those.
Length is added by the prefix, 4uR=?
in this case. It immediately increases the password length by 5 characters, bumping a 6 character password up to an 11 character password. Not perfect, but an improvement.
Entropy is added by substituting each character with a randomly chosen character. Not exactly a 1:1 substitution, but close enough. Since each card is unique, one can't build a pre-made rule on how to mangle each dictionary phrase.
In this example, Engine
would turn into 4uR=?1YFFY1
. Is this a good password? Probably not great, but certainly a lot better than Engine
.
Problems with this scheme
Of course, it's not a perfect system. A good passphrase can't be replaced by a little paper card. Since three input characters map to one output character, the resulting password loses entropy instead of gaining it. The net entropy gain is that attackers can't use dictionary attacks as easily anymore. In order to do that, they would need to gain access to the mapping or perform an exhaustive search. If an attacker knows that such a card was used, they can use this to their advantage to speed up an exhaustive search.
Furthermore, users are expected to keep their card around, and many will probably leave it on their desk, under their keyboard or in similar bad locations. If they lose their card, they will probably lose their password too. They will need a new card, and change their password as well, which is not that good for usability.
Summary
So, is this a good system? Ultimately, I would say you have to judge it in the context of what it is designed to do. It's an aid for a specific group of users, who would otherwise use ungodly terrible passwords. And helping users choose marginally better passwords for a negligible cost is a good thing, in my opinion. Of course, it is not a silver bullet that magically solves the problem of credential storage and generation.
If possible, always use a password manager, let it generate long, high-entropy passwords and store them for you in a safe manner.
If this is not possible (e.g. for OS logins), I recommend either using Diceware or creating a long, nonsensical sentence, such as TheGreenLightFromOurEyesShinesThroughTheMirrorOfTime.
. Just ensure that such a sentence isn't taken from a book or movie.
You may as well just print a proper randomly-generated 16-character string on the card for them to use as their password.
– OrangeDog
14 mins ago
@OrangeDog No, because then you have to trust the card designer with your (full) password.
– Jon Bentley
7 mins ago
@OrangeDog not only that but anybody who sees the card would have your password!
– Digital Chris
1 min ago
add a comment |
Full disclosure: I work for a company, which distributes such cards. This answer however is my own personal opinion of them.
The idea of these cards is that some users are just really bad at remembering passwords or pass phrases. The naïve approach would be to tell users "Just get better at remembering passwords", but experience has shown that such advice is counter-productive with some users.
Their memory seems to be hard-wired to only recall simple words, which probably have something to do with their work. So somebody working in a car factory may remember a word such as Engine
.
Engine
, of course, is a terrible password - both in length and entropy. So the "Kryptonizer" or similarly named cards try to add both of those.
Length is added by the prefix, 4uR=?
in this case. It immediately increases the password length by 5 characters, bumping a 6 character password up to an 11 character password. Not perfect, but an improvement.
Entropy is added by substituting each character with a randomly chosen character. Not exactly a 1:1 substitution, but close enough. Since each card is unique, one can't build a pre-made rule on how to mangle each dictionary phrase.
In this example, Engine
would turn into 4uR=?1YFFY1
. Is this a good password? Probably not great, but certainly a lot better than Engine
.
Problems with this scheme
Of course, it's not a perfect system. A good passphrase can't be replaced by a little paper card. Since three input characters map to one output character, the resulting password loses entropy instead of gaining it. The net entropy gain is that attackers can't use dictionary attacks as easily anymore. In order to do that, they would need to gain access to the mapping or perform an exhaustive search. If an attacker knows that such a card was used, they can use this to their advantage to speed up an exhaustive search.
Furthermore, users are expected to keep their card around, and many will probably leave it on their desk, under their keyboard or in similar bad locations. If they lose their card, they will probably lose their password too. They will need a new card, and change their password as well, which is not that good for usability.
Summary
So, is this a good system? Ultimately, I would say you have to judge it in the context of what it is designed to do. It's an aid for a specific group of users, who would otherwise use ungodly terrible passwords. And helping users choose marginally better passwords for a negligible cost is a good thing, in my opinion. Of course, it is not a silver bullet that magically solves the problem of credential storage and generation.
If possible, always use a password manager, let it generate long, high-entropy passwords and store them for you in a safe manner.
If this is not possible (e.g. for OS logins), I recommend either using Diceware or creating a long, nonsensical sentence, such as TheGreenLightFromOurEyesShinesThroughTheMirrorOfTime.
. Just ensure that such a sentence isn't taken from a book or movie.
Full disclosure: I work for a company, which distributes such cards. This answer however is my own personal opinion of them.
The idea of these cards is that some users are just really bad at remembering passwords or pass phrases. The naïve approach would be to tell users "Just get better at remembering passwords", but experience has shown that such advice is counter-productive with some users.
Their memory seems to be hard-wired to only recall simple words, which probably have something to do with their work. So somebody working in a car factory may remember a word such as "Engine".
"Engine", of course, is a terrible password - both in length and entropy. So the "Kryptonizer" or similarly named cards try to add both of those.
Length is added by the prefix, 4uR=? in this case. It immediately increases the password length by 5 characters, bumping a 6 character password up to an 11 character password. Not perfect, but an improvement.
Entropy is added by substituting each character with a randomly chosen character. Not exactly a 1:1 substitution, but close enough. Since each card is unique, one can't build a pre-made rule on how to mangle each dictionary phrase.
In this example, "Engine" would turn into 4uR=?1YFFY1. Is this a good password? Probably not great, but certainly a lot better than "Engine".
Problems with this scheme
Of course, it's not a perfect system. A good passphrase can't be replaced by a little paper card. Since three input characters map to one output character, the resulting password loses entropy instead of gaining it. The net entropy gain is that attackers can't use dictionary attacks as easily anymore. In order to do that, they would need to gain access to the mapping or perform an exhaustive search. If an attacker knows that such a card was used, they can use this to their advantage to speed up an exhaustive search.
Furthermore, users are expected to keep their card around, and many will probably leave it on their desk, under their keyboard or in similar bad locations. If they lose their card, they will probably lose their password too. They will need a new card, and change their password as well, which is not that good for usability.
Summary
So, is this a good system? Ultimately, I would say you have to judge it in the context of what it is designed to do. It's an aid for a specific group of users, who would otherwise use ungodly terrible passwords. And helping users choose marginally better passwords for a negligible cost is a good thing, in my opinion. Of course, it is not a silver bullet that magically solves the problem of credential storage and generation.
If possible, always use a password manager, let it generate long, high-entropy passwords and store them for you in a safe manner.
If this is not possible (e.g. for OS logins), I recommend either using Diceware or creating a long, nonsensical sentence, such as TheGreenLightFromOurEyesShinesThroughTheMirrorOfTime. Just ensure that such a sentence isn't taken from a book or movie.
edited 8 hours ago
answered 9 hours ago
MechMK1
7,147 3 gold badges 25 silver badges 47 bronze badges
You may as well just print a proper randomly-generated 16-character string on the card for them to use as their password.
– OrangeDog
14 mins ago
@OrangeDog No, because then you have to trust the card designer with your (full) password.
– Jon Bentley
7 mins ago
@OrangeDog not only that but anybody who sees the card would have your password!
– Digital Chris
1 min ago
It always depends on what you compare it with! What is the realistic alternative, that users would actually use, to using this card?
Clearly, 4uR=?F133Y9Yi31 is a much better password than HELLOWORLD. If you are giving this card to a non-techie who's not going to pick good passwords or use a password manager anyway, then it's an improvement.
On the other hand, using this system is much worse than just picking a random 16 letter password that you'll never remember and storing it in your password manager. An attacker who knows what letters there are on the card (e.g. by looking at leaked passwords from the same user) could easily crack it - suddenly it is only 40 bits of entropy!
So is this a good idea for people who might use a password manager? No, absolutely not. For your grandpa? Maybe! Don't let perfect be the enemy of the good.
answered 8 hours ago
Anders
51.6k 22 gold badges 147 silver badges 173 bronze badges
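As an added illustration, not code from either answer above and not a vendor's actual card table, the following Python models the prefix-plus-substitution scheme both answers discuss: MechMK1's point that three letters collapsing onto one printed symbol loses entropy, and Anders's point that an attacker who knows which symbols the card prints faces a much smaller search space. The prefix 4uR=? is the one quoted on the page; the 3-to-1 letter table is constructed here so that it reproduces the two outputs shown on the page (Engine and HELLOWORLD) and is an assumption, as is the small stand-in wordlist.

```python
import math

PREFIX = "4uR=?"  # fixed prefix quoted in the answers above

# Constructed 3-to-1 letter table (an assumption, not a real card): chosen so that it
# reproduces the two outputs shown on the page, Engine -> 4uR=?1YFFY1 and
# HELLOWORLD -> 4uR=?F133Y9Yi31. A real card prints its own random table.
GROUPS = {
    "abc": "7", "def": "1", "ghi": "F", "jkl": "3", "mno": "Y",
    "pqr": "i", "stu": "c", "vwx": "9", "yz": "e",
}
CARD = {letter: symbol for group, symbol in GROUPS.items() for letter in group}
SYMBOL_TO_GROUP = {symbol: group for group, symbol in GROUPS.items()}

# Constructed toy wordlist standing in for a cracking dictionary.
DICTIONARY = ["admin", "engine", "hello", "password", "qwerty", "snowden", "welcome"]


def kryptonize(word):
    """Apply the card: the fixed prefix, then one symbol per input letter (case-insensitive)."""
    body = word.lower()
    if not body or any(ch not in CARD for ch in body):
        raise ValueError("this card only covers the letters a-z")
    return PREFIX + "".join(CARD[ch] for ch in body)


def preimage_count(password):
    """How many letter strings the card maps onto this password (decoding it is like decoding T9)."""
    if not password.startswith(PREFIX):
        raise ValueError("not produced by this card: prefix missing")
    count = 1
    for symbol in password[len(PREFIX):]:
        count *= len(SYMBOL_TO_GROUP[symbol])
    return count


def invert_with_dictionary(password, dictionary=DICTIONARY):
    """Attacker holding the card: keep only wordlist entries that encode to the leaked password."""
    return sorted(w for w in dictionary if kryptonize(w) == password)


def search_space_bits(word_len, dictionary_size=len(DICTIONARY)):
    """log2 of the candidates each attacker model must try for an n-letter input word."""
    output_len = len(PREFIX) + word_len
    output_alphabet = len(set(CARD.values()))  # 9 distinct symbols on this card
    return {
        # treats the output as a random printable-ASCII string of its full length
        "blind_printable": math.log2(95 ** output_len),
        # entropy of the raw n-letter word before the card collapses it
        "raw_letters": math.log2(26 ** word_len),
        # knows the prefix and which symbols the card prints: only 9^n outputs can exist
        "card_symbols": math.log2(output_alphabet ** word_len),
        # holds the table and a wordlist: encode each word and compare
        "card_plus_dictionary": math.log2(dictionary_size),
    }


if __name__ == "__main__":
    for word in ("Engine", "HELLOWORLD"):
        pw = kryptonize(word)
        print(f"{word:>10} -> {pw}  ({preimage_count(pw)} letter strings decode to it)")
    print("wordlist candidates for 4uR=?1YFFY1:", invert_with_dictionary("4uR=?1YFFY1"))
    for model, b in search_space_bits(6).items():
        print(f"{model:>22}: {b:5.1f} bits")
```

Running it shows the shape of the argument rather than any vendor's exact numbers: for a 6-letter word the 11-character output looks like 72 bits if treated as random printable text, but only 9^6 distinct outputs (about 19 bits) can exist once the attacker knows the card's symbol set, fewer than the 28 bits of the raw letters, and with the table plus a wordlist the attacker simply encodes each candidate word and compares.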
Can you elaborate on what this card is being used for? It does seem like a rudimentary password hashing scheme designed for manual checks - especially with "simple passwords" you have reduced security. A password that matches the hash can easily be produced for every hash in one pass.
– Tobi Nary
9 hours ago
This looks like a very weak password hashing scheme. Given a hashed password, it won't be too difficult to reverse it into a list of possible plain text passwords (the reversing algorithm is essentially the T9 algorithm).
– Lie Ryan
9 hours ago
@TobiNary To cite the card (translated): "It is often too easy for hackers to acquire personal information. The reason: Passwords that we can easily remember aren't cryptic. They are often common names or words like 'Snowden' or 'Admin'." This card tries to fix this by making easy-to-remember passwords cryptic.
– izlin
9 hours ago
@izlin do you have the German text as well? This does seem like first class sarcasm.
– Tobi Nary
7 hours ago
@TobiNary I actually explain this very concept right in the beginning of my answer. Yes I absolutely agree that teaching people to use passwords is way better than to rely on what is effectively a crutch. And this may be perfectly fine for a 28-year-old college graduate with a MSc. in Engineering. But for the 57-year-old Karen from Accounting, this proves to be substantially more difficult.
– MechMK1
3 hours ago