29 June 2015

RandomCards: a simple low-tech method for managing strong passwords

Passwords, always a problem

Everyone with access to a computer has problems with passwords. Repeatedly, whenever some website is hacked we're reminded that the majority of all people use weak passwords like "P@ssw0rd1" or their dog's name. Whenever some website is hacked, users with weak passwords or those who reuse their passwords are the first victims, and often have their data compromised at other systems than the ones that got hacked.

Others try to use strong passwords, but the elements that make a password strong such as length, entropy (randomness), and not being based on a dictionary word in the first place usually make strong passwords very hard to memorize. This is often overcome by using a password manager, or by simply writing the passwords down in a file or on paper.

Unfortunately, password managers are sometimes compromised too, for good reasons. Why would hackers not put extra effort into breaking into a system where thousands of users store all their credentials? They do, and as a result it happens that even top-of-the-line password managers are sometimes breached.

Good password managers are designed to make life harder for hackers by employing layer after layer of strong encryption, yet if a user's master password is not strong enough that user is at risk of having all their passwords leaked anyway.

Writing passwords down in a file or on a paper is equally insecure, as has also been shown repeatedly. When the French TV channel TV5 Monde was hacked recently, it turned out that not only did they use a combination of very weak passwords such as "azerty12345" ("qwerty12345"), and "lemotdepassedeyoutube" ("password for youtube"), but they also posted them on post-it notes all over their offices.

Of course, they're not alone on using post-it notes for passwords:
Personally, I am not a fan of password managers, especially the "online"/cloud based ones where you store all your credentials in one central location, trusting a third party to ensure that unauthorized users can't access them.

I don't claim to have a solution to any of the issues surrounding passwords, but being sceptical of password managers and still wanting to use sufficiently strong passwords myself, I have put together an experimental app for generating and printing pocket-sized cards with random content that can be used to derive passwords, "RandomCards".


RandomCards is a small app that will generate large random numbers using cryptographic random number generators, convert them to printable/human readable characters (Base64), and print out 10 wallet sized cards with random characters on a sheet of A4 or Letter paper.

The RandomCards app has a fairly simple user interface: choose which RNG (random number generator) you want to use, how many pages of RandomCards you want to print (with 10 cards on each page), hit the "Print" button, select target printer, and it will print out your cards. Each card has a small unique icon to distinguish it from your other cards, so you can keep a stack of them together and still be able to distinguish the cards from each other.

The list of random number generators available in the app depends on which RNGs you have on your system. On a baseline windows system with no TPM, you may see only Microsoft's CSPs. If you have a TPM ("trusted platform module") installed, you should be able to use the TPM's hardware-based random number generator. The default option is "All Available RNGs", which will generate random numbers using all installed RNGs and XOR them together. This should result in a random sequence at least as strong as the strongest RNG, regardless of if any of the other RNGs are weakened/predictable.

Although this can resemble some kind of "post-it notes on steroids" password manager, the idea is that these cards contain enough entropy to be used for strong passwords, and since you can read them in any direction you want they are much more difficult for an attacker to figure out your password if you lose them than an ordinary password note or file.

Print, laminate, and keep a sufficient number of cards in your wallet. The cards are wallet sized for a good reason, and if you make up your own technique for reading them ("red pineapple card, start at J5, read diagonally up for 18 characters is for xyz.com") then they're going to provide you with strong passwords without having to memorize a full long random password, while making no sense to someone else if you lose your cards.

Change around your RandomCard printed cards, pick a starting point that you can memorize, pick an arbitrary reading direction (up, down, left, right, diagonally, diagonally pairwise, zig-zag [up/down/ltr/rtl] etc), pick an arbitrary password length (12 characters or longer), and each card offer a very large number of combinations of fairly strong* passwords.

* = Remember, since the random data on the RandomCar cards is base64 encoded, every 3 characters of a RandomCard password correspond to 2 bytes or 16 bits of entropy, so a 12 character string from one of these cards are equivalent to 8 bytes or 64 bits of entropy, or 1 in 18,446,744,073,709,551,616 for someone who have no access to your password cards.

Download the app (or source code)

If you want to try out or use RandomCards, you can download the app from https://apps.huagati.com/download/RandomCardsApp.zip, or the source code for it from https://apps.huagati.com/download/RandomCardsSource.zip

The app requires a PC with .net 4.0, sufficient user privileges to use the random number generators installed on the system, and a printer.

As always: provided as-is. No warranties (expressed or implied). Use at your own risk. Batteries not included.

Feedback, comments, questions? Post it in the comments section below.

No comments:

Post a Comment