[SKIP ALL THIS IF YOU WANT TO GET STRAIGHT TO THE PUZZLE]
A couple of days go the cloud password vault system “LastPass” was hacked. Based on what I’ve read, their user tables were taken, which includes email addresses, password reminders, user salts, and authentication hashes. Without getting overly technical, what happens when you log in to a site is that your password (say…”password1″) is appended with a unique (to the user) set of extra characters – a “salt” (say…KSK4EVR) and the corresponding output (password1KSK4EVR) is run through a hashing algorithm. What comes out – a long complicated string of letters and numbers – is checked against the authentication hash in the user table that corresponds to the given username. If they match, access is granted to that user.
Cracking a password is pretty tough simply because it takes time – the hashing algorithms are one-way, which means that the only way to see if a potential password is the right password is by running it through the algorithm and seeing if the output matches the authentication hash. To make things tougher (i.e. more time-consuming) a lot of sites will run the hash repeatedly (i.e. get the hash for password1KSK4EVR, then take THAT result and put it back into the algorithm, take THAT result and put it back…etc). There’s a practical limit for this, of course, because when you’re authenticating a user YOU have to do the same process, so if you’re going to run your hash through five billion rounds it will take too long and annoy your users. The purpose of the salt is so that even if two users have the same password, the salt will cause them to end up with different authentication hashes; thus you have to check every possible password (until you hit the right one) for EACH user.
This news about LastPass is interesting to me because not only is LastPass downplaying the significance of the breach (as would be expected), but tech reporting sites are generally dismissing it as insignificant as well. Even more curiously, Techcrunch (which I generally hate-read because their author Darrell Etherington is the most blatant Apple-polisher I have ever seen) hasn’t even mentioned it. And for the most part, they’re right – anyone who has a password that is long, strong, and down to get the friction on is going to be safe, because it’s simply not practical to run brute force attacks against single users. What’s more likely to happen (says this guy who’s taking a brief respite from writing dick jokes) is that they’ll base their attack on finding the users who have weak passwords. Instead of testing all possible password combinations for a single user, they will test – one by one – a bunch of commonly used weak passwords (123456, password, qwerty) against all the users. And let’s face it, anyone who has such a terrible password isn’t likely to be keeping up with tech news, so they won’t have even heard about the hack. It won’t be hugely successful – most people smart enough to use a password manager will be sharp enough to use a decent password – but they’ll get a few.
So I’ve been thinking a bit about password alternatives. Password managers – where everything is secured with a single master password – are very popular these days, but I’m really not a fan of any kind of solution that puts all of your eggs in one basket. In particular, cloud-based solutions like LastPass are particularly problematic because your entire online life – including things like banking details and credit card numbers – are potentially available to anyone with an internet connection. Sure, they’ve got to crack it, but once they do…BAM! I hate biometric solutions because they’re fantastic from a convenience standpoint but lousy from a security standpoint. Fingerprints (and a number of other biometrics as well) can often obtained without the user’s knowledge or consent. And once they’re compromised, you can’t change them, so they become entirely useless. Two-factor authentication (i.e. something you know + something you possess) is pretty solid, but I’ve been trying to figure out a scheme to make the “something you know” part better. Today’s puzzle is based on that scheme; this particular scheme is designed to allows you to generate over fifteen thousand different passwords and remember them all – what you’re remembering is the scheme, not the actual password. This puzzle is based on a somewhat simplified version of it; in the solution I’ll explain what can be done to make it even stronger.
This seems like a fair enough place to mention one of the other schemes I’ve developed – using points on a map to link to passwords. It’s not really practical for everyday login/authentication (it’s too slow), but I think a fairly practical implementation could be used for password reset function; instead of just pressing a button and having your account reset through your email (which leaves you pretty fucked if your email is compromised; they can reset any password they want!) the user has to register a point and find it in order for the reset process to be initiated. It would need decent lockout procedures; longer successive wait times between each failed attempt. It’s here – the point you’re looking for is the Pyramide at the Louvre.
[PUZZLE STARTS HERE]
This is the password I use to log in to hotmail.com: gitek1ODVST@tabgi3
What is the password I use to log in to overstock.com?
Hints are below – don’t be shy about using them; this puzzle is specifically designed to be super-hard, if it’s not then my scheme is a failure (which is fine, but I’d certainly rather know before I deployed it in real life).
Hint 1: the password I use to log in to twitter.com is: tabgi1EHIDKRY@ubdua3
Hint 2: There are 17,576 possible permutations of this password scheme.
Hint 3: the password I use to log in to gmail.com is: gikf1MIKR@akoga3
Hint 4: this might help – http://virtualskies.arc.nasa.gov/communication/2.html
Hint 5: the password I use to log in to hustler.com is: gitek1UNIGOTM@suerra3 (no, YOU’RE the pervert)
Hint 6: in this password scheme, the word “foxtrot” becomes “fixtrit” if it comes first or third, or “gocytoy” if it comes second.
Solution: There are three groups of letters in each password – each of these groups is based on the first three letters in the website name – in the case of hotmail, it’s H-O-T and for overstock it’s O-V-E. Each group of letters is based off the International Phonetic Alphabet, so H corresponds to “hotel”, O corresponds to “oscar”, etc. Each word (hotel, oscar) is typed in by key-shifting. The first word is typed by shifting the right hand over by one key – JKL: becomes HJKL, the second word is typed by shifting the left hand over one key – ASDF becomes SDFG, and the third verse is same as the first. The numbers are just a basic 1, 2, and 3, and the entire middle group (including the 2) is capitalized.
What’s the point? A rotating phonetic alphabet scheme would be pretty easy to spot – anyone seeing the plaintext of hotel1OSCAR@tango3 is going to figure out the scheme pretty quickly. Key-shifting obfuscates that nicely; presumably when you looked at the very first password given in the puzzle it just looked like random gibberish and it wasn’t evident that there was a pattern. The theory behind this is that even if someone gets ONE of your passwords, it just looks like a standard strong password. But of course, in order to make this really effective, instead of using the International Phonetic Alphabet (alpha, bravo, charlie…) you could use a custom alphabet of your own (apple, banana, carrot…). To take it even further, you can add a salt of your own, just drop some letters and symbols onto the end that you use for ALL passwords, but isn’t related to the pattern. That will become immediately obvious if a person gets TWO of your passwords in plaintext, but will make it much harder to decipher the pattern from a single breached password. You can also add a custom shift scheme (SanDeE*) for bonus confusion.