Occasional Puzzle: Passwords


A couple of days ago the cloud password vault “LastPass” was hacked.  Based on what I’ve read, their user tables were taken, which includes email addresses, password reminders, per-user salts, and authentication hashes.  Without getting overly technical, what happens when you log in to a site is that your password (say…”password1″) is appended with a set of extra characters unique to you – a “salt” (say…KSK4EVR) – and the combined string (password1KSK4EVR) is run through a hashing algorithm.  What comes out – a long complicated string of letters and numbers – is checked against the authentication hash stored in the user table for the given username.  If they match, access is granted to that user.

Cracking a password is pretty tough simply because it takes time – the hashing algorithms are one-way, which means that the only way to see whether a candidate password is the right one is to run it through the algorithm and see if the output matches the authentication hash.  To make things tougher (i.e. more time-consuming) a lot of sites run the hash repeatedly: get the hash for password1KSK4EVR, then take THAT result and put it back into the algorithm, take THAT result and put it back…and so on.  There’s a practical limit to this, of course, because when you’re authenticating a user YOU have to do the same work, so if you run your hash through five billion rounds it will take too long and annoy your users.  The purpose of the salt is that even if two users have the same password, the salt causes them to end up with different authentication hashes; thus an attacker has to check every candidate password (until hitting the right one) separately for EACH user, rather than hashing each guess once and comparing it against the whole table.

This news about LastPass is interesting to me because not only is LastPass downplaying the significance of the breach (as would be expected), but tech reporting sites are generally dismissing it as insignificant as well.  Even more curiously, Techcrunch (which I generally hate-read because their author Darrell Etherington is the most blatant Apple-polisher I have ever seen) hasn’t even mentioned it.  And for the most part, they’re right – anyone who has a password that is long, strong, and down to get the friction on is going to be safe, because it’s simply not practical to run brute force attacks against single users.  What’s more likely to happen (says this guy who’s taking a brief respite from writing dick jokes) is that they’ll base their attack on finding the users who have weak passwords.  Instead of testing all possible password combinations for a single user, they will test – one by one – a bunch of commonly used weak passwords (123456, password, qwerty) against all the users.  The per-user salt doesn’t stop this; it just means each guess has to be hashed once per user, which is cheap when the list of guesses is short.  And let’s face it, anyone who has such a terrible password isn’t likely to be keeping up with tech news, so they won’t even have heard about the hack.  It won’t be hugely successful – most people smart enough to use a password manager will be sharp enough to use a decent password – but they’ll get a few.
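To make the two paragraphs above concrete, here is a small model of a salted, iterated password store together with the “common passwords against every user” sweep.  This is an added example, not code from the post and not anything LastPass runs; the accounts, passwords, salts and round count are all constructed for the demo, and a real system should use a purpose-built function (bcrypt, scrypt, Argon2 or PBKDF2 with a high round count) rather than a hand-rolled SHA-256 loop.

```python
import hashlib
import secrets

# Round count kept small so the demo runs instantly; the point is the shape
# of the computation, not a production work factor.
ROUNDS = 1000

# Constructed sample data: fake accounts with fake passwords.
SAMPLE_USERS = {
    "alice@example.com": "123456",
    "bob@example.com": "123456",
    "carol@example.com": "correct horse battery staple",
}

COMMON_PASSWORDS = ["password", "123456", "qwerty"]


def hash_password(password: str, salt: str, rounds: int = ROUNDS) -> str:
    """Append the per-user salt, hash, then feed the digest back into the
    hash (rounds - 1) more times, as the post describes."""
    digest = hashlib.sha256((password + salt).encode("utf-8")).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha256(digest).digest()
    return digest.hex()


def make_user_table(users: dict) -> dict:
    """Build what a breach would leak: per-user salt and authentication hash.
    The plaintext never goes into the table."""
    table = {}
    for email, password in users.items():
        salt = secrets.token_hex(8)  # unique per user; not secret
        table[email] = {"salt": salt, "hash": hash_password(password, salt)}
    return table


def verify(table: dict, email: str, candidate: str) -> bool:
    """The login check: rehash the candidate with the stored salt and compare
    in constant time."""
    record = table[email]
    return secrets.compare_digest(
        hash_password(candidate, record["salt"]), record["hash"]
    )


def common_password_sweep(table: dict, wordlist: list) -> tuple:
    """The attack the post expects: a short list of weak passwords tried
    against every user. Returns (hits, hash_calls). The per-user salt does
    not block this; it only forces one hash call per (guess, user) pair."""
    hits = {}
    hash_calls = 0
    for guess in wordlist:
        for email, record in table.items():
            if email in hits:
                continue  # already cracked; no need to keep hashing
            hash_calls += 1
            if hash_password(guess, record["salt"]) == record["hash"]:
                hits[email] = guess
    return hits, hash_calls


def brute_force_cost(charset_size: int, length: int, rounds: int = ROUNDS) -> int:
    """Hash invocations needed to exhaust every password of the given
    charset and length for ONE user: why single-user brute force is
    impractical against a long, strong password."""
    return charset_size ** length * rounds


if __name__ == "__main__":
    table = make_user_table(SAMPLE_USERS)
    # Same password, different salts, different hashes:
    print(table["alice@example.com"]["hash"] != table["bob@example.com"]["hash"])
    hits, calls = common_password_sweep(table, COMMON_PASSWORDS)
    print(hits, "found with", calls, "hash computations")
    print("exhausting 18 chars over 72 symbols:", brute_force_cost(72, 18), "hashes")
```

The sweep finds both weak accounts in seven hash computations, while exhausting a single strong password costs on the order of 72^18 times the round count; that gap is the whole argument of the paragraph above, and only the round count (not the salt) makes the sweep any slower.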

So I’ve been thinking a bit about password alternatives.  Password managers – where everything is secured with a single master password – are very popular these days, but I’m really not a fan of any kind of solution that puts all of your eggs in one basket.  In particular, cloud-based solutions like LastPass are problematic because your entire online life – including things like banking details and credit card numbers – is potentially available to anyone with an internet connection.  Sure, they’ve got to crack it, but once they do…BAM!  I hate biometric solutions because they’re fantastic from a convenience standpoint but lousy from a security standpoint.  Fingerprints (and a number of other biometrics as well) can often be obtained without the user’s knowledge or consent.  And once they’re compromised, you can’t change them, so they become entirely useless.  Two-factor authentication (i.e. something you know + something you possess) is pretty solid, but I’ve been trying to figure out a scheme to make the “something you know” part better.  Today’s puzzle is based on that scheme; this particular scheme is designed to allow you to generate over seventeen thousand different passwords and remember them all – what you’re remembering is the scheme, not the actual password.  This puzzle is based on a somewhat simplified version of it; in the solution I’ll explain what can be done to make it even stronger.

This seems like a fair enough place to mention one of the other schemes I’ve developed – using points on a map to link to passwords.  It’s not really practical for everyday login/authentication (it’s too slow), but I think a fairly practical implementation could be used for the password reset function; instead of just pressing a button and having your account reset through your email (which leaves you pretty fucked if your email is compromised; they can reset any password they want!) the user has to register a point and find it again in order for the reset process to be initiated.  It would need decent lockout procedures; longer successive wait times between each failed attempt.  It’s here – the point you’re looking for is the Pyramide at the Louvre.


This is the password I use to log in to hotmail.com:  gitek1ODVST@tabgi3

What is the password I use to log in to overstock.com?

Hints are below – don’t be shy about using them; this puzzle is specifically designed to be super-hard, if it’s not then my scheme is a failure (which is fine, but I’d certainly rather know before I deployed it in real life).

Hint 1: the password I use to log in to twitter.com is: tabgi1EHIDKRY@ubdua3

Hint 2: There are 17,576 (that’s 26 × 26 × 26) possible passwords in this scheme.

Hint 3: the password I use to log in to gmail.com is: gikf1MIKR@akoga3

Hint 4: this might help – http://virtualskies.arc.nasa.gov/communication/2.html

Hint 5: the password I use to log in to hustler.com is: gitek1UNIGOTM@suerra3 (no, YOU’RE the pervert)

Hint 6: in this password scheme, the word “foxtrot” becomes “fixtrit” if it comes first or third, or “gocytoy” if it comes second. 

Answer: iscar1BIVYOT@ecgi3

Solution: There are three groups of letters in each password, and each group is based on one of the first three letters of the website name – in the case of hotmail it’s H-O-T and for overstock it’s O-V-E.  Each letter is turned into its word from the NATO phonetic alphabet (the one pilots use, not the linguists’ IPA), so H becomes “hotel”, O becomes “oscar”, and so on.  Each word is then typed by key-shifting on a standard QWERTY keyboard.  The first word is typed with the right hand shifted one key to the left – the fingers that normally rest on JKL; sit on HJKL instead, so “hotel” comes out as “gitek” – while the left hand stays put.  The second word is typed with the left hand shifted one key to the right – ASDF becomes SDFG, so “oscar” comes out as “odvst” – while the right hand stays put.  The third verse is the same as the first.  The separators are just 1, 2, and 3, and the entire middle group (including the 2) is typed with Shift held down, which is why the 2 shows up as @.

What’s the point?  A rotating phonetic alphabet scheme would be pretty easy to spot – anyone seeing the plaintext of hotel1OSCAR@tango3 is going to figure out the scheme pretty quickly.  Key-shifting obfuscates that nicely; presumably when you looked at the very first password given in the puzzle it just looked like random gibberish and it wasn’t evident that there was a pattern.  The theory behind this is that even if someone gets ONE of your passwords, it just looks like a standard strong password.  The thing to keep in mind is that the scheme itself is the real secret: there are only 17,576 possible outputs, and anyone who knows the rule can turn one leaked password back into its site and derive every other one.  So in order to make this really effective, instead of using the NATO phonetic alphabet (alpha, bravo, charlie…) you could use a custom alphabet of your own (apple, banana, carrot…).  To take it even further, you can add a “salt” of your own – really a fixed secret suffix rather than a salt in the hashing sense – by dropping some letters and symbols onto the end that you use for ALL passwords but that aren’t related to the pattern.  That will become immediately obvious if a person gets TWO of your passwords in plaintext, but it will make it much harder to decipher the pattern from a single breached password.  You can also add a custom shift scheme (SanDeE*) for bonus confusion.
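Here is the puzzle’s scheme written out as code, so the worked passwords above can be checked and the “the scheme is the secret” point can be seen rather than argued.  This is an added example, not the post’s own code: the QWERTY rows, the split of keys between the two hands, and the spellings of the phonetic words the post never exercises (“juliett”, “xray”) are my assumptions.  It also goes one step past the post by inverting the rule: `recover_prefix` is what someone who already knows the scheme does with a single leaked password.

```python
from itertools import product

# NATO phonetic alphabet (Hint 4). The post's examples only exercise some of
# these; spellings such as "juliett" and "xray" are my assumption for the rest.
NATO = {
    "a": "alpha", "b": "bravo", "c": "charlie", "d": "delta", "e": "echo",
    "f": "foxtrot", "g": "golf", "h": "hotel", "i": "india", "j": "juliett",
    "k": "kilo", "l": "lima", "m": "mike", "n": "november", "o": "oscar",
    "p": "papa", "q": "quebec", "r": "romeo", "s": "sierra", "t": "tango",
    "u": "uniform", "v": "victor", "w": "whiskey", "x": "xray", "y": "yankee",
    "z": "zulu",
}

# US QWERTY letter rows; the left hand covers the five leftmost keys of each
# row and the right hand covers everything else (an assumption, but it
# reproduces every password in the post).
ROWS = ["qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
LEFT_HAND = set("qwertasdfgzxcvb")


def _neighbour(ch: str, step: int) -> str:
    """Key `step` positions along the same row (-1 = left, +1 = right)."""
    for row in ROWS:
        if ch in row:
            return row[row.index(ch) + step]
    return ch


def right_hand_shift(word: str) -> str:
    """Right hand rests one key to the left (JKL; on HJKL); left hand unchanged."""
    return "".join(c if c in LEFT_HAND else _neighbour(c, -1) for c in word)


def left_hand_shift(word: str) -> str:
    """Left hand rests one key to the right (ASDF on SDFG); right hand unchanged."""
    return "".join(_neighbour(c, +1) if c in LEFT_HAND else c for c in word)


def derive(site: str) -> str:
    """The puzzle's rule: phonetic words for the site's first three letters,
    shifted right/left/right, joined by 1, Shift+2 (= '@') and 3, with the
    middle group in capitals."""
    first, second, third = (NATO[ch] for ch in site[:3].lower())
    return (right_hand_shift(first) + "1"
            + left_hand_shift(second).upper() + "@"
            + right_hand_shift(third) + "3")


def key_space() -> int:
    """Distinct passwords the scheme can ever produce (Hint 2)."""
    return len(NATO) ** 3


def recover_prefix(password: str):
    """What an attacker who knows the scheme does with one leaked password:
    try all 26^3 site prefixes and read off the site. Every other password
    then follows from derive()."""
    for trio in product(NATO, repeat=3):
        prefix = "".join(trio)
        if derive(prefix) == password:
            return prefix
    return None


if __name__ == "__main__":
    for site in ["hotmail.com", "twitter.com", "gmail.com", "hustler.com", "overstock.com"]:
        print(f"{site:14s} {derive(site)}")
    print("foxtrot first/third:", right_hand_shift("foxtrot"),
          " second:", left_hand_shift("foxtrot"))
    print("possible passwords:", key_space())
    print("leaked iscar1BIVYOT@ecgi3 came from site prefix:", recover_prefix("iscar1BIVYOT@ecgi3"))
```

Two things fall out of running it that the prose only hints at: the inversion takes a fraction of a second because the whole space is 17,576 strings, and any two sites sharing their first three letters (hotmail.com and hotels.com, say) get the identical password, so one breach covers both.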


12 thoughts on “Occasional Puzzle: Passwords”

  1. This was a hard puzzle, so I decided to try to come up with one a little simpler with my meager mental resources. Here goes!

    Lately, we’ve all been plagued with all sorts of backend troubles at Uproxx. Specifically, it’s been eating our komments for no good raisin (but it might have something to do with attacking Uproxx or its sponsors)! Also, we still don’t have an edit button for all our gramatican errols! I mean, if it’s not the one thing, it’s the nothing! Those two factors makes me think Uproxx is trying to tell us all something; what could Uproxx be trying to say to us kommenters?

    I think I’ve cracked the case by taking a look at some komment sequences where these two troubles collided. Take a look:

    Burner420X: If Uproxx is as #UpforWhatever as they say they are, they should #suckmydick
    Burner420X: Gotta get those #sponsorship #dollars, right Uproxx?
    make it snow: Getting spoonsorship dollars has helped me become the Papa Johns Buick Nationwide champion football pitchman I am today!
    make it snow: *sponsorship, damnit
    Burner 420X: Gotta get that #BudLight money

    Cuntler: You’re mom reacted reasonably to my backdoor hacking.
    SonOfSpam: She’s totally #UpForWhatever, right Uproxx?
    Cuntler: Goddamnit, *you’re, you goddamn edit-button less looser
    SonOfSpam: There are no edit buttons in #WhateverUSA because IT’S ALL GOOD THERE!
    Cuntler: *Loser. Just like OSZ.

    OSZ: Uproxx is so #UpForWhatever they hired Rowles.
    OSZ: Last one got eaten, apparently. Again: Uproxx is so #UpForWhatever, they let Trent Green post from the memory unit as Johnny Sugar.
    OSZ: Stupid komment eater. Maybe I should just say FORUM and get it over with.
    Horatio Cornblower: I just caught my kid with an old copy of Panthouse forum. I didn’t even know any printed copies still existed!
    Horatio Cornblower: *Penthouse. I don’t even want to think about what “Panthouse Forum” would contain.

    Underball: I am a stupid dingbat who drinks #BudLight and I’m #UpForWhatever like trolling on Uproxx
    CBQUE: I’m totally gunna bite on that hook and rant now!
    Underball: CBQUE is totally #UpForWhatever I throw at him!
    CBQUE: *gonna, but GO YANKEYS!

    Balls Of Steel: I totally just had potine with Trevor Risk!
    Balls Of Steel: *Poutine, and it was damn tasty!
    Trevor Risk: And we totally got some #BudLight and were #UpForWhatever
    Trevor Risk: #BudLight #UpForWhatever #KOTW
    Balls Of Steel: *KOUTW

    Rikki-Tikki-Deadly: I wonder if everyone being #UpForWhatever is what causes Idiocracy to happen in the future?
    New School Zero: Oh, tha’ts part of it, all right. That and putting people like me in BREEDING PITS!
    New School Zero: *that’s, goodamnit!
    New School Zero: *goddmanit
    New School Zero: *GODDAMNIT I’m durkn

    Darkest Timeline Zach Morris: Darkest Timline Kelly and I just taught our dogs to cook our dinners! We’re set for life!
    Monty This Seems Strange to Me: Sounds like your dogs are #UpForWhatever! They can be the next #Spuds and sponsor Uproxx!
    Darkest Timeline Zach Morris: *Timeline. Without an edit buton, this really stays the darkest timeline.
    Monty This Seems Strange to Me: How much #sponsorshipmoney would it take for them to GIVE US A DAMN EDIT BUTTON?
    Darkest Timeline Zach Morris: *button. IT SHOULDN’T BE THIS DIFFICULT!


  2. I’ll admit I just dove right into the hints, and this is quite clever. I picked up on a little bit of it, but definitely wasn’t going to crack it. Well done.

    One quick question, though: Will any salt do, or does it have to be an artisan salt of some kind?


      1. Oh definitely. I think if I had laid out all the different pairs and gave myself time, I could have made more progress.


    1. Oh, it was. I went nowhere trying to convert letters to numbers, calculating how far into the alphabet each letter was, and the distance in numbers of letters from one to the next. Me dumb.

