FYI.

This story is over 5 years old.

Tech

How to Make Unbreakable Passwords In Your Head Using Mental Cryptography

It's not easy, but neither is having your identity stolen.
Image: IAKOBCHUK VIACHESLAV/Shutterstock

You almost certainly do passwords wrong. That's OK, though, because most people do. 

You're supposed to have distinct passwords for every one of your different accounts, and, what's more, those passwords are supposed to be difficult. Use some numbers and symbols and weird capitalization, they tell us. But it's hard, and so we wind up just using the same password for everything and taking the risk.

That risk is the possibility of someone hacking one password and suddenly having access to your entire life, which might mean your money, private photos, work stuff, etc. One interesting solution to this problem is just handing off the task of password creation entirely and using something akin to identity-based encryption.

Advertisement

This is where some aspect of the user (a name or some other identity feature) is used as the basis for an encryption scheme. So, I might hand "amazonmichael" to a password generator and it would return a unique password tailored for just that one account.

The problem, of course, is trusting a single third-party with this task. Turing Award winner Manuel Blum recently proposed a solution at the Heidelberg Laureate Forum that uses ID-based encryption but avoids the third-party password generator. Instead, this encryption is done mentally by the user.

The hard part is memorization, but there's really no way around memorization in a safe password scheme

Blum's method is rather optimistic about the average person's capability for processing numbers, but given the current privacy anxiety, maybe some will be willing to invest the mental energy.

Here's how it works: The first part is the most difficult and involves assigning letters to the numerical digits 0 through 9. Something like this could probably be achieved with just a subset of the alphabet, but Blum wants the full thing, which requires some numbers to have multiple letters assigned (26 letters, 10 digits).

This mapping should be random. That is, no cheating by using patterns to aid memorization. No A=1, B=2. Next, take the set of numerical digits and put them in a random order. Again: no cheating. The important thing is that both the mapping and the sequence of digits are random and memorized by the user. Those are your private keys.

Advertisement

I know this already seems hard, but there's one more thing needed in this setup stage. We'll need a function, which is just something that transforms an input to an output according to a rule. The function we need, which we'll call "g," just takes the digits in your sequence one by one and returns the next one in the sequence. So, in the sequence "1328," it would return "g(1) = 3," "g(3) = 2," and "g(2) = 8." That's pretty easy.

Using your map you'll convert the letters of your identity sequence ("amazonmichael") to numbers.

YOU'RE ALREADY MEMORIZING MORE PIECES OF INFORMATION THAN BLUM'S SCHEME REQUIRES

Next, add the first and last number of that sequence and apply what's known as the modulus operation. It's not as difficult as it sounds, and basically ensures that we'll always wind up with a number between 0 and 9 after adding that first digit and the last digit. It works by dividing and returning just the remainder of the division.

So, in this encryption scheme we need to take "mod 10," because there are 10 digits in the sequence. In my example, I would add 1 to 8, which is 9, and the modulus operation would just return 9, the remainder of dividing 9 by 10. If my digits added up to be, say, 16, the mod 10 operation would give 6.

After that, we apply that "g" function. If you'll remember, that just means taking a number and returning the next number in that random sequence you made earlier. This result is the first digit in your encrypted password. The rest is computed by taking the last password digit and adding it to not the last digit of the sequence but the next to last, and on down the line.

So, for 1328, I would take my 9 and add it to 2, which is 11. It becomes 1 after the modulus operation and that's the next digit of the password. Next, that would get added to three and the result of that would get added to 1.

That all seems much more complex and difficult than it really is. The hard part is memorization, but there's really no way around memorization in a safe password scheme anyhow. If you had five different eight-digit passwords that are suitably random for five different accounts, you're already memorizing more pieces of information than Blum's scheme requires.

And if a password ever becomes compromised, all the user needs to do is come up with a new variation on the initial identity string, e.g. "amazonhackproof" or whatever. If the map becomes comprised (which it shouldn't if the user isn't leaving it laying around), make a new one.

OK, I know. Seems like a lot. So I'll tell you what. Let me try it. I'll report back in a couple of weeks and, if successful, then, hey, if a scatterbrain like me can do it, you can too.