Wednesday, April 28, 2010

Shifted Password Strategy = Simple Obfuscation

Recently Adam Pash posted an article on lifehacker titled “Shift Your Fingers One Key to the Right for Easy-to-Remember but Awesome Passwords”. The basic idea behind this trick is to generate what appear to be complex passwords by merely placing your fingers one key to the right and typing something easy to remember. For example, “Password” would become “{sddeptf”.

For lack of a better term, I will call this approach “Shifted Password” in this post.

Initially I thought Shifted Password was a great idea, and I wondered whether it is a better and simpler approach than the one proposed by Bruce Schneier in his Wired article titled “Secure Passwords Keep You Safer”. However, after careful consideration, I have come to the conclusion that the Shifted Password approach is neither practical nor secure.

People no longer access their password-protected resources only from a laptop or desktop with a full-size keyboard. The shift depends on the physical position of the keys, so alternative input mechanisms and variations in keyboard layout (iPhone, BlackBerry, Dvorak, etc.) turn the same memorized word into a different string on each device, which renders the Shifted Password strategy ineffective.

Although passwords generated with the Shifted Password strategy might appear strong (more complex), a shifted password is merely an obfuscation of a simple, easy-to-remember password. In other words, a shifted password is not a good substitute for a complex password.

For example, if someone wants to use “myDogSpot” as the password, the Shifted Password version would be “,uFphD[py”. Looks secure! But is it? It is still vulnerable to a dictionary attack: the shift is a fixed, one-to-one substitution of keys, so every entry in an attacker's wordlist has exactly one shifted counterpart and the transformation adds no guesses to the attacker's work. Such attacks might not be common yet, but it is only a matter of time until attackers smarten up and extend their wordlists with this obfuscated variation.

Over at the Command Line Kung Fu blog, there is already a post titled “Shifty Passwords” which shows how easy it is to compensate for this obfuscation: with the Unix tr command, a shifted version of an existing dictionary can be generated in a single pass. As the variable names suggest, r1 to r4 and R1 to R4 hold the four keyboard rows (lower- and upper-case keycaps), and the variables with an s suffix hold the same rows moved one key to the right:

$ cat dict.txt | tr "$r1$R1$r2$R2$r3$R3$r4$R4" "$r1s$R1s$r2s$R2s$r3s$R3s$r4s$R4s" >shift-dict.txt

In the lifehacker article, Adam Pash concludes:

"Something longer but still really lame, like, say, "topsecretpassword", becomes "yp[drvtry[sddeptf". These may not be perfect compared to secure password generators, but they're likely orders of magnitude better than a lot of people's go-to passwords."

I would humbly disagree with Adam, because the appearance of complexity could lull a user into a false sense of security. Claiming that the Shifted Password approach is "orders of magnitude better" strikes me as a bit of false advertising.

If you are willing to accept the practical limitations of the Shifted Password strategy, it could prove useful, provided that you start with a complex password (catch-22!).

In my book, I am going to score this as Bruce Schneier 1, Adam Pash 0. :-)

