Written: 24-Jul-1999
Revised: 20-Feb-2000
Published: 20-Oct-1999, Post Database

Password Crib Sheets
By Thiravudh Khoman

Conventional wisdom states that passwords should never be written down. They should be easy enough to remember but difficult enough so that others can't guess them. Despite this, there's a simple way to safely write down passwords. The trick is to hide your password among a group of seemingly random characters. A case in point: I carry a slip of paper in my wallet on which is printed 9 rows by 17 columns of numbers. Hidden among these numbers are the passcodes for my ATM and credit cards, plus a safe combination. Can you find my passcodes? You probably can't. (OK, this ISN'T really my crib sheet.)

1 3 4 9 8 2 3 4 0 3 9 8 2 4 3 4 5
1 2 9 4 3 4 3 4 3 8 2 4 3 2 9 4 3
2 1 3 0 8 4 9 5 9 0 8 4 9 2 2 9 0
8 9 8 1 0 4 0 9 3 4 4 0 5 9 3 4 5
1 5 7 3 9 5 8 0 9 3 4 9 3 4 9 4 9
2 0 9 7 5 6 2 9 8 4 9 2 3 9 4 2 4
1 7 7 0 8 3 5 7 3 4 7 2 3 4 3 2 7
5 8 6 8 2 0 7 2 2 3 8 4 3 4 2 3 4
6 8 0 9 3 9 5 3 1 3 4 9 0 4 9 8 3
8 3 0 9 4 4 5 9 3 4 8 3 4 8 2 2 3
2 1 6 8 9 7 9 2 3 4 9 9 3 1 2 4 3
4 1 6 8 9 2 4 8 9 9 3 4 9 8 4 3 9

Numeric Passcodes

Let's play with this a bit. What's the best way to hide your numbers on this piece of paper? Well, you could place four passcodes at the four corners of the 9x17 matrix, one in each corner. You could string 2 passcodes together with a dummy separator character on the first and last lines. You could start somewhere in the middle and position the 4 passcodes vertically, shifting them one column to the right for each row you move down. Et cetera. It's entirely up to you and there are an infinite number of possibilities.

Note that you don't need to remember the numbers per se, as long as you can recognize them when you see them or can remember how the numbers are laid out. To aid your memory, you could place an easily recognizable "starter" string at the beginning of the series. One of my ATM numbers is self-assigned and therefore it's easy for me to pinpoint this number. Once located, I can work out the placement of the other numbers.

How secure is this? In my opinion, quite secure as long as the matrix isn't too small and the placement of the numbers isn't too simplistic. Besides, as long as you keep this crib sheet on your person, no one will even have a chance to crack your codes.
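The sketch below is an added example, not the author's own code: it builds a 9x17 sheet, hides passcodes using one reading of the "shift one column to the right for each row" layout, reads them back, and lists every 4-digit string that lies on a straight line so you can judge how simplistic a placement is. The function names, the sample passcodes and the use of Python's `secrets` module for the filler digits are assumptions made for illustration.

```python
import secrets

ROWS, COLS = 9, 17  # sheet dimensions quoted in the article

def make_sheet(passcodes, row, col, rows=ROWS, cols=COLS):
    """Random-digit grid; each passcode on its own row, shifted one column right per row."""
    if row < 0 or col < 0 or row + len(passcodes) > rows:
        raise ValueError("passcodes do not fit vertically")
    # Filler comes from the OS CSPRNG so it shows no pattern of its own.
    grid = [[str(secrets.randbelow(10)) for _ in range(cols)] for _ in range(rows)]
    for i, code in enumerate(passcodes):
        if not code.isdigit() or col + i + len(code) > cols:
            raise ValueError("passcode must be digits and fit on its row")
        grid[row + i][col + i:col + i + len(code)] = list(code)
    return grid

def read_sheet(grid, row, col, count, length):
    """Recover the passcodes from the remembered starting cell and layout."""
    return ["".join(grid[row + i][col + i:col + i + length]) for i in range(count)]

def straight_line_readings(grid, length):
    """Distinct strings readable rightwards, downwards or along either downward diagonal."""
    rows, cols = len(grid), len(grid[0])
    found = set()
    for r in range(rows):
        for c in range(cols):
            for dr, dc in ((0, 1), (1, 0), (1, 1), (1, -1)):
                end_r, end_c = r + dr * (length - 1), c + dc * (length - 1)
                if end_r < rows and 0 <= end_c < cols:
                    found.add("".join(grid[r + dr * k][c + dc * k] for k in range(length)))
    return found

def render(grid):
    """Space-separated rows, meant to be printed in a monospaced font."""
    return "\n".join(" ".join(line) for line in grid)

if __name__ == "__main__":
    codes = ["4071", "9935", "2680", "1357"]  # constructed sample passcodes
    sheet = make_sheet(codes, row=3, col=5)
    print(render(sheet))
    print(read_sheet(sheet, 3, 5, len(codes), 4))
    print(len(straight_line_readings(sheet, 4)), "distinct straight-line 4-digit readings")
```

On a 9x17 sheet there are at most 396 such straight-line readings, against 10,000 possible 4-digit codes, which is the concrete cost of a placement that is too simplistic.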

Alphabetic Passcodes

This technique can be applied to character-based passwords as well, although it can be a bit trickier. While it's easy to populate a matrix with random numbers or alphabetic characters, if your passwords consist of recognizable words they will stick out like a sore thumb. Even if you add a number of dummy words to the matrix, the number of meaningful words will be limited and this will increase the chances of the passwords being found.

There are several ways out of this. First, avoid recognizable words altogether (you shouldn't be using these as passwords anyway). Second, recognizable words could be chopped into pieces and located in different parts of the matrix (e.g. an 8-letter password could have 2 characters located in each of the 4 corners). Third, the vowels in a password could be removed, leaving only the consonants. For example, if your password were "rabbit", removing the vowels would reduce this to "rbbt". If you saw "rbbt" in a soup of random characters, chances are you'd be able to make the connection with the word "rabbit". But someone else might not.

One final tip: When printing out your crib sheet, make sure you use a non-proportional font, so that the numbers/characters line up properly.



Copyright © 1998-2000, Thiravudh Khoman