
Mind Maps and Password Management

Posted by Wolf , 15 February 2012 · 2,646 views


Password management and mind-mapping.

I have done some research on the management of passwords. The human mind does a poor job when it comes to remembering passwords. The strength of the human mind lies not in the mere reproduction of bits of information but in associating and correlating data. The brain really excels at mapping correlated information. Thus, a well-chosen password hint will immediately facilitate recalling the 'real' password. It seems contradictory that a password and its associated hint are easier to remember than the password alone, but this is true. The psychology of creating and managing strong passwords focuses on creating mind-maps that are meaningful to the user alone.

A good password is of utmost importance. One has not only to create the so-called "mind maps" but also to have some insight, technically speaking, into the rules that make a password very strong: its length and the character sets it draws from: uppercase, lowercase, numeric, symbol and extended characters. It must be resistant to dictionary attacks and not easy to guess. This is difficult, because the only secure password is the one you can't remember. Do not use names of family members, pets, telephone numbers, bank accounts, and other data that are accessible to hackers. That is a pity, because those are the data you can easily reproduce. Elderly people can have big problems remembering new passwords; their short-term memory might be impaired. However, their long-term memory, believe me, is excellent: they can vividly recall their first kiss or another event that carries an emotional charge, and they can readily map it to a name, place, date or year. This is where the mind-mapping of bits of information kicks in. Combine these vividly recalled elements of the mind-map and you have a very, very strong password. The password can be manipulated by character-substitution rules and numbers, e.g. the year can be placed between brackets or parentheses, to add symbols and make the password virtually unbreakable. The password could be: Name:Place:{year} and the associated password hint is "First Kiss".

Bank account numbers, social security numbers and phone numbers are easily recalled by the human mind, but they are very bad passwords, even as part of a password. However, you can convert the number into its hexadecimal representation and convert the consonant hex digits (B, C, D, F) into lower case letters. 126499806 will give you $78A3bdE, and vice versa. Hex values are identified with a trailing "h" or a leading dollar sign, thus $3E0 or 3E0h both denote the hexadecimal number 3E0. If this is still considered too unsafe, one can take the integer part of the square root of this number and append a dot. The result will be: 11247. (including the dot). One cannot reproduce the original number by squaring this number (result: 126495009). A good password could be: VVolf{11247.} (length=13) with the simple password hint: "My phone-number.." (two dots). The letter "W" in Wolf is replaced by "VV", which cannot be found in dictionaries. The extra dot means that this number is the integer result of a square root. Numbers are placed between braces. The length of the password is 13 characters, and it is quite strong! A drawback is that the number is difficult to remember, but it is easily reproduced using a hand-held calculator.
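The two number transformations above (hex with lower-cased consonant digits, and the integer square root marked by a trailing dot), as an added example that is not code from the post; the function names are mine and the only input is the post's own 126499806.

```python
import math

# The post's worked example number (a phone-number-like value).
EXAMPLE_NUMBER = 126499806

# Hex digits that are consonants; A and E are vowels and stay upper case.
CONSONANT_HEX_DIGITS = set("BCDF")


def hex_seed(n: int) -> str:
    """Hexadecimal form with a '$' marker and consonant digits in lower case."""
    digits = format(n, "X")
    return "$" + "".join(d.lower() if d in CONSONANT_HEX_DIGITS else d for d in digits)


def number_from_hex_seed(seed: str) -> int:
    """Inverse of hex_seed: accept a leading '$' or a trailing 'h' marker."""
    s = seed.strip()
    if s.startswith("$"):
        s = s[1:]
    elif s.lower().endswith("h"):
        s = s[:-1]
    return int(s, 16)  # int() is case-insensitive, so the lower-cased consonants are fine


def isqrt_seed(n: int) -> str:
    """Integer part of the square root, followed by the dot that marks the transformation."""
    return f"{math.isqrt(n)}."


def square_of_seed(seed: str) -> int:
    """Squaring the seed does not give the original number back unless it was a perfect square."""
    return int(seed.rstrip(".")) ** 2


if __name__ == "__main__":
    print(hex_seed(EXAMPLE_NUMBER), number_from_hex_seed(hex_seed(EXAMPLE_NUMBER)))
    print(isqrt_seed(EXAMPLE_NUMBER), square_of_seed(isqrt_seed(EXAMPLE_NUMBER)))
```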

Good mind maps are collections of bits of information that have a special meaning for the user and the user alone. They must not refer to the present situation, but can date back to events in the youth of the user. They are preferably emotionally charged. Good mind maps preferably consist of three parts: prefix : seed : suffix. The prefix usually refers to a particular account. The "seed" is the base constituent, which can also occur in other passwords, and the suffix (if used) is mostly a number between brackets or parentheses. It has been statistically shown that the majority of passwords that contain numbers have them trailing. Therefore, the use of brackets or other delimiters is very much advocated. Apart from this, these passwords always contain symbols and are always elongated by the two delimiter characters.

An example:
I have a Dr. degree in chemistry, so I can easily relate names of chemical compounds with their corresponding formulae, e.g.:

Leadnitrate: Pb(NO3)2 or Styrene: Ph-CH=CH2

I can select a formula as a seed.
The password for my Google Mail account could be: GM:Pb(NO3)2 (L=11)
My password hint could be:
General Motors : Leadnitrate.

According to my mind-map I could consider elongating the password with a suffix like the molecular mass of lead nitrate, which results in:

GM:Pb(NO3)2:{331} (L=17)

with the password hint: General Motors : Leadnitrate:mass
But for me the password GM:Pb(NO3)2 is sufficiently safe. It contains uppercase, lowercase, numeric and symbol characters. This might seem very "fabricated" to non-chemists, but this mind-map is very obvious to me.

A physicist would prefer another formula as a seed, e.g. E=mc^2, named 'Einstein', and could construct passwords based on the scheme prefix:E=mc^2:suffix.
"Einstein", albeit not very long (L=6), does contain uppercase, lowercase, numeric and symbol characters: all the elements of a good password, extremely resistant to a dictionary attack and rapidly reproduced.

A dozen named "seeds" can be readily constructed from your own specialism, hobby, fetish or other interests and used for the creation of hundreds of readily reproduced passwords according to the formula: prefix : seed : suffix. You might also consider combining readily reproduced seeds, e.g. "Styrene-Einstein": Ph-CH=CH2:E=mc^2 (length=16), which is considered unbreakable on a desktop computer.
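The prefix : seed : suffix scheme and the four-character-class test above, as an added example that is not code from the post: compose() assembles the password with the suffix in braces, and assess() reports length, which classes are present, whether the password ends in a digit (the statistically common pattern the delimiters avoid) and whether it is free of the redirection, piping and other characters the post's later "Passwords in DOS" section says to avoid. CLI_UNSAFE is my reading of that list.

```python
import string

SYMBOLS = set(string.punctuation)
# Characters the post says to keep out of passwords typed on the DOS command line:
# redirection/piping plus space, "@", "/" and "-" (assumption: taken from the post's list).
CLI_UNSAFE = set('<>| @/-')


def compose(prefix: str, seed: str, suffix: str = "") -> str:
    """Assemble prefix:seed:{suffix}; the suffix is wrapped in braces as the post recommends."""
    pw = f"{prefix}:{seed}"
    if suffix:
        pw += ":{" + suffix + "}"
    return pw


def assess(pw: str) -> dict:
    """Length, character-class coverage and command-line safety of a candidate password."""
    classes = {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in SYMBOLS for c in pw),
    }
    return {
        "length": len(pw),
        **classes,
        "all_classes": all(classes.values()),
        "cli_safe": not (set(pw) & CLI_UNSAFE),
        "trailing_digit": bool(pw) and pw[-1].isdigit(),
    }


if __name__ == "__main__":
    # The post's own examples: GM:Pb(NO3)2 (L=11), GM:Pb(NO3)2:{331} (L=17), Ph-CH=CH2:E=mc^2 (L=16)
    for candidate in (compose("GM", "Pb(NO3)2"), compose("GM", "Pb(NO3)2", "331"),
                      compose("Ph-CH=CH2", "E=mc^2").replace(":E", ":E", 1)):
        print(candidate, assess(candidate))
```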

A property of very good "mind-maps" and their associated password hints is that they can be safely jotted down on paper. If they reveal too much they are not good enough for documenting your passwords.

One can find a lot of additional information on the internet about creating strong and easy-to-remember passwords. The reader is referred to the references at the bottom of this communication, which also include videos on the subject.

The use of password vaults is also advocated; these programs offer the possibility to drag-and-drop or copy/paste passwords into input fields, which circumvents key-logger activity. Still, the access password must be very strong, readily remembered and conveniently typed. A good piece of advice: never use the access password of a password vault for accounts on the internet. Back up the encrypted vault database regularly to your USB drive and to the cloud.

File encryption and password management.

A lot of users of encryption programs are impressed by the "military strength" of encryption routines and then use poor passwords to secure their information. I don't have any information that would be of interest to the military, but I can assure you that my former mother-in-law could be much better than the military at guessing passwords.

So, 'military' or 'corporate' strength does not impress me, but good 'mind-maps' of passwords, the possibility to include 'password hints' in encrypted archives and files, and speed are of utmost importance. Virtually all of my backups in the cloud, on CD and some key files on my USB drive are encrypted. Most backup programs and popular archivers (ZIP, RAR, 7z) have built-in encryption routines. These routines are often not 'military grade', and you can download various ZIP password crackers (even freeware) from the internet. I have tested a number of these crackers, but I'm not impressed by their performance against strong passwords with a length of 16 characters. Moreover, some archivers (IZArc and 7-Zip) include AES-256 (Rijndael) encryption routines that are widely considered very strong. Likewise, a number of freeform text databases, note-takers and even system cleaners/managers (e.g. Glary Utilities) feature good encryption routines. Chances are that most PC users who are not interested in encryption programs already have these routines on their PC. I will not discuss encryption programs in depth, but rather how to manage passwords. Some encryption programs (ClipSecure and KPK File Pro) have built-in password managers, and one password manager (Oubliette) is integrated with a full-fledged file-encryption routine. With the latter freeware application one can document each encrypted archive's location, contents and password. Unfortunately, one cannot open or access an encrypted archive from within Oubliette.

Other password managers (e.g. KeePass, nPassword, 'PINs Secure Password Manager') are suitable for opening encrypted files or archives from the URL field by using the URL format file://X:\MyPath\file.enc with the associated decryption program. So, a number of password vaults are suitable as a front-end to encrypted archives. An Explorer extension like "PathCopy" (freeware) comes in very handy to fill in the URL fields of the password vault. KeePass is the most forgiving application in handling URL formats: long filenames and spaces in the path are not a problem, and even the prefix (file://) is not necessary to open archives with their associated programs. So, good password management for encrypted files is not a problem as long as the encrypted files stay in the location where they were created.

Problems arise when the encrypted archives are moved (e.g. backed up to the cloud or to a CD): the link in the password manager is broken. This problem does not arise with online accounts. So, it would be nice to link the password directly to the moved file. Using the well-established mind-maps and their associated password hints discussed above, the problem can be solved if the encrypted file/archive has a 'hook' to attach additional information:

Solution #1: A number of encryption programs feature a so-called password hint, which is included in the encrypted file. Freeware programs I use include the built-in encryption routines of 'Glary Utilities' and 'Androsa File Protector', but there must be more programs of this kind out there.

Solution #2: Zip files can carry a comment, which gives ample room for an overview of the contents of the archive and a suitable password hint. This is even possible in AES-256 (Rijndael) encrypted archives (IZArc and 7-Zip). So, a password hint like "A mixture of cane sugar and gypsum" points to the password C12H22O11:CaSO4.Aq2.5 (length=21) according to my mind-map.

Solution #3: Steganography: hiding a file in a picture file. There was a time that I found steganography 'overdone', until I realised that I could include additional information in the comments in the header of a JPEG file. Take the following actions prior to embedding an encrypted file in a JPEG picture. First, collect suitable photos in a directory "\CleanFiles". Then, run a program like "jStrip" in that directory to clean all the JPEG files; jStrip is a handy tool for anyone who collects large numbers of images, as it also saves hard drive space. Then, select and duplicate an image, adding a '+' sign to the filename, and annotate the file with the description(s) of the file(s) and a suitable password hint for the file to be embedded in the photo. For this I use the program 'Scott's JPEG Commenter', but there are other freeware tools out there. Finally, hide the file in the graphic using freeware such as 'Free File Camouflage' or 'KPK File Pro'. Warning: you must annotate the JPG prior to the encryption/hiding routine, otherwise it will corrupt the conjugate file. There is ample room for documenting the contents of the hidden file/archive in the JPEG header of the photo.


Additional hints on passwords:

Passwords in DOS:
I also use command-line encryptors in DOS scripts to automate certain tasks.
Passwords must be easy to type on the command line and must not contain redirection or piping symbols. These include "<", ">" and "|"; otherwise unpredictable results may occur. Likewise, avoid spaces, "@", "/" and "-" or other symbols incompatible with the command-line syntax of the encryptor/decryptor's CLI.

Named generated passwords.
If you want to "name" a particular strong generated password, or link a name to it, I would recommend the freeware "Advanced Password Generator". For example, if I select a length of 16 characters and tick the options Complexity=normal, Charcase=Mixed and the password properties 'digits' and 'special chars', a keyword like "Mecedes16" will always result in the password a#$C&y3QQN7jfI21, and "Yahoo Mail16" will likewise always yield v$3Y?#8$21o$8AnJ. If you lose the vault database, you can always recreate the same generated passwords, or at least some of them.


REFERENCES

Videos on password creation and remembering passwords:
How to choose strong passwords
Strong Passwords (YouTube)
Secure Passwords
A very good video on passwords

Sites:
Good and Bad Passwords
How to pick strong passwords and keep them that way
How to Create Memorizable and Strong Passwords
How to choose a good, secure password
Create a strong password that is easy to remember
How to Choose a Good Password
How to Create Strong Passwords
How to create and remember strong passwords
Pick a Safe Password: a strategy for safe secure computing
Choosing a smart password
Use strong passwords
How To Create Strong Passwords That You Can Remember Easily
Password strength (Wikipedia)
How to Securely Manage All Your Passwords

Password strength checkers:
Password Strength Checker
How Secure Is My Password?

I hope you enjoyed this overview of mind-mapping and passwords.
Wolf





WOW, that's a blog!! Normally we wouldn't allow as many external links as that, Wolf, but I can see you've put in a great deal of work and time for this blog, so I'll leave everything intact :)
