Code Map Password Method

Monday, December 19, 2005

The Code Map Password Method

Having multiple bank accounts online is becoming more common. In addition to bank accounts, many people may have multiple brokerage accounts and credit card accounts. Any online account that involves money needs to be carefully protected. One of the important tasks of protecting online accounts is to safely manage your passwords. This requires the following:

1. Passwords should not be writen down or recorded in a file

2. Each password should be unique and random compared with those used at other places

3. Passwords are regularly changed with new unique and random characters

This password management becomes difficult as you acquire more and more online accounts. If you strictly follow these rules, you'll likely be forgeting passwords every week.

Password Method

I've come across a password method that can help. It's a method that was decribed in this slashdot thread. The method involves giving each account a 4-to-6 letter code. This code can be an easy to remember name. Each character of this code maps to a random 2-character string. After each character is mapped, you have a new password that is random and twice the number of characters as your code word. An example makes this much more understandable.

Suppose you use the code word of "bank" and you use the following code word mapping:

a=Y5, b=5r, c=pM,
d=LG, e=R3, f=Ky,
g=WP, h=hh, i=E2,
j=gM, k=Ya, l=fP,
m=Pk, n=wm, o=U7,
p=8a, q=2P, r=Sn,
s=5i, t=yc, u=9P,
v=JK, w=cr, x=Wg,
y=R8, z=cS, 0=TX,
1=6M, 2=63, 3=8s,
4=Jj, 5=Uc, 6=6w,
7=Vg, 8=pa, 9=nF,

The mapping would be done as follows:

b maps to 5r
a maps to Y5
n maps to wm
k maps to Ya

Thus, the code word "bank" maps to the password 5rY5wmYa.

With this method, all you need to do is to come up with simple code words for each online account that you can easily remember. Then you generate a random code map and print it out. Any time you need your password, you just apply your code word to the map.

This method allows you to meet the three password rules:

1. Passwords should not be writen down or recorded in a file

You don't have the passwords printed, just the code map table. If someone steals the code map table, it can't be used without your code words.

2. Each password should be unique and random compared with those used at other places

If each online account has a different code word, each will map to a password that will be very different than the others.

3. Passwords are regularly changed with new unique and random codes

To come up with new unique passwords only requires generation of a new code map table. Your code words that you remember can remain the same.

My Code Map Generator Program

The person who described this method in the slashdot thread said he wrote a perl program to generate the code map. I thought I could write a similar program that would be accessible from the web. So I created one using javascript. In addition to being accessible from the web, javascript programs are executed locally on your browser. Thus, when you generate the code map table, it's listed on your browser. Nothing gets recorded at the server. This makes this program intrinsically safe to use.

Code Map Generator Steps

Here is a list of steps to implement this password method with this code-map generator tool.

1. Select the left button to create the codes. A new window will open up containing 3 code-map tables. All 3 tables are identical. Every time the button is select, new random codes are generated that are different than previous runs.

2. Print out the code map table. Cut out the three tables. One can be carried in your wallet. The other two can be kept in a safe place. An easy way to protect the paper is to attach the paper to a business card with clear plastic tape. The tape can provide a crude laminate over the paper.

3. Close the code-map table window. It would be a good idea to clear out your browser cache so there is no chance of someone else seeing the codes.

4. Once you have your code-map generator, you now have to come up with code words for each online account. I would recommend code words more complex than "bank". One method might be to use the first three letters of the financial institution name combined with the first two letters of your name.

5. Record your online accounts with the corresponding login names and these code words into a secure file or onto paper. Since these will not be changing, you can keep this in your safe deposit box or in other secure locations.

6. Login into your accounts and change the passwords.

7. To change passwords in the future, just generate a new code-map table and redo the password changing process at each account.

Accounts With Password Rules

Some accounts require passwords to have at least one upper case letter and one number. EmigrantDirect's online account system is one example. The code map strings are randomly chosen between upper case, lower case, and numbers. There could be a chance that all of the characters of your code word map to a string with only lower case letters. However, I have designed a method to overcome this potential problem.

If you have an account that requires passwords to have at least one upper case letter and one number, make sure you include at least one vowel in your code word (a, e, i, o, u and y).

My program requires all vowels to map to a string with one numeral and one upper case letter. Thus, if you include a vowel in your code word, there's no chance that the password will not meet the account's requirement.

If you have an account that requires passwords to have at least one upper case letter, one number AND one lower case letter, make sure you include at least one vowel and one number in your code word.

I've constrained the numbers to map to a 2-character string that will include at least one lower case letter. For example, if your code word has two vowels and two consonants, it may be possible that the two consonants won't include a lower case letter. If you include a one-digit number in your code word, you'll be guaranteed to have at least one lower case letter.

If you have an account that requires passwords to have at least one punctuation mark, you're going to have to work around this issue with my tool.

I didn't want to include punctuation marks in the strings since many places only allow letters and numerals. One way to handle this is to include a vowel in your code word. Then change the number in the vowel to a fixed punctuation marke (like a $).

Due to these constraints, the randomness of the code map is not ideal. Another thing that reduces the randomness of the code map generator is excluding a few letters and numerals that look very similar to other letters or numerals. For example, I exclude a zero and the letter "O" from being included in the string.

Drawbacks

This password method isn't perfect. Here are some drawbacks that you should consider:

You always need the paper with the code map. It's very difficult to remember without the code map. If you lose all the code map tables, you have to reset the passwords to all of the online accounts. That's why the tool generates three tables and not just one. It's important to keep these in safe and secure places.

If you don't change all the passwords at once, you might need mulitple code map tables. If you only have one account that requires periodic changes, you might be tempted not to change the others. That's why I include the date on the table to help differentiate multiple tables.

Other Password Methods

As discussed in that slashdot thread, there are many other password methods that can be used. There are programs which can encrypt all of your password information. Then you only need to remember one password to see the passwords of all of your accounts. Account agregation services like Yodlee provide a similar service.

My concern with this method is that if that main password is compromised, then all of your other passwords can get compromised.

Another technique is an acronym method as described in this article. The problem with this is that it's difficult to regularly change the passwords to all of your accounts.

User Agreement

As with any software, I'm sure this program isn't bug free. It may not work perfectly in some browsers. Also, there could be issues with the randomness of the codes. The basic tests that I've done don't show a problem, but there are likely to be issues. Feel free to leave comments if you find any problems. I'll release new versions to fix bugs as best I can. The theory behind this password method seems intrinsically safe. Nothing is kept on the server so there is nothing to steal. However, I can't guarantee that there will not be issues.

14 Comments:

  • I think you ought to make it so you can remember your seed value. Then make a little 'blank' so you can put in your code word, like bank. Then if you were really feeling ambitious, put the darned thing in a toolbar in Firefox!

    Marlan

    By Blogger The Author, at 6:24 PM  

  • Thanks!
    Ken

    By Blogger Banking Guy, at 10:12 AM  

  • Thank you! Enter Password: 7dhf329op02

    Go Ahead... uncode that, Einstein!


    - Steven Burda -
    e-mail: steven.burda.mba @gmail.com
    http://www.linkedin.com/in/burda
    (to connect to my professional network)

    By Blogger StevenBurda, at 7:13 AM  

  • I keep a thumbdrive w/ a file of my pw. So when I don't remember a password
    I just put the thumbdrive in and open it

    By Anonymous zy, at 10:02 PM  

  • this button does not work, I tried 2 browsers at home and work - some JS error shows up :(

    By Anonymous Anonymous, at 6:57 AM  

  • Thanks, I see it's not working. Another script of mine just started having this same problem. It has been working for the last year without problems.

    I think Google has done some blocking at blogspot of javascript execution due to abuse by hackers. I'll have to see how to fix the script so it'll work at blogspot.

    By Blogger Banking Guy, at 7:26 AM  

  • Looks like blogger tries to add its navigation bar to the new window that the program tries to create, and this causes the problem.

    Until I recode the script, you can execute the program at the page saved by the Internet Archive:
    Working page at the Internet Archive.

    By Blogger Banking Guy, at 8:27 AM  

  • Password Tool is fixed as of 8/3/07

    I was able to fix it by changing how I write the html to prevent blogger from inserting the navigation bar into the new page.

    I also did a fix so the new window won't require you to press the browser stop button.

    The new version is 1.1.

    By Blogger Banking Guy, at 5:39 PM  

  • CHECKOUT
    WWW.ROBOFORM.COM

    By Blogger DD, at 4:52 PM  

  • This comment has been removed by the author.

    By Blogger DD, at 4:53 PM  

  • use
    KeePass

    By Anonymous Anonymous, at 5:13 PM  

  • I love Roboform. Never have used keypass. Roboform is elegant, works great and makes filling out purchase forms a breeze to boot. I use Roboform2go so its on my thumbdrive. The beauty of it is that I can avoid anybody "resetting" my passwords by answering stupid security questions because the answers to my security questions are long strings of randomly generated characters, like my username and password. Result: People don't know my username; if they know my username they can't answer my security questions to reset my password. Downside -- without roboform I can't log on to my accounts. Indeed, i don't even know my own username.

    By Blogger David Scubadiver, at 12:21 PM  

  • I just make all of my passwords equal to "PASSWORD". It is very easy to remember. No need for fancy code conversions.

    By Anonymous Anonymous, at 6:45 AM  

  • Who knows where to download XRumer 5.0 Palladium?
    Help, please. All recommend this program to effectively advertise on the Internet, this is the best program!

    By Anonymous Anonymous, at 5:09 AM  

Post a Comment

<< Home