Code Map Password Method

Monday, December 19, 2005

The Code Map Password Method

Having multiple bank accounts online is becoming more common. In addition to bank accounts, many people may have multiple brokerage accounts and credit card accounts. Any online account that involves money needs to be carefully protected. One of the important tasks of protecting online accounts is to safely manage your passwords. This requires the following:

1. Passwords should not be written down or recorded in a file

2. Each password should be unique and random compared with those used at other places

3. Passwords are regularly changed with new unique and random characters

This password management becomes difficult as you acquire more and more online accounts. If you strictly follow these rules, you'll likely be forgetting passwords every week.

Password Method

I've come across a password method that can help. It's a method that was described in this slashdot thread. The method involves giving each account a 4-to-6 letter code. This code can be an easy-to-remember name. Each character of this code maps to a random 2-character string. After each character is mapped, you have a new password that is random and twice as long as your code word. An example makes this much more understandable.

Suppose you use the code word of "bank" and you use the following code word mapping:

a=Y5, b=5r, c=pM,
d=LG, e=R3, f=Ky,
g=WP, h=hh, i=E2,
j=gM, k=Ya, l=fP,
m=Pk, n=wm, o=U7,
p=8a, q=2P, r=Sn,
s=5i, t=yc, u=9P,
v=JK, w=cr, x=Wg,
y=R8, z=cS, 0=TX,
1=6M, 2=63, 3=8s,
4=Jj, 5=Uc, 6=6w,
7=Vg, 8=pa, 9=nF,

The mapping would be done as follows:

b maps to 5r
a maps to Y5
n maps to wm
k maps to Ya

Thus, the code word "bank" maps to the password 5rY5wmYa.
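The mapping step above, written out as an added JavaScript example (not the post's own tool): `EXAMPLE_MAP` is the table from the post, while `applyCodeMap` and `applyCodeMapWithPunctuation` are helper names I chose. The second helper implements the workaround the post describes later for sites that demand a punctuation mark: the numeral in a vowel's 2-character string is replaced with a fixed mark such as `$`.

```javascript
// Added example, not code from the original post. EXAMPLE_MAP is the post's
// table; the function names are assumptions made for this illustration.

const EXAMPLE_MAP = {
  a: 'Y5', b: '5r', c: 'pM', d: 'LG', e: 'R3', f: 'Ky',
  g: 'WP', h: 'hh', i: 'E2', j: 'gM', k: 'Ya', l: 'fP',
  m: 'Pk', n: 'wm', o: 'U7', p: '8a', q: '2P', r: 'Sn',
  s: '5i', t: 'yc', u: '9P', v: 'JK', w: 'cr', x: 'Wg',
  y: 'R8', z: 'cS', 0: 'TX', 1: '6M', 2: '63', 3: '8s',
  4: 'Jj', 5: 'Uc', 6: '6w', 7: 'Vg', 8: 'pa', 9: 'nF',
};

// The post treats y as a vowel for its upper-case/numeral rule.
const VOWELS = 'aeiouy';

// Map each character of the code word to its 2-character string.
// A character with no entry in the map throws instead of being skipped,
// so the result is never silently shorter than 2 * codeWord.length.
function applyCodeMap(codeWord, map) {
  return Array.from(codeWord.toLowerCase(), (ch) => {
    const pair = map[ch];
    if (pair === undefined) throw new Error(`no mapping for character "${ch}"`);
    return pair;
  }).join('');
}

// Punctuation workaround: replace the numeral in the first vowel's pair with
// a fixed mark. If the code word has no vowel there is nothing to replace;
// the unmodified password is returned with ok = false so the caller notices.
function applyCodeMapWithPunctuation(codeWord, map, mark = '$') {
  const word = codeWord.toLowerCase();
  const password = applyCodeMap(word, map);
  const idx = Array.from(word).findIndex((ch) => VOWELS.includes(ch));
  if (idx === -1) return { password, ok: false };
  const pair = map[word[idx]].replace(/[0-9]/, mark); // first digit only
  const chars = password.split('');
  chars.splice(idx * 2, 2, ...pair); // each input char owns 2 output chars
  return { password: chars.join(''), ok: true };
}

console.log(applyCodeMap('bank', EXAMPLE_MAP));                    // 5rY5wmYa
console.log(applyCodeMapWithPunctuation('bank', EXAMPLE_MAP).password); // 5rY$wmYa
```

Run it with `node` to see the post's "bank" example reproduced; the code word is lower-cased first so that typing "Bank" and "bank" yields the same password.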

With this method, all you need to do is to come up with simple code words for each online account that you can easily remember. Then you generate a random code map and print it out. Any time you need your password, you just apply your code word to the map.

This method allows you to meet the three password rules:

1. Passwords should not be written down or recorded in a file

You don't have the passwords printed, just the code map table. If someone steals the code map table, it can't be used without your code words.

2. Each password should be unique and random compared with those used at other places

If each online account has a different code word, each will map to a password that will be very different than the others.

3. Passwords are regularly changed with new unique and random codes

To come up with new unique passwords only requires generation of a new code map table. Your code words that you remember can remain the same.

My Code Map Generator Program

The person who described this method in the slashdot thread said he wrote a Perl program to generate the code map. I thought I could write a similar program that would be accessible from the web. So I created one using JavaScript. In addition to being accessible from the web, JavaScript programs are executed locally in your browser. Thus, when you generate the code map table, it's displayed in your browser. Nothing gets recorded at the server. This makes this program intrinsically safe to use.

Code Map Generator Steps

Here is a list of steps to implement this password method with this code-map generator tool.

1. Select the left button to create the codes. A new window will open up containing 3 code-map tables. All 3 tables are identical. Every time the button is selected, new random codes are generated that are different from previous runs.

2. Print out the code map table. Cut out the three tables. One can be carried in your wallet. The other two can be kept in a safe place. An easy way to protect the paper is to attach the paper to a business card with clear plastic tape. The tape can provide a crude laminate over the paper.

3. Close the code-map table window. It would be a good idea to clear out your browser cache so there is no chance of someone else seeing the codes.

4. Once you have your code-map generator, you now have to come up with code words for each online account. I would recommend code words more complex than "bank". One method might be to use the first three letters of the financial institution name combined with the first two letters of your name.

5. Record your online accounts with the corresponding login names and these code words into a secure file or onto paper. Since these will not be changing, you can keep this in your safe deposit box or in other secure locations.

6. Log in to your accounts and change the passwords.

7. To change passwords in the future, just generate a new code-map table and redo the password changing process at each account.

Accounts With Password Rules

Some accounts require passwords to have at least one upper case letter and one number. EmigrantDirect's online account system is one example. The code map strings are randomly chosen between upper case, lower case, and numbers. There could be a chance that all of the characters of your code word map to a string with only lower case letters. However, I have designed a method to overcome this potential problem.

If you have an account that requires passwords to have at least one upper case letter and one number, make sure you include at least one vowel in your code word (a, e, i, o, u and y).

My program requires all vowels to map to a string with one numeral and one upper case letter. Thus, if you include a vowel in your code word, there's no chance that the password will not meet the account's requirement.

If you have an account that requires passwords to have at least one upper case letter, one number AND one lower case letter, make sure you include at least one vowel and one number in your code word.

I've constrained the numbers to map to a 2-character string that will include at least one lower case letter. For example, if your code word has two vowels and two consonants, it may be possible that the two consonants won't include a lower case letter. If you include a one-digit number in your code word, you'll be guaranteed to have at least one lower case letter.

If you have an account that requires passwords to have at least one punctuation mark, you're going to have to work around this issue with my tool.

I didn't want to include punctuation marks in the strings since many places only allow letters and numerals. One way to handle this is to include a vowel in your code word. Then change the number in the vowel's string to a fixed punctuation mark (like a $).

Due to these constraints, the randomness of the code map is not ideal. Another thing that reduces the randomness of the code map generator is excluding a few letters and numerals that look very similar to other letters or numerals. For example, I exclude a zero and the letter "O" from being included in the string.

Drawbacks

This password method isn't perfect. Here are some drawbacks that you should consider:

You always need the paper with the code map. The passwords are very difficult to remember without the code map. If you lose all the code map tables, you have to reset the passwords to all of the online accounts. That's why the tool generates three tables and not just one. It's important to keep these in safe and secure places.

If you don't change all the passwords at once, you might need multiple code map tables. If you only have one account that requires periodic changes, you might be tempted not to change the others. That's why I include the date on the table to help differentiate multiple tables.

Other Password Methods

As discussed in that slashdot thread, there are many other password methods that can be used. There are programs which can encrypt all of your password information. Then you only need to remember one password to see the passwords of all of your accounts. Account aggregation services like Yodlee provide a similar service.

My concern with this method is that if that main password is compromised, then all of your other passwords can get compromised.

Another technique is an acronym method as described in this article. The problem with this is that it's difficult to regularly change the passwords to all of your accounts.

User Agreement

As with any software, I'm sure this program isn't bug free. It may not work perfectly in some browsers. Also, there could be issues with the randomness of the codes. The basic tests that I've done don't show a problem, but there are likely to be issues. Feel free to leave comments if you find any problems. I'll release new versions to fix bugs as best I can. The theory behind this password method seems intrinsically safe. Nothing is kept on the server so there is nothing to steal. However, I can't guarantee that there will not be issues.