Thread: 'Hashing' with a paper and pencil.

  1. #1
    Join Date
    Dec 2004
    Location
    UK
    Posts
    7,709

    'Hashing' with a paper and pencil.

    If one were to come up with a simple, but effective, way of hashing two inputs to produce a unique password, what would be the easiest?

    Say you might end up stuck somewhere with a computer that needed a password so you could access your bank account, but you had no calculator or apps; all you have is a pencil and paper, and the necessary two or more inputs for an algorithm.

    What would be a simple algorithm, that was easy to remember? I was thinking an iterative procedure........
    ᗧ · · · · · ·

  2. #2
    Join Date
    Dec 2004
    Location
    UK
    Posts
    7,709
    I suppose you don't need two actual inputs, just one, and the algorithm.........

    For example: you bank with JumboJim

    What would be the best way to turn 'jumbojim' into a strong password?
    Last edited by Frog march; 2017-Jul-17 at 08:21 AM.
    ᗧ · · · · · ·

  3. #3
    Join Date
    May 2007
    Location
    Earth
    Posts
    9,507
    Use a Vigenère cipher: http://www.cs.mtu.edu/~shene/NSF-4/T.../Vig-Base.html, so encrypt jumbojim with a key that's memorable, but not obvious, and just keep a few keys.

    Information about American English usage here and here. Floating point issues? Please read this before posting.

    How do things fly? This explains it all.

    Actually they can't: "Heavier-than-air flying machines are impossible." - Lord Kelvin, president, Royal Society, 1895.



  4. #4
    Join Date
    Oct 2009
    Location
    a long way away
    Posts
    9,776
    I think that the main use of stolen passwords is to try and access multiple accounts, which is why it is good to have unique passwords for each account. But, I believe that this is done automatically by bots so the hashing you mention does not need to be particularly complex. I don't think a human is going to spend any time trying to analyse possible patterns in millions of passwords. So you could probably do something like just increment each letter by one (kvncpkjn) and then add some digits (also based on the website, somehow) and some punctuation.
    (I hope my assumption about no human analysis is correct, as I use a very simple version of this - even less encrypted than the shift cipher above!)

    The other thing to do is use a different email address for each account. With some email services, you can do this using the + sign. So, for example, if your email is frogmarch@gmail.com you could use frogmarch+jumbojim@gmail.com for your bank. Google will send all such email addresses to your email account.

  5. #5
    Join Date
    Oct 2009
    Location
    a long way away
    Posts
    9,776
    Quote Originally Posted by swampyankee View Post
    Use a Vigenère cipher: http://www.cs.mtu.edu/~shene/NSF-4/T.../Vig-Base.html, so encrypt jumbojim with a key that's memorable, but not obvious, and just keep a few keys.
    That is obviously a much better idea!

  6. #6
    Join Date
    Dec 2004
    Location
    UK
    Posts
    7,709
    Thanks!

    I wanted something I could program with my rusty BASIC..and that looks like it should be easy enough.

    When setting a password, for me, it is best to try to get a program to do it, or else I'd end up in a pickle by making a mistake. Working out a password to access a system is less critical, as you can have a few attempts.

    I saw a website called passwordchameleon that does a hash, but can one trust it!?! Plus I wouldn't know what they did so couldn't use a pencil and paper.
    Last edited by Frog march; 2017-Jul-17 at 10:35 AM.
    ᗧ · · · · · ·

  7. #7
    Join Date
    Dec 2004
    Location
    UK
    Posts
    7,709
    Here's a program that does that Vigenère cipher:

    10 REM Vigenère Cipher Encryption
    20 PRINT "Use CAPITALS and no spaces."
    30 INPUT "Word to be encrypted:";E$
    40 INPUT "Key word:";K$
    50 LE2=LEN(E$)
    60 K2$=K$
    65 REM Repeat the key until it is at least as long as the word
    70 LE1=LEN(K2$)
    80 IF LE2>LE1 THEN K2$=K2$+K2$:GOTO 70
    90 K2$=LEFT$(K2$,LE2)
    100 PW$=""
    110 FOR L=1 TO LE2
    120 X=ASC(MID$(E$,L,1))-65
    130 Y=ASC(MID$(K2$,L,1))-65
    140 PWL=Y+X:IF PWL>25 THEN PWL=PWL-26
    150 PW$=PW$+CHR$(PWL+65)
    160 NEXT
    170 PRINT '"Password is: ";PW$'
    190 RUN

    You can run it on this: http://www.bbcbasic.co.uk/bbcwin/download.html

    Now that's open source!
    ᗧ · · · · · ·
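    The same Vigenère scheme as posts #3 and #7, in Python, with the check a practitioner would run before adopting it for passwords. This is an added example, not code from the thread; the key "LEMON" and the site names are constructed sample values.

```python
"""Added example (not from the thread): the Vigenère password scheme of posts #3
and #7 in Python, plus the caveat a practitioner should test before relying on
it. The key "LEMON" and the site names used here are constructed sample values."""
import string

ALPHABET = string.ascii_uppercase


def _clean(text: str) -> str:
    """Keep A-Z only, matching the BASIC program's 'CAPITALS and no spaces' rule."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def vigenere_encrypt(word: str, key: str) -> str:
    """Shift each letter of `word` by the matching letter of the repeated key, mod 26
    (the same arithmetic as lines 120-150 of the BASIC listing)."""
    word, key = _clean(word), _clean(key)
    if not key:
        raise ValueError("key must contain at least one letter")
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + ALPHABET.index(key[i % len(key)])) % 26]
        for i, ch in enumerate(word)
    )


def vigenere_decrypt(password: str, key: str) -> str:
    """Inverse of vigenere_encrypt: subtract the key letters instead of adding."""
    password, key = _clean(password), _clean(key)
    if not key:
        raise ValueError("key must contain at least one letter")
    return "".join(
        ALPHABET[(ALPHABET.index(ch) - ALPHABET.index(key[i % len(key)])) % 26]
        for i, ch in enumerate(password)
    )


def recover_key(site_name: str, password: str) -> str:
    """The caveat: the site name is known plaintext, so password minus site name
    is the key stream. Returns its shortest repeating unit; if the site name is
    shorter than the key, only that prefix of the key is recovered."""
    site, pw = _clean(site_name), _clean(password)
    stream = "".join(
        ALPHABET[(ALPHABET.index(p) - ALPHABET.index(s)) % 26]
        for s, p in zip(site, pw)
    )
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream


if __name__ == "__main__":
    pw = vigenere_encrypt("jumbojim", "LEMON")
    print("Password for jumbojim:", pw)                             # UYYPBUMY
    print("Key from one leaked pair:", recover_key("jumbojim", pw))  # LEMON
```

    The consequence for a password scheme: a site's name is public, so a single password that leaks (breach, phishing, someone reading over a shoulder) gives away the key, and with it every other password derived from that key. That is why post #3's "keep a few keys" and post #4's one-password-per-site point matter more than the cipher itself.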

  8. #8
    Join Date
    Jun 2006
    Posts
    4,441
    Looks nice. I'll try it later. Thanks.

  9. #9
    Join Date
    Sep 2012
    Posts
    1,360
    I'm going to guess a little here, but since you suggest two inputs, let's say one of them is the key, and is always the same, such as "PASSWORD", and the other is the userid or the site/company name, such as "Frog March". Change all of the vowels to digits, such as "O" to number "0" and "E" to "3", "I" to 1, etc. Change any "S" characters to dollar signs or hashtags, and put the userid and key together to make the password - "Fr0gM8rchP#$$W0RD". Looks hard to remember, but all you need is the userid, the key, and the substitution rules, so you could easily do it as you type.
    Depending on whom you ask, everything is relative.

  10. #10
    Join Date
    Oct 2009
    Location
    a long way away
    Posts
    9,776
    Quote Originally Posted by mkline55 View Post
    Change all of the vowels to digits, such as "O" to number "0" and "E" to "3", "I" to 1, etc. Changes any "S" characters to dollar signs or hashtags.
    Note that these types of substitutions are standard in any dictionary search, so are not enough by themselves. But they can help with further obfuscation and fulfil the need for a mixture of letters, numbers and other characters.

    You could defeat the dictionary search by interleaving the key/password/username with the website name; e.g. FrogMarch + JumboJim -> FJruomgbMoaJricmh (and then do the letter to number substitution).

  11. #11
    Join Date
    Mar 2004
    Posts
    15,528
    Yeah. See Wikipedia: Dictionary attack.

    Note that the attackers don't just use a published dictionary, but a generalization of the concept that includes all words modified by regular substitutions (and they are way more creative than you).
    0 1 1 0 1 0 0 1 1 0 0 1 0 1 1 0 1 0 0 1 0 1 1 0 0 1 1 0 1 0 0 1 1 0 0 1 0 1 1 0 0 1 1 0 1 0 0 1 0 1 1 0 1 0 0 1 1 0 0 1 0 1 1 0 ...
    No ATM forum is better than our ATM forum.
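    Posts #10 and #11 make the point that leet substitutions and a fixed letter shift are routine mangling rules in a dictionary search, so they add little. The same reasoning can be turned around into a registration-time check: undo the common manglings and see whether only a dictionary word or two is left. This is an added example, not code from the thread; the mini-dictionary, the leet map and the word-count threshold are constructed for the demonstration.

```python
"""Added example (not from the thread): a password-policy check that undoes the
manglings posts #4, #9 and #10 describe (leet substitutions, a constant letter
shift, padding symbols) and asks whether what remains is just a dictionary word
or two. The dictionary and leet map are constructed for the demo."""
from functools import lru_cache
from itertools import islice, product
from typing import Optional

# Constructed mini-dictionary; a real check loads a large word or breach list.
DICTIONARY = frozenset({
    "frog", "march", "jumbo", "jim", "password", "bank",
    "correct", "horse", "battery", "staple",
})

# Letters a digit or symbol commonly stands in for (constructed; extend freely).
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
        "8": "ab", "@": "a", "$": "s", "#": "ah", "!": "i"}

ALPHA = "abcdefghijklmnopqrstuvwxyz"


def _unshift(text: str, shift: int) -> str:
    """Undo a constant Caesar shift (post #4's 'increment each letter by one')."""
    return "".join(ALPHA[(ALPHA.index(c) - shift) % 26] for c in text)


def _letter_candidates(password: str, limit: int = 4096):
    """Yield the letter-only strings the password may be a mangling of."""
    options = []
    for ch in password.lower():
        if ch.isalpha():
            options.append((ch,))
        elif ch in LEET:
            options.append(tuple(LEET[ch]) + ("",))   # a letter, or mere padding
        else:
            options.append(("",))                     # separator/digit: no letter
    for combo in islice(product(*options), limit):
        base = "".join(combo)
        if not base:
            continue
        for shift in range(26):
            yield _unshift(base, shift)


def _segment(word: str, dictionary: frozenset) -> Optional[tuple]:
    """Split `word` into the fewest dictionary words, or None if impossible."""
    @lru_cache(maxsize=None)
    def best(i: int):
        if i == len(word):
            return ()
        found = None
        for j in range(i + 1, len(word) + 1):
            if word[i:j] in dictionary:
                rest = best(j)
                if rest is not None and (found is None or len(rest) + 1 < len(found)):
                    found = (word[i:j],) + rest
        return found
    return best(0)


def mangled_dictionary_words(password: str, dictionary=DICTIONARY):
    """Return the dictionary words the password reduces to, or None if none fit."""
    best = None
    for cand in _letter_candidates(password):
        seg = _segment(cand, dictionary)
        if seg is not None and (best is None or len(seg) < len(best)):
            best = list(seg)
    return best


def acceptable(password: str, min_words: int = 4) -> bool:
    """Policy: reject anything that reduces to fewer than `min_words` dictionary words."""
    words = mangled_dictionary_words(password)
    return words is None or len(words) >= min_words
```

    Run over the thread's own examples, "Fr0gM8rch" and the shifted "kvncpkjn" both reduce to two dictionary words and fail the policy, while post #10's interleaved "FJruomgbMoaJricmh" does not reduce at all. A four-word phrase like the one in the XKCD comic also reduces to dictionary words, which is why the check counts the words rather than simply rejecting anything in the dictionary: its strength comes from how many words were chosen at random, not from the letters being disguised.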

  12. #12
    Join Date
    Jun 2009
    Posts
    2,065
    This seems like the right place to insert a good XKCD comic:
    https://xkcd.com/936/

  13. #13
    Join Date
    Dec 2004
    Location
    UK
    Posts
    7,709
    It surprises me that any website software, these days, would allow a brute force attack. Surely 100 attempts by someone trying to log on would be a sign that something was up.

    Does CQ allow unlimited attempts?
    ᗧ · · · · · ·
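    Post #13 asks whether a site should notice after a hundred failed attempts. The server-side mechanism is a per-account failed-login throttle: a sliding window of recent failures, a delay that grows with each one, and a temporary lockout once a threshold is hit. This is an added example, not code from the thread or from any particular forum software; the thresholds are illustrative and the account name is a constructed value.

```python
"""Added example (not from the thread): the kind of server-side failed-login
throttle post #13 asks about. Per-account failure history in a sliding window,
an escalating delay, and a temporary lockout. The clock is passed in so the
logic runs offline; thresholds are illustrative, not taken from the thread."""
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, window_seconds=900.0, max_failures=10, lockout_seconds=1800.0):
        self.window_seconds = window_seconds      # only failures this recent count
        self.max_failures = max_failures          # lock the account at this many
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(deque)       # account -> timestamps of failures
        self._locked_until = {}                   # account -> time the lock expires

    def _prune(self, account, now):
        """Forget failures that have aged out of the window."""
        q = self._failures[account]
        while q and now - q[0] > self.window_seconds:
            q.popleft()

    def is_locked(self, account, now) -> bool:
        return self._locked_until.get(account, 0.0) > now

    def delay_before_attempt(self, account, now) -> float:
        """Seconds to wait before checking a credential: none for the first few
        failures, then doubling up to a cap. Slows guessing without locking out
        a user who mistyped once or twice."""
        self._prune(account, now)
        recent = len(self._failures[account])
        if recent < 3:
            return 0.0
        return float(min(2 ** (recent - 3), 60))

    def record_failure(self, account, now) -> bool:
        """Log a wrong password; returns True if this failure locked the account."""
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures[account].clear()
            return True
        return False

    def record_success(self, account):
        """A correct login clears the history and any lockout."""
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def simulate_guessing(n_attempts: int, throttle=None) -> dict:
    """Feed `n_attempts` wrong passwords for one constructed account, one per
    second, and report when it locked and how much delay was imposed."""
    throttle = throttle or LoginThrottle()
    locked_at = None
    total_delay = 0.0
    for t in range(n_attempts):
        if throttle.is_locked("frogmarch", float(t)):
            continue                          # reject without checking the password
        total_delay += throttle.delay_before_attempt("frogmarch", float(t))
        if throttle.record_failure("frogmarch", float(t)) and locked_at is None:
            locked_at = t
    return {"locked_at_attempt": locked_at, "total_delay_seconds": total_delay}


if __name__ == "__main__":
    print(simulate_guessing(100))   # {'locked_at_attempt': 9, 'total_delay_seconds': 123.0}
```

    With these settings the tenth wrong guess locks the account for half an hour, and the earlier guesses have already cost two minutes of enforced delay. In practice this per-account check is paired with a per-source rate limit, and the response to a locked account is kept identical to a wrong-password response so the lock itself does not confirm which usernames exist.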

  14. #14
    Join Date
    Dec 2004
    Location
    UK
    Posts
    7,709
    Quote Originally Posted by ShinAce View Post
    This seems like the right place to insert a good XKCD comic:
    https://xkcd.com/936/
    but that would just succumb to a dictionary attack....?
    ᗧ · · · · · ·

  15. #15
    Join Date
    Sep 2007
    Posts
    15,371
    Quote Originally Posted by ShinAce View Post
    This seems like the right place to insert a good XKCD comic:
    https://xkcd.com/936/
    Because of that comic, I now try to make my new passwords long sentences on sites that will allow it.

  16. #16
    Join Date
    Jun 2009
    Posts
    2,065
    Quote Originally Posted by Frog march View Post
    but that would just succumb to a dictionary attack....?
    Which dictionary? English, French, Spanish, German?

    If you're going to use a computer to do a brute force attack, why would you limit yourself to certain words?

  17. #17
    Join Date
    Dec 2004
    Location
    UK
    Posts
    7,709
    Quote Originally Posted by ShinAce View Post
    Which dictionary? English, French, Spanish, German?

    If you're going to use a computer to do a brute force attack, why would you limit yourself to certain words?
    By dictionary I just mean a database of whole words; it doesn't have to be a specific language.
    ᗧ · · · · · ·

  18. #18
    Join Date
    Oct 2009
    Location
    a long way away
    Posts
    9,776
    Quote Originally Posted by ShinAce View Post
    Which dictionary? English, French, Spanish, German?
    All of them. And more.

    If you're going to use a computer to do a brute force attack, why would you limit yourself to certain words?
    Because a lot of people use normal words (sometimes with small additions) as their passwords (because they are easy to remember).

  19. #19
    Join Date
    Mar 2004
    Posts
    15,528
    Dictionary attack is way more efficient than brute force, given the way most password creation occurs, non-randomly. Brute force tries too much that will never work.

    If passwords were random, a dictionary attack would not be a win.
    0 1 1 0 1 0 0 1 1 0 0 1 0 1 1 0 1 0 0 1 0 1 1 0 0 1 1 0 1 0 0 1 1 0 0 1 0 1 1 0 0 1 1 0 1 0 0 1 0 1 1 0 1 0 0 1 1 0 0 1 0 1 1 0 ...
    No ATM forum is better than our ATM forum.

  20. #20
    Join Date
    Sep 2003
    Location
    The beautiful north coast (Ohio)
    Posts
    45,864
    Quote Originally Posted by ShinAce View Post
    This seems like the right place to insert a good XKCD comic:
    https://xkcd.com/936/
    I remember that comic, and wondered how many people now use "correcthorsebatterystaple" as their password.
    At night the stars put on a show for free (Carole King)

    All moderation in purple - The rules

  21. #21
    Join Date
    May 2007
    Location
    Earth
    Posts
    9,507
    I used to use old license plates as pieces of the password. When I really want a secure password though, such as for my bank, it's time for a little Perl...

    Information about American English usage here and here. Floating point issues? Please read this before posting.

    How do things fly? This explains it all.

    Actually they can't: "Heavier-than-air flying machines are impossible." - Lord Kelvin, president, Royal Society, 1895.



  22. #22
    Join Date
    Feb 2003
    Location
    Depew, NY
    Posts
    10,317
    A friend of mine would use an old FASA game book and combine call numbers of Federation ships with their names.
    Solfe, Dominus Maris Pavos.
