Posted by: Ken Harthun
GRC.com, LastPass, Password, Perfect Paper Passwords, Secure Computing, Spinrite, Steve Gibson
I wrote this article back in 2007. It was relevant then, and it’s relevant now, particularly in the light of the Comodo SSL compromise incident I reported in my last post. While I have gone on to using LastPass to generate and securely store my passwords, I still occasionally use Perfect Paper Passwords to generate secure passwords when I don’t want to clutter up LastPass with things I may never use again. Steve has never mentioned this particular use of PPP, but I think it’s pretty cool.
So, here in all it’s glory is my original article entitled, “Perfect Passwords…On Paper:”
Steve Gibson, creator of Spinrite and winner of the Third Annual People’s Choice Podcast Awards in the Technology/Science category for his Security Now! podcast with Leo Laporte of Twit.tv, has just come up with a super-secure multifactor authentication system. Steve calls it “Perfect Paper Passwords” and you can read all about it on his web site. Be sure to read all of the pages, but beware — it’s pretty geeky stuff. Here’s a simple excerpt:
GRC’s “Perfect Paper Passwords” (PPP) system is a straightforward, simple and secure implementation of a paper-based One Time Password (OTP) system. When used in conjunction with an account name & password, the individual “passcodes” contained on PPP’s “passcards” serve as the second factor (“something you have”) of a secure multi-factor authentication system.
I feel like a kid turned loose in Toys-R-Us with a thousand-dollar budget. This is truly an amazing system and I’m just now starting to figure out how to implement it in my own environment. But using it as Steve designed it isn’t the subject of this post. Most network environments are still based on the username/password model, not a multi-factor authentication model. Until the PPP system becomes a standard (and it should!), why not use the passcards to create super-strong passwords?
I know, I know, he already has the Ultra-high Security Password Generator and I’ve been using that, but the idea of breaking long strings of characters into simple, four-character snippets makes things a bit simpler and it also allows you to take some control over generating your passwords. It adds another random factor into the mix by letting you choose the order of combination, something no computer or person anywhere can possibly know. Putting them into a seven columns by ten rows grid in a format that you can fold and stick in your wallet makes it even easier.
Using the web site, you print out three passcards, each containing 70 four-character passcodes for a total of 210. Now, if you randomly combine three passcodes to make virtually unbreakable 12-character passwords, you’ll have a resource of 70 passwords right at your fingertips. Circle the ones you’re using for your current password and cross them out when you change it. Better yet, write down the columns/rows and keep that separate from your passcards. No one’s going to know that A1F4D10 translates into Cai?DCGX@xBt, but you do.
Tell your clients about it. I do.