
ONE-TIME GRID

Random Password Book


TL;DR

  • One-Time Grid: Random Password Book helps non-tech users create secure passwords
  • Cryptographically random-generated grids for use in password creation
  • 2 Grids: Random-Grid (7x7 : 73 random chars) & Word-Grid (3x26 : high entropy words)
  • New Grid Series generated and published each week for increased security
  • Share passwords securely with teammates using Grid Keys
  • One-Time Grid Password Cracking Challenge: Subscribe, or follow @netmux for details 

**Disclaimer: One-Time Grid is intended to help non-technical family members, friends, colleagues, enterprise employees, and interweb travellers create stronger passwords. I can understand technical users will be hesitant to use this system, and can/will use alternatives.

Origins of One-Time Grid

As all techies know, you become the default IT guy for all of your family members and friends. From simple tasks like connecting to WiFi to the most skin-crawling virus-infected laptop a family member or friend could own, you've been there, and this is where the One-Time Grid idea took root. While helping my Father-in-law set up his new home office computer, I noticed that every time I asked for a password to something he would reach for a little black book. After about the third time, with each password being worse than the last, I asked to see this book. Inside, he explained, is where he kept all the passwords for his various online accounts and home network devices. Let me be clear: I have no problem with passwords being written down, as data is only as secure as the method in which it is stored. I'd wager the probability of a home break-in to steal a notebook of passwords is WAY smaller than that of some home/work computer, or Equifax & Yahoo, getting breached again and exposing your data. What I did take issue with, as a password enthusiast, was the quality of his password choices. After discussions with him about those choices and the alternatives (password managers), it became evident that the typical non-technical home or enterprise user can benefit from having help.

[Image: One-Time Grid Random Password Book]

Creating "Random"

So, we need users to create random secure passwords; but how do you do that with users that don't truly understand what "random" means? Now, before all the cryptographers and security enthusiasts pounce on this method, I agree that using someone else's provided "randomness" for passwords is like buying used underwear off of Craigslist, but besides password managers, which non-techies still don't grasp, where are users supposed to get password creation help? So One-Time Grid creates the randomness needed, while giving the user the ability to compose passwords in their own unique way. As history tells us, no matter the password creation scheme or trick perpetuated through the ages, users will always take the easiest route possible. Tell them to pick random characters and they will do a keyboard run. Tell them to pick random words and they will use their name combined with family members. Tell them it needs "randomness" and they will capitalize the first word and add a year with a special character at the end. Need proof? Go check out the passwords HIBP harvested (cracked by fellow enthusiasts) or that Hashes[dot]org cracked.

What is a One-Time Grid?

Personally, I believe that when this is conveyed in physical form, you have to provide the user with the random data and give them the ability to add their own unique variability. Thus, I developed a grid system inspired by the One-Time Pad system deployed in WW2 to send uncrackable, encrypted secret messages.

The One-Time Grid: Random Password Book uses two unique grid methods, called Random-Grids and Word-Grids, and new grids are published each week, greatly diminishing the likelihood of another user having your exact grids. This also means an attacker would have to buy every copy published in order to have a snowball's chance of coming remotely close to cracking your password. Also similar to the One-Time Pad system, you can buy the One-Time Grid in batches to enable sharing amongst other users with "Grid Keys" (discussed later), since you'll all be on the same printed Grid Series. Now, let's look at some example grids.

RANDOM-GRID

[Image: One-Time Grid Random-Grid]
  • 7x7 grids with a total of 49 cells
  • 50 unique grids supplied per book
  • Cell characters selected at random from a 73-character set using Python's SystemRandom function
  • RANDWRD is a randomly selected word from a unique and high-entropy corpus
  • PIN is a randomly generated 6-digit number
  • Numbered border grid for identification and composition of the "Grid Key"

Characters used:

ABCDEFGHIJKLMNOPQRSTUVWXYZ

abcdefghijklmnopqrstuvwxyz

1234567890

-!@#$%^&*=?[](),.;{}:+

WORD-GRID

[Image: One-Time Grid Word-Grid]
  • 3x26 grids with a total of 78 cells
  • 30 unique grids supplied per book
  • Unique and high-entropy wordlist with randomly toggled case
  • Words selected at random using Python's SystemRandom function
  • RANDSTR selected at random from the 73-character set using Python's SystemRandom function
  • PIN is a randomly generated 6-digit number
  • Numbered border grid for identification and composition of the "Grid Key"
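As an added illustration for the two grid sections above (my own code, not the book's generator), this builds a 7x7 Random-Grid and a PIN from the page's character set with SystemRandom, and estimates the guess space each composition method leaves an attacker who does not hold the grid. The character set is the one printed on the page (84 symbols as listed); the word corpus size is an assumption, since the page does not state it.

```python
import math
import random
import string

# Character set as printed on the page for the Random-Grid (84 symbols as listed).
GRID_CHARS = (string.ascii_uppercase + string.ascii_lowercase + string.digits
              + "-!@#$%^&*=?[](),.;{}:+")
SIZE = 7  # a Random-Grid is 7x7

# SystemRandom reads the OS CSPRNG (/dev/urandom, CryptGenRandom), never the Mersenne Twister.
_rng = random.SystemRandom()

def make_random_grid(size=SIZE, chars=GRID_CHARS):
    """Return size rows of size characters; each cell is an independent uniform draw from chars."""
    return ["".join(_rng.choice(chars) for _ in range(size)) for _ in range(size)]

def make_pin(digits=6):
    """6-digit PIN drawn uniformly from 000000-999999; leading zeros are kept."""
    return "".join(_rng.choice(string.digits) for _ in range(digits))

def guess_bits(cells, alphabet_size):
    """Work for an attacker who does NOT hold the grid: every cell is an independent uniform
    pick, so the search space is alphabet_size ** cells, i.e. cells * log2(alphabet_size) bits."""
    return cells * math.log2(alphabet_size)

def method_strength(chars=GRID_CHARS, wordlist_size=7776, pin_digits=6):
    """Rough guess space, in bits, of the page's three methods before any user variation.
    wordlist_size is an assumption: the page gives no size for its word corpus, and the
    random case toggle on Word-Grids (about 1 extra bit per word) is ignored here."""
    per_char = len(chars)
    return {
        "basic_2_lines": guess_bits(2 * SIZE, per_char),   # two full 7-cell lines
        "basic_4_lines": guess_bits(4 * SIZE, per_char),
        "scatter_12":    guess_bits(12, per_char),
        "scatter_24":    guess_bits(24, per_char),
        "word_3":        guess_bits(3, wordlist_size),
        "word_5":        guess_bits(5, wordlist_size),
        "pin_only":      guess_bits(pin_digits, 10),
    }

if __name__ == "__main__":
    for row in make_random_grid():
        print(" ".join(row))
    print("PIN:", make_pin())
    for name, bits in method_strength().items():
        print(f"{name:>14}: {bits:5.1f} bits")
```

Note that the bit counts only hold while the grid stays private; once an attacker has the printed grid, a line or scatter is a choice among positions, not characters.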

How to use One-Time Grids

There are three suggested password creation methods when using a Random-Grid or Word-Grid:

  1. Basic: choose 2, 3, or 4 straight-line directions (read left or right) and join them to compose the password.
  2. Pattern: choose 2, 3, or 4 unique pattern directions through the grid and join them to compose the password.
  3. Scatter: choose 12-24 cells (Random-Grids) or 3-5 cells (Word-Grids) at random.

It's also encouraged to insert the provided RANDWRD, RANDSTR, or PIN into any one of the above methods. This can increase complexity, while also making the password memorable and uniquely variable. Surely there are many more ways to use a grid and I'll leave it up to the user to find the perfect method for their use case, but these three methods should get you started.

"BASIC" RANDOM-GRID EXAMPLE

[Image: One-Time Grid "Basic" example]

Step 1: pick two, three, or four random directions to make your password:

@cN$X%N,%040*.

Step 2: for added security include RANDWRD or PIN: 

@cN$X%N adaptive ,%040*.

Step 3: Write down your new account password: 

@cN$X%Nadaptive,%040*.

Step 4: Record your shareable “Grid Key” which corresponds to the Grid# and its outer numbers:

#6 23+R+16

"PATTERN" RANDOM-GRID EXAMPLE

[Image: One-Time Grid "Pattern" example]

Step 1: pick two, three, or four random patterns to make your password:

&0M&$8 N0gv@F

Step 2: for added security include RANDWRD or PIN: 

&0M&$8 564068 N0gv@F adaptive

Step 3: Write down your new account password: 

&0M&$8564068N0gv@Fadaptive

Step 4: Record your shareable “Grid Key” which corresponds to the Grid# and its outer numbers.

#6 24~18+P+13~2+R

"SCATTER" RANDOM GRID EXAMPLE

[Image: One-Time Grid "Scatter" example]

Step 1: pick 12 to 24 characters at random for your password:

8u4E.s0FMc0XR@

Step 2: for added security insert the RANDWRD or PIN:

adaptive 8u4E.s0FM 564068 c0XR@

Step 3: Write down your new account password:

adaptive8u4E.s0FM564068c0XR@

Share passwords securely with "Grid Keys"

Grid Keys help describe how a password was created so users on the same Grid Series can share passwords securely without sending the actual password. Instead, they can send the summarized Grid Key (for example 6-23-R-16), and the recipient can recreate the password on the other side using the appropriate grid.

Let's look at a use case. Bob and Alice are network admins on the same Grid Series. Bob is in the datacenter at the terminal but doesn't have the password for a server Alice set up. Bob can message Alice, "I need the password for the server you set up. Please send the Grid Key." Alice can reference the One-Time Grid where she created the password, or her notes, and respond to Bob, "Here you go: 6-18-27-P". Bob can now reference Grid# 6 and reassemble the password 8$&0v^Cuh@^E*radaptive, and if this message was ever compromised no attacker would be able to recreate the password from the Grid Key. Pretty cool, right?!

A more secure method is for Bob and Alice to have already agreed upon a password creation scheme for their grids and noted it in the included blank Master Grid Template. Bob then only has to ask Alice for the Grid #, and he can reassemble the password on his side without any further information.

**The Grid Series is noted on the first page of every book.

HOW TO MAKE A GRID KEY

[Image: One-Time Grid "Grid Key" example]

[Grid#]-[Part1]-[Part2]-[Part3]-... 

R=RANDWRD P=PIN

Step 1: We pick three parts to make our password:

@cN$X%N adaptive ,%040*.

Step 2: Note Grid# & cell #’s that convey direction:

Grid #6 23=@cN$X%N R=adaptive 16=,%040*.

Step 3: Assembled, our Grid Key is:

6-23-R-16 

Step 4: Now share or store 6-23-R-16 instead of the password:

@cN$X%Nadaptive,%040*.
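To make the Grid Key mechanics concrete, here is an added resolver (my own illustration, not the book's software) that rebuilds a password from a key in either spelling used on this page and shows what the key alone reveals to someone without the grid. The border numbering is an assumption, Grid #6 below is a constructed stand-in in which only the cells on lines 23 and 16 are set so the page's example 6-23-R-16 resolves to the password above, and pattern paths such as 24~18 are not modelled.

```python
import re

SIZE = 7

# Constructed stand-in for the book's Grid #6 (not the real printed grid): only the cells on
# border lines 23 and 16 are chosen so the page's example 6-23-R-16 resolves; the rest is
# filler drawn from the page's character set.
GRIDS = {6: ["Kq7!b.Z", "m9#Hf*p", "T}e2W0v", "aY&lR4;", "g5?uD0B", "@cN$X%N", "Q8}=i,h"]}
RANDWRD = {6: "adaptive"}   # the RANDWRD used in the page's examples
PIN = {6: "564068"}         # the PIN used in the page's pattern example

def border_line(grid, n):
    """Read the 7 cells pointed at by border number n.
    Assumed numbering (not documented on the page): 1-28 clockwise from the top-left corner;
    1-7 top edge = columns read top->bottom, 8-14 right edge = rows read right->left,
    15-21 bottom edge = columns read bottom->top, 22-28 left edge = rows read left->right."""
    if 1 <= n <= 7:
        return "".join(grid[r][n - 1] for r in range(SIZE))
    if 8 <= n <= 14:
        return grid[n - 8][::-1]
    if 15 <= n <= 21:
        return "".join(grid[r][21 - n] for r in reversed(range(SIZE)))
    if 22 <= n <= 28:
        return grid[28 - n]
    raise ValueError(f"border number out of range: {n}")

def split_key(key):
    """Accept both spellings on the page: '6-23-R-16' and '#6 23+R+16'."""
    return [p for p in re.split(r"[-+\s]+", key.strip().lstrip("#")) if p]

def resolve_grid_key(key, grids=GRIDS, randwrd=RANDWRD, pin=PIN):
    """Rebuild the password; this only works for someone holding the same Grid Series."""
    gno, *parts = split_key(key)
    gno = int(gno)
    grid = grids[gno]
    out = []
    for p in parts:
        if p == "R":
            out.append(randwrd[gno])
        elif p == "P":
            out.append(pin[gno])
        else:
            out.append(border_line(grid, int(p)))  # pattern paths like '24~18' raise here
    return "".join(out)

def key_shape(key):
    """All an intercepted key reveals without the grid: part types and lengths, no characters."""
    return ["word" if p == "R" else "pin6" if p == "P" else "line7" for p in split_key(key)[1:]]
```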

Final Thoughts

I'll be the first to admit, One-Time Grid is not perfect and many compromises were made when attempting to put random material on paper and still make it viable for passwords. It's a first attempt to help the audience who refuses to use password managers or prefers non-digital/offline storage of their passwords. It's been a fun project brainstorming a solution and putting it into print, because the problem is not going away anytime soon. I'm sure many improvements will be made along the way as the community rips this apart, just be kind please :) In the end, I'm confident that my Father-in-law's, and frankly any user's passwords, will be exponentially more difficult to crack, possibly surviving the next major online breach.

If you have any suggestions to improve any of the grids, random generation, or overall concept, connect with me on Twitter @netmux. If you want to test your cracking skills, I'll be releasing a password hash challenge made with a One-Time Grid. If you crack it there will be a BIG prize involved. Subscribe at the bottom, or on Twitter, to receive updates on the soon to be released challenge details.

Command Line Password Generation

Linux/Mac

# openssl rand -base64 20

Example) YnKFUmVPYzQDrK3QT5NZ0Wh51kMBaXw=

# pwgen 10

Example) giepahl3Oy

# gpg --gen-random --armor 1 14 

Example) 1Hs0a5BYKlcRY0wvPy8=

Windows

PS> $Password = ([char[]]([char]33..[char]95) + ([char[]]([char]97..[char]126)) + 0..9 | sort {Get-Random})[0..8] -join ''

Example) Fj-Rs!4p2z

Online Password Generation Resources

Password Managers

One-Time Grid Example Pages

[Image: One-Time Grid examples]
[Image: One-Time Grid Word-Grid example]
[Image: One-Time Grid contact templates]