For Application in Singapore

This posting is specifically for people who reside in Singapore.  The NRIC, the organisations mentioned and the reference to the digitization practice now in use are in the Singapore context.

As a rule, we are not supposed to use personal numbers, like NRIC numbers, phone numbers, date of birth and address, as passwords (PWs) and PINs.  However, if we want to make use of things we will never forget, these numbers are among them.  So, I’m going to show how we can use them without compromising security.

The risk in using these numbers is that hackers will try such numbers first when they want to break someone’s PW or PIN.  Actually, what the rule is meant to bar is the use of these numbers in their exact form and sequence.  If these numbers are used to construct new numbers in such a way that the original numbers are of no help, there will not be a loss of security.  These personal numbers can be easily recalled as they are strongly etched in our memory.  If we use one of them to work out a new number, we only need to remember how it is manipulated.  The reality is that it is easier to remember the manner of manipulation than to think of an entirely new number that has no association with anything related to us.  Numbers by themselves are difficult to remember because they have no images unless we can associate them with something known.

Here are examples of how we can manipulate a number to construct new numbers from it.  To make the process easier to remember, I’ve coined terms for some possible manipulations, such as “pow kow leow”, two-by-two, get even, and hop step & jump.

For example, from a number, say 8214043, we can derive new numbers as follows:

1. “Pow kow leow”: 22 (adding up all the digits)

2. Two by two: 70 ((8+2) x (4+3)) or 3526 (82 x 43)

3. Get even: 244 (digits in even places)

4. Take on the odds: 8103 (digits in odd places)

6. “You tou you wei” or “pow tau pow buay”: 83 (first and last digits)

7. Backward rolls one two three: 340 (last 3 digits in reverse sequence)

8. Hop step and jump: 17 (8+2+4+3) or simply 8243

[Image: hop step and jump]

For a date of birth or any memorable date, write the date as a single number.  E.g. for the date 16/07/82, write it as 16071982, and we can manipulate it in the same way.
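The manipulations above, written out as an added example (this code is not from the original posting) and applied to the posting’s own sample number 8214043.  The text does not spell out which positions “hop step and jump” picks; the code assumes positions 1, 2, 4 and 7 (steps of 1, 2, 3), which reproduces the 17 and 8243 given above.  The last function collects every constant the whole menu yields from one source number, which is a useful check on how many candidates the menu actually produces.

```python
"""Digit manipulations from the posting, applied to its sample number 8214043.
Added illustration; the "hop step and jump" positions (1, 2, 4, 7) are an
assumption made here that matches the posting's result."""

from __future__ import annotations

SAMPLE = "8214043"  # the posting's own example number


def pow_kow_leow(n: str) -> int:
    """Add up all the digits: 8214043 -> 22."""
    return sum(int(d) for d in n)


def two_by_two(n: str) -> tuple[int, int]:
    """Two-digit groups from each end: (8+2)*(4+3) = 70 and 82*43 = 3526."""
    left, right = n[:2], n[-2:]
    summed = (int(left[0]) + int(left[1])) * (int(right[0]) + int(right[1]))
    return summed, int(left) * int(right)


def get_even(n: str) -> str:
    """Digits in even places (2nd, 4th, ...): 8214043 -> 244."""
    return n[1::2]


def take_on_the_odds(n: str) -> str:
    """Digits in odd places (1st, 3rd, ...): 8214043 -> 8103."""
    return n[0::2]


def pow_tau_pow_buay(n: str) -> str:
    """First and last digits: 8214043 -> 83."""
    return n[0] + n[-1]


def backward_rolls_123(n: str) -> str:
    """Last three digits in reverse order: 8214043 -> 340."""
    return n[-3:][::-1]


def hop_step_and_jump(n: str) -> tuple[int, str]:
    """Positions 1, 2, 4, 7 (assumed reading): digits 8,2,4,3 -> 17 and '8243'."""
    picks = [n[i] for i in (0, 1, 3, 6) if i < len(n)]
    return sum(int(d) for d in picks), "".join(picks)


def date_to_number(day: int, month: int, year: int) -> str:
    """Write a date as one number the same rules apply to: 16/07/1982 -> 16071982."""
    return f"{day:02d}{month:02d}{year:04d}"


def all_constants(n: str) -> set[str]:
    """Every constant the menu above yields from one source number.

    The menu is a fixed, short list of transformations, so the set of
    candidates derived from a single known number is small; this makes that
    visible instead of leaving it to intuition.
    """
    out = {str(pow_kow_leow(n)), get_even(n), take_on_the_odds(n),
           pow_tau_pow_buay(n), backward_rolls_123(n)}
    out.update(str(x) for x in two_by_two(n))
    total, joined = hop_step_and_jump(n)
    out.update({str(total), joined})
    return out


if __name__ == "__main__":
    for name, fn in [("pow kow leow", pow_kow_leow), ("get even", get_even),
                     ("take on the odds", take_on_the_odds),
                     ("pow tau pow buay", pow_tau_pow_buay),
                     ("backward rolls 1-2-3", backward_rolls_123)]:
        print(f"{name:22s} {fn(SAMPLE)}")
    print(f"{'two by two':22s} {two_by_two(SAMPLE)}")
    print(f"{'hop step and jump':22s} {hop_step_and_jump(SAMPLE)}")
    print(f"{'date 16/07/1982':22s} {date_to_number(16, 7, 1982)}")
    print(f"{'candidate constants':22s} {len(all_constants(SAMPLE))}")
```

Running the script prints each derived number next to its name; for 8214043 the whole menu yields nine distinct constants, which is why the posting stresses keeping both the source number and the chosen rule to yourself.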

Constant and Variables

The method of creating PWs and PINs is based on this formula:

PW/PIN = constant + variable

The constant consists of a number of characters that are applied to all PWs and PINs.  The variable, as the name implies, varies for each PW/PIN.  It can consist of characters that identify the website or organisation for which the PW/PIN is meant, so that creating it will be easier.  The total number of characters for a PW should be at least eight, but to be really strong it should be twelve or more.  PINs are often limited to six digits.  (See the posting on ‘Create Strong and Secure Passwords Easily’ for more information.)

The use of an unforgettable number to derive a new number for PWs and PINs is for the purpose of constructing a constant.  We want the constant to be easily recalled so that there is no need to write it down.

Applications

Applying the method in the Singapore context: let me use “8103” from example 4 above as my constant.

I will split it into 2 parts, a prefix and a suffix.  It can be any one of these:

[Image: options for splitting 8103 into a prefix and a suffix]

This constant can be used for both PWs and PINs.  For the variables, in the case of a PW, I use a word.  For ease of memory, the words for the variables may actually be the names of the organisations they are meant for.  For example, to access the NTUC Income portal, the word for the variable may be Ntuc.  So, I’ll have my PWs for the various organisations as follows, using option 3 to split the constant:

[Image: example PWs for Singapore organisations]

Some points to note:

  1. The name of the organisation should always have a mix of uppercase and lowercase letters.  For simplicity, the above examples have the first letter in uppercase.
  2. Make the PWs at least 8 characters in length.  If the name is short, add a letter or number at the end.  For the CPF and UOB examples, I add a ‘z’.  In the case of CDP, I add ‘$’ because it requires a special character in the PW.  Using the name of the organisation is a compromise, but it is for the sake of ease of recall.  However, considering that most organisations, especially banks, have a feature that locks the account after a certain number of failed login attempts, this compromise is quite acceptable.
  3. When I need to add a letter, number or special character, I will always use the same ones so that I’ll never forget.
  4. Do bear in mind that once you have decided on the method of manipulation used to work out your constant, and on how it is split into prefix and suffix, you must stick to that one method for all PWs.  There must not be different manners of manipulation for different PWs.  This is to make sure that there will be no problem recalling the PWs.
  5. Actually, many organisations, especially Government-linked ones and banks, now use the Singpass mobile app to verify a login without the need for a PW.  This means logging in to Singpass with a passcode or by biometric means (facial recognition or fingerprint).  If a passcode is used, it has to be secure.  Biometric means are more secure and convenient, although the passcode remains a backup in case they fail.

PIN

I will discuss this section in the context of ATM cards because the PINs are usually limited to 6 digits. Four ways of deriving the variables are discussed here.

  1. Positions of the letters of the organisation’s abbreviation in the alphabet.  For POSB, the number derived is 16151902.  Since my constant has 4 digits (taking the same example as above, 810_ _3), I require only 2 more digits.  So I’ll take only the first 2 digits and my PIN will be 810163.  If I had chosen a shorter constant, say ‘83’, then I’ll need 4 digits for the variable, which will then be 1615, and my PIN will be 816153.
  2. Numbers associated with the letters on the ATM number pad.  POSB will give the number 7672.  If I need only 2 digits for the variable, then I’ll take only 76.  [Image: ATM keypad]
  3. Character counts of the words in the name of the organisation.  POSB is Post Office Savings Bank, giving the character counts 4674.
  4. Shapes of the letters.  [Image: an example of associating the shapes of alphabet letters with numbers]  A reference list for your handphone can be downloaded here:

Convert alphabets to numbers

Examples

Here is a chart showing how the different conversion methods result in different PIN numbers, using the constant from “backward rolls one two three” with no prefix-suffix split.

Bank   Alphabet position   ATM/Phone pad   Character counts   Number shape
POSB   3401615             340767          340467             340905
DBS    3400402             340327          340114             340115
OCBC   3401503             340622          340777             340069
UOB    3402115             340862          340684             340209

If the converted number has more digits than required, drop the superfluous ones (the original chart shows these in red).

If there is no limit to the number of digits, then set your own so that you will have no uncertainty about how many digits go to the constant and how many to the variable.  Set a minimum of eight.
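The four-way list and the chart above, as an added example (not code from the original posting): alphabet position, ATM/phone keypad and character counts are implemented, and make_pin assembles constant + variable into a fixed PIN length, dropping the superfluous trailing digits as the chart does.  The shape-of-letters method is left out because its mapping comes from an image not reproduced on this page.  The full bank names used for the character counts (Development Bank of Singapore, Oversea Chinese Banking Corporation written without its hyphen so that each word counts separately, United Overseas Bank) are assumptions made here; the posting gives only the resulting digits.  The same counting rule also reproduces the phrase examples in the Red Herrings posting further down.

```python
"""Word-to-number conversions for PIN variables and constant + variable
assembly, reproducing the posting's POSB examples and chart.  Added
illustration; bank name expansions are assumptions, not from the posting."""

from __future__ import annotations

import string

# Standard telephone/ATM keypad letter groups (2 = ABC ... 9 = WXYZ).
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
KEYPAD_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}


def alphabet_position(word: str) -> str:
    """Two-digit position of each letter in the alphabet: POSB -> 16151902."""
    return "".join(f"{string.ascii_lowercase.index(c) + 1:02d}"
                   for c in word.lower() if c in string.ascii_lowercase)


def keypad(word: str) -> str:
    """Keypad digit for each letter: POSB -> 7672, honesty -> 4663789."""
    return "".join(KEYPAD_DIGIT[c] for c in word.lower() if c in KEYPAD_DIGIT)


def word_lengths(phrase: str) -> str:
    """Letter/digit count of each word: 'Post Office Savings Bank' -> 4674.
    Punctuation is not counted, so 'Amazon.com' counts as 9."""
    return "".join(str(sum(ch.isalnum() for ch in w)) for w in phrase.split())


def make_pin(prefix: str, suffix: str, variable: str, length: int = 6) -> str:
    """Assemble constant + variable into a PIN of exactly `length` digits.

    The constant is given as a prefix and a suffix (either may be empty); the
    variable fills the middle and superfluous trailing digits are dropped,
    which is what the chart does with its red digits.
    """
    room = length - len(prefix) - len(suffix)
    if room < 0:
        raise ValueError("constant is longer than the PIN length")
    if len(variable) < room:
        raise ValueError("variable too short to fill the PIN; pad it by your own fixed rule")
    return prefix + variable[:room] + suffix


# Full names are assumed here (the posting gives only the resulting digits);
# OCBC is written without its hyphen so that each word is counted separately.
BANKS = {
    "POSB": "Post Office Savings Bank",
    "DBS": "Development Bank of Singapore",
    "OCBC": "Oversea Chinese Banking Corporation",
    "UOB": "United Overseas Bank",
}

if __name__ == "__main__":
    # The two POSB examples from the list: constant 8103 split as 810_ _3, and 83 as 8_ _ _ _3.
    print(make_pin("810", "3", alphabet_position("POSB")))  # 810163
    print(make_pin("8", "3", alphabet_position("POSB")))    # 816153
    # The chart: constant 340 with no split, three conversion methods, truncated to 6 digits.
    for abbr, full in BANKS.items():
        print(abbr, make_pin("340", "", alphabet_position(abbr)),
              make_pin("340", "", keypad(abbr)), make_pin("340", "", word_lengths(full)))
```

The keypad and character-count columns of the chart come out exactly as printed above; the alphabet-position column is truncated to six digits here, whereas the chart keeps a seventh digit marked in red.  A variable that is too short to fill the PIN raises an error rather than silently producing a short PIN, so the padding rule you choose has to be applied explicitly.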

Using Your Name

Another piece of personal information we cannot forget is our name.  It’s of course a NO! NO! to use our names as they are.  What we can do, if we are Chinese, is to use the Chinese characters of our names.  The number of strokes in each character gives us three numbers if the name has three characters.  If we ignore the surname, we have two numbers, one for use as the prefix and the other as the suffix to form the constant.

For a name, let’s say, Lai Heng with these Chinese characters:

[Image: Lai Heng in traditional Chinese characters]

The numbers of strokes are 7 and 16.  Or, in simplified Chinese characters:

[Image: Lai Heng in simplified Chinese characters]

7 and 6.

So, there’s an option, which adds another layer of uncertainty for hackers to figure out.  Again, to emphasize, always stick to the option decided on.  Strictly use only this one for all PWs and PINs to make sure there’s no confusion that causes problems with recall.

In fact, not only for the constant: you may also use Chinese characters as a form of code for variables.  Use meaningful and auspicious phrases so that they are easy to remember.  It will not be too much of a risk even if you write it down.  To be realistic, it is impossible not to keep a list of the variables if we want to have different PWs/PINs for different systems or organisations.

A Quick Action to Strengthen Your Present PWs

Before you start to reconstruct your PWs/PINs to apply the system advocated here, you can take a quick action to strengthen your present PWs by adding a constant to them.  At once, you’ll have added more characters to your PWs.  This alone increases the number of permutations and makes breaking your PWs by brute force more difficult.

For example, take a PW that you have now; say it consists of 5 alphabet characters, and you add a constant consisting of 4 numerical digits to it.  A PW consisting of 5 characters is one out of 12.3 million permutations of 26 alphabet characters.  If some of the 5 characters are in uppercase, it’s one out of 387.6 million permutations of 52 lower- and uppercase characters.  You can see how the chance of a strike is 300+ million more difficult.  If we add 4 numerical digits to it, the strike chance is one in 1.04 x 10^14 (a 15-digit number).  A tabulation comparing how much time is required to break PWs of different lengths is shown here:

[Image: table of time required to break PWs of different lengths]

The calculations and estimates are made with the calculator in:  https://www.grc.com/haystack.htm
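A search-space calculator in the style of the haystack page cited above, as an added example (this code is not from the posting or from GRC).  The haystack convention counts every string up to the given length, so a password of L characters over an alphabet of N symbols sits in a space of N + N^2 + … + N^L.  Under that convention the figures quoted above are reproduced exactly: 12,356,630 for 5 lowercase letters, 387,659,012 for 5 mixed-case letters and, assuming the 9-character case uses lowercase letters plus digits (36 symbols), 104,461,669,716,084, which is the quoted 1.04 x 10^14.  The same function gives 1,111,110 for a 6-digit PIN, which at the assumed 1,000 online guesses per second is about 18.5 minutes, in line with the 19-minute figure quoted later on this page.  The guess rates are illustrative assumptions, not measurements.

```python
"""Search-space calculator (haystack convention: all lengths 1..L counted).
Added illustration; alphabet choices and guess rates are assumptions."""

LOWER = 26         # a-z
MIXED = 52         # a-z plus A-Z
LOWER_DIGITS = 36  # a-z plus 0-9 (assumed here to match the quoted 1.04 x 10^14)
MIXED_DIGITS = 62  # a-z, A-Z and 0-9
DIGITS = 10        # 0-9, for PINs

ONLINE_GUESSES_PER_S = 1_000              # assumption: throttled online guessing
OFFLINE_GUESSES_PER_S = 100_000_000_000   # assumption: fast offline cracking


def search_space(alphabet_size: int, length: int) -> int:
    """Number of strings of length 1..length over the alphabet."""
    return sum(alphabet_size ** k for k in range(1, length + 1))


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_s: int) -> float:
    """Worst case: time to try the whole space at a constant guess rate."""
    return search_space(alphabet_size, length) / guesses_per_s


def growth_from_constant(alphabet_size: int, old_length: int, constant_length: int) -> float:
    """Factor by which the space grows when constant_length more characters,
    drawn from the same alphabet, are appended to an old_length password."""
    return (search_space(alphabet_size, old_length + constant_length)
            / search_space(alphabet_size, old_length))


if __name__ == "__main__":
    print(f"5 lowercase letters:      {search_space(LOWER, 5):,}")         # 12,356,630
    print(f"5 mixed-case letters:     {search_space(MIXED, 5):,}")         # 387,659,012
    print(f"9 lowercase + digits:     {search_space(LOWER_DIGITS, 9):,}")  # 104,461,669,716,084
    online = seconds_to_exhaust(DIGITS, 6, ONLINE_GUESSES_PER_S)
    offline = seconds_to_exhaust(DIGITS, 6, OFFLINE_GUESSES_PER_S)
    print(f"6-digit PIN, online:      {online / 60:.1f} min")
    print(f"6-digit PIN, offline:     {offline:.6f} s")
    print(f"5 -> 9 chars, 62 symbols: {growth_from_constant(MIXED_DIGITS, 5, 4):,.0f}x")
```

These counts describe the space a blind brute-force search must cover; they say nothing about how guessable one particular choice is.  A constant produced from a personal number by a fixed rule adds length but not unpredictability, so, as the posting itself says later, keeping the source number and the chosen rule private is what the extra digits depend on.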

You can see that increasing the number of characters and including upper- and lowercase letters and numerical digits (even without special characters) would increase the strength of the PW many, many times.  So, a simple way of increasing the strength of your present PWs is just to add a constant to all of them.  Making the constant longer will ensure that your new passwords have twelve or more characters.  Work out a number from one of the examples above and add a memorable word to it, and you’ll easily have six or seven characters for your constant.

As an example, let’s say I select 340 (“backward rolls one two three” from 8214043) as the number and I add “Happy”, I’ll get “Happy340” or “340Happy” (the word must have upper- and lowercase letters to make sure that the eventual PWs will have both sets of letters) as my constant.  This already gives me 8 characters and my actual PWs (constant + present PWs) will be pretty unbreakable.  “Happy340” is surely unforgettable and does not need to be written down.

Other examples for the constant are: Peace340, Gemini340 (a Zodiac sign), Ofab340 (Old Friends are Best – first letter of song titles), Hdaha340 (Happy Days are Here Again), Abc340 (initials of favourite relative’s name), etc.

PINs usually require a specific number of numerical digits.  Hence it’s not possible to simply add more digits to them; it will be necessary to reconstruct them completely.  PINs are mostly used in a two-factor authentication (2FA) process, in conjunction with another distinct device/system such as an ATM card, an app on a mobile or a program on a computer.  A 6-digit PIN can be broken in 19 mins in the case of an online attack and in less than a minute in an offline brute-force attack.  This means the ATM card must be kept safe and the mobile phone login well protected, even though there are safety features that safeguard against unauthorised use.  Remember that ATM cards can be cloned, and a mobile phone can be subjected to phishing and other attacks that steal personal/confidential information and credentials or allow the attackers to take control of the phone (which enables them to intercept one-time passwords sent by the bank to authorise transactions).  In the case of bank apps on mobiles, wherever possible use biometric means (fingerprints or facial recognition) for login and authentication.

Lim Jun Han

Introduction

Passwords and PINs

Are you using one of those passwords that are described as weak here? http://www.pcworld.com/article/187354/Study_Hacking_Passwords_Easy_As_123456.html

Below is a list of the 500 worst passwords identified by security consultant Mark Burnett as being used by a lot of people.  (Perfect Passwords: Selection, Protection, Authentication by Mark Burnett and Dave Kleiman)

[Image: list of the 500 worst passwords]

These passwords are well-known to hackers and they will be in their database to check against when they perform a first attack to crack a password.

Why are these passwords weak?  The reasons are that they consist of:

  • common names, fully or partly
  • words in the dictionary
  • common swear words
  • characters in sequence or forming a pattern, either in numerical digits, alphabets or keyboard entries
  • only of one character set, either all alphabet letters or all numerical digits
  • many of them consist of only 4 characters and none has more than 8.

Many people use those easy-to-crack passwords because they have difficulty creating passwords that they can remember if they are long and complex.  It becomes a real problem if they try to use different passwords for different websites or portals.  They end up either using the same password for different systems or writing them down, which puts them at risk of compromise.

Personal Identification Number (PIN)

PINs are another bugbear we have to live with in this world of technology and computers.  At the least, we need them at the ATM to draw money.  Or, if you do not like to carry money, then at the shops to make payments through direct deduction from your account with a bank.  Again, lots of people end up using easily guessed numbers.  Nick Berry, a data scientist at Facebook, analysed the most and the least common numbers used as PINs. (http://www.datagenetics.com/blog/september32012/)

For 4-digit PINs, he found that the most popular number is 1234.  In the pool of 3.4 million 4-character passwords gathered for his study, almost 11% of them are 1234.  This means that with just one guess of this number, there is a 10% chance of making a hit.

Here is a table showing the top 20 most popular numbers being used:

[Image: top 20 worst 4-digit PINs]

They add up to 26.83%.  Like passwords, we can see why these PINs are weak.  They are digits in sequence or in patterns like aaaa and abab.

Nick also found that a popularly used method to generate PINs is to follow a convenient sequence of keys on the keypads.

[Image: convenient key sequences on a keypad]

Convenient key sequences for numbers:

2580

2046

1397

2486

http://www.sleuthsayers.org/2013/08/pins-and-passwords-part-1.html

PINs can range from 4 to 10 digits.  Similar weaknesses are found in PINs of more digits.

[Image: top 20 worst PINs of more than 4 digits]

In fact, PINs requiring more digits pose even more of a problem for people.  For 9-digit PINs, 35% of people use 123456789.  They probably find a random number of 9 digits difficult to remember.

So we can see that memory is the root of the problem.  Strong and secure passwords and PINs are not easy to remember, especially when they are not used frequently.  Try to remember this:

dabtflTS5/~UN

Difficult?  Well, you will not find it so if you know how to construct it.  I’ll show you how in the posting “Creating strong and secure Passwords”.

Here are the links to it and other postings:

Creating strong and secure Passwords

Creating strong and secure PINs

Other Ways of Converting Words to Numbers

Red Herrings

Other Ways of Converting Words to Numbers – old

Two ways of converting words to numbers are pointed out in the Method page (para 8 and 14).  In this post, I’m showing three more ways of doing it.

First, we can use the telephone keypad configuration which has the numbers  2 – 9 associated with letters of the alphabet as shown:

[Image: phone keypad]

For example, “honesty” will be represented by 4663789.

The easy availability of the keypad makes this a very convenient way.  One shortcoming is that ‘0’ and ‘1’ never occur in the numbers.  However, this may be turned into an advantage: insert them into the numbers to serve as red herrings.

The second way is the system used in mnemonics (memory techniques) to remember numbers.  The phonetic number system uses consonant sounds to represent the ten digits as follows:

Number  Consonant sounds              Memory aid
0       s, z, soft c                  zero starts with a Z
1       t, d, th                      t has 1 down stroke
2       n                             an n has 2 legs
3       m                             an m has 3 legs
4       r                             r is the 4th letter of four
5       l                             the 5 fingers of the hand make an L
6       j, ch, sh, soft g             a script j has a lower loop like 6
7       k, q, hard c, hard g, ck      k looks like two horizontal 7’s
8       f, v, ph                      a cursive f looks like a figure 8
9       p, b                          p is a mirror image of 9

W, h, y and the vowels have no value.  They are, however, needed to make words.  ‘h’ modifies the values of ‘c’, ‘s’ and ‘p’ if it comes immediately after these letters (ch, sh, ph).

In mnemonics, numbers are converted to words and a memorable story or sentence is made up containing those words.  The story/sentence helps the words to be recalled, and thus the number they represent.  In applying this system, the pronunciations and the sounds are what determine the values, not just the letters per se.  Hence there are rules concerning silent letters, double letters and the letter ‘x’, due to peculiarities of pronunciation.  For a better idea, please see http://www.memorizeeverything.com/core_skills/numbers/

The advantage of using this method, sometimes referred to as the major system, is that there is no counting involved.  When we look at the word, the number it represents will come to mind immediately.  Some amount of practice is required.  What it requires is a good understanding of English pronunciations.

The third method I am introducing is an adaptation of the phonetic system to help those who have difficulty with English pronunciation.  Instead of sounds, we can devise a system based on the shapes of the numerical digits and the letters.  Here is an example:

Number  Consonant        Memory aid
0       z, r             zero contains these 2 consonants
1       l                it looks like 1
2       n, h, v          these letters have 2 legs/horns
3       m, w             they are 3 lying on its side
4       x, y             4 has lines that cross
5       s                round up the kinks and 5 looks like s
6       c, j             c curls in the same way as 6, while j is a mirror image
7       k, t             k looks like two horizontal 7’s & script capital T looks like 7
8       f                a cursive f looks like a figure 8
9       g, b, d, p, q    9 looks like g and we put all the lollipops here

Here, all the consonants have values.  Vowels again have no value.

Some examples:

Carpenter        609270
Computer         63970
Telephone        71922
Football         87911
Chrysanthemum    6204527233
Wonderfulday     32908194
Dancing          92629
Positive         957

You can see that it is quite easy to get the hang of it, and the number comes very quickly.  This adaptation also suggests that we can create our own codes.  If you assign a different value to some of the letters, and it is quite easy to rationalize for them, you will have your own unique code.  Any variation raises the odds against hackers, and this indirectly makes the system stronger for everybody, because a hacking program would have to deal with additional factors.
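The shape table and the “create your own code” idea above, as an added example (not from the original posting): the encoder is table-driven, so the posting’s table and a personal variant are both just dictionaries handed to the same function.  Only the table is the posting’s; the encoder, the duplicate-letter check and the alternative table (swapping the values of f and s and moving z to 7) are constructed here for illustration.

```python
"""Table-driven shape code from the posting, plus a constructed personal variant.
Added illustration; SHAPE_TABLE is the posting's table, MY_TABLE is made up here."""

from __future__ import annotations

from typing import Callable

# The posting's table: digit -> consonants that carry that value (vowels have no value).
SHAPE_TABLE = {0: "zr", 1: "l", 2: "nhv", 3: "mw", 4: "xy", 5: "s",
               6: "cj", 7: "kt", 8: "f", 9: "gbdpq"}


def make_encoder(table: dict[int, str]) -> Callable[[str], str]:
    """Return a function mapping a word to its digit string under `table`.

    Letters absent from the table (vowels, and anything left unassigned) are
    skipped.  A letter listed under two digits would make the code ambiguous,
    so such a table is rejected up front.
    """
    lookup: dict[str, str] = {}
    for digit, letters in table.items():
        for ch in letters:
            if ch in lookup:
                raise ValueError(f"letter {ch!r} assigned to both {lookup[ch]} and {digit}")
            lookup[ch] = str(digit)

    def encode(word: str) -> str:
        return "".join(lookup[c] for c in word.lower() if c in lookup)

    return encode


shape_code = make_encoder(SHAPE_TABLE)

# A constructed personal variant: f and s swap values, and z moves from 0 to 7
# (a script z has a 7-like bar).  Any such change is easy to rationalise and
# yields a different code from the published table.
MY_TABLE = {**SHAPE_TABLE, 0: "r", 5: "f", 7: "ktz", 8: "s"}
my_code = make_encoder(MY_TABLE)

if __name__ == "__main__":
    for word in ["carpenter", "computer", "telephone", "football",
                 "chrysanthemum", "wonderfulday", "dancing", "positive"]:
        print(f"{word:15s} {shape_code(word):>12s}   personal: {my_code(word)}")
```

Applied strictly, the posting’s table gives 9572 for “positive”, since v carries the value 2; the posting lists 957.  The duplicate check matters when you build a personal table: a letter accidentally left under two digits would make the same word encode differently depending on dictionary order.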

Red Herrings

This blog is for the purpose of sharing a method of creating passwords and PINs that are easily recalled yet not easily hacked.  Unfortunately, this blog will also be read by hackers.  A well thought out and well-protected constant is perhaps the best defence.  There may be other strategies that can help make life more difficult for hackers.  I would like to offer a few here.

First, let’s look at the listing of variables.  Some may not be comfortable with the idea of putting the variables in a list.  It may be seen as a give-away.  But, think about it, it can also be used to mislead hackers.  Here are some of the ways to do it:

  • Only the first, say, 5 letters of the variables are applicable.  For example, the variable “I am a great guy”.  It becomes “mgrtgy” when the vowels are left out.  The real variable is “mgrtg”, the first 5 letters.  It can of course be the last 5 letters instead.   Also, instead of 5, it can be 3 or 4, or whatever.  Set your own rule and apply it to all cases.
  • List some of the letters in CAP, like “I am a GReat guy”.  The uppercase letters may only be a deception and do not mean anything.  Or, it may mean there is an uppercase letter somewhere.  Again, set your own rule what it means, i.e. the letter at which position shall be in the uppercase.
  • Make some exceptions to the rule of dropping the vowels.  Two examples of what we can do:
    1. Only vowels in one part of the constant-variable components are left out
    2. Only certain vowels are dropped.  For ease of application, keep only one, the rest are dropped
  • If you know the written script of a language other than English, you can add a few characters of that script to your entries.  For example, I can add the Chinese character for flower to my entry of “beautiful” to become “beautiful 花”.  It may be partly or fully significant, or not at all.  If it is to be significant, you can encode it as follows:
    1. 8 by stroke count
    2. 4421 by the 4-corner dictionary code
    3. 11 by adding  the 4 digits in “4421”
    4. 4 by recognizing only the first digit in “4421”

So “beautiful 花” can be any of these:

  • Btfl (the Chinese character is only a red herring)
  • btfl8
  • btfl4421
  • btfl11
  • btfl4
  • 4421 (when there is a Chinese character, ignore the English word)


Second, change the constant-variable format by interleaving the two, e.g. CONvariablestant.  I can mix the components about like these:

  • variaCONstantble
  • CONvstantariable
  • Cvariableonstant, etc


Third, encode one part of the constant + variable components into a number.  The main article suggests two ways to do it.  The letter positions in the alphabet method (para 14) can be used to convert both the constant and the variable.  The number counts of the letters in the words method (para 8) is suitable for a memorable phrase.  We can always use this method to create statements even referring to the particular website/portal so that it is easier to construct and remember.  Here are some examples:

  • I like to bank with Hongkong Shanghai Bank – (convert to 14244884)
  • We can get good bargains on ebay – 2334824
  • Amazon.com is my favorite online store – 922865
  • Thanks Google for Gmail, I can communicate with the world – 66451311435

Again, to make it more difficult for hackers, use only, say, the first 4 or 5 digits (similar idea to the first bullet point in para 2 above).


The above examples are essentially to make the method more hack-proof even when the hackers know the method.  As for applying the system, we will have to set our own rules so that we know exactly what to do when we have to think of a password and then when we need to recall it.  I have given several examples of how to go about encoding the passwords, but you only need to decide on one combination of two methods, one for the constant and one for the variables, and use just this one combination throughout.  Do not use more than one combination, to prevent confusion and uncertainty when you have to recall them.

I would like to invite contributions from readers if they have other strategies for encoding.  The more varieties of ways there are, the more we are making the job of hacking difficult.

The more we share, the more we gain!