Edit: I was contacted by *the* guy, Mike, who invented the password grids; see his comment below. He has republished his article here: http://www.vvsss.com/grid/ I recommend reading it first!
If you are really paranoid like I am, then you have a different password for every computer login and Internet site you subscribe to. Hopefully you are not one of the many people out there who use the same password for *everything*. That’s just begging to get your identity stolen.
For years I’ve struggled to come up with the perfect way to keep track of all of my 100+ passwords. Years ago I tried various free and commercial password-keeping products such as Passwords Plus, Splash! Wallet and MobiPassword, and I never really felt comfortable using any of them.
Since then I’ve used a simpler solution: an encrypted OpenOffice Calc (or MS Excel) spreadsheet. I encrypt the file with a master password and put all of my login and password information in it. This system has its own set of vulnerabilities. If I put the spreadsheet on a thumb drive and lose it, some hacker with too much free time might turn cracking the file into a hobby, and the master password is the only thing standing in his way. Once I decrypt the spreadsheet, its contents sit in RAM, and possibly in the swap file, as plain text. And when I had to enter a password on a website I would often copy it to the clipboard and paste it into the web form; the clipboard can be read by any other program running on the machine.
I know this sounds like an overly paranoid PITA, but that’s what I did. Until now. I’ve decided to take a more low-tech approach to remembering passwords. I found a web page about password grids years ago and thought it was a neat idea. I wish I could find a link to the site, but Google is failing me now. The closest thing I could find was a comment about it on this site. I never adopted the system before because it seemed a bit silly at the time. After trying all of the other methods and not liking any of them, I’ve decided to give the grids a try. And so far I like them!
The basic idea behind password grids is simple. Think of a pattern on an 8×8 grid that is easy for you to remember but hard for anyone else to guess. For example, here is a very simple pattern, the letter F, with the cells numbered in the order they are visited:
+-------------------------------+
|   |   |   |   |   |   |   |   |
|---+---+---+---+---+---+---+---|
|   |   |   |   |   |   |   |   |
|---+---+---+---+---+---+---+---|
|   | 1 | 6 | 7 |   |   |   |   |
|---+---+---+---+---+---+---+---|
|   | 2 |   |   |   |   |   |   |
|---+---+---+---+---+---+---+---|
|   | 3 | 8 |   |   |   |   |   |
|---+---+---+---+---+---+---+---|
|   | 4 |   |   |   |   |   |   |
|---+---+---+---+---+---+---+---|
|   | 5 |   |   |   |   |   |   |
|---+---+---+---+---+---+---+---|
|   |   |   |   |   |   |   |   |
+-------------------------------+
The pattern starts at the cell numbered 1 and ends at the cell numbered 8. Now that we have a pattern, we generate a random password grid:
+-------------------------------+
| x | ~ | d | [ | : | j | < | @ |
|---+---+---+---+---+---+---+---|
| ; | , | S | K | ` | a | f | n |
|---+---+---+---+---+---+---+---|
| f | ! | D | ! | u | 7 | 1 | A |
|---+---+---+---+---+---+---+---|
| ~ | s | V | a | 5 | N | k | v |
|---+---+---+---+---+---+---+---|
| V | 9 | | | K | | | o | y | a |
|---+---+---+---+---+---+---+---|
| K | J | H | " | s | r | ] | _ |
|---+---+---+---+---+---+---+---|
| Q | = | y | : | s | # | x | m |
|---+---+---+---+---+---+---+---|
| I | k | T | t | p | ? | T | w |
+-------------------------------+
(In the fifth row, the third and fifth cells contain the vertical bar character, which is easy to mistake for a cell border.)
With the random grid and the pattern we can derive the password: visit the cells of the random grid in the order the pattern dictates and write down the characters you find there. Cell 1 holds “!”, cell 2 holds “s”, and so on, so the password for this example is “!s9J=D!|” (the last character is a vertical bar). Eight characters is short, but the password mixes upper and lower case letters, numbers and symbols, as all good passwords should. Keep in mind what its strength rests on: someone who holds the card already knows the 64 characters it was drawn from (fewer, since some repeat), so against that person the password is only as hard to guess as your pattern is. As I mentioned above, the pattern you use should be easy for you to remember but hard for others to guess. Patterns can start at any location, move backwards, forwards or diagonally, and even skip around. Edit: I’m not sure I made this clear and it may be causing confusion. You only need to remember one pattern for all of your password grids. It would be insanely difficult to remember a different pattern for each grid.
Managing your passwords is also simple. Print out a page of random grids, one for each login you have, cut them out into cards, and put them in your wallet. If someone sees a password grid, they cannot derive the password without knowing your pattern. If your pattern is ever discovered, a password still cannot be retrieved without the grid for that password. So it’s a two-part system: both parts are necessary to get a password. The weak point is that one password plus its card reveals the pattern, and the pattern unlocks every other card in your wallet, so a password leaked by one careless site compromises the rest. You can also carry around blank grids in case you need to create a new login account while you are sipping coffee at the cyber-cafe.
I created a JavaScript program to generate the password grids. I chose JavaScript (and not Lisp) because it can generate the grids on the client side, without needing a server, and it makes printing the grids from the browser easy. Here’s a link to the program. It generates 9 password grids and lets you toggle upper/lower case letters, numbers and symbols. When printing the page, make sure you set it to shrink to fit.
If you like the system and want to use it, I recommend saving the HTML file to your local machine. I also highly recommend backing up the grids you use to a text file in case your wallet is lost; keep that backup somewhere encrypted, because together with your pattern it is every password you have.
I’m not sure how secure this system really is. With a complicated pattern it seems very secure to me. If anyone has an opinion I’d like to hear it.
Edit: If you have a system that works for you, that’s great. One person suggested grouping sites into high/medium/low and only memorizing the passwords for the highs. That works well when you have a small number of high-security systems. Password grids would be ideal for those high-importance passwords. I agree the password grid may be overkill for most people, but for paranoid people like me, it helps me sleep better at night.
October 23, 2006 at 12:32 pm |
Seems like a lot of effort to go to when you could just divide up your sites into “high”, “medium” and “don’t care at all”
High= email, banks etc
medium = social networking, regular contribution sites, blog etc
don’t care= news sites, “require registration” sites etc
October 23, 2006 at 12:34 pm |
Is this patentable?
October 23, 2006 at 1:07 pm |
Yes. Patent this quickly.
If there isn’t a patent on it, it should be priceless to corporations/colleges. Because the password sheet wouldn’t mean anything to the IT people, and it could be distributed easily.
I say that you call it OptiPass.
October 23, 2006 at 1:31 pm |
wouldn’t it be equally secure to use _one_ random grid for all your passwords?
I mean, you would have to print the site for which the password is onto the card with the corresponding grid anyway (how else could you tell which grid is for which login?). So using the same grid isn’t more prone to be hacked by brute force than using several grids.
Or am I wrong?
October 23, 2006 at 1:36 pm |
Patent-wise, as Anthony says, there’s a precedent here for prior art, so it wouldn’t be _his_ to patent. I found a couple of older references…
http://www.schneier.com/blog/archives/2006/02/passlogix_misqu.html
(2nd comment from the end, 2/15/2006)
October 23, 2006 at 1:48 pm |
I do this on the keyboard. It is much easier to recall a “path” along the keyboard for me than to remember a string of words with weird modifications. Or sometimes I make a pattern like on a piano, going up or down the scale, but in 2-D. You can incorporate a little of the context too if you are clever (initials, etc) which makes it even easier to remember.
October 23, 2006 at 2:28 pm |
Very thoughtful system. Great for institutions as mentioned. How would someone like me benefit since I keep my passwords neatly tucked away in secret pages of my address book completely outside the environs of my computer which I do not look upon as all that trustworthy?
October 23, 2006 at 3:36 pm |
I use Firefox to store my passwords. I have the master password written down on a tiny scrap of paper tucked away in a crack in a wall in a random building — if someone finds it, they won’t know what it is.
Then I set Firefox to forget my master password 5 minutes after I use it, so that someone can’t just waltz up and start nabbing my passwords.
The password grids sound interesting, but a little complicated.
October 23, 2006 at 4:51 pm |
Great Trick, I love it…
October 23, 2006 at 4:55 pm |
For high security I use different phrases for each account (email, bank, etc.)
Just so I don’t freak out about my memory, they are written, slightly encoded,
in my address book. Never, ever, entered on a computer except to actually login.
For the rest, I have a standard phrase which I combine with the site name
- a no brainer which does not have to be written down anywhere.
October 23, 2006 at 5:13 pm |
Sounds complicated for most folks. My method is to use crossword style clues. For each site, I record my user name in plain text but my password is shown as a clue that means something only to me. For example one might use the name of friend but the answer is the street where he lives. So “Jonathan Smith with punctuation” may change into Albert;Road with a semi-colon. I use Infoselect to keep all my odd notes on sites, account names and passwords, it is a very useful tool.
Only in the USA do they allow patenting after publication. You have one year to file and then have to prove you were first to invent – provides lots of expensive work for lawyers. In the rest of the world the patent goes to the first to file and prior publication invalidates a claim – a system I prefer.
October 23, 2006 at 5:48 pm |
Don’t rush to patent just yet.
I feel like this doesn’t solve the original problem. That is, you still have 100+ non-trivial things to remember, only this time it’s patterns on a grid instead of the passwords themselves.
Now you’re probably thinking “But, you only have to remember a shape instead of a 10 digit alphanumeric.”
While this is true, how long do you think it’ll be before you start forgetting and/or confusing the patterns you chose? “Wait, did the ‘Z’ start from the 3rd row, 4th column, or was it the 5th column? Was it 5 slots high, or 4? Crap, how wide was it again?”
Same cycle but different method. I guarantee after 10+ passwords you’ll be back to writing them down. Maybe it’s a little more secure, because of the two-level protection, but it’s certainly no more convenient. (And chances are it’s no more secure, too, since if you have to write the patterns down and keep them with you, and you have to keep the grid with you, then there you go– everything’s in one place, defeating the whole purpose.)
October 23, 2006 at 5:55 pm |
John,
Sorry, I didn’t make it clear in the original post that you are only supposed to remember a single pattern for all of your passwords. Memorizing more than one pattern would be a pain and, as you pointed out, easily forgettable. I made an edit to clear that up. Memorizing a single pattern was easy for me. I’ve been using the system for a few days now and I don’t think I will ever forget it.
October 23, 2006 at 6:45 pm |
This idea has serious flaws.
1. Your 8×8 grids have only 64 characters; furthermore, due to duplications your sample only had just over 50 characters. This is no better than having a password made up of only upper&lower case letters; if an adversary held the grid they know which ~50 characters to search.
2. The number of human-memorizable paths on this grid is not very great; far less than the number of possible words on this alphabet on ~50 letters. If the general method were known, it would be quite simple to brute-force all common and easy paths (letters, smiley faces, etc).
If the big problem for you is that there are 100+ passwords to remember, here’s a simple way to fix this:
Make one computer-generated randomized master password, and memorize it. For each of your 100+ other passwords, make a computer-generated master password. However, don’t print these out; instead print out these passwords XOR’ed with your master password. You can keep a list of all of these semi-public passwords in your pocket and not be afraid of losing them, as they are useless without the master. Then, when you need to type in a password, run a little app (that you write) that XOR’s the semi-public passwords with the master password, which you type in every time. If you’re worried about the clipboard, have the app produce its output in little GIF’s; that way only your eyes will see it.
October 23, 2006 at 9:41 pm |
Re: Patentable
Yes, there is prior art.
Recently, I stopped at an RSA booth at a trade show. They were showing their version of this and say that they were granted a patent on what they are selling and other preceding and surrounding work.
I do not have the time to do the research, but I know that these techniques date back decades and several have names. Not sure, but I think that the last ones that I looked at were Army Signal Corps things. I may have that wrong, but I know the techniques and their implementations have been around.
Anyway, thanks for the post, code…
October 23, 2006 at 9:45 pm |
[...] Today I came across a blog entry that offers a very good method to safely manage all of your passwords with only having to remember one simple thing: a pattern on a grid. [...]
October 23, 2006 at 10:36 pm |
just use the passwordmaker plugin for firefox. it will generate a strong random password based on a single master password and the website address you want the password for. there’s even an online version of the code, so wherever you are in the world you can retrieve any password for any site by remembering one simple private password.
makes all the paper in wallet stuff a bit redundant….
just go here….
http://passwordmaker.org
October 23, 2006 at 10:39 pm |
thanks for the article. I think I’ll love this method of storing passwords
October 24, 2006 at 12:36 am |
Another trick I use is I use the domain name of the website in my password but I type the letter one row above (and for numbers, I shift-number). So for my Yahoo password, it would be 6qy99 and for Gmail, it would be tjq8o. Of course, I add on a few additional characters to the beginning and end, but those additional characters are the same for every site. So you could pick 2 characters, say your birthday (mm/dd) and put those on the end using the same method above. For instance, if your birthday is 12/31 and you’re accessing your Hotmail account, your complete password would be !@y95jq8o#! . It can be complicated, but you’ll never forget your password since it uses your birthday and the domain name and it gives you a different password for every site.
October 24, 2006 at 1:06 am |
I also use Firefox, and while it works great for me, if I ever wanted to share a password it’s a pain. And the fact that I don’t know what the password is at all is a double-edged sword. I can see the use of this by companies, for example. Password sheets that are stored in a safe location for seldom accessed but needed things such as account passwords with vendors, web hosting logins, domain registrar management, etc. And only the managers or individuals who would need that information would have access to the sheets for one, and know what the pattern is for two. Great idea, whoever did first come up with it.
October 24, 2006 at 1:07 am |
I meant I use PasswordMaker.
October 24, 2006 at 1:21 am |
Sounds like a nifty idea. I have recently changed my approach to passwords – I now use a spreadsheet (Excel in this case) just like you used to.
Because I am a freelance web programmer I have passwords to a great many different resources. Many of the passwords I did not choose myself. Also, I have a dual-boot computer running Windows and Linux and I needed a good way to transfer passwords back and forth between the two OSs.
So I installed Truecrypt (http://www.truecrypt.org/) and used it to create an encrypted volume that is shared between the two operating systems. I keep my password file on this encrypted volume. The volume is encrypted with a long password that I have memorized and the encryption is strong enough to withstand attacks even from government agencies.
This is obviously far more complicated than most people require, and so most people would be okay with your idea. However, I would note one vulnerability in it: if someone gains possession of that sheet, they only have to crack one of your passwords to crack all of them, because getting access to just one of them would be enough to reveal the pattern which you are using for all the rest.
Of course, this same vulnerability exists in my system, however, there are far fewer break points in my system. If a hacker was determined enough, they may be able to gain access to the least-secure system where one of your passwords is stored, and use that information to get the rest of the information.
Then again, unless you work at the NSA, that’s probably not a problem!
October 24, 2006 at 2:13 am |
Anthony, really, you should jettison all those little scraps of paper and take a good look at Nik’s system. That’s very similar to the system I use. (Well, almost. In my system most letters are the same, and fewer are derived from either the site name or the account name, whichever one makes more sense.) This makes every password easy to remember. The passwords are always secure, always can be remembered, I don’t need my wallet or any paper or writing on walls or anywhere else, and every site gets a different password.
And I don’t have to look furtively left and right while thumbing through some dog eared little scraps of paper covered with numbers and letters. I mean, you probably do look a little bit crazed when you are doing that, you know. Did you ever see the movie “A beautiful mind?”
October 24, 2006 at 8:21 am |
Use Password Grids to Remember Passwords
Most internet users have serious troubles with passwords: they either choose to use the same password on all sites, use passwords that can be easily guessed by looking at the persons background or write all their passwords down to be able to look them …
October 24, 2006 at 12:50 pm |
I saw a blog post from a programmer a while ago on a similar topic. He simply passed the website name through a cryptographically secure hash function, to which only he knew the key (password). The hashed name became the new password. Simple and very effective!
October 24, 2006 at 1:01 pm |
[...] Remembering Passwords with Password Grids « The Blogmatic Programmer I found a web page about password grids years ago and thought it was a neat idea. I wish I could find a link to the site but Google is failing me now. The closest thing I could find was a comment about it on this site. I never really adopted the system be (tags: life reference tools) [...]
October 24, 2006 at 2:19 pm |
[...] Remembering Passwords with Password Grids « The Blogmatic Programmer (tags: security password grid) [...]
October 25, 2006 at 2:44 am |
[...] Remembering Passwords with Password Grids « The Blogmatic Programmer If you are really paranoid like I am then you have a different password for every computer login and Internet site you subscribe to. Hopefully you are not one of the many people out there that use the same password for *everything*. That’s just begging (tags: articles blogs internet privacy reference technology tips technology/software/security technology/software) [...]
October 25, 2006 at 8:09 pm |
Anthony was just talking about this here at work. He pointed out an issue with using a program to generate/manage passwords… What if the computer with the master program (FireFox or otherwise) on it is locked or you otherwise can’t get to it?
As much as we’d all like to believe that a paperless society is really possible, this is a prime example of how we’ll be needin’ pencil and paper (well, at least pencils) for a bit longer.
October 31, 2006 at 4:46 am |
Really, I recommend photographic memory. That way you don’t have to write anything down. Let’s see, what was I going to say next… oh, yeah, another good post. Keep up the good work; it is helpful and stimulating.
December 12, 2006 at 9:45 pm |
I like that method. My method is that I write the passwords and usernames on some paper and store it at the bank in my safe deposit box. Which is locked by a key and requires two keys to open. No one will steal my passwords!
If I forget my password, I tell the site to send me a new one in an email and start the process over again.
May 27, 2007 at 8:45 pm |
Hi! I just happened upon this site in a Google search for “password grid”.
I first disclosed this method in the year 2000, but I hadn’t realized that there was any interest in it so I took the page down a few years ago. I’m also the one who wrote about it on Bruce Schneier’s blog at http://www.schneier.com/blog/archives/2006/02/passlogix_misqu.html
I’ve just restored the page at http://www.vvsss.com/grid/ and added some comments at the end about the security strength, a way to make the grid more convenient to use, and an email address where I can be contacted. I’ll also monitor this blog for a while.
And no, I don’t think there’s anything worth patenting here, or indeed anything that CAN be patented. I’m just interested in sharing the idea.
Thanks for the interest!
Mike
May 29, 2007 at 4:50 am |
Mike, I’m glad you found this blog, and it’s good to see you republished your article about the password grids. It’s been a while since I made this blog entry, but I am still using the system. I had no plans on patenting the idea; it was not my own, it is yours! I hope I made that clear enough in my blog post.
I created the javascript program to make generating the grids easy. What do you think about using a computer to make grids, as well as storing backup copies of the grids on the computer, perhaps in an encrypted vault?
November 20, 2007 at 2:08 am |
Mike, something similar has been granted a patent (looks like a copy of your system, but for PIN numbers, i.e. the grid is displayed onscreen and you read the numbers corresponding to the pattern you chose and type them in, the grid numbers changing each time you use the machine).
It was patented in 2005 I believe; I’ve just been watching a program on TV about it. It’s called gridsure. You may want to look into this if you have proof of prior art.
May 28, 2008 at 10:03 am |
The link to the program seems to be dead.
March 21, 2009 at 4:21 am |
Here is a simple alternative which I think is foolproof. Have a few basic very good passwords in your mind that you will never forget. Now make a list, for example in Excel, of sites and usernames. In the password column for each of these, write something like “same as email password, but ending in a $”. (You might need to do this because the site requires passwords to contain some special character.) As another example, I have one that says “husband’s brilliant invention”. I know what that is, and my husband knows what that is, but anyone else encountering my Excel file will be completely in the dark. And then there’s “husband’s brilliant invention, but starting with a capital letter”.
April 22, 2009 at 6:54 am |
I can tell that this is not the first time at all that you write about this topic. Why have you chosen it again?