Prashant's Algorithm for Password Management
IntroductionWe've seen many forms of Social Engineering Attacks (SEA). The main aim of these SEA are to exploit the human vulnerability. The biggest vulnerability in Cyber Security is the human.Consider the following:
- There's significant increase in websites and, without thinking, many people make accounts on them.
- Problems arise when we see a warning message like "Choose an unique Password" yet we keep same password for each and every site.
- This is something we can't ignore.
- We can't remember hundreds and thousands of password for hundreds and thousands of site.
- Herein lies vulnerability.
Attack Scenario - 1Let's say that I'm an attacker and I've made a website: attackshop.com. Attackshop.com is the shopping website like most other shopping websites, and we gave a good discount in order to attract our customers. Once the user registers on the website, we'll certainly have their details. We've not encrypted the password and instead, have saved the password in clear text. This is something a normal user would likely never come to know about. We'll try with the same username, email and password to login to other websites. And since most of the users have memory problems, we can easily exploit them.During the user's registration, we can also ask for security questions and answers. The security questions would be taken from another popular websites. This will also give us an edge, as we'll get extra information about the user. Attack Scenario - 2Let's find a vulnerable website, perform various attacks and try to dump the database. If the database has stored the password in plain text, then this would be an added advantage for us. If it has been stored in encrypted format, then we'll try to decrypt it with many of the available online tools. If we're lucky enough to get more passwords and usernames, then we can perform further attacks (logging in other accounts). This was the attack that was performed by attacker and they got the Mark Zuckerberg's Twitter and Pinterest credentials stored in the LinkedIn database. Prashant has a Solution:This might sound very astonishing, but I do have a solution for this. I'll call this "Prashant's Algorithm." Now, before stating this, I must remind you guys that you can't stop a targeted attack, you can only delay it.I expect that most of you must be knowing about the Caesar Cipher. We'll mix the Caesar cipher technique to implement a new set of passwords and make it unique for each websites and easy to remember.Caesar is one of the oldest forms of encryption that came into light during the World War II. It's also known as Shift Cipher. Using this cipher tool, the letter or number is rotated by some number of positions. The general Caesar Cipher form is shown in table 1.
Table 1: Cryptography of a plain text using Caesar Cipher| | ROT 1 | ROT 2 | ROT 4 | ROT 6 |
| Plain Text | PRASHANT | PRASHANT | PRASHANT | PRASHANT |
| Caesar Cipher | QSBTIBOU | RTCUJCPV | TVEWLERX | VXGYNGTZ |
E(x) = x + n (1)E(x) = x – n (2)Equation (1) and (2) both describe the ways Caesar Cipher can be set. Here, ‘n’ denotes the number of shifts and ‘x’ is the present letter order.We'll use this encryption method to modify our password combination and make it more powerful. Assuming our unique password to be very strong and for this instance, we took the password as “Prashant$4007”. This password has the combination of alpha numeric and special symbols, with a case change. This makes it very tough for a Brute-force attacker to crack it.But, since the attacker is using their fake website as a method to learn passwords, it's easy for them to know this password and use it to exploit us. What we're doing is encrypting this password with the URL of the site using the Caesar Cipher technique.Suppose we're visiting the website facebook.com, so we can encrypt our password with the URL of the site. We'll also follow the ROT 1 method of the Caesar Cipher technique to encrypt our password. The reason for following the ROT 1 method is that it's easy and fast to apply.We'll take the two letters from our main password combination then add an extra bit from the first character of the URL after shifting the first bit by 1. If we happen to encounter a symbol, then we'll keep it as is. Let’s say we're visiting certain websites and our main password combination is Prashant$4007. The results are displayed in the table 2.
Table 2: The password combination for different sites| Main Password Combination | Sites we are visiting | Final password combination |
| Prashant$4007 | Facebook | Prgasfhapntb$4c00l7 |
| Prashant$4007 | Gmail | Prhasjhanntm$4b00h7 |
| Prashant$4007 | Twitter | Pruasuhasntj$4f00x7 |
Similarly this table can be modified by using the ROT 2 or higher rotation scheme. A person can even change the position. Here, we inserted after every 2nd letter. One can enter after each letter or may be after 3.
Conclusion:There can be infinite possibilities on how you use this algorithm to setup your password.
