Better Security, Harry Potter Style

We all know we shouldn’t use 1234 as our password. But we often don’t do the absolute best practice when it comes to passwords. After all, you should have some obscure strange password that is unique for every site. But we all have lots of passwords, so most of us use $pock2020 or something like that. If you know I’m a Star Trek fan, that wouldn’t be super hard to guess. [Phani] writes about a technique called Horcruxing — a term taken from the literary realm of Harry Potter that allowed Voldemort to preserve life by splitting it into multiple parts, all of which were required to bring an end to his villany. [Phani’s] process promises to offer better security than using a single password, without the problems associated with having hundreds of random passwords.

Most people these days use some form of password manager. That’s great because the manager can create 48 character passwords of random words or symbols and even you don’t know the password. Of course, you do know the master password or, at least, you better. So if anyone ever compromised that password, they’d have all your passwords at their fingers. Horcruxing makes sure that the password manager doesn’t know the entire password, just the hard parts of it.

Here’s how it works. Suppose you decide your personal horcrux string will be HamNCheese. That’s easy to remember and spell. It isn’t a great password all by itself. However, the idea is to never store that string in your password manager. Instead, you store a unique prefix and you have to add the horcrux.

If the password manager, for example, creates a password of 4337feeb90210, then you’d set the actual password to be 4337feeb90210HamNCheese. This means you’d have to set the password manager to not auto-submit the login form, of course. Once it filled in its part, you’ll have to add the extra string. Now if someone compromises your password manager, it doesn’t help them unless they also know your horcrux which, obviously, you should keep super secret.

This doesn’t help if someone phishes your password from you or otherwise intercepts it using, say, a keystroke logger. But it does seem like it has some value of preventing your password database from being a useful target. You’ll probably have to figure the best way to configure not only to prevent automatic submission but also to stop the password manager from helpfully trying to update your password every time you enter the horcrux, but that’s a small thing.

[Phani] doesn’t mention it, but it reminded us of the problem with security questions, too. It is reasonably easy to research people and find things like their mother’s maiden name or where they went to high school. The best solution is to have a made-up identity that you use to answer those questions. So your mother’s maiden name might be Pfffft and your older brother’s middle name might be MiddleName. The problem, of course, is keeping all that straight. Maybe you can store it in your password manager.

We’ve talked about odd ways to generate passwords before. If you can not lose a hardware device, that’s another solution.

27 thoughts on “Better Security, Harry Potter Style

  1. “This means you’d have to set the password manager to not auto-submit the login form, of course.”

    But fill in it’s part of the blank which it will warn you about since it has no understanding of horcruxing.
    There’s also the idea of using a password fob like a Yubikey to remember it so someone would have to have that as well.

  2. There used to be a python based password manager on 4chan’s /b/ of all places that worked not too dissimilar to this.

    You had a username and password to log into the password manager which it then used to seed the password generator which was fed with the url.

    Under the hood it used sha256.

    So I might login with ARossie and password ‘hunter2’.

    key = HMAC(‘ARossie’, ‘hunter2’)

    And for website ‘hackaday.com’

    username = HMAC(‘username: hackaday.com’, key)[:8]
    password = HMAC(‘password: hackaday.com’, key)[:31]

    That’s all similified massively there was a more complex key derivation system, and it would produce multiple passwords (to meet some charset requirements) by default it had some mechanism to produce a few capital letters in each password I think it used base encoding so there was always capitals and small letters and no confusing letters that looked like numbers.

    The idea was your username is generated as well as password (although you of course didn’t need to use the provided username). So so long as you remembered the original login ‘ARossie’ and ‘hunter2’ and consistent about getting the url.

    You could always regenerate your entire account tree.

    It was a good idea in theory especially because the code base was tiny enough to be auditted by anyone who knew python. It meant you could have alternative identities that were easy to recall and importantly – mind blowingly – it randomised your login username which is such a good idea to combat credential stuffing.

    Anyways ontop of this people would recommend pre-pending your passwords with a short personal password. Instead of using the multiple generated passwords you would have like ‘.’ to meet requirements of special characters.

    1. A salt is unique per password. A horcrux (or pepper, as this technique is commonly called in server side applications) is for the entire database.

      A salt makes each saved password hash unique so that efforts to crack one hash can’t be applied to others. It has to be stored near password hashes and usernames to associate the correct salt with each password (none of this applies to a password manager, since the raw passwords are stored).

      A pepper isn’t stored with the password hashes so even if the password database is breached the passwords remain secure.

  3. There is a risk to this approach, if your password on one site gets compromised and ends up on the web (where the other gazillions of compromised passwords flock around) the strength of all your passwords is dramatically reduced (remember exponential strength you gain with every character? that works the other way too).
    So i think it’s still best to use a good password manager and create unique long & strong passwords for every site. That covers 99% of my passwords. Some very important passwords i still memorize (and use password sentences). And for every site that supports 2FA it’s enabled of course. But i hope we can get rid of passwords all together in the next couple of years.

    1. Most 2FA is bogus. Usually involves sharing more personal info than you want sitting on someone else’s poorly defended computer. Only one I liked much are portable and independently implemented software tokens like Google Authenticator. You never get a choice either, our way or the highway.

  4. Honestly for most people this is a bad idea. The use a password manager, yes. Randomly create passwords, yes. Require extra typing? no. What does this gain you? Extra security if someone breaks into your password keeper? There are fixes for that… Use a good password and use two factor auth.

    All this does is make it harder to use a keeper and more likely someone will reuse a password or use an easily guessable password.

    Easy steps to protect your logins:
    1. Never reuse a password.
    2. Use MFA / 2FA any time it’s offered
    3. Use a password keeper.
    4. Never use accurate info on recovery questions. Use randomly generated words and store them in your password keeper

    A password keeper of any type – even just a sheet of paper – is better than reusing passwords.

    1. Well, I don’t think he is telling you to resume passwords. Just the horcrux. So my bank password might be 484839481#22X-Hackaday4Ever and my Gmail password might be 3394848428@ZZ22-Hackaday4Ever. The random part comes from the password manager.

    2. two factor being beneficial is often a myth with how many people use devices now – its all on the smart phone, and that phone number is the second factor – really limits the security of having extra factors… Lost your phone and the keys to your digital kingdom are usually gone with it.

      To me this concept is no more hassle than most password managers, particularly the on paper ones. with those you still end up typing it out. So having the password as stored need the one key you have to remember added is actually quite simple – and far more secure than most, as even if you break the manager/ find the paper notes you actually need to know something that shouldn’t be recorded anywhere.

        1. Don’t see how that changes the lost your phone (or your phone is leaking) at all – its still all on the one device, and if they have said device or its data they have your second factor and your first…

          1. As you said Iphone, I’d say probably – the number of horrendous security bugs Apple has been caught leaving in for quite some time means one is bound to cross my radar that will do the job in relatively short order. (Android isn’t exactly better but much more varied so a flaw revealed isn’t as likely to work, and many of the flaws in apply stuff have been really really stupidly debug passwordless admin access type stuff that I’ve never seen mention of on a droid OS)

      1. Significantly more people have access to the login form where I enter my password than my phone where I have my 2FA app, I don’t see how blocking their attempts would be anything but beneficial.

        1. All depends on how you use a smart phone – lots of people now seem to use it for all their computing, website etc tasks. So being both the accessing device (or password manager) and second factor means all of your secrets are on it.

          I’m not saying its completely useless even with poor use practices, but the way many people use a smartphone and how most websites/services offer a second factor does limit its protection significantly. Even more so if you phone is one of the many handsets riddled with now known security bugs but receiving no updates – you don’t even have to loose the damn thing for it leak all your secrets.

          Where if all your Phone has is the 2FA end, and the passwords are somewhere else, you are logging on via a different device then its a massive gain – as even if the access device has a keylogger all they get is your login details, without the method behind the 2FA being available the captured 2FA datapoint should (though might not be) meaningless. And if your Phone lets that precious 2FA data out that is all it can leak as it doesn’t know the passwords.

          If no one device holds all the required info, then 2FA really makes sense. But just bolting it into the same device that holds all the other data anyway means a single point of failure that can leak everything required on a failure (and with Apples security flaw history and the mess Android handsets have around updates this failure is actually depressingly likely). Still slightly better than just a password and username as its one more element an attacker must find, and means security flaws between your device and the service or in the service itself might not give up everything.

          1. You’re still describing a significantly smaller set of potential attackers than without it. Even if the phone has no passcode set and is lost, it’s still just one attacker who has it.

          2. Not really – you use it connected to the web, it knows all – doesn’t have to be a local flaw that is exploited. Wireless, tap to pay and other nfc points, even cellular spoofing can be used to target large numbers of people if the right exploit is found, as can bad apps on the stores, bugs in legitimate programs the attack vector list goes on – and from what little I know of the criminal scum they don’t keep that sort of data to themselves when they get it…

            Its still another layer that even under the worst use cases doesn’t harm security (at least I’ve never seen or heard of an implementation that terrible). But its not the magic fixall its often advertised as – and if all your eggs are in your one smartphone shaped basket (which for huge numbers of people they are) its a great target group well worth the effort to attack. Not likely to be a targeted at you specifically attack, just an attack on the found flaw in x spread as widely as possible – but if all your secrets are on the one device the right attack hands an attacker everything at once, and even less compete invasions are more risky to you as all the information is in there and might be revealed as you use the device etc..

  5. I use Google chrome. Should I ever have something so secret I’m worried Google will misuse it, I probably won’t send it via some random forum or on my YouTube channel, and I suspect there is basically zero chance that someone is going to use that information in a meaningful way.

    If you have some kind of protest that you’re organizing in secret, or you’re sending nudes you don’t want them to see, or something… Then yeah, but it’s not like Google will steal credit cards. I rarely discuss anything private or personal with anyone who isn’t already on Gmail and Facebook and surrounded by IoT listening devices anyway, so it’s not like I even *could* communicate privately without convincing them to switch.

    Maybe when Jami adds group text chats I’ll see if I can convince a few, mostly because I like the resilience against servers going down.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.