CyLab’s Manuel Blum advises: “Never memorize passwords. Compute them.”

Daniel Tkacik

Feb 1, 2017

“I never memorize passwords,” says Manuel Blum, a Turing Award-winning faculty in CyLab and a professor in the School of Computer Science at Carnegie Mellon University. “I may go to every other day, but I do not know my Amazon password. When I need it, I compute it.”

Blum presented his ideas on password-computing algorithms at this week’s USENIX Enigma Conference in Oakland, California.

During his presentation, Blum shared a story involving his wife, Lenore Blum.

“Lenore asked me for my password for REI, and I could honestly tell her, ‘I don’t know if I’m even registered with REI, but if I am, here’s my password,’” Blum said. “She called back later to say, ‘Yes, you’re registered!’”

I told her, ‘I don’t know if I’m even registered with REI, but if I am, here’s my password.‘ She called back later to say, ‘Yes, you’re registered!‘

Manuel Blum, Professor, CyLab and School of Computer Science, Carnegie Mellon University

Passwords shouldn’t be thought of as words or strings of letters, Blum suggests. Rather, they should be thought of as functions. The algorithm to compute the function is public, but the key to its use is private: only the owner of that key can produce their personal passwords. This can enable Internet users to have a completely different password for every online account, and they’ll never need to write anything down.

What allows these user-generated schemas to produce secure passwords is a unique and secret “key” such as a random 10-digit (phone) number. One schema involves shifting the ith letter in a website’s name by the ith digit in the key.

For example, suppose the telephone key is 246-135-0189. Simply shifting the letters in “EBAY” by this key would generate the password “GFGZHGAZMH.” To increase complexity without much mental effort, one could then replace every letter before “J” with a 0-9 digit, turning the password into “656Z760ZM7.”

In this manner, one may compute any unique, secure password for any website with (1) knowledge of the alphabet, (2) simple addition, and (3) a memorized key. And some practice.

Of course, many websites require that passwords have numbers, letters and symbols. For this, Blum suggests starting or ending every password with the same string of letters and symbols, like “aA1!” or “bB2@.”

“It doesn’t add to security, but that’s not why you need it,” Blum says. “You just need it to pass the password check.” And if you attach it to every password, then that string will be self-rehearsing.

Although users still have to put forth some effort, the point is that all of the work is done up-front, and just once. With practice, Blum believes that people who use this technique will never need to memorize another password again, and their passwords will be more secure.  Blum has a theorem asserting that an adversary would need to see seven website-password pairs on average in order to figure out the user’s private key.