Skip to main content
HashnodeKaizoku Dev

Command Palette

Search for a command to run...

Double Blind Passwords (aka Horcruxing)

Updated
8 min read
Double Blind Passwords (aka Horcruxing)
P
Phani Karan

Before we get into Horcruxing, here's a quick prologue on online security hygiene. You can skip to the Horcruxing section if it seems redundant.

Rules for Strong Online Security

1. Longer passwords (atleast 16 characters) are better than shorter ones

=> cutesamantha15101995 > cutesamantha

2. Randomized passwords are better than personally identifiable passwords

=> process-cancel-stingy-garnet > cutesamantha15101995

NOTE: process-cancel-stingy-garnet is technically a passphrase - basically an easy-to-remember password in comparison to randomized strings like B6fSpxMj&f6DU@5^k

3. Have a significantly different password for each account

Having the same password for different accounts is like using the same key for different locks. It beats the whole point of having multiple locks! Also, having different passwords but with only one easily guessable word different (like the ones below) still poses the same risk. The passwords should be significantly different.

bounce-unfold-stunning-chute        process-cancel-stingy-facebook
symptom-untouched-unpaid-arena  >   process-cancel-stingy-twitter
sediment-tweak-annually-koala       process-cancel-stingy-gmail

4. Use 2FA/MFA wherever possible

Both Google and Facebook offer a 2FA feature where you need the second factor only when you login from a new device or a new location, instead of needing 2FA every time. That's a rare combination of convenience & security right there! Most other sites also offer some variation of 2FA.

NOTE: Use the andOTP (or any other) app's TOTP as the second factor since it cannot be spoofed or spied on lock-screen like the SMS OTP and does not require a mobile network or internet connection. You can also use Biometrics (finger print or face recognition)

Woah! How do I create a long password for each of the bazillion websites out there, and have them significantly different and remember them? Security seems like such a pain in the ass!

[enter] PASSWORD MANAGER

A password manager helps you manage all your passwords in one place, either in the form of a browser extension, mobile app, or website. Good password managers will offer a browser extension and a mobile app with one-click auto-fill-login-page feature by removing the hassle of copy pasting or typing your login details. A few smart ones even detect phishing pages and warn you indirectly, by not showing the login details for such web pages.

They enable all the above measures for strong online security with ease. While I agree it takes some effort to set it up for the very first time. But, after that, it just flows like butter.


For example, password generator in BitWarden lets you custom design your random password in different flavours.

BitWarden's password generator

YAY! I'm Secure!

You meticulously move all your passwords and secrets to a trusted password manager. Finally, you can rest easy knowing that your digital life is truly secure. Or, is it?

What if
  • your master password (the password to your password manager) is compromised due to a security breach or you left it in plaintext on a post-it/ email/ notes app
  • someone gained temporary access to your unlocked system (computer or phone) when you stepped away to get that last coffee for the day and your password manager is still logged in for everyone to see

The answer: you're screwed. The cost of putting all your eggs in one basket is that it could all go into oblivion in one fell swoop. How do you overcome this challenge now?

Double Blind Passwords (aka Horcruxing)

For all his faults, Voldemort did one good thing for us muggles. He gave us the concept of a horcrux. For the uninitiated, a horcrux is any object in which you store a piece of your soul, putting the proverbial eggs of your soul into different baskets, to gain quasi-immortality.

The basic idea: You split your password into 2 parts - one which is stored in the password manager, and the other which is stored in your head (aka horcrux).

Basically, at any given point in time, you and your password manager know only a piece of the password. It's double-blind. In effect, just like You-Know-Who, you're splitting your password (soul) into pieces and storing them in different places.

BEFORE

# As stored in the password manager
username: rick
password: rollthepeople1732

# Actual credentials
username: rick
password: rollthepeople1732

AFTER

# As stored in the password manager
username: rick
password: roll-the-people-venus

# As stored in your head
horcrux: papel

# Actual credentials
username: rick
password: roll-the-people-venuspapel

The horcrux adds an additional layer of security that only you can unlock. It's a kind of 2FA. Again, the longer the horcrux the better. But, a simple word should also be fine as long as only you know the horcrux.

If it feels like too much effort, use a horcrux only for the most important logins - your social media, bank accounts etc.

One Last Thing

Security is never absolute. One can try to secure a system as tightly as possible, but never really say that it is fully secure (if you see someone claiming otherwise, it's mostly marketing bullshit). If we cannot make systems completely secure, the next best thing to do is to make them as secure as possible and a good way to do it is Defense In Depth - basically make sure that even if one layer of security is breached, there exist other layers to mitigate further damage - which is what we've tried to achieve all along.

Summary

1. Use a good password manager

I use BitWarden (since it is open source and costs just $10 a year for the PRO features)

2. Use TOTP/ biometrics instead of SMS-based OTP

I use andOTP (since it is open source)

3. Use a horcrux (a double-blind password) for the most important logins


P.S. Keep in mind that horcruxing only works fine until you connect your brain to NeuraLink and accidentally upload your thoughts online for everyone to see. :P

#security#passwords#privacy

Comments (19)

Join the discussion
R
Ridhik Govind5y ago

Okay so I have been using this method of making my own extra word, remembering it and adding it to password for sometime now and its been great. But honestly, I never knew this was "actually" a method that was used to give passwords an additional layer of security until I read this article. What an amazing article !

R
R. M.5y ago

This is good advice, and in fact I make and sell a line of offline password generator/recall rings, key fobs, bracelets and cards which help to do exactly this: https://www.tindie.com/stores/russtopia/

The advantage to these is that they are not software which can be hacked like password wallets, being completely offline.

A
AJ Henderson5y ago

It really isn't good advice though. Having offline generators and rings is a good idea. I suggested using 2FA and a Yubikey for exactly the same reason. Simply adding a bit of complexity to the "what you know" factor doesn't add much security because the means of compromise of one mean the other is also likely compromised, as well as some other problems I mentioned in my own main post.

R
R. M.5y ago

AJ Henderson As you correctly point out, just having a scheme to create randomness, plus a mentally-remembered 'horcrux' isn't 2FA. It serves only to keep full passwords from residing in one place.

My widgets were specifically created for people who are techno-phobic, who in my experience were resistant to using any sort of software wallet solution -- at least it gets them to stop using the same password or a trivial variant thereof, across all their accounts...

As always, defense-in-depth is important; each measure can serve to incrementally improve security.

A
AJ Henderson5y ago

R. M. yeah, to be clear, I think your devices are a good idea. My point was mostly that this original post isn't really that useful of an idea. Much better to harden the password storage instead, which is exactly what an offline device does for you.

1
A
AJ Henderson5y ago

I'm not seeing what this adds. This is the same thing as putting up 2 passwords and calling it 2FA (which it isn't). Under the vast majority of threat cases I can think of, you are either still screwed because they capture your login at the same time they capture your master password or you are stuck back with the problem of remembering a secure, non-guessable element for every account, which is exactly why password managers exist in the first place.

This is either ineffective, impractical or both depending on the threat you are trying to protect against. It's also trying to solve a problem that was already solved. This is exactly the reasoning behind 2FA/MFA and making sure that access to multiple things is needed.

It would be much better to get a Yubikey or similar and put your HOTP/TOTP secrets in to that so that it is physically isolated from your phone and the internet and thus can't be compromised without direct theft of multiple devices. You get the same advantages without the disadvantages and limitations of hanging your security on two of the same factor.

D
Dave5y ago

See https://arxiv.org/abs/1706.05085 - "Horcrux: A Password Manager for Paranoids".

J
Joseph5y ago

I had a related idea of how to do encrypted messaging: horcruxencryptedmessaging.jperla.com

1
A
AJ Henderson5y ago

For that system, you have to have a system you trust to make a cryptographically secure one time pad. If that software or hardware is compromised your entire system falls down still.

J
Joseph5y ago

AJ Henderson

Obviously that's true of any system you write your message on....

A
AJ Henderson5y ago

Joseph No, if the computer you write the message on isn't attached to the internet, you don't really care that much if it's a bad actor as long as it isn't expected that it has updates that might specifically target your scheme, but if you are going to question the security of the hardware in general, you should also be questioning the security of whatever you are using to generate your pad.

If you do accept things at the algorithmic level but not the client/protocol level, then you can get pretty close to the same by just nesting encryptions of a root key and use something like AES as well.

Mostly I was just pointing out that if you don't trust the cryptographic principles of your own clients, you still have a single point of failure on the cryptographic principles of the offline "magic wand", if you do trust the cryptographic principles of the machine, then you don't need the in-between steps necessarily.

J
Joseph5y ago

AJ Henderson

I already mention that the Magic Wand is an offline not internet connected device.

This supports the security attack profile even if the NSA for example has cheated and fixed your cryptosystem.

A
AJ Henderson5y ago

Joseph But it doesn't fix it. Even if offline, if the NSA has put a pattern in to the CNG of Windows for example and you use the randomness from that machine, they may be able to defeat it and thus defeat your one time pad.

Granted, you might be able to get around this by having multiple systems work together to form the one time pad, all offline.

J
Joseph5y ago

AJ Henderson

Please read the website. I already say the hardware should have a good random (ideally hw source) source of randomness.

P
Paul Serdiuk5y ago

This is exactly like salting hashes before storing them in a DB, quite clever.

A
AJ Henderson5y ago

Except that salting is only intended to make the use of rainbow tables inefficient. It doesn't add a security benefit beyond making it harder to attack an individual password. In this case, it's more accurate to say that in the compromised password DB scenario, this provides a very weak password as a protection against the main password being converted to effectively being a salt.

Unfortunately, that's not likely to do much if someone has both a compromised hash table and your main password and the simple "horcrux" would rapidly be found by brute force hashing given it is short and rememberable.

P
Priyank Gupta5y ago

While it is great advice/suggestion. Here is a catch that should be carefully considered. You can't have too many Horcrux phrases. Using the same one across all websites means that when a website handles your data irresponsibly and is leaked to hackers/unintended-users, then the phrase is ousted immediately and rendered useless (and leaving you under a false sense of security). So Horcruxes need to be used selectively. Not on websites that don't offer 2FA, but on websites/services where you trust them to handle your data responsibly. for example using the same Horcrux for a food delivery app and a banking app is a bad idea. They don't do the same threat modeling and possibly don't look at data privacy and security with the same lense.

S
Srinivas Kagitapu5y ago

This is cool Phani, I have an add-on technic for it. Use a fixed number like 4 or 5 along with Horcrux.After the password manager fills the password enter left-arrow 4-5 times (the fixed number that you have in mind) and start entering the Horcrux. You need to remember the number+Horcrux. Some of my colleagues were using it, I felt it super cool. Just incase anyone likes it. 2FA is a must these days BTW.

1
J
James Bartlett5y ago

Cool! I have an add on to your add on, instead of pressing the left key 4-5 times before entering the ‘horcrux’ - how about replacing part of the stored password? Eg, the first or last 4 characters?

D
Damien Murphy5y ago

Makes sense, reduces the possibility of the password manager being a single point of failure.

Also today I learned I can use a passphrase in bitwarden :-)

1
S
Szymon Adamiak5y ago

That is such a good title I had to click :) Great job!

2
P
Phani Karan5y ago

Thanks Szymon :)

More from this blog

K

Kaizoku Dev

2 posts