Dick Cappels' project pages http://www.projects.cappels.org
Return to HOME (Go to Wide Range of Topics on cappels.org)


Password ridiculous
A trick to improve Linux Password Security Via Remapping Of The Keyboard



Find updates at http://www.cappels.org/wide_range_of_topics/Home.htm
 
Contributed by Puddledud.

The Article

Password ridiculous - by Puddledud


Recently I got myself into a bind with the root password on my Linux Mint 13 Maya Cinnamon system.

I had chosen a UK keyboard mapping when I set up the installation. Then I found that a commonly used symbol - " - the quote used in specifying required search string delimiting etc. - didn't match the markings of the keyboard that I was using and so I decided to set the keyboard to the US keyboard mapping - in search of an easier life.

The net is great in this type of situation and I was able to find very helpful people making their contribution, posting their solutions to the problems they had encountered  and ready and able to tell me how to do what I wanted to do. I'm always grateful for this type of assistance.

This command string - does a nice job of changing the keyboard layout

sudo dpkg-reconfigure keyboard-configuration

It requires the entry of the root password or an administrative password before it will run. Then it is a matter of making choices and that is that.

Having made this change and feeling good about it I then discovered that I was no longer able to just type out the root password - changing the keyboard mapping had remapped one of the punctuation characters - in this case what had been the English pound sign - £ - was now the hash symbol - # - as the printed key marking on my actual US keyboard key had shown all the time.

Ah!

Suddenly I had no way of typing the root password - fortunately the base user on my system doesn't require a password so I was still able to use the system - but this state of affairs was unacceptable.

Back to the net for a solution.

There I found that the sequence CONTROL/SHIFT (held down together) and followed by the character sequence - u00a3 - typed while SHIFT and CONTROL continue to be depressed will very neatly produce the English pound character - £ - ; the decoding of the sequence is initiated by the release of the CONTROL/SHIFT combination after the unicode character sequence code for the symbol has been typed.

I know that this works because it is sufficient to enable me to enter my root password - even though I can not see what is being output.

Now all that is already on the net.

The thought I had was that people making password cracking programs could possibly shorten their task by detecting or even just guessing the keyboard layout in use on a computer before starting their cracking algorithm.

That in turn led to the thought that - fanatical or perverse people - could devise passwords to incorporate this technique for composing special characters - thereby making their own life more difficult and in so doing expanding considerably the range of characters which would need to be tested by a password cracker. I guess in one way the concept is not all that different for, like the monkeys charged with writing a Shakespearean play, given enough time, the result is the same for the symbols simply represent an extended character sequence. But in another way it is for in this situation time is of the essence.

This technique would certainly make it easier to remember an complicated password and may even tempt users to leave a copy of their passowrd in a readily accessible location in the expectation that other people would either not understand what they were looking at or not know how to enter such a password.


Following on in this train of thought, the password âåé£ß  can be entered as follows:

CONTROL/SHIFT <hold down>  u2030 <release> CONTROL/SHIFT <hold down>  u0152 <release> CONTROL/SHIFT <hold down>  u017d <release> CONTROL/SHIFT <hold down>  u00a3 <release> CONTROL/SHIFT <hold down>  u00a7 <release>

Surprise , surprise - I tested this - and it works to display the test string in gedit.

Masochists take note!

A further event led me to doubt what I have written and it took a while for me to work out what had happened for the given combination CONTROL/SHIFT <hold down> U00a3 <release> started to give me the colon - : - symbol. I was rather annoyed and puzzled - and my root password stopped working - but eventually it dawned on me that I had developed the habit of inverting the last two digits of the unicode sequence and had started to type CONTROL/SHIFT <hold down> U003a <release> instead of CONTROL/SHIFT <hold down> U00a3 <release>

Another instance of human error! - and a warning about the unforgiving nature of this technique!

Users of this process are advised to proceed with caution. It would be wise to test thoroughly on your own specific system before commiting yourself. (Interesting choice of word that - commit!) A user should make sure that they know which symbols are in fact being entering and test the whole exercise by creating a dummy user before relying on the procedure.

It is possible of course to enter a symbol combination which is only thought to be known. Such a symbol sequence can also be reproducable but at the same time it may be different from what the user thinks is being entered. I tested the actual symbols being encoded by typing the sequence in gedit so that I could see that the sequence I thought I was entering was in fact what was entered on my system.

I would expect the technique to be applicable in a wide variety of Linux and UNIX based systems. I have used it only under Linux Mint 13 Cinnamon.

Feedback on the applicability of the technique to: Mac OS X, Ubuntu and other Linux variants might be an interesting exercise if anyone doing their own experimentation is interested in providing it.


Return to HOME (Go to Wide Range of Topics on cappels.org)

Article copyright ©2012 by Puddledud. First posted on August 12, 2012 on cappels.org
Return to HOME

You can send  email to Dick Cappels at projects(at)cappels.org. Replace "(at)" with "@" before mailing. I can forward email to Puddledud.

Keywords: Linux security, keyboard remap, security enhancement, password security, Linux password,
  Liability Disclaimer and intellectual property notice
(Summary: No warranties, use these pages at your own risk. You may use the information provided here for personal and educational purposes but you may not republish or use this information for any commercial purpose without explicit permission.) I neither express nor imply any warranty for the quality, fitness for any particular purpose or  user, or freedom from patents or other restrictions on the rights of use of any software, firmware, hardware, design, service,information, or advice provided, mentioned,or made reference to in these pages. By utilizing or relying on software, firmware, hardware, design, service,information, or advice provided, mentioned, or made reference to in these pages, the user takes responsibility to assume all risk and associated with said activity and hold Richard Cappels harmless in the event of any loss or expense associated with said activity. The contents of this web site, unless otherwise noted, is copyrighted by Richard Cappels. Use of information presented on this site for personal, nonprofit educational and noncommercial use is encouraged, but unless explicitly stated with respect to particular material, the material itself may not be republished or used directly for commercial purposes. For the purposes of this notice, copying binary data resulting from program files, including assembly source code and object (hex) files into semiconductor memories for personal, nonprofit educational or other noncommercial use is not considered republishing. Entities desiring to use any material published in this pages for commercial purposes should contact the respective copyright holder(s).


Free Hit Counter
Free Hit Counter