2011-09-04

Keymap-independent passwords

In my job I have to remotely administer a lot of servers, using every kind of access method: VNC, RDP, Avocent, VMware remote console, PC Anywhere, even one nested inside another.
Every server might have a different keyboard, based on the country it's in.
Nested remote consoles and tools that give access to the physical console of a server often mishandle the Caps Lock key.
Pair a faulty Caps Lock with an unknown keymap and a rigid account lockout policy, and one more attempt to enter the correct password may result in a locked account.
Sometimes even typing the password into the clear-text username field first, to check it, is not an option, because people at the remote site might see the console.
So I've begun thinking about passwords that stay unchanged across different keymaps.
The rules are:
1) you can't use keys that are different from one keymap to another
2) only lowercase letters, because the shift and caps lock keys can't be trusted

I've checked the most used European keyboard layouts (Italy, Germany, UK, Spain), plus the default US keyboard (here Wikipedia is our friend: http://en.wikipedia.org/wiki/Keyboard_layout).

The invariant keys are:
!$%
1234567890
QWERTUIOP
ASDFGHJKL
XCVBNM,.

If you add the French keyboard to the mix, the list gets even shorter, as French people like to distinguish themselves:
1234567890
ERTUIOP
SDFGHJKL
XCVBN


But how much security do you give up by using keymap-independent passwords?
A commonly used policy of 8-character passwords, using all the standard ASCII characters (32-126 for a total of 94), leads to 6.095689385×10¹⁵ different passwords.
Using the reduced charset of the non-French keyboard mix you have only 39 characters: to obtain a similar complexity you will have to use a 10-character password, with 8.140406085×10¹⁵ different passwords.
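
The length calculation above, carried through for both key lists, as an added example that is not part of the original post. The function names are hypothetical, the letters are lowercased per rule 2, and it goes slightly beyond the text by also computing the length for the list that includes the French keyboard and by checking an existing password against the invariant set.

```python
import secrets

# Key lists copied from the post; letters lowercased per rule 2.
INVARIANT = "!$%" + "1234567890" + "qwertuiop" + "asdfghjkl" + "xcvbnm,."
INVARIANT_WITH_FR = "1234567890" + "ertuiop" + "sdfghjkl" + "xcvbn"

# Baseline from the post: 8 characters out of 94.
BASELINE = 94 ** 8


def min_length(charset_size, target_space=BASELINE):
    """Smallest n with charset_size**n >= target_space (exact integer math)."""
    n, space = 0, 1
    while space < target_space:
        space *= charset_size
        n += 1
    return n


def generate(charset, target_space=BASELINE):
    """Random password from charset, at least as large a keyspace as the target."""
    length = min_length(len(set(charset)), target_space)
    # secrets uses the OS CSPRNG; random.choice is not suitable for passwords.
    return "".join(secrets.choice(charset) for _ in range(length))


def offending_chars(password, charset):
    """Characters of an existing password that are not in the invariant set."""
    return sorted(set(password) - set(charset))


if __name__ == "__main__":
    for name, cs in (("IT/DE/UK/ES/US", INVARIANT), ("plus FR", INVARIANT_WITH_FR)):
        n = min_length(len(cs))
        print(f"{name}: {len(cs)} keys, length {n}, {len(cs) ** n:.3e} passwords")
        print("  sample:", generate(cs))
    # Constructed sample password, checked against the invariant set.
    print("not invariant:", offending_chars("Zyx#qa1", INVARIANT))
```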
