I'm finding more and more "e-commerce" sites that ask me to set up an "account" with a password before I can make even the simplest one-time purchase. This means that I need an unlimited supply of secure passwords, and a way to remember them forever, just in case I might decide to do business with the same site again someday. Of course the best passwords are random strings, which are the hardest to remember.
A while ago it occurred to me that I needed a machine-readable one-time pad (in the sense that each password would only be assigned to one site, and would be a random string), and that the best way to do that would be with barcodes. Each time I assigned a password to an account, I would write the name next to the barcode, and store them in some kind of (paper) file. I've now tried this, and I can report that it works, and that a barcode reader can be purchased for as little as $70 (about half of what they cost a year ago).
After I started thinking about this, I ran across this paragraph in Bruce Schneier's book "Secrets and Lies" (chapter 9, p147):
"There is a knee-jerk reaction to writing passwords down in the security community, but if done properly this can improve security considerably. Someone who writes his password down turns something he knows (the password) into something he has (the piece of paper). This trick does allow him to use longer passwords, which can make passwords actually secure again. It does have all the problems of a simple token: It can be copied or stolen. It doesn't work if Alice writes her password on a yellow sticky attached to her monitor. Much better is for her to put her passwords in her wallet; this can be secure. Probably the best solution is to have two parts to the password: one part remembered by Alice, the other part written down in her wallet."
Schneier's book doesn't address the issue of typing long random strings without making mistakes, which is where the barcodes come in. But he later wrote a free program called "passwordsafe" that encrypts all of your passwords and stores them on your hard drive, so you only have to remember one "master" password (the "safe combination"). The appropriate password is then copied to the clipboard, and from there to the application requesting it.
An encrypted password file has the advantage that it's secure against someone snooping around in your wallet. But your master password unlocks the whole thing, so it had better be hard to guess. Information on passwordsafe is available at: http://www.schneier.com/passsafe.html and http://sourceforge.net/projects/passwordsafe/. Passwordsafe is currently maintained by Jim Russell.
It's a good solution, but I still like the barcode idea :-). In particular, I prefer scanning a barcode to going clicky-pointy all over the desktop to retrieve a password, and someone would have to break into my apartment to be able to steal the (paper) file. If you kept the barcodes in your wallet, they'd have to steal your wallet, in which case they'd also have your credit cards. I'd be interested in anyone's comments about this.
Other things I've learned along the way:
* Most barcode readers use a "keyboard wedge" interface, which means they connect between the keyboard port and the keyboard, and their output appears as keyboard input. PC-AT, USB, ADB and RS232 interfaces are available. Laptops usually allow external keyboards, but in a few cases they might require an actual keyboard to be plugged in along with the barcode reader.
* Recent versions of Windows can treat RS232 input as keyboard input. See the control panel under "Accessibility Options", click on the "general" tab, and look at "serialkey devices".
* "Wand" type readers require some practice to use, because they have to be moved across the bars at almost-constant speed. CCD type readers are easier to use and cost about the same, but the wand type might be preferred for laptop users. Laser scanners are more expensive and are intended for industrial use; some of them can read barcodes from 30 feet away.
* A number of sites advertise "inexpensive" barcode readers, but they seem to have wildly varying definitions of "inexpensive". There are several models available for less than $150, so I wouldn't bother with anything that costs more than that unless you have a specific need for it.
* I ended up buying the ID Tech "Econoscan" CCD scanner for $70 from http://www.totalbarcode.com/. Like most readers, it can be programmed by scanning special barcodes from the user manual (which appears to have been translated by someone whose native language was not English). ID Tech is at http://www.idt-net.com/.
* By default the "Econoscan" appends a CR to the data, but this can be disabled ("Group 11" in the manual), and you probably don't want it for filling in web forms.
* A list of shareware and "demoware" programs to print barcodes can be found at http://www.barcode-1.net/pub/russadam/share.html, including GNU-Barcode, which is free. I'm using a commercial program called "Label Magic" from http://www.digitalcandle.com/ , which only costs $25 if you download it from their website, and which can read data from a text file and print it out as barcodes (some other programs don't allow variable data in barcodes). Generating a list of random strings is left as an exercise for the reader :-).
* I got good results from my cheap inkjet printer by using glossy "premium inkjet paper" and setting the printer to its highest quality mode. I did NOT get good results on plain (matte) paper. (Later note: plain paper works OK with a laser printer.)
* Most barcode symbologies encode only numbers or numbers and uppercase letters, but "Code 128" encodes the entire ASCII set. This would appear to be the best choice for passwords.
* I planned to store the barcodes on business-card-sized slips of paper, stored in vinyl sheet protectors made for that purpose. I found that I could read the barcodes easily through the vinyl if it's clear, but not if it's frosted. Note that the toner from laser printed pages sometimes sticks to vinyl; I don't know about inkjet ink, but I'll know in a few years...
* More general information on barcodes is available at: http://www.barcode-1.net/pub/russadam/barcode1.cgi and http://www.barcodeman.com/index.php
* I have no connection to the companies mentioned above, except as a customer.
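Two of the points above invite a worked example: generating the list of random strings for the label program, and checking that what gets printed is really Code 128 (the one common symbology that covers the full ASCII set). The script below is an added example, not code from the original page or from any of the products mentioned. It draws passwords from the operating system's CSPRNG over the printable, non-space ASCII range that Code 128 code set B encodes directly, reports how much entropy a given length buys, and computes the Code 128B symbol values (start, data, check symbol, stop) so you can confirm a barcode program's output against a known reference. The alphabet choice (ASCII 33 to 126, 94 symbols) and the default length of 16 are assumptions made for the example.

```python
import math
import secrets

# Code 128 code set B encodes ASCII 32..127 directly (value = ASCII - 32).
# We use the printable, non-space subset so a scanned password can never
# start or end with a blank that a web form might silently trim.
ALPHABET = "".join(chr(c) for c in range(33, 127))  # 94 symbols, an assumption

CODE128_START_B = 104
CODE128_STOP = 106


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy, in bits, of a uniformly random string of this length."""
    return length * math.log2(len(alphabet))


def random_password(length=16, alphabet=ALPHABET):
    """One password from the OS CSPRNG; secrets.choice has no modulo bias."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def code128b_values(text):
    """Symbol values for `text` in Code 128 code set B: start, data, check, stop.

    The check symbol is the weighted sum of the start code (weight 1) and the
    data symbols (weights 1..n), reduced modulo 103.
    """
    if any(not (32 <= ord(ch) <= 127) for ch in text):
        raise ValueError("code set B can only encode ASCII 32..127")
    data = [ord(ch) - 32 for ch in text]
    check = (CODE128_START_B + sum((i + 1) * v for i, v in enumerate(data))) % 103
    return [CODE128_START_B] + data + [check, CODE128_STOP]


def code128_check_symbol(text):
    """Just the check symbol, handy for comparing against a reference encoder."""
    return code128b_values(text)[-2]


def password_sheet(count=10, length=16):
    """One password per line, ready to be fed to a label program as a text file.

    Each line is its own one-time entry: a password is written next to its
    barcode once and never reused, which is the whole point of the pad.
    """
    return [random_password(length) for _ in range(count)]


if __name__ == "__main__":
    print(f"{entropy_bits(16):.1f} bits of entropy per 16-character password")
    for pw in password_sheet(5):
        print(pw)
```

A 16-character string over this alphabet carries about 105 bits of entropy, far beyond anything an online guessing attack can reach, and the check symbol lets you confirm that a printed barcode matches the text line it came from: the reference string "Wikipedia" in code set B, for example, yields check symbol 88.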