Steve Gibson of GRC.com has created yet another masterpiece of technology. His “Off the Grid” paper-based password generation system is amazing and once printed out, amazingly low-tech, even to the point of being effectively no-tech, as it requires only a piece of paper with the specially generated and one-of-a-kind grid printed on it (I would suggest laminating it with something that is friendly to dry-erase or erasable markers/highlighters). You trace out the path of, to use his example, ‘amazon’ to shorten the URL of amazon.com, using a finger, or something else convenient and which won’t mark-up your grid (thus my suggestion of laminating it).
Here’s one of the unique grids that his system generates:
Now, seeing that somewhat daunting image above, you’re probably thinking “How the hell do I use that?”. I know at first-glance it is daunting. But, if you follow the directions given HERE (I can’t give clearer instructions than the guy who invented it, so I am not going to try), you’ll pick it up quickly. Go ahead, I’ll wait 🙂
Now that that’s done… You DID go and look at that site, right?… We can go through and look at what happens when we take ‘amazon’ as an example on the grid above.
First, we go across the top set of blue letters and look for the ‘a’ (note that we’re ignoring the letter’s case, for now), finding that, we go vertically to the letter ‘m’, then horizontally to another letter ‘a’, then vertically to the ‘z’, horizontally to ‘o’, then lastly, vertically to ‘n’. No changes here so far, right? Right.
Here’s what we have so far:
Next, we’ll go through and spell out ‘amazon’ again, also ignoring case, but paying attention to the case of the letters that we capture after we find our key letters. For example:
Now, what you see above is not including what Steve refers to as ‘overshoot’ zones. These are the ‘key’ (probably a pun intended there) to the encryption process that he recommends. I’ll show those below:
Now here’s the fun part. Based on what we have done so far, by pathing this out as we have, is we’ve developed a key for ‘amazon’. What is the key? Follow with me through the grid above, along the green path, pay attention to how the overshoot is read, it’s read according to what you cross first for each one. For example the first ‘a’ in ‘amazon’ has the letters ‘vh’ after it, and read in the order of encounter… I’ll explain further in the next step.
Continuing on to the letter ‘m’ in the green path we see the letters ‘dI’ following it, again note the order that we read those, it’s important for later where I add to this scheme.
Now, if you keep going and following the green path and reading the overshoot letters properly, you’ll get the following results: ‘vhdIKWMpFRLr’. I’ll break that into pairs for you: ‘vh-dI-KW-Mp-FR-Lr’.
Now, using just what we’ve done so far, you already have a very strong encrypted password for use on amazon.com.
What I’ll be presenting from here on is an additional layer to that encryption scheme, using the password that we just generated as the key to that. We can use this additional layer as ‘salt’ for the password, or as a kind of substitution code for the password that we have already.
Here’s how what I have in mind works:
Take each pair of letters as broken down above as a set of coordinates. For example, we’ll take ‘vh’ as the first set, since that is what it is. Then we plot those coordinates using the first row of blue letters on the grid as the X axis, and the first column of blue letters on the grid as the Y axis. We should get the following:
I’ll post each path result separately, so that you can follow my logic and reasoning for this idea. Be ready for a lot more images: 🙂
As a result of plotting out ‘vh’ on the grid above, we get the letter “Q” as the output. Write that down below where you have ‘vh’ written on your paper, if you do.
Now, let’s do the same with the next set ‘dI’:
Note that for our purposes, the initial coordinates are ignored as to case, this is ok, since the 26×26 grid can’t cover both upper and lower case. We DO want to maintain case sensitivity if using the password as-is without these additional steps. We also want to keep them case-sensitive when using with these additional steps when we go to finally add the ‘salt’, which we’re in the process of generating, to them.
Now, I’ll go ahead and give you the remaining grids, next is KW:
Now for Mp:
Next is FR:
Finally, we have Lr:
Now that we have all the letters that we need, we need to do something with them…
Remember the password that you originally generated using the grid? No? Well, here it is again: “vh-dI-KW-Mp-FR-Lr”, also we have the results of our salt generation using the password as a set of coordinates: “Qyqcnp”.
What can we do with the salt? We can append it to our password: ‘vhdIKWMpFRLrQyqcnp’
We can replace every other letter of the password with a letter from the salt, to further obfuscate the password we originally generated: ‘vh-dI-KW-Mp-FR-Lr’ becomes ‘vQ-dy-Kq-Mc-Fn-Lp’.
We can try any number of other alternatives, which I leave to you to discover.
Thank you for reading this and I look forward to any feedback on this little variant I have on Steve Gibson’s amazing ‘Off the Grid’ paper password generation system.
Until next time, surf safe 😉