Password management is challenging, even for famous magicians. Teller, of Penn & Teller, tries to conjure a viable system...
Imagine we’re at a cafe. I hand you a pencil and a pad of paper. I ask you to write your laptop’s password on the pad, rip off the sheet, fold it up and keep it safe in your pocket while I go place our orders for caffeine-laced milkshakes.
Later, I ask you to hand me your laptop. I turn it on, look dreamily into the distance, slowly type in your password and comment admiringly on your late-night browsing choices.
“That,” I say with a smile, “is why security experts tell you never to write down your password.”
I don’t need to be a computer geek or have the budget of the NSA to accomplish this prank. The method is more than a century old and was devised by crooks—specifically, spirit mediums trying to get the dope on their clients. The medium would prepare a notepad by rubbing the back of the top sheet lightly with spermaceti wax (it was a tough time for whales). Then the medium would hand a pencil to the client and ask her/him to write down a secret question for a departed loved one and keep the question secure.
Later, the rat-bastard would “channel” a message from the dead, such as, “Your dear wife says, ‘Don’t worry about our children. They will thrive without your help. Sell the house and invest in Dr. Slade’s diamond mines.’ ”
When the client wrote on the first sheet, the pressure left an invisible copy in wax (today, we use soap) on the second sheet. The medium took back the pad, left the room to “get a glass of water” (or, in my case, to fetch the frosty frappés) and secretly dusted the wax impression with powdered lead (I use something less lethal). The dusty particles stuck to the residue and revealed the writing.
Such information piracy was possible a hundred years ago, so how can I possibly defend myself from genius archfiends who are bent on stealing my passwords today? As a magician, can I use my tool kit to keep my information safe?
The overarching principle of magic is that magicians are willing to go to more trouble to pull off a trick than any spectator would think the trick is worth. We cripple our hands with years of practice just to make a dime disappear.
I could apply this too-much-trouble principle to my passwords by simply memorizing them all. That’s not as impossible as it sounds. Memory training is one of magic’s strongest methods. If I can glance at a hand of cards or the serial number of a dollar bill and commit that info to memory in the blink of an eye, I have quite a potent tool.
Memory is sometimes even presented as a trick on its own. The legendary New York magician Harry Lorayne greets his audience members—often numbering in the hundreds—as they arrive, then finishes his show by calling every single person in the theater by name. He’s written half a dozen books on mnemonics (e.g., “The Memory Book,” “Ageless Memory”), and I recommend them.
The general principle of this kind of rapid memorization is to translate neutral information into vivid images, then to recall the images and translate those images back into the information. To accomplish this with numbers, for example, we generally employ a system of letter substitution. The one I use begins:
1=l (a letter with one stroke)
2=n (a letter with two strokes)
3=m (a letter with three strokes)
The reasoning changes from 4 onward:
4=r (because R is the final sound of the word “four”)
5=f or v (“five”)
And so forth.
When presented with a string of numerals, I translate them to consonants, then add vowels to create a juicy image. For example, the number 1342 (lmrn) becomes “lamb rain,” and I picture a downpour of plump little sheep. Later, I recall the image and the two words, discard the vowels, and translate the consonants “lmrn” back to “1342.” I use this system all the time for credit-card security codes.
You can find the complete mnemonic system I use under the heading “Curriculum” on page 387 of the third edition of Jean Hugard’s “The Encyclopedia of Card Tricks.”
But, you know, I frequent lots of websites, and if I get enough of these nutty images in my head, I start to get confused. Let’s say I need to fill in my American Express card number. In the middle of my card is the famous emblem of a helmeted Roman gladiator. If I picture that head covered with buzzing insects swimming in fruit topping, will I remember whether they are “lanky bumblebees in orange sauce” (129636160242800) or “dazed mosquitoes in cherry reduction” (707309702844782)?
Kevin Mitnick—a reformed hacker who served hard time for the crimes of his youth and now fights for the good guys—attends a Penn & Teller show whenever he comes to Vegas. I recently took advantage of this to ask his advice.
He said that although mnemonics might be fun for Harry Lorayne, they’re hazardous for the rest of us.
“Get yourself a good password manager and pick a master password that no one could possibly guess,” he advised. A program such as LastPass or 1Password stores all of your passwords on your computer or smartphone and allows you to unlock them with a single master password. “Then let the program do all the heavy lifting,” he said.
OK. Now, I just need an unbreakable master password. Wait, I know what I should base it on: the Eight Kings stack.
When you arrange a deck of cards in an order that you can recognize, that’s called a “stack.” A stacked deck allows a magician to glance at the bottom card and know which card is on top.
To stack a deck, you memorize a repeating pattern for the suits (e.g., Spade, Diamond, Club, Heart, which you can remember with the phrase SaD CrotcH), then a similar pattern for the face values. When I was a kid, I learned a nonsense rhyme for this purpose:
Eight kings threatened to save
Ninety-five queens for one sick knave.
If you say that aloud, you’ll see how it sounds out to:
Eight king three ten two seven
Nine five queen four ace six jack
Which translates to:
8K3102795Q4A6J
That’s one strong, perfect password. And who would suspect I’d really use it, now that I’ve published it...
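As an added example, not code from the article: Python that builds the full Eight Kings stack from the two cycles above, performs the glance-at-the-bottom-card lookup the text describes, and counts how many distinct master passwords a “run of the value rhyme” scheme can actually produce (the function names are my own).

```python
import math

# Suit cycle from the mnemonic "SaD CrotcH": Spade, Diamond, Club, Heart.
SUITS = ["S", "D", "C", "H"]
# Value cycle from "Eight kings threatened to save / Ninety-five queens
# for one sick knave".
VALUES = ["8", "K", "3", "10", "2", "7", "9", "5", "Q", "4", "A", "6", "J"]


def eight_kings_stack():
    """Return the 52 cards in stack order, top to bottom.

    Values repeat every 13 cards and suits every 4; because 13 and 4 are
    coprime, every one of the 52 cards appears exactly once per cycle.
    """
    return [VALUES[i % 13] + SUITS[i % 4] for i in range(52)]


def card_after(card):
    """The trick from the text: glimpse one card (e.g. the bottom card
    after a cut) and name the card that follows it in the cycle (the new
    top card). Raises ValueError for a card that is not in the stack."""
    stack = eight_kings_stack()
    return stack[(stack.index(card) + 1) % 52]


def stack_password(start=0, count=13):
    """A master password built as `count` consecutive values of the rhyme,
    starting at position `start`. start=0, count=13 reproduces the
    article's 8K3102795Q4A6J."""
    return "".join(VALUES[(start + i) % 13] for i in range(count))


def candidate_count(length):
    """How many distinct passwords the scheme can yield for a given length:
    one per starting point in the 13-value cycle, so at most 13."""
    return len({stack_password(s, length) for s in range(13)})


def scheme_entropy_bits(length):
    """Effective entropy of the scheme: log2 of the candidate count, under
    4 bits even though the string looks like a 14-character password."""
    return math.log2(candidate_count(length))
```

The point for a defender: a password is only as strong as the number of things it could have been, and a pattern printed in every beginner's card-trick book gives an attacker 13 guesses, not 10^20.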
I’ve just flipped through “The Encyclopedia of Card Tricks” and plunked my finger down 15 times at random. Each time, I noted whatever character, numeral or mark of punctuation I happened to land on.
I have, in other words, created a 15-character password that’s totally random. It’s not the name of my dog, my favorite band or the street I grew up on. No one who knows me, however intimately, could guess it.
And I’ve written the utterly random password down. Yes, I’ve written it down—just as I advised you not to. But I’m not telling you where. It’s somewhere in my office, somewhere easy to see from my computer. It might be broken up into different parts. Some of it might be big. Some might be very small. But only I know where to look.
And now I’m tacking a bright pink sticky note onto my computer monitor screen. On it—in very thick, black marker—I’ve written PW-FOO7BA1176#. I believe with a strong pair of binoculars you could read that from the park outside my window.
The technical term for this pink note is “misdirection.”
And that—as any magician will tell you—is the strongest security you can have.
--Teller is the smaller, quieter half of the Las Vegas magic duo Penn & Teller and co-hosts “Penn & Teller: Fool Us” on the CW Network.