Tattoos for Information Security

So, I was listening to Security Now Podcast #110 while blogging the last hour or so.

At the end of the podcast I heard something weird in the context of remembering a TrueCrypt password:

Here is the transcript (the bolding is my own):

Leo: Well, we’re going to get them now. This is from an anonymous listener in Arkansas because we don’t want to name names: I’ve been thinking about this since your TrueCrypt episode. After I heard that episode I downloaded and installed TrueCrypt. We recommended it. It’s a free encryption program for Windows. While going through the process of setting up an encrypted volume, TrueCrypt complained that my standard password wasn’t long enough. Okay. I complied. I created a longer password I thought I could remember. And there’s a big word, “thought.”

Weeks later I went back and tried to mount the volume I’d created, and I wasn’t able to remember the password. Now, fortunately there wasn’t anything of value in that volume. But it got me thinking, how do I go about securing my digital documents with some kind of securely complex password that I wouldn’t be able to forget? Also, what if I have head trauma and can’t remember? Or worse yet, what if I die and my family needs access to my documents? Which is a really important question. Here’s what I came up with. Oh, boy. A tattoo.

Steve: He really wrote this, Leo. I’m not making this up.

Leo: Not just any tattoo, my friends, a blacklight tattoo. My idea is to take one of your generated passwords and have it tattooed on a rarely exposed part of my body with ultraviolet ink. This would – talk about a private key. This would allow me to always have my password with me, but it wouldn’t be visible in normal light. I also thought it would be good to split the password up into eight eight-character chunks. All over his body. And then he could create passwords out of different chunks. And all he’d have to remember is, like, wrist, toe, ankle. And he’d have a good password.

Steve, what are you talking about? This is a brilliant idea. He says: I know it’s not good for a spy or someone hiding from the government. But I’d like to hear what you think for your average Joe that wants to keep his tax return private. Love the show. Now, I’m sure it’s a little tongue-in-cheek. But that’s an interesting idea.

Steve: Okay.

Leo: Well, the problem is you can’t change it…

Steve: Can you imagine, you go to the GRC Perfect Passwords page and get one of those 64-character nightmares, and then chop it up into eight eight-character chunks…

Leo: See, that’s what’s inspired to me.

Steve: And then maybe like an eight-by-eight block. And then you go to your local tattoo parlor…

Leo: Yeah.

Steve: …and say, okay, do you have any UV ink?

Leo: Here’s what I want. Now, you have to trust your tattoo guy.

Steve: Oh, you sure do.

[Talking simultaneously]

Leo: …you go to eight different tattoo guys.

Steve: What kind of a lun- oh, yeah, good point, because you – no, but the problem is the eighth tattoo guy, in order to tattoo you with UV ink, you need to do it under black light. So he’d be seeing…

Leo: Well, you keep your pants on.

Steve: Ah, that’s – no. Now this is a reason – you’re right, Leo – for putting them in different locations. So you say, okay, now, I want you to tattoo these eight characters on the bottom of my left foot. And the other guy does it on the bottom of my right foot. And in my left armpit – I guess you’d have to shave for this…

Leo: I’m not thinking it’s such a bad idea, Steve Gibson, I might just do this.

Steve: Quite strange, Leo.

Leo: Better than getting a Nike swoosh tattooed on your hip.

Steve: Oh, god. And then when it comes to actually, you know, mount your TrueCrypt volume…

Leo: Oh, wait, excuse me, I have to take off my pants here.

Steve: Depending upon how secure your password is, you might have to completely disrobe in order to get access.

Leo: And find an ultraviolet light.

Steve: Yeah, that’s a very good point.

Leo: Might be easier just to write this down.

Steve: Yes. Anyway, it’s an interesting thought.

In case you are wondering, Information Security Engineering remains my profession of choice.
