Bright Stove

Reflecting information risk journey

Why not localize your password

with one comment

Having moved to a new residence over the weekend, the first thing that happened then was to also move the broadband connectivity so that I could continue to have a Cyber life from my new residence. As usual, the last mile is always the challenge. I have to first get an ADSL account with the new residential phone number, and at the same time figure out the phone/data network in the new place. The ADSL account was subscribed by the landlord, and unfortunately, the password that was given couldn’t get the connection authenticated and established. Working into the wee hours, I finally called the ISP’s helpdesk. The helpdesk guy has to do a password reset for me, since he could not see the actual password to verify if what I have was the correct one. In fact, to digress a little here, this practice is actually a discrepancy since doing a reset would enable him to know the new password. So the security control to prevent the helpdesk from helping doesn’t really stop the guy from knowing, as he could always encourage every customer to do a reset.

After verifying the necessary information, the support guy at the other end of the phone started to form a new pseudorandom password and read it over the line to me. He was speaking Mandarin, and his pronunciation of every other alphabet along with some numbers in Chinese got me rather confused. I thought I heard a “s”, followed by a “4”, and after re-confirmation, then realized that there was just one “s” without a “4”, but “s” was pronounced with the extra end-tone that sounds like a separate “4”, in Mandarin 😦 We finally used the keyboard layout to verify each alphabet since words such as “Singapore” for “s”, “Malaysia” for “m”, etc., doesn’t really help as my pronunciation sounded equally foreign to him. 🙂 When I finally thought I got the entire password spelt out correctly and hung up, then I realized that there was actually a “t” that I also mistaken as a “7”. It seems that many Singaporean Chinese, who use English (or Singlish) more often than Mandarin faces the challenge of decoding spoken alphabet characters from our Chinese friends in China.

As I reflected, the question then is why wouldn’t the locals use Chinese words and phrases to form localized passwords? I don’t really know why not—maybe it has to do with the security education and contents translation—but there are in fact many benefits to gain from such a practice. By using Chinese phrases, one could select phrases of quotes from famous or favorite authors, celebrities, politicians, or make them up themselves, which many are capable of doing actually. With just four Chinese characters, for example, encoding them into PinYin (in English alphabets), they could easily form passwords of more than 10 characters long. Given that the PinYin has four tones for each character, the tones can be encoded as numbers or special characters at the end of each word. A simple localization in this manner would produce long passwords (actually, passphrases) which will be so much more difficult to guess, especially by foreign attackers, and easy to remember, encode, and more importantly, when need to communicate over a support line (when absolutely necessary to do so), it is a simple step, since most foreigners in China will learn the PinYin system, and most locals already know it well since young. I believe the same localization method would also work (in slightly different manner) for many other languages. All in all, such an approach would improve security and ease of use at the same time—a rare combination.


Written by mengchow

January 19, 2009 at 3:11 pm

Posted in Awareness

One Response

Subscribe to comments with RSS.

  1. This is a really nice idea. Actually I know some guy uses the first pinyin letter of the charactoers of Chinese poems as his password system. If a systematic methodology has been developed from this point, can it be patented?



    March 1, 2009 at 3:58 pm

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: