MIMPS : The Meet In the Middle Password System
The system I am about to explain is designed to help you generate and recall complex passwords that are different for every website you use. This increases both your safety and that of your computer.
Writing down your passwords on a sticky note and sticking it on your desk is probably one of the worst ideas in the world when it comes to computer security. Nevertheless, there is something that can be said for having a password system that also incorporates a physical factor like a piece of paper.
How the big guys do it
Advanced systems use a principle called “multi-factor authentication”, which is deemed much safer than a single password whose security rests solely on you remembering it. Or you guessing it. Or somebody else guessing it…
These “multiple factors” are most commonly chosen from this list:
- Something-you-have (a cell phone that can receive SMS text messages, a number generator, …)
- Something-you-know (a password, a swipe pattern, …)
- Something-you-are (your fingerprint, the sound of your voice, an iris scan of your eye)
The rest of this section gets a little bit technical, so if you’re not comfortable with that, just skip to the next one, titled “There is hope, however”.
These advanced systems I mention are often also secured with randomization and a time-based factor. I will give you a real-life example to illustrate this.
An electronic device that you have in your possession (the first factor) allows you to push a button to generate a random 6-digit code that changes every 30 seconds. Below is a picture of such a device (the Vasco Digipass GO6) that I carry around for use with one of my employers:
These six digits do not make up your entire password though. You have to precede them with five digits that are in your head (the second factor), which turns it into an 11-digit password.
For example, let’s say that my memorized code is 12345. In this case, my so-called “One Time Pass”, or OTP, is 12345052605 (but only for 30 seconds; after that, the last 6 digits change).
This makes the password safe, even though it has only eleven digits. Again: the strength lies in the fact that the last 6 of those 11 digits change every 30 seconds. There is not enough time to attack this system by brute force, because best-case you have 30 seconds to try 100 billion combinations (10^11). This number is reduced to 1,000,000 (10^6) if you happen to know the five “secret digits”, but that’s still far too much for any login system to process in 30 seconds. Also, that system will probably have locked the account after 5 or 6 wrong attempts, making it impossible to log in even with the correct password. Generating those combinations is not the issue, because you can do that beforehand; after all, it’s just all combinations between 000000 and 999999. The bottleneck is that the authentication mechanism takes a few seconds to tell you whether your login succeeded (0.0001%) or not (99.9999%).
Unfortunately, this grade of login paranoia comes with a price and hassle that the average website owner doesn’t want to take on, unless there’s a big enough community demanding it and willing to pay. One example is Battle.net, which used the Vasco DigiPass GO6 for people who play World of Warcraft.
Google also offers two-factor authentication under the name “2-step verification”. I highly recommend setting this up when you use GMail. It doesn’t require a big investment, because they send SMS text messages to your phone as the something-you-have factor. Read all about it here. Twitter and Facebook also offer these extra layers of security. Of course this principle leans very heavily on the security of your (smart)phone. In this regard I always recommend setting it to NOT display (part of) text messages on your lock screen, but smartphone security is a topic on its own, so let’s not get into that here 😉
For most other web sites, you are left with only a single password that protects your private content.
There is hope, however
If multi-factor authentication is such a great thing, we can definitely learn something from it. Factor 1 will still be, like I explained above, “something you have”.
In our case it’s not going to be a fancy electronic device, but a simple piece of paper… I am aware that it isn’t a true something-you-have, because if you take a picture of it, multiple people can “have” it, so it counts more as a “something-you-know-but-wrote-down-because-it-is-too-hard-to-remember”.
Factor 1 : Something you “HAVE”
Imagine a grid with three columns and 13 rows. In every cell of the outer columns there is a word that represents a letter of the alphabet (A-M on the left, N-Z on the right). Each word should be at least 6 letters long; the longer the better. The middle column holds a random collection of two digits and two punctuation marks or other non-alphanumeric symbols.[1]
Generating random words or gibberish can be done online with websites you can easily find in Google. To keep everything as random as possible, I’m not going to recommend any of them. I’d urge you to search Google for “random word generator”, “random text generator” or “random character generator” and pick any service that is not on the first result page.
Below is an *example* MIMPS table I came up with. I used words that make some sense in the outer columns to illustrate, but these can be any random combination you desire. Having English (or your language)-sounding words will make them easier to remember in the long run, but I’ll let you decide whether that’s something you want. I also used lowercase for all the words. Capitalization of one or more characters can be something you add to the what-you-knows:
Congratulations! You now have a MIMPS!
Let’s move on to the next bit.
Factor 2 : Something you KNOW
I recommend first coming up with a fixed rule for capitalization. For the sake of having something, I will use the following rule as the first something-you-know:
- Whenever I use a word, I capitalize the first and third letter before I use it.
Now for the variable per-website rules.
The website you are logging in to has a name that starts with a letter.[2] Take the word from the MIMPS table that corresponds to that first letter.
Match up the MIMPS word you found with its opposite word in the MIMPS table (the one in the same row of the other column) and add the gibberish from the middle column as well. You can put the gibberish at the beginning, between the two MIMPS neighbours, or at the end. It doesn’t matter where it goes, just be consistent. If you put it at the end or the beginning, you can separate the two MIMPS words with a fixed character or phrase. This just adds more to the complexity of this factor. You could also take the word below the opposite word. Please do get creative, but only up to the point where you can still remember. So for example the algorithm could go like this:
- Take the first letter of the website domain (excluding the www) and look up the corresponding word in the MIMPS table
- Apply your capitalization rules
- Add a “.”
- Take the word opposite to the first word
- Apply your capitalization rules again
- Add the symbol-number-mix from the middle column
- (something else, but I need to make a point first)
Example : Come up with a password for Facebook.com
OK, so Facebook starts with an F. I will thus create my Facebook password like this:
There is however a flaw to this approach, being that you will only have 26 different passwords of which some may overlap. Your password for www.facebook.com is going to be the same as that for www.fruitoftheloom.net, because they both start with an F.
This definitely needs to be tackled, because we want a unique password for every website.
Factor 2 revisited : something you KNOW that CHANGES between websites.
One way to tailor the password so that it is different for every website is to incorporate other letters of that specific domain. In the example above I could use the second and third letters of the domain I’m creating a new password for (again: something I know):
FrAccupino.StIllskin_#24AC (for Facebook.com)
FrAccupino.StIllskin_#24RU (for Fruitoftheloom.net)
Of course, theoretically, the overlap can still be there, but the likelihood just decreased a lot by adding this extra information. You could for example add more to the something-you-know by appending “CO” if it’s a .com or “NE” if it’s a .net. You can also incorporate the last letter(s) of the domain. Just get creative with it, but again: please don’t make it so overly complicated that you’ll forget, which would put you in a *very* awkward situation. Imagine the despair in your eyes as you try to stare a hole into your MIMPS card… 😉
The important bit to remember is that there is a system, composed of a complex word structure on paper and information that’s inside your head.
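A worked implementation of the derivation rules above (the fixed capitalization rule, the first-letter lookup, the opposite word, the middle-column mix and the second-and-third-letter suffix), added here as an example and not code from the original post. The card contents are constructed; only the F/S row (“fraccupino”, “stillskin”, “_#24”) is chosen so that the output matches the post’s own Facebook and Fruitoftheloom passwords, and domains starting with a digit use the top row as suggested in footnote 2.

```python
import string

# Factor 1, the paper card (constructed for this example): left column A-M,
# right column N-Z, middle column the two-digit/two-symbol mix of that row.
# Only row 5 (F/S, "_#24") follows the post; the other rows are placeholders.
LEFT = ["abandon", "bricket", "cobbler", "dolphin", "emerald", "fraccupino",
        "granite", "harbour", "isotope", "juniper", "kestrel", "lantern", "marbled"]
RIGHT = ["nutmeg", "oyster", "parsley", "quartz", "rooster", "stillskin",
         "tundra", "umbrella", "velvet", "walnut", "xylene", "yogurt", "zephyr"]
MIDDLE = ["7!1@", "3$9%", "5^2&", "8*0(", "1)4-", "_#24", "6+3=",
          "2{7}", "9[5]", "4;8:", "0'3~", "7,1.", "5/9?"]
LETTERS = string.ascii_lowercase

def capitalize_rule(word):
    """Factor 2, fixed rule from the post: capitalize the first and third letter."""
    chars = list(word)
    for i in (0, 2):
        if i < len(chars):
            chars[i] = chars[i].upper()
    return "".join(chars)

def domain_label(site):
    """'https://www.Facebook.com/login' -> 'facebook' (the www is excluded)."""
    host = site.lower().split("//")[-1].split("/")[0]
    if host.startswith("www."):
        host = host[4:]
    return host.split(".")[0]

def mimps_password(site):
    """Per-website rule: word, '.', opposite word, middle mix, 2nd+3rd letters."""
    name = domain_label(site)
    first = name[0]
    if first in LETTERS:
        row = LETTERS.index(first) % 13        # a-m -> 0..12, n-z -> 0..12
        on_left = LETTERS.index(first) < 13
    else:
        row, on_left = 0, True                  # "9gag"-style exception: top row
    word = LEFT[row] if on_left else RIGHT[row]
    opposite = RIGHT[row] if on_left else LEFT[row]
    site_tag = name[1:3].upper()                # the part that changes per website
    return capitalize_rule(word) + "." + capitalize_rule(opposite) + MIDDLE[row] + site_tag

if __name__ == "__main__":
    for site in ("www.facebook.com", "Fruitoftheloom.net", "twitter.com", "9gag.com"):
        print(site, "->", mimps_password(site))
```

Running it reproduces the two passwords quoted above and shows that a site starting with a right-column letter simply swaps which word comes first.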
I highly recommend keeping a copy of this MIMPS card on you (in your wallet or on your phone) and have one or two copies in a safe place at home or in an envelope in your work locker. You don’t have to keep the card a very big secret, because you are the only one who knows how to use it. I wouldn’t leave it roaming around my work desk though ;-).
This specific implementation, even in its most basic form, already produces passwords with an entropy[3] of roughly 136, which is a LOT. A good website to check the strength of any password can be found at http://rumkin.com/tools/password/passchk.php. This site also allows you to download the password checker to your hard drive and use it off-line if you don’t trust using such a utility on the internet.
Notes
[1] You can tailor this column to suit your needs if you expect keyboard layout problems, or if some keyboards you use simply don’t have those symbols.
[2] If you were smart enough to think of “9gag.com” as an exception, feel free to add a 14th row for such cases. Personally I would just use the top row for those if I ever needed one, but feel free to add any complexity you like.
[3] Entropy is a mathematical way of measuring how hard it is to guess a password.