12 Days competition: Day 12 – A tale of two passwords

The Twelve Days of Christmas - melody

Here’s the melody – click to sing along!

It was the best of times; it was the worst of times.

The best of times, because we’re cryptographically blessed these days.

There’s a zillion times as much cryptographic computing power in the chips on our credit cards as there was in the whole of Bletchley Park at the end of World War 2.

The worst of times, because we think that the way to choose a better password than password is to choose password123 instead.

So, admittedly, it was a bit of a rhetorical question when we asked:

Do we
really
need
strong passwords?

And for your chance to win an exclusive, limited edition, Naked Security T-shirt, work out the answer to Paul Ducklin’s brain teaser below…

This December we’re celebrating Christmas by giving away five of our much-coveted, limited edition Naked Security T-shirts every day for 12 days!

We’ve selected twelve of the most interesting stories from 2014 and we’ll be writing about one of them each day.

All you have to do to win a T-shirt is read the story and answer the question.

We’ll pick 5 lucky winners out of a hat (OK, /dev/urandom) each day and those who answer the most questions correctly over the 12 days will be entered into our grand prize draw for a goody bag of geeky gifts valued at up to $500!

You’ll remember that we had a simple Caesar cipher back on Day 5 (see the solution on the Day 6 page).

Well, here’s a Caesar cipher with a difference – we’re calling it a Caesar Salad cipher:

We need to know your email address so that we can contact you if you’ve won. When we contact you, we’ll need your T-shirt size, a delivery address and a contact number so we can ship your prize. We won’t use any of your personal details for anything other than this competition.

Entries close at 23:59 Pacific Standard Time (UTC-8) each day. Sophos staff, those pro­fessionally connected to the company, and their families, are welcome to submit answers for fun, but can’t win. T-shirt styles may vary from those depicted. Sophos’s decision is final, and so on. Please read our official competition terms and conditions.

What was Day 11’s answer?

Day 11 was all about data that you thought was deleted, or buried securely, yet remained behind for others to retrieve later.

If you are old enough to have made your own cassette tapes, you’ll remember the hassles involved in erasing them.

Even after running a cassette through your machine on “record” with the input unplugged, there would be parts of the tape where you could still hear faint vestiges of what was there before.

Similarly, on magnetic hard disks, even when you deliberately wipe them by overwriting the data or zapping them in a bulk demagnetiser, there’s a chance that recoverable magnetic echoes may remain of the previous contents.

This tendency for magnetic persistence is called remanence.

These days, the word remanence is used metaphorically to describe the problem of data that doesn’t go away when you tell it to, even if it isn’t stored magnetically.

So, to put the cart before the horse, the answer to the message hidden in this image…

…is the phrase REMANENCE RULES.

How to solve it?

If you check the format of the image, for example with the utility file, you get a hint that it isn’t actually pure black-and-white:

With a two-bit colour depth, it could contain up to four different colours; in fact there are three.

There’s the white background to the maze; there are the almost-but-not-quite-black maze walls (they are actually 1 part white to 255 parts black, or #010101 in HTML colour notation); and there are some pure black pixels clustered at the middle of the image, looking very vaguely like overlaid letters.

In fact, they are overlaid letters.

If you load the image into a tool like GIMP, convert it to RGB or greyscale (to give you more dynamic range for the colours), and play with the brightness and contrast to try to tease apart the black pixels and the super-dark grey pixels, you’ll soon be on the right track:

Take things to an extreme of contrast (or use GIMP’s Color Exchange... function to change, say, pure black to lime green) and the answer will become obvious:

For what it’s worth, remanence is one of the reasons you’ll hear us urging you to “ encrypt everything.”

If data is only ever written to disk after it’s encrypted, then a crook who wants to get it back after you zap it will need both the decryption key and the remanent data fragments.

Any fragments he does recover won’t be directly legible on their own.

And, of course, we’d love to show you how to Pick a Proper Password:

→ Can’t view the video on this page? Watch directly from YouTube. Can’t hear the audio? Click on the Captions icon for closed captions.