Chinese Passwords

First published: 18^th May 2012

Allan Dyer

Sitting on a panel at an information security conference in Hong Kong recently, we were discussing our view of the security challenges that Asian businesses face, including cloud services, mobile devices, Bring Your Own Device (BYOD). Then we had a question from the audience, "Why can't we use Chinese (and Japanese or Korean) characters in our passwords?" This was a change of gear, we were debating enterprise strategy, and parts of the audience were down at the grass roots.

The question is easy to dismiss as naive, but we should listen to our users, and try to understand the deeper meaning and requirement. Perhaps the message behind that question is that users know they can choose stronger, more memorable passwords in their own language. I would be sceptical about that as a general rule - if someone uses their pet's name as a password it is not going to be any more secure by typing it in Chinese, but helping some users become more secure is an improvement.

My initial reaction was that there are serious practical constraints. Chinese users usually enter text by multiple keystrokes based either on the pronunciation of the words, or on the components of the written characters, but there are many different schemes or input methods. If you have ever tried entering your password without realising Caps Lock was on, you will have some idea of the confusion that could result when the user needs to choose between multiple input methods. Also, the final selection of the character is often from a pop-up list, making shoulder-surfing easy. An alternative is written entry, using a touchpad, but the strokes are often displayed on-screen, again allowing shoulder-surfing. In any case, most systems are simply not set up to accept Chinese text entry at password prompts. A system administrator would be wise to carefully consider all the implications of doing that, would it enable shoulder-surfing?; would there be excessive support calls?; what are the compatibility issues?

End-User Approaches

What if an end-user wants to use a Chinese password, but their systems administrator has, for whatever reason, not provided a method? One way would be to use the keystrokes for an input method, and ignore the final character selection, but this would significantly reduce the entropy of the resulting password: several characters would map to the same keystroke sequence.

One method I sometimes use for simple 4 to 6 digit PINs is to remember the shape the digits make on the keypad. Six digits is probably the limit for this, I'm not good at remembering complex shapes. But, of course, Chinese readers have already memorised thousands of complex shapes, could they use those?

A Suggestion

This is not a method I would use, and it would probably need more refinement before being usable, but I invite feedback from anyone who wants to try it.

1. Choose a phrase of several Chinese characters
2. Take the first character, and imagine it drawn on your keyboard, press the keys corresponding to the stroke ends, for example, 人 could become 4z4v, or, if you chose a different starting point, 6c6n or p,p/
3. Repeat for the remaining characters of the phrase.

The passphrase then depends on the characters chosen and where they are placed on the keyboard.

Naturally, more complex characters like 米 or 馬 can be used, becoming, perhaps, 4cwt3e5rrzrv and 707h8juouohl,bnm, respectively.

But some characters, like 麟 seem just too complex.

The advantages and disadvantages:

• Easy of memorisation: a few characters and positions on the keyboard
• Good length: a three character phrase might become 48 keystrokes
• No dictionary words
• The stroke order of Chinese characters might make some key sequences much more likely, reducing the entropy of the final password
• Because the user does not remember the actual keys pressed, changing to a different keymap (e.g. QWERTY to Dvorak) would prevent user access

Well, that's the idea, let me know if you try it.