Spy Phrase Mnemonic Password   (+2)
The angry elephant stamps on the bitter apple

So passwords are hard to remember. Pass-phrases are better, but may still be forgotten.
However, it seems to me that sequences are easily remembered, particularly with a gentle prompt.

I propose an interactive system for generating and entering passwords.
The basic idea is to select passphrases from a restricted vocabulary. The start of the phrase is supplied as a prompt. You then successively pick the next word (or few words) from a displayed list, until you've entered enough choices to provide the required security. The device then aggressively hashes the phrase[1] before communicating with the server for verification.

The options in each list are designed to be orthogonal - that is, easy to distinguish. For example, a list of animals wouldn't include both a weasel and a stoat.

The phrases constructed would resemble the random phrases used in fictional spy-spy handshaking protocols.

Note that the list supplied may depend on the previously entered data. This allows for more memorable phrases - that is, more prompting to occur, at the cost of needing more lists[2].

It is also desirable to be able to change password. To avoid interference with previously memorised passphrases, the starting prompt should be changed to open up a completely different tree of options.

When it comes to entering the password, one would be able to type it in in the traditional manner. Alternatively, the user would be able to select each position from a drop-down list, or select an 'I need help with my password' option which would display a visual prompt of the phrase built up so far.

[1] The phrase is combined with username, salt etc and hashed multiple times in a computationally expensive manner, to avoid certain attacks.

[2] For example, if a position has a list of animals, then a subsequent list of actions could vary depending on the animal chosen.
It is obvious that this can't be taken too far, that is, the combinatorial explosion of lists must be managed. While it's clear that one can simply not split off every entry to its own list, it may be possible to re-use lists at different positions.
-- Loris, Nov 27 2013
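A worked sketch of the scheme above, added here and not part of the original post: a constructed vocabulary where the action list depends on the animal chosen (footnote [2]), each pick adds log2(list length) bits, and the finished phrase is combined with username and salt and stretched (footnote [1]; PBKDF2 is one choice of expensive hash, assumed here).

```python
import hashlib
import math

# Constructed word lists (not from the post). Lists are chosen to be
# "orthogonal": no two entries in a list are easy to confuse.
ANIMALS = ["elephant", "badger", "heron", "salmon"]
ACTIONS = {  # the action list offered depends on the animal already picked
    "elephant": ["stamps on", "trumpets at", "sprays"],
    "badger": ["digs under", "snarls at", "scurries past"],
    "heron": ["stabs at", "wades through", "flies over"],
    "salmon": ["leaps over", "swims under", "nibbles"],
}
ADJECTIVES = ["bitter", "golden", "frozen", "hollow"]
OBJECTS = ["apple", "gate", "lantern", "river"]
TEMPLATE = "{prompt} {0} {1} the {2} {3}"


def options(prefix):
    """List offered at the next position, given the choices made so far."""
    n = len(prefix)
    if n == 0:
        return ANIMALS
    if n == 1:
        return ACTIONS[prefix[0]]
    return [ADJECTIVES, OBJECTS][n - 2] if n < 4 else []


def build(prompt, choices):
    """Walk the tree, checking each pick against the list that was offered.
    Returns (phrase, bits): the bits are the entropy an attacker who knows
    the lists must guess, i.e. sum of log2(len(list)) along the path."""
    prefix, bits = [], 0.0
    for choice in choices:
        offered = options(prefix)
        if choice not in offered:
            raise ValueError(f"{choice!r} not offered at position {len(prefix)}")
        bits += math.log2(len(offered))
        prefix.append(choice)
    return TEMPLATE.format(*prefix, prompt=prompt), bits


def stretch(phrase, username, salt, iterations=600_000):
    """Footnote [1]: combine with username and salt, hash expensively.
    PBKDF2-HMAC-SHA256 is assumed here; any slow KDF would do."""
    return hashlib.pbkdf2_hmac(
        "sha256", phrase.encode(), username.encode() + salt, iterations
    ).hex()
```

With four lists of this size the example phrase carries only about 7.6 bits, which is why the post talks about adding positions "until you've entered enough choices".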

Known phrases can be cracked easily http://arstechnica....-password-cracking/
[Loris, Dec 05 2013]

$5 wrench password attack http://xkcd.com/538/
[hippo, Dec 05 2013]

The system works. http://www.theregis...ssword_say_boffins/
It's as near as damn it. [Loris, Oct 09 2014]

Weird thing, but I seem to remember someone coming up with a program with a 10x10 grid of words, the user makes a sentence, then the program digs out the one of 10 billion passwords from those word combinations.

I wonder who it could have been?
-- not_morrison_rm, Nov 29 2013


The quick brown fox jumps...
-- RayfordSteele, Nov 29 2013


Aren't they more red-ish? Don't put the colourblind guy in charge of the spy phrases is the moral.
-- not_morrison_rm, Nov 29 2013


//The quick brown fox jumps...//

//Aren't they more red-ish? Don't put the colourblind guy in charge of the spy phrases is the moral.//

It's actually the start of a well known phrase - a short sentence which includes every letter of the alphabet.
Which is interesting, because such widely known phrases were the starting off point for this idea - but also because they're not in themselves appropriate as passwords.
This is because they are susceptible to dictionary attacks, where the dictionary is content scraped from the web (see my link).
-- Loris, Dec 05 2013


Strong password generator: Strong passwords are random strings of letters and numerals, but it's difficult to remember these, so you need a way of generating them.

1. Take the first line of your favourite song - e.g. the Bee Gees "Stayin' Alive": "You can tell by the way I use my walk I'm a woman's man"

2. Take the first letter of each word: "yctbtwiumwiawm"

3. Write the letter 'i' as a 1 and 'o' as a 0 and capitalize the first letter: "Yctbtw1umw1awm"

Viola! - A pretty strong, memorable password.
-- hippo, Dec 05 2013


Yes, except no.

The link I gave shows why not. The process described is essentially:

1) scrape wikipedia or other web-accessible source. In your example the lyrics of all Bee Gees songs would be acquired.

2) extract subsets. In your example the first letter of each word of a phrase.

3) apply other filters. In your example, character substitutions.

So your approach is vulnerable.

The key things to realise are that users can't apply too many processes (as otherwise they could just remember a random password), there are a limited set of fairly standard variations, and large groups of them can be processed in parallel.
-- Loris, Dec 05 2013


Sure, but it's a trade-off. You get a password which is less susceptible to dictionary attacks but which is easier to remember than a *really* random password.
-- hippo, Dec 05 2013


That's a good link [Loris]. And having read it and the discussion I tend to agree about the vulnerability of your method [hippo].

It reminds me of a feature in New Scientist a while ago about artificial intelligence work that was similar in method, scraping culture and pattern-matching. Commentators commented that it wasn't “real” AI because it wasn’t parsing content in a logical way to create meaning, it was merely recognising pattern and recombining imitated combinations. I think that was the whole point.
-- pocmloc, Dec 05 2013


Yes, it is vulnerable, but probably less vulnerable than the other password methods mentioned in the article. After a certain point password strength doesn't matter because it's just guarding against one kind of attack, and doesn't do anything to prevent attacks by phishing or $5 wrenches (see link).
-- hippo, Dec 05 2013


I've been working on a procedurally generated password heuristic. I've a couple of different ones.

The first is to remember a famous mathematical formula - say the roots of a quadratic - then break it down into a single-line, as it might be written in latex so for example : r=-b+-sqrt(b^2-4ac/2a)
Then capitalise as appropriate/drop any unacceptable characters and you're off.

The other one is to take an easy old-school word, say "password". Then, construct a square 6x6 and fill it in with numbers/letters of the alphabet. You can choose any pattern you like, as long as you can remember, and reproduce it. Then, use the grid to lookup your easy password and hop up, down, left, right or across to look up a character substitution.

So for example - my word is "password" and my grid looks like this (this particular arrangement is a clockwise spiral starting at a in the middle, but could be anything)

u v w x y z
t g h i j 1
s f a b k 2
r e d c l 3
q p o n m 4
0 9 8 7 6 5

And my substitution rule is "one down", then "password" becomes "9drrh8qo".

Between the original word, the arrangement of the grid and a substitution method (I could have gone "up and left 1") there's a million bazzilion different choices I could make. Each of which is relatively simple to remember, and if necessary recreate on (edible) paper, should I need to regenerate a forgotten password.
-- zen_tom, Oct 09 2014
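The grid lookup from the post above, as an added example rather than zen_tom's own code: the grid is the one printed in the post, the rule is a row/column offset ("one down" is dr=1, dc=0), and wrapping at the grid edge is an assumption the post does not state.

```python
# The 6x6 spiral grid exactly as given in the post: 26 letters + 10 digits.
GRID = [
    "uvwxyz",
    "tghij1",
    "sfabk2",
    "redcl3",
    "qponm4",
    "098765",
]


def positions(grid):
    """Map each symbol to its (row, col); refuse a grid with duplicates,
    since a repeated symbol would make the rule ambiguous."""
    pos = {}
    for r, row in enumerate(grid):
        for c, ch in enumerate(row):
            if ch in pos:
                raise ValueError(f"duplicate symbol {ch!r} in grid")
            pos[ch] = (r, c)
    return pos


def substitute(word, grid, dr, dc):
    """Replace each character of word by the symbol dr rows down and dc
    columns right of it. Edges wrap around (assumption, not from the post)."""
    pos = positions(grid)
    rows, cols = len(grid), len(grid[0])
    out = []
    for ch in word:
        if ch not in pos:
            raise ValueError(f"{ch!r} is not in the grid")
        r, c = pos[ch]
        out.append(grid[(r + dr) % rows][(c + dc) % cols])
    return "".join(out)
```

Because the rule is a fixed one-to-one mapping, applying the opposite offset recovers the original word, which is what lets the scheme be re-derived from memory. It also means the output keeps the structure of the base word (repeated letters stay repeated), so the strength rests on the secrecy of the grid and rule, not on the output looking random.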


Interesting - two things that have passed my notice in the last 24 hours that I couldn't figure out how to bring to the 'bakery, and then here we are.

First, in the latest Niven collaboration "Shipstar", there is mention of pulsar emanations being recognized as encrypted communications.

Secondly, I was thinking about how to communicate with a family member when you're evading intelligence agency pursuit, and looking through my daily spam summary I considered the methodology of communicating via spam.

Okay, so neither of those two things relate to this idea. Carry on, as you were.
-- normzone, Oct 09 2014


