Phonetically Memorable Password Generation Algorithms

Question

Background

While at the Gym the other day, I was working with my combination lock, and realized something that would be useful to me as a programmer. To wit, my combin

Answer 1

System generated passwords are a bad idea for anything other than internal service accounts or temporary resets (etc).

You should always use your own "passphrases" that are easy for you to remember but that are almost impossible to guess or brute force. For example the password for my old university account was.

Here to study again!

That is 20 characters using upper and lower case with punctuation. This is an unbelievably strong password and there is no piece of software that could generate a more secure one that is easier to remember for me.

Answer 2

edit: After answering, I realized that this is in no way phonetically memorable. Leaving the answer anyway b/c I find it interesting. /edit

Old thread, I know... but it's worth a shot.

1) I'd probably build the largest dictionary you can ammass. Arrange them into buckets by part of speech.

2)Then, build a grammar that can make several types of sentences. "Type" of sentence is determined by permutations of parts of speech.

3)Randomly (or as close to random as possible), pick a type of sentence. What is returned is a pattern with placeholders for parts of speech (n-v-n would be noun-verb-noun)

3)Pick words at random in each part of speech bucket to stand in for the placeholders. Fill them in. (The example above might become something like car-ate-bicycle.)

4)randomly scan each character deciding whether or not you want to replace it with either a similar-sounding character (or set of characters), or a look-alike. This is the hardest step of the problem.

5) resultant password would be something like kaR@tebyCICle

6) laugh at humorous results like the above that look like "karate bicycle"

Answer 3

A spin on the 'passphrase' idea is to take a phrase and write the first letters of each word in the phrase. E.g.

"A specter is haunting Europe - the specter of communism."

Becomes

asihe-tsoc

If the phrase happens to have punctation, such as !, ?, etc - might as well shove it in there. Same goes for numbers, or just substitute letters, or add relevant numbers to the end. E.g. Karl Marx (who said this quote) died in 1883, so why not 'asihe-tsoc83'?

I'm sure a creative brute-force attack could capitalise on the statistical properties of such a password, but it's still orders of magnitude more secure than a dictionary attack.

---

Another great approach is just to make up ridiculous words, e.g. 'Barangamop'. After using it a few times you will commit it to memory, but it's hard to brute-force. Append some numbers or punctuation for added security, e.g. '386Barangamop!'

Answer 4

After many years, I have decided to use the first letter of words in a passphrase. It's impossible to crack, versatile for length and restrictions like "you must have a digit", and hard to make errors.

This works by creating a phrase. A crazy fun vivid topic is useful! "Stack Overflow aliens landed without using rockets or wheels". Take the first letter, your password is "soalwurow"

You can type this quickly and accurately since you're not remembering letter by letter, you're just speaking a sentence inside your head.

I also like having words alternate from the left and right side of the keyboard, it gives you a fractionally faster typing speed and more pleasing rhythm. Notice in my example, your hands alternate left-right-left-right.

Answer 5

When you generate a password for the user and send it by email, the first thing you should do when they first login if force them to change their password. Passwords created by the system do not need to be easy to remember because they should only be needed once.

Having easy to remember, hard to guess passwords is a useful concept for your users but is not one that the system should in some manner enforce. Suppose you send a password to your user's gmail account and the user doesn't change the password after logging in. If the password to the gmail account is compromised, then the password to your system is compromised.

So generating easy to remember passwords for your users is not helpful if they have to change the password immediately. And if they aren't changing it immediately, you have other problems.