 Addition to PA - memorable passwords

gihrig Posted - 20 March 2003 : 09:23:47
Hi Ahto,

A concern I have about using PA's password generator is that the passwords created are so secure (random) that if I was ever away from (or lost) my computer and PA, there is just no chance whatsoever that I would be able to get into a secured web site.

On the other hand, making up passwords I will remember out of common words found in dictionaries is not such a good idea either.

Here is a suggestion for a middle ground that I think would make a nice option for PA's password generator.

Passwords like 7h*W0r1@rB00 or 1!7m!5Muf5A7@na7uF may not be as secure as 3dbtNj&Ui"R% generated by PA's password generator, but they actually make sense to me, so I stand a chance of reconstructing the password if I am away from PA.

The first two above were created as follows:

For example:

the worlds largest bookstore ---------- Get key phrase
theworlarboo -------------------------- Take first 3 char (group words < 3)
7h*w0r1@rb00 -------------------------- Substitute look-alike characters
7h*W0r1@rB00 -------------------------- Capitalize alpha, skip 1,2,3

Another example:

little miss muffet sat on a tuffet ---- Get key phrase
litmismufsatonatuf -------------------- Take first 3 (group words < 3)
1!7m!5muf5a7@na7uf -------------------- Substitute look-alike characters
1!7m!5Muf5A7@na7uF -------------------- Capitalize alpha, skip 1,2,3

If I can remember "the worlds largest bookstore" in relation to Amazon and the algorithm to generate the password, I can recreate the password without PA if needed and so stand a chance of getting into my (fictitious) Amazon account.

With a little better imagination than using a well known marketing phrase, I think this sort of password can be reasonably secure but re-creatable in case of need at the same time.

Would you consider adding this as a special template for PA's password generator?

Ahto/Moon Software Posted - 26 March 2003 : 23:15:35
Thanks Glen! I started to think that if the formula is known (e.g. the same formula is used over and over), smart people may guess passwords. If they guess your key phrase, then they can potentially construct the password. And the key phrase is usually something simple that is easy to remember later, like "the worlds largest bookstore" in your sample?

gihrig Posted - 26 March 2003 : 22:20:50

Here's the detailed breakdown on the process of creating
a memorable password from a key phrase:

I'll use the (too obvious) key phrase "The Worlds Largest
Bookstore" as an example for generating a password for
a fictitious Amazon account.

1. The key phrase is forced to lower case:
-- The Worlds Largest Bookstore
-- the worlds largest bookstore

2. Take the first three characters from each word,
words having less than three characters are appended
to the following word until a string of more than three
characters results.

-- the worlds largest bookstore
-- the wor lar boo

3. Strip all spaces out of the phrase.
-- the wor lar boo
-- theworlarboo

4. Substitute look-alike characters
Replace > with

-- a > @
-- e > *
-- i > !
-- l > 1 (letter 'L' with one)
-- o > 0 (letter 'o' with zero)
-- s > 5
-- t > 7

I'm sure more similar characters exist, the idea here
is to add a few random characters without detracting
too much from the readability of the password, or
getting overly complex.

-- theworlarboo
-- 7h*w0r1@rb00

5. Now just to mix things up a little more, add a few
upper case letters. I have changed the remaining
letters to upper case according to a formula of skipping
letters in a 1, 2, 3 sequence. That is,
-- skip one letter, then capitalize the one following
-- skip two letters, then capitalize the one following
-- skip three letters, then capitalize the one following

A simpler scheme of capitalizing only the even numbered
letters (every other one) could also be used, I just
wanted to make it look a little more random.

-- 7h*w0r1@rb00
-- 7h*W0r1@rB00 - The final password

A quick summary:

The Worlds Largest Bookstore -- Key phrase
the worlds largest bookstore -- Force to lower case
the wor lar boo --------------- First 3 char (group < 3)
theworlarboo ------------------ Remove spaces
7h*w0r1@rb00 ------------------ Substitute look-alike char
7h*W0r1@rB00 ------------------ Capitalize alpha, skip 1,2,3


I would be interested in hearing any ideas on how secure
this scheme might (or might not) be. Certainly the
password is extremely difficult to crack from a purely brute
force attempt, but will humans be likely to compromise the
potential security by tending to select from only a few common
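
The five steps from the post above, as an added example (not code from the thread or from Password Agent). The function names are hypothetical, and three points the post leaves open are assumptions: a group of short words is complete once it reaches three characters, a trailing short group is kept as it is, and the 1, 2, 3 skip sequence repeats.

```python
import itertools

# Substitution table from step 4 of the post.
LOOKALIKE = str.maketrans({"a": "@", "e": "*", "i": "!", "l": "1",
                           "o": "0", "s": "5", "t": "7"})


def abbreviate(phrase):
    """Steps 1-3: lower-case, group short words, keep 3 chars per group."""
    out, pending = [], ""
    for word in phrase.lower().split():
        pending += word
        # Assumption: a group is complete once it holds at least 3 characters.
        if len(pending) >= 3:
            out.append(pending[:3])
            pending = ""
    # Assumption: a trailing short group is kept as it is.
    out.append(pending)
    return "".join(out)


def capitalize_skipping(text):
    """Step 5: skip 1 letter, capitalize the next; then skip 2; then skip 3."""
    skips = itertools.cycle((1, 2, 3))  # assumption: the sequence repeats
    remaining = next(skips)
    chars = []
    for ch in text:
        if ch.isalpha():  # digits and symbols from step 4 are not counted
            if remaining == 0:
                ch = ch.upper()
                remaining = next(skips)
            else:
                remaining -= 1
        chars.append(ch)
    return "".join(chars)


def derive(phrase):
    """Full pipeline: abbreviate, substitute look-alikes, capitalize."""
    return capitalize_skipping(abbreviate(phrase).translate(LOOKALIKE))


if __name__ == "__main__":
    print(derive("The Worlds Largest Bookstore"))
```

Run on the post's second phrase, the table as written gives `1!7m!5Muf5@70N@7uf`, which differs from the hand-worked value in the post; recreating a password away from PA depends on applying every step identically each time.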

Ahto/Moon Software Posted - 20 March 2003 : 13:09:48
Good idea! Not sure how many people will end up using it, but the idea itself is cool!

How to design it into the password generator? Seems one more field needs to be added, where one can write his "key phrase". Writing it into the template field probably is not a good idea. I think the way to go is to add another tab to the password generator. The old remains "Random" and the new is titled something like "Key phrase". Should the key phrase be saved in the data file, so it will appear in the password generator next time it is opened? Probably.

You can e-mail me (or post it here so maybe someone has something to add) your proposed formula for replacing characters. Seems you have already done some homework on it.

