
NANY 2009 Withdrawn (sorry): Iphi's Memorable Passwords


iphigenie:
Lyrics are a good idea too, although it is a bit more vague who owns them. Are there public domain lyrics collections out there? (I know I am just using them internally, and if I do a web app it might be ok to use any lyrics, but if it is redistributed as a desktop app then I might fall under copyright/license fees.)

I'm currently pondering the format for storing things - something open so it is easy to swap collections/create new collections. After all, these only work in a language people are familiar with, so it is important to be able to create similar lists for French, German, Spanish etc. I was surprised to find out there is no microformat for things like excerpts/quotations/references; I would have thought such a format could be a good open base for the content collections I am thinking of. I guess I will have to do some very simple XML schema for it instead + an associated CSV converter/importer. (What's mouser using for his collection, I wonder? Maybe I'll just write a password generator that uses his tool as a base :D )

Since in my last job one of our projects was a vertical search engine (foundography, never quite managed to achieve what we wanted), customising a spider to crawl things like lyrics databases, Project Gutenberg, etc. and create databases is actually something that I would consider. Seems like a lot of spidering work for something so mundane, though...

iphigenie:
What a great idea: and you're right, I use RoboForm but the main entry point would be easy to break.

I need a little clarification though: after selecting the Title/Lyric/etc is there only one possible password returnable? That is, do you set up a generation rule, like:

* Pattern: aANSNNAA
* Min Characters: 6
* Max Characters: 8
* Repeat: True
and your selected phrase, etc. is passed through that rule to create a password?
-Perry Mowbray (December 16, 2008, 04:55 AM)
--- End quote ---

The way I would see it would be that the user gives the following:
- a general keyword (optional)
- any rules they are aware of (length, number of digits, UC letters etc.). The defaults being 8-10 long, 2 digits, 2 uppercase (since that meets most requirements I have encountered)

The tool would then return several options, along these lines:

3 extracts (since it is up to the user to pick something they easily can remember), perhaps from 3 different collections (poem, folk song and famous quotations, for example)
2-3 passwords per extract, if enough varying patterns could be found

The passwords would be generated by:
* picking a long enough set of words, starting at a punctuation (easier to remember).
* randomly pick characters to turn into digits (say, any "a" or any "o") (experience shows that if you only picked one of the As or one of the Os to turn into a digit, the password is more secure, but you are less likely to remember which it was a year later. I don't know if that is a problem or not, since 2-3 tries should nail it. But for now let's assume we pick one letter and change all of them).
* I am less sure about the uppercase part - totally random, picking one character-type again or the "visual" option xxXXxxxx XxxxxxX (but can you remember that a year later?)

I'll probably run some of the results through password security tests to see what the memorability vs safety effect is.
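The generation scheme sketched in the post above (clause-aligned word runs, one letter class turned into digits, one letter class uppercased, several candidates per extract), as an added example that is not iphigenie's code; the extracts are constructed samples standing in for the poem/quotation collections, and the digit mapping and the "uppercase one letter type" choice are assumptions:

```python
import random
import re

# Constructed sample collection standing in for the poem/quotation collections.
SAMPLE_EXTRACTS = [
    "This is the Night Mail crossing the Border, bringing the cheque and the postal order.",
    "I have a bad feeling about this.",
    "There are seven hills in Rome, and twenty-six letters in the alphabet.",
]

# Assumed letter-to-digit look-alikes; the post only names "a" and "o".
DIGIT_FOR = {"a": "4", "o": "0", "e": "3", "i": "1", "s": "5"}


def candidate_runs(extract, min_len, max_len):
    """Runs of consecutive words that start right after a punctuation mark
    (clause start, as the post suggests) and total min_len..max_len letters."""
    runs = []
    for clause in re.split(r"[,.;:!?]+", extract.lower()):
        joined = ""
        for word in clause.split():
            joined += re.sub(r"[^a-z]", "", word)   # drop hyphens/apostrophes
            if len(joined) > max_len:
                break
            if len(joined) >= min_len:
                runs.append(joined)
    return runs


def make_password(run, min_digits, min_upper, rng):
    """Turn every occurrence of one letter into its digit, then uppercase every
    occurrence of one other letter; None if the run cannot satisfy the counts."""
    digit_choices = [c for c in DIGIT_FOR if run.count(c) >= min_digits]
    if not digit_choices:
        return None
    d = rng.choice(digit_choices)
    pw = run.replace(d, DIGIT_FOR[d])
    upper_choices = sorted({c for c in pw if c.isalpha() and pw.count(c) >= min_upper})
    if not upper_choices:
        return None
    u = rng.choice(upper_choices)
    return pw.replace(u, u.upper())


def meets_policy(pw, min_len, max_len, min_digits, min_upper):
    """The typical site rule the post's defaults (8-10 long, 2 digits, 2 uppercase) target."""
    return (min_len <= len(pw) <= max_len
            and sum(c.isdigit() for c in pw) >= min_digits
            and sum(c.isupper() for c in pw) >= min_upper)


def suggest(extracts, min_len=8, max_len=10, min_digits=2, min_upper=2, per_run=3, rng=None):
    """Per extract: each usable run mapped to a few distinct passwords, for the user to pick from."""
    rng = rng or random.Random()
    out = []
    for extract in extracts:
        options = {}
        for run in candidate_runs(extract, min_len, max_len):
            pws = {make_password(run, min_digits, min_upper, rng) for _ in range(per_run)}
            pws.discard(None)
            if pws:
                options[run] = sorted(pws)
        out.append((extract, options))
    return out
```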

Perry Mowbray:
(but can you remember that a year later?)
-iphigenie (December 16, 2008, 05:25 AM)
--- End quote ---

For me, that would be the biggest question and is why I use RoboForm. Personally, I don't want to remember any passwords, but if there could only be one result from a given group of words (with my generation rule) and the phrase is easy enough to remember, then I think I could work with that.

It's a very interesting idea nonetheless: it'll be interesting to see how it develops!

I'll probably run some of the results through password security tests to see what the memorability vs safety effect is.
-iphigenie (December 16, 2008, 05:25 AM)
--- End quote ---

That is a very good idea!! Love to see the results.  :)

iphigenie:
One of the reasons I came up with a scheme like this is that I needed a large number of passwords and passphrases for servers, server certificates and the like. They needed to be hard to crack with random attacks and dictionary attacks, but they also needed to be memorable by more than one person, and in no way was it ok for people to have to create a list of their passwords to remember them (although we had one in the safe). Instead, on our team's computers you would have found a collection of poems and quotations, not all of which were used in passwords (people would save neat things for future use). I wonder what people might have thought of that.

So I used film names, book titles, aphorisms, quotes, films - mail server passphrases and certificate passphrases were taken out of "the night mail" (http://www.poemhunter.com/poem/night-mail-2/), and the one used for communication between the backup mail server was based on "Le Facteur sonne toujours deux Fois" (the postman always rings twice, in French). "I have a bad feeling about this" was used with our source control system :D

I also used total banalities like "there are 26 letters in the alphabet" and "there are 7even hills in rome" and the like. Another one was based on "all the pretty horses 1992" a book that I never even read but meant to for a while.

It works, I remember these to this day!

Wherever I worked I have suggested to people that they use this kind of system, and am always surprised that most people never thought of using that more - favorite childhood books, poems you had to learn at school, plays you did, favorite movie lines - they all can be used successfully as very safe passwords you won't forget.

But what I noticed is that even quotes that meant nothing to people, because I had picked them, they could remember and never needed to write down.

This was all created manually; I never thought to create a programmatic one before. I had a simple "pronounceable" password generator for our website registration system (a simple syllable-combination system so the passwords would look less cryptic than pure random characters. It improved memorability and makes errors less likely - e.g. Moma71fUsi vs rtHguL16fg. The only tricky bit was removing certain letter combinations to avoid random rude words.)

It's a shame more sites and systems don't allow long passwords, because using full sentences would be even safer.

iphigenie:
I, for example, still remember that 258512 was my phone number when I was a kid. I mean I don't always remember it, but I can pull that memory back. I also remember most of the first paragraph of Isaac Asimov's "Liar" short story (a stellar short story, by the way). (It starts with "alfred manning lit his cigar carefully, but the tips of his fingers were trembling slightly and he was frowning as he spoke. "It reads minds, no doubt about that".) (I might remember it wrong, but the point is I will remember it wrong the same way. It has been 19 years since I read it in English class.)

I can also remember nursery rhymes and silly songs I learned when I was a kid, plus the silly songs we sang at hockey games, and the rude versions of songs we made up as teens, and bits of plays I was in, and satirical songs we wrote for the yearly review etc. etc. etc. - I suspect I will never forget any of them for a very long time. Song lyrics from the 80s? You bet!

We remember stories very well, especially if they have a meaning or connection, but even if we pick something today to anchor a password, we will remember it - generations of oral tradition have wired us that way I guess.
