topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Wednesday December 4, 2024, 10:02 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: NANY 2009 Withdrawn (sorry): Iphi's Memorable Passwords  (Read 19692 times)

iphigenie

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,170
    • View Profile
    • Donate to Member
NANY 2009 Withdrawn (sorry): Iphi's Memorable Passwords
« on: December 15, 2008, 11:34 AM »
(please fix this if i am doing it wrong)
I can't quite make it fit the theme, but it seems more potentiall useful than my "count your blessings" idea.
This is a tough call as I am gone abroad for the holidays, but I figure I ought to be able to fall back to a web based service option.

Application NamePermanent Persistent Toothbrush (codename, for now)
Versionnone yet
Short DescriptionPhase 1: generates passwords that are both strong and easy (for 1 person) to re-create.
Supported OSesnot sure yet, could be web based only
Download Link
Author 

The premise:

We all have to come up with a phenomenal number of passwords both online and offline. More than we can remember. Current solutions are:
1) use the same 2-3 usernames and 2-3 passwords. Rather insecure in that once someone has one
2) use a strong password generator, and store these in a password manager. More secure but has a single point of failure
3) central ID systems like openID - great, but not widely used

I always preferred finding passwords that were easy to remember/trigger but strong. Then all I would need is a reminder manager - no need to store my passwords, just reminders that are only useful to me.

The key idea is that we remember sentences and stories far better than we remember random combinations of characters. And we remember patterns/processes fairly well too.

I will give an example - say I am joining the book site librarything.com and I need a password.

I start with the trigger "book", the program will then find a poem or quote about books (if it can) in its database (not sure whether i will store it all or use openly available content sites online in the background).

Books to the ceiling
Books to the sky
My piles of books are a mile high
How I love them
How I need them
I'll have a long beard by the time I read them

~Arnold Lobel

or

Outside of a dog, a book is a man's best friend. Inside a dog, it's too dark to read -- Groucho Marx

Now several passwords can be generated, but by either taking a sub sentence or first letters of words, swapping 2 to numbers and swapping 2 to upper case, you have a strong password.

And strangely enough, it is easier to remember this whole sequence than it is to remember something like "1aD1tDtr" or "Ih4lbbttIrt", and a trigger such as "outside of a dog" or "books to the ceiling" can be all you need even after not using it for a year.

The name comes from a memorable quote:

Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months.
Clifford Stoll

The plan:

Phase 1: password + password reminder generator

- keyword/topic based database of quotes and poem
- supports contraints such as length, number of uppercase or digits required
- option to search online in open content
- supports the option for multiple language-specific source databases
- can save and export lists of generated passwords

Phase 2: reminder manager

either: (maybe, not happening within NANY): web widget to show password reminders on website log in forms - javascript bookmarklet perhaps?
or: (maybe, not happening within NANY): modification of open source password manager to be a reminder manager.

Feedback more than welcome, even if it is "don't bother, already been done, cant be useful" :D
« Last Edit: December 23, 2008, 05:25 AM by iphigenie »

iphigenie

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,170
    • View Profile
    • Donate to Member
Note: This is very much an exercise for me, and not that easy, as in the past 2 years I have mostly told other people what/how to build applications, and not written much myself beyond refactoring, I dont know how to start something from scratch anymore! I have no idea where I am going with this at the moment, hopefully having taken a step I will force myself through that feeling of reluctance into actually doing something, even something ugly.

Even though I am unlikely to take a job where I am that hands on anymore, it's good for me not to loose touch.

Perhaps I should call it Persistent Toothbrush - a more geeky name :D
« Last Edit: December 15, 2008, 11:48 AM by iphigenie »

iphigenie

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,170
    • View Profile
    • Donate to Member
I will try to post my progress/ideas/thoughts here - this is because I learn a lot by doing, and reading of others doing - and I learn most by my mistakes. But most tutorials, work diaries etc. are expunged of all the dead ends, mistakes etc.

I figure all my mistakes will probably be more useful to someone than my final solution (I have no illusion of being anything special when it comes to produced code), and besides, if I don't finish anything at least I will have shared something :D

Oh and any comments increase motivation  :-*

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,885
    • View Profile
    • Donate to Member
Rather than a quote or poem, I like using lines of lyrics from obscure songs.

And there are plenty of lyrics databases on the web that you could draw from, with many of them accepting user submissions and expanding in size, daily. You will never run out of song lyrics to base them on. A lot of them are even used in various media player plugins to display lyrics of currently playing song.

You could start with a base word(s) supplied by the user, and find songs containing that word in the title. Allow the user to select a song from a list and load the lyrics, and at the end of every line, present a password made from that line of lyrics, color coded from red to green, representing the strength of that password.

This will give the user a lot of choices from a single song and show them how good one phrase is over another.

And here is another name idea, based on the song lyrics concept:

singing toothbrush.jpg

edit: attached image + name idea
« Last Edit: December 15, 2008, 05:48 PM by app103 »

Perry Mowbray

  • N.A.N.Y. Organizer
  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 1,817
    • View Profile
    • Donate to Member
What a great idea: and you're right, I use RoboForm but the main entry point would be easy to break.

I need a little clarification though: after selecting the Title/Lyric/etc is there only one possible password returnable? That is, do you set up a generation rule, like:
  • Pattern: aANSNNAA
  • Min Characters: 6
  • Max Characters: 8
  • Repeat: True

and your selected phrase, etc is passed through that rule to create a password??

iphigenie

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,170
    • View Profile
    • Donate to Member
Lyrics are a good idea too, although it is a bit more vague who owns them. Are there public domain Lyrics collections out there? (I know I am just using them internally, and if i do a web app it might be ok to use any lyrics, but if it is redistributed as a desktop app then I might fall under copyright/license fees)

I'm currently pondering the format for storing things - something open so it is easy to swap collections/create new collections. After all these only work in a language people are familiar with, so it is important to be able to create similar lists for french, german, spanish etc. I was surprised to find out there is no microformat for things like excepts/quotations/references, I would have thought such a format could be a good open base for the content collections I am thinking of. I guess I will have to do some very simple XML schema for it instead + associated CSV converter/importer. (What's mouser using for his collection, I wonder?, maybe I just write a password generator that uses his tool as a base :D )

Since in my last job one of our projects was a vertical search engine (foundography, never quite managed to achieve what we wanted), customising a spider to crawl things like lyrics database, project gutenberg, etc. and create databases is actually something that I would consider. Seems like a lot of spidering work for something so mundane, though...

iphigenie

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,170
    • View Profile
    • Donate to Member
What a great idea: and you're right, I use RoboForm but the main entry point would be easy to break.

I need a little clarification though: after selecting the Title/Lyric/etc is there only one possible password returnable? That is, do you set up a generation rule, like:
  • Pattern: aANSNNAA
  • Min Characters: 6
  • Max Characters: 8
  • Repeat: True

and your selected phrase, etc is passed through that rule to create a password??

The way I would see it would be that the user gives the following:
- a general keyword (optional)
- any rules they are aware of (length, number of digits, UC letters etc.). The defaults being 8-10 long, 2 digits, 2 uppercase (since that meets most requirements I have encountered)

The tool would then return several options, along those lines:

3 extracts (since it is up to the user to pick something they easily can remember), perhaps from 3 different collections (poem, folk song and famous quotations, for example)
2-3 password per extract, if enough varying patterns could be found

The passwords would be generated by:
* picking a long enough set of words, starting at a punctuation (easier to remember).
* randomly pick characters to turn in digits (say, any "a" or any "o") (experience shows that if you only picked one of the As or one of the Os to turn into a digit, the password is more secure, but you are less likely to remember which it was a year later. I don't know if that is a problem or not, since 2-3 tries should nail it. But for now lets assume we pick one letter and change all of them).
* I am less sure about the uppercase part - totally random, picking one character-type again or the "visual" option xxXXxxxx XxxxxxX (but can you remember that a year later?)

I'll probably run some of the results through password security tests to see what the memorability vs safety effect is.

Perry Mowbray

  • N.A.N.Y. Organizer
  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 1,817
    • View Profile
    • Donate to Member
(but can you remember that a year later?)

For me, that would be the biggest question and is why I use RoboForm. Personally, I don't want to remember any passwords, but if there could only be one result from a given group of words (with my generation rule) and the phrase is easy enough to remember, then I think I could work with that.

It's a very interesting idea non-the-less: it'll be interesting to see how it develops!

I'll probably run some of the results through password security tests to see what the memorability vs safety effect is.

That is a very good idea!! Love to see the results.  :)

iphigenie

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,170
    • View Profile
    • Donate to Member
One of the reason I came up with a scheme like this is that I needed a large number of passwords and passphrases for servers, server certificates and the likes. They needed to be hard to crack with random attacks, and dictionary attacks, but they also needed to be memorable by more than one person, and in no way was it ok for people to have to create a list of their passwords to remember them (although we had one in the safe). Instead, one our team's computers you would have found a collection of poems and quotations, not all of which were used in passwords (people would save neat things for future use). I wonder what people might have thought of that.

So I used film names, book titles, aphorisms, quotes, films - mail servers passphrases and certificate passphrases were taken out of  "the night mail" (http://www.poemhunte...m/poem/night-mail-2/), and the one used for communication between the backup mail server was based on "Le Facteur sonne toujours deux Fois" (the postman always rings twice, in french). "I have a bad feeling about this" was used with our source control system :D

I also used total banalities like "there are 26 letters in the alphabet" and "there are 7even hills in rome" and the like. Another one was based on "all the pretty horses 1992" a book that I never even read but meant to for a while.

I works, I remember these to this day!

Wherever I worked I have suggested people that they use this kind of system, and am always surprised that most people never thought of using that more - favorite childhood books, poems you had to learn at school, plays you did, favorite movie lines - they all can be used successfully as very safe password you won't forget.

But what I noticed is that even quotes that meant nothing to people, because I had picked them, they could remember, never need to write down.

This was all created manually, never thought to create a programmatic one before. Had a simple "pronouncable" password generator for our website registration system (a simple syllable-combination system so the passwords would look less cryptic than pure random characters. It improved memorability and makes errors less likely -eg Moma71fUsi vs rtHguL16fg. The only tricky bit was removing certain letter combinations to avoid random rude words )

It's a shame more sites and systems don't allow long passwords, because using full sentences would be even safer.
« Last Edit: December 16, 2008, 06:05 AM by iphigenie »

iphigenie

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,170
    • View Profile
    • Donate to Member
i for example still remember that 258512 was my phone number when i was a kid. I mean it don't always remember it, but I can pull that memory back. I also remember most of the first paragraph of Isaac Asimov's "Liar" short story (a stellar short story, by the way) (It starts with "alfred manning lit his cigar carefully, but the tips of his fingers were trembling slightly and he was frowning as he spoke. "It reads minds, no doubt about that") (i might remember it wrong, but the point is i will remember it wrong the same way. It has been 19 years since i read it in english class)

I can also remember nursery rhymes and silly songs I learned when i was a kid, plus the silly songs we sang at hockey games, and the rude version of songs we made up as teens, and bits of plays I was in, and satirical songs we wrote for the yearly review etc.etc.etc. - I suspect I will never forget any of them for a very long time. Song lyrics from the 80s? You bet!

We remember stories very well, especially if they have a meaning or connection, but even if we pick something today to anchor a password, we will remember it - generations of oral tradition have wired us that way I guess.

iphigenie

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,170
    • View Profile
    • Donate to Member
Re: NANY 2009 Teaser: Permanent Toothbrush, i.e. Iphi's Memorable Passwords
« Reply #10 on: December 16, 2008, 06:23 AM »
For me, that would be the biggest question and is why I use RoboForm. Personally, I don't want to remember any passwords, but if there could only be one result from a given group of words (with my generation rule) and the phrase is easy enough to remember, then I think I could work with that.

You're right, the pattern is a key one - if i can come up with a set of patterns that are easy to remember/retrieve, yet are safe (let the user choose as configuration, i guess) then this will work better.

Perry Mowbray

  • N.A.N.Y. Organizer
  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 1,817
    • View Profile
    • Donate to Member
Re: NANY 2009 Teaser: Permanent Toothbrush, i.e. Iphi's Memorable Passwords
« Reply #11 on: December 16, 2008, 06:34 AM »
i for example still remember that 258512 was my phone number when i was a kid.

So can I!  :-\ :-\

OK, lets see how common that is: How many others can?

Dormouse

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,952
    • View Profile
    • Donate to Member
Re: NANY 2009 Teaser: Permanent Toothbrush, i.e. Iphi's Memorable Passwords
« Reply #12 on: December 16, 2008, 04:32 PM »
i for example still remember that 258512 was my phone number when i was a kid.

So can I!  :-\ :-\

OK, lets see how common that is
No, I had a different number

iphigenie

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,170
    • View Profile
    • Donate to Member
Re: NANY 2009 Teaser: Permanent Toothbrush, i.e. Iphi's Memorable Passwords
« Reply #13 on: December 16, 2008, 06:56 PM »
maybe this app idea will be reinvented as the memory trainer  :P

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,885
    • View Profile
    • Donate to Member
Re: NANY 2009 Teaser: Permanent Toothbrush, i.e. Iphi's Memorable Passwords
« Reply #14 on: December 17, 2008, 05:42 AM »
As far as copyright issues are concerned, you wouldn't be distributing the lyrics with your application, nor would you be hosting the lyrics yourself on your own server (unless you want to go double purpose on this project and start your own lyrics site, too).

You would tap into already existing lyrics databases, just like media player plugins do. (I would also include multiple sites to search, just in case one of them dies or becomes unavailable for some reason.)

The bonus in this is that foreign words, as well as English, would be covered in many existing databases outside of the US, due to foreign song lyrics being listed (music is universal).

What a great idea: and you're right, I use RoboForm but the main entry point would be easy to break.

I need a little clarification though: after selecting the Title/Lyric/etc is there only one possible password returnable? That is, do you set up a generation rule, like:
  • Pattern: aANSNNAA
  • Min Characters: 6
  • Max Characters: 8
  • Repeat: True

and your selected phrase, etc is passed through that rule to create a password??

Here is a visual that might help illustrate what I meant:

SNAG-00015.png
(colors do not represent real password strength quality, except in the cases of obvious bad passwords in red)

You just give the user a list and let them choose which they would like. Storage of the choice selected wouldn't even have to be included if you don't want to do that.

This could be a very simple application that just parses the results from a lyric site's database and inserts the additional characters at the end of each line. If the user decides they want to store it somewhere, that could be left up to them and what application they use would be their own choice. Then they could store the phrase and not the actual password in it, in the notes section of it, like this:

SNAG-00016.png

The user could even fill in the password box in the application with bogus info, as long as they are not using the application to automatically fill in passwords on sites (shouldn't be doing this any way, for security reasons).

iphigenie

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,170
    • View Profile
    • Donate to Member
Re: NANY 2009 Teaser: Permanent Toothbrush, i.e. Iphi's Memorable Passwords
« Reply #15 on: December 23, 2008, 04:08 AM »
I alas must put this on hold as I have done something to my shoulder and just cannot sit at a computer for very long at the moment.
 :mad:


ewemoa

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 2,922
    • View Profile
    • Donate to Member
Re: NANY 2009 Teaser: Permanent Toothbrush, i.e. Iphi's Memorable Passwords
« Reply #16 on: December 23, 2008, 04:27 AM »
Sorry about your current state -- I hope you have success in recovery soon!

Perry Mowbray

  • N.A.N.Y. Organizer
  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 1,817
    • View Profile
    • Donate to Member
Re: NANY 2009 Teaser: Permanent Toothbrush, i.e. Iphi's Memorable Passwords
« Reply #17 on: December 23, 2008, 04:36 AM »
That's such a shame -- rats about your shoulder: you've got to take more care of yourself. Your Teaser has done such a good job on my interest  ;)

iphigenie

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,170
    • View Profile
    • Donate to Member
Re: NANY 2009 Withdrawn (sorry): Iphi's Memorable Passwords
« Reply #18 on: December 23, 2008, 05:28 AM »
I will revisit this in the new year - I think for me this could be a great learning exercise of having a webapp coupled with a desktop app. I have written frameworks and CMSes and other website engines, but never many "self contained" complete little apps. So fun to learn, and perhaps it can be useful. And I wont let myself get sidetracked by the crawling and indexing of source material (which i did 10 days ago, mostly because it is again familiar terrain for me), I will build it next time :D

I've had the shoulder thing a while, fell over the dog. I thought it would get better. But instead of getting better it keeps getting worse, and sitting at a computer holding my arm at these kinds of angles is just painful.

I also just noticed I can't lift my arms above my head as much as the other - doesnt hurt but won't go further. Clearly will need to see a doctor after the xmas break.
« Last Edit: December 23, 2008, 05:30 AM by iphigenie »

Perry Mowbray

  • N.A.N.Y. Organizer
  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 1,817
    • View Profile
    • Donate to Member
Re: NANY 2009 Withdrawn (sorry): Iphi's Memorable Passwords
« Reply #19 on: December 23, 2008, 05:43 AM »
I also just noticed I can't lift my arms above my head as much as the other - doesnt hurt but won't go further. Clearly will need to see a doctor after the xmas break.

Physio's are a wonderful invention! I remember when my eldest son fainted when he heard about 9/11 (he's 6' 7") and landed flat on his jaw, we had our physio friend look at it. She'd never treated a jaw before, but after 15 minutes of investigation and finding out what the muscles were doing, she just got him to stretch a bit here and there and it was all fixed. Absolutely amazing.

That experience also demonstrated why you ask people to sit down when you've got some bad/shocking news.