Re: Password generator using a linguistic rule base

Congratulations, definitely a step above for the generation of passwords that are easy to remember, but hard to guess.

One thing to keep in mind. While it is hard for a person to guess, the same concept can be used to narrow the initial selection set of passwords needed to guess. Implemented in a program (a simple modification of your code) it would have a much better success ratio of guessing the passwords. In the end though they are definitely tougher to guess than standard dictionary words, so it is definitely an improvement.

I used to pick passwords of random characters that felt natural to type. Some combinations of characters are just awkward to enter quickly. Knowing that a password cracker to begin its search based on netural key combinations. This would likely shorten the search time.

Comment on Re: Password generator using a linguistic rule base

Replies are listed 'Best First'.
Re: Re: Password generator using a linguistic rule base by ginseng (Pilgrim) on Aug 02, 2001 at 03:17 UTC
Knowing that letter patterns and character distribution are based on language should make the resultant passwords a little easier to guess. Obviously, knowing that a host under attack requires passwords created with this code would narrow down the universe of possible combinations. But how much would that help? I'm not good at probabilities, but it appears to me that a program guessing passwords generated by code like this would still have a huge job ahead of it. Maybe this is the wrong forum to ask for help with such analysis. I think it's a good algorithm. Ultimately, I am hoping for a routine where an attacker, knowing that the passwords were created with this code, would not get significant advantage from that knowledge. It's probably not there, yet, and might not get there if I don't bone up on probability. Thanks for your positive comments.	[reply]
Re: Re: Re: Password generator using a linguistic rule base by bastard (Hermit) on Aug 02, 2001 at 20:56 UTC
Don't get me wrong, I think this is a great tool. I was just mentioning the pitfalls of something that excludes a set of passwords for the available selection set. (like my choosing of passwords that are comfortable to type quickly) When taken in the context of the entire net it will still be generating passwords that are probably an order of mangitude (or more), more difficult to crack than the average password out there. (on the other hand it is also probably an order of magnitude or more easier to guess than a truly random password). The only people who would really be able to take advantage of such a technique are those with some level of cryptanalytic ability. Who know a thing or two about character frequencies and the human element. Heck real cryptanalysts can take advantage of a faulty random number generator. back during wwii the germans broke the codes on a number of british one-time-pads. (Theoretically unbreakable). It happened like this. To create the one time pads someone would take balls with letters on them out of a spherical cage. After each ball was selected they would spin the cage (after closing the hatch). They were not supposed to be looking at the letters during the selection process. After a while they did indeed start looking at the balls. Sub-conciously they would pick letter combinations that they felt were random, but actually were not. Speculating that this was the case the germans did a bit of research, and discovered the the frequencies of combinations and were ultimately able to crack a number of the brittish one-time-pads.	[reply]