Phonetically Memorable Password Generation Algorithms
Background
While at the Gym the other day, I was working with my combination lock, and realized something that would be useful to me as a programmer. To wit, my combination is three seperate sets of numbers that either sound alike, or have some other relation that makes them easy to remember. For instance, 5-15-25, 7-17-2, 6-24-5. These examples seem easy to remember.
Question
How would I implement something similar for passwords? Yes, they ought to be hard to crack, but they also should be easy for the end user to remember. Combination Locks do that with a mix of numbers that have similar sounds, and with numbers that have similar properties (7-17-23: All Prime, 17 rolls right off the tongue after 7, and 23 is another prime, and is (out of that set), the 'hard' one to remember).
Criteria
- The Password should be easy to remember.
Dog!Wolf
is easy to remember, but once an attacker knows that your website gives out that combination, it makes it infinitely easier to check. - The words or letters should mostly follow the same sounds (for the most part).
- At least 8 letters
- Not use
!@#$%^&*();'{}_+<>?,./
These punctuation marks, while appropriate for 'hard' passwords, do not have an 'easy to remember' sound.
Resources
This question is language-agnostic, but if there's a specific implementation for C#, I'd be glad to hear of it.
Update
A few users have said that 'this is bad password security'. Don't assume that this is for a website. This could just be for me to make an application for myself that generates passwords according to these rules. Here's an example.
The letters A-C-C-L-I-M-O-P 'flow', and they happen to be two regular words put together (Acclimate and Mop). Further, when a user says these letters, or says them as a word, it's an actual word for them. Easy to remember, but hard to crack (dictionary attack, obviously).
This question has a two-part goal:
- Construct Passwords from letters that sound similar (using alliteration) or
- Construct Passwords that mesh common words similarly to produce a third set of letters that is not in a dictionary.
Solution 1:
You might want to look at:
- The pronouncable password generation algorithm used by apg and explained in FIPS-181
- Koremutake
Solution 2:
First of all make sure the password is long. Consider using a "pass-phrase" instead of a single "pass-word". Breaking pass-phrases like "Dogs and wolves hate each other." is very hard yet they are quite easy to remember.
Some sites may also give you an advice which may be helpful, like Strong passwords: How to create and use them (linked from Password checker, which is a useful tool on its own).
Also, instead of trying to create easy to remember password, in some cases a much better alternative is to avoid remembering the password at all by using (and educating your users to use) a good password management utility (see What is your favourite password storage tool?) - when doing this, the only part left is to create a hard to crack password, which is easy (any long enough random sentence will do).
Solution 3:
I am surprised no one has mentioned the Multics algorithm described at http://www.multicians.org/thvv/gpw.html , which is similar to the FIPS algorithm but based on trigraphs rather than digraphs. It produces output such as
ahmouryleg
thasylecta
tronicatic
terstabble
I have ported the code to python as well: http://pastebin.com/f6a10de7b