How Secure is your Passphrase? Generate a Dice-Indexed Passphrase using TWiki

2015-04-20 - 02:59:41 by PeterThoeny in Development
A passphrase acts as a master password that is used to securely store other passwords. It has to be strong so that it can't be easily cracked and expose the other passwords. This blog post contains a dice-indexed passphrase generator. It also serves as an example of what can be done with TWiki's SpreadSheetPlugin functions and some HTML.

This blog post is inspired by and references the article "Passphrases that you can memorize - but that even the NSA can't guess" by Firstlook.org.

It is easy to generate a random passphrase that is secure, such as "d07;oj7MgLz'%v^", but it is very hard to remember. A passphrase is easy to remember if it contains words from a song, such as "This could be Heaven or this could be Hell" from the Hotel California lyrics. The problem is that a password cracker can easily be fed with any widely known text, so a passphrase based on lyrics or other literary work can be insecure. What about obscuring dictionary words? Password crackers account for common character substitutions, such as a zero for "O", a "2" for "to", or a "4" for "for", so that is not a viable option either. Relying on a keyboard layout, such as "qwerty" or "asdfg", is not secure either.

[Image: dices.png]
So, how can we create a secure passphrase that is memorable? The solution is to use dictionary words chosen at random. A five-word passphrase, which has 7776^5 possible passphrases, could be guessed after an average of 14 quintillion tries (a 14 with 18 zeroes). At one trillion guesses per second it would take an average of 5.3 months to guess this passphrase. A seven-word passphrase would take an average of 27 million years to guess. For more math details read the aforementioned Firstlook.org article.
 ...
 13545 beefy
 13546 been
 13551 beep
 13552 beer
 13553 beet
 13554 befall
 ...

Diceware.com has a dice-indexed passphrase word list. The idea is to roll dice to pick words at random from the word list containing 7776 words. A small sample of the word list is shown above: each five-digit number is a sequence of five dice faces, and the word next to it is the entry they index.

Let's assume you roll a die five times and get 1, 3, 5, 5, 2. You look it up and find "beer". Who doesn't like that? Now rinse and repeat until you have the number of words you want. With this approach you can create a very secure passphrase because the dictionary words are chosen at random. The more words the more secure obviously, but it also takes more time to memorize. Seven words are highly secure and not too hard to memorize.

To make this easy, we have a passphrase generator that rolls the dice for you.

Dice-Indexed Passphrase Generator:

Number of words: [select, 1 to 10] [Generate passphrase]
When prompted, log in with your TWiki.org account. You can register, or log in anonymously as "TWikiGuest" with password "guest" (both case-sensitive). You can also simply refresh this page to get a new 7-word passphrase.
  • Random passphrase: [five stacked dice images per word, not reproduced here]
    eye tamp tick eddy skip gaur zag
  • Passphrase again for easy copy:

Now that you have generated your passphrase, the next step is to memorize it. Initially you can write down the new passphrase on a piece of paper and carry it in your wallet. When you need it, try first from memory, and look it up if needed. After some days of use you will recall the passphrase. At this point it is best to shred the paper.

To log in to websites and other servers you can use a password database that is secured with your passphrase. KeePassX is good because it's free, open source, cross-platform, and it never stores anything in the cloud. Use your password manager to generate and store a different random password for each website you log in to.

Looking under the hood of the passphrase generator:

How does this dice-indexed passphrase generator work? All application logic is embedded in this wiki page. TWiki is an Enterprise Wiki and a Structured Wiki. As a structured wiki, it lets you create TWiki applications using TML (TWiki Markup Language), JavaScript and HTML. This generator relies on some HTML for the form asking for the number of words, and some SpreadSheetPlugin magic to generate and show the random passphrase and dice.

Let's first look at the HTML form that asks for the number of words:

<form action="%SCRIPTURL{viewauth}%/%WEB%/%TOPIC%#PassphraseGenerator">
Number of words:
<select name="wc" class="twikiSelect">
%CALCULATE{
  $SET(wc, $MIN($MAX($VALUE(%URLPARAM{ "wc" default="7" }%), 1), 10))
  $LISTJOIN(
    $sp,
    $LISTEACH(
      <option $IF($item==$GET(wc), $CHAR(32)selected="selected")>$item</option>,
      1, 2, 3, 4, 5, 6, 7, 8, 9, 10
    )
  )
}%
</select>
&nbsp;
<input type="submit" value="Generate passphrase" class="twikiSubmit" />
</form>
What it does:

  • The action of the form tag is the current page at the anchor #PassphraseGenerator.
  • The select tag has a %CALCULATE{}% TWiki variable that is handled by the SpreadSheetPlugin.
  • We get the value of URL parameter wc (for "word count"), "7" is used as the default.
  • $VALUE() picks just the numeric value from the URL parameter; it is further constrained to the range 1 to 10 with $MIN() and $MAX(); finally we store the number in a variable using $SET().
  • The select options are generated with a $LISTEACH() that operates on a list, in this case simply 1, 2, 3, 4, 5, 6, 7, 8, 9, 10.
  • The result is a comma-delimited list of option tags, so we use $LISTJOIN() to convert that into a space-separated list of options.
  • For each item we generate an option tag; there is a conditional $IF() to preselect the number received in the URL parameter wc.

Now on to the passphrase generator:

%CALCULATE{
  $LIST2HASH(n2w,
    11111, a,
    11112, a&p,
    11113, a's,
    11114, aa,
    ...
    66664, ?,
    66665, ??,
    66666, @
  )

Random passphrase:
  <table><tr><td>
  $WHILE(
    $counter<=$GET(wc),
    $SET(r1, $INT($RAND(5.999999)+1))
    $SET(r2, $INT($RAND(5.999999)+1))
    $SET(r3, $INT($RAND(5.999999)+1))
    $SET(r4, $INT($RAND(5.999999)+1))
    $SET(r5, $INT($RAND(5.999999)+1))
    <img src="%ATTACHURL%/dice-$GET(r1).png" width="36" height="36" alt="" />%BR%
    <img src="%ATTACHURL%/dice-$GET(r2).png" width="36" height="36" alt="" />%BR%
    <img src="%ATTACHURL%/dice-$GET(r3).png" width="36" height="36" alt="" />%BR%
    <img src="%ATTACHURL%/dice-$GET(r4).png" width="36" height="36" alt="" />%BR%
    <img src="%ATTACHURL%/dice-$GET(r5).png" width="36" height="36" alt="" />%BR%
    $SETHASH(
      words,
      $counter,
      $GETHASH(
        n2w,
        $GET(r1)$GET(r2)$GET(r3)$GET(r4)$GET(r5)
      )
    )
    </td><td>
  )
  </td></tr><tr><td>
  $WHILE(
    $counter<=$GET(wc),
    <b>
    $GETHASH(
      words,
      $counter
    )
    </b>
    </td><td>
  )
  </td></tr></table>
}%
What it does:

  • The $LIST2HASH() creates a hash called n2w ("number to word") from a flat list alternating between the dice number and the associated dictionary word. This is directly taken from the Diceware.com word list.
  • We use a table layout to show dice and words, one table column for each generated word.
  • We start a while loop over the number of words we want with a $WHILE(); the condition is $counter<=$GET(wc).
  • We generate 5 random numbers between 1 and 6 using $INT($RAND(5.999999)+1), and store each result in a variable using $SET().
  • Using img tags, we show images of five dice stacked on top of each other based on the generated random numbers.
  • We concatenate the five random numbers ($GET(r1)$GET(r2)$GET(r3)$GET(r4)$GET(r5)), and use that as the key to look up the hash value using $GETHASH(); the hash value is the word associated with the five random digits.
  • For now we store that random word in a hash called words using $SETHASH(); the hash key is the while index (first run 1, then 2, etc.)
  • We end each while iteration with a table cell end and table cell start tag (</td><td>) to start a new column.
  • After the closing parenthesis of the while loop we start a new table row to show the generated random words.
  • We use another $WHILE() to output the random words; we use $GETHASH() to retrieve each random word.
  • Finally we close the table.
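The same procedure in Python, as an added example that is not the TWiki page's code: it parses the "NNNNN word" list format sampled earlier, clamps the word count the way the form does, rolls five dice per word and looks the key up in the list exactly as the $GETHASH() step above does, and computes the entropy and average guess-time figures from the introduction (7776^5 possibilities, one trillion guesses per second). The dice are rolled with Python's secrets module, which draws from the operating system's cryptographically secure generator, since the passphrase is only as unpredictable as the roll source. The six-entry word list excerpt and the scripted roll sequence are constructed for the demo; word_count_from_param approximates $VALUE() by taking the first run of digits; all other names are this example's own.

```python
"""Diceware-style passphrase generator (added example, not the TWiki page's code)."""
import math
import re
import secrets

DICE_SIDES = 6
ROLLS_PER_WORD = 5
LIST_SIZE = DICE_SIDES ** ROLLS_PER_WORD  # 7776 entries, keys 11111..66666

# Constructed excerpt of the Diceware word list in its "NNNNN word" line format.
# The full list from diceware.com covers all 7776 keys; only six appear here.
SAMPLE_WORDLIST_TEXT = """\
13545 beefy
13546 been
13551 beep
13552 beer
13553 beet
13554 befall
"""


def parse_wordlist(text):
    """Map five-digit dice keys to words; lines not of the form 'NNNNN word' are skipped."""
    words = {}
    for line in text.splitlines():
        m = re.match(r"\s*([1-6]{5})\s+(\S+)\s*$", line)
        if m:
            words[m.group(1)] = m.group(2)
    return words


def word_count_from_param(raw, default=7, lowest=1, highest=10):
    """Mirror of the form handling: take the leading integer of the URL
    parameter (approximating $VALUE()), fall back to the default, then clamp."""
    m = re.search(r"\d+", raw or "")
    value = int(m.group()) if m else default
    return min(max(value, lowest), highest)


def roll_key(randbelow=secrets.randbelow):
    """Roll five dice and read the faces in order as a key such as '13552'.
    secrets.randbelow draws from the OS CSPRNG, so each key is uniform over
    the 7776 possibilities; pass a scripted function to reproduce a roll."""
    return "".join(str(randbelow(DICE_SIDES) + 1) for _ in range(ROLLS_PER_WORD))


def generate_passphrase(words, n_words, randbelow=secrets.randbelow):
    """Pick n_words words by independent dice rolls and join them with spaces."""
    chosen = []
    for _ in range(n_words):
        key = roll_key(randbelow)
        if key not in words:
            raise KeyError(f"word list has no entry for {key}; the list must be complete")
        chosen.append(words[key])
    return " ".join(chosen)


def entropy_bits(n_words):
    """Each uniformly rolled word contributes log2(7776), about 12.9 bits."""
    return n_words * math.log2(LIST_SIZE)


def average_guess_seconds(n_words, guesses_per_second=1e12):
    """Expected brute-force time: half the keyspace at the given guess rate."""
    return (LIST_SIZE ** n_words / 2) / guesses_per_second


def scripted_randbelow(values):
    """Deterministic stand-in for secrets.randbelow (tests and demos only)."""
    it = iter(values)

    def randbelow(n):
        v = next(it)
        if not 0 <= v < n:
            raise ValueError("scripted value out of range")
        return v

    return randbelow


if __name__ == "__main__":
    words = parse_wordlist(SAMPLE_WORDLIST_TEXT)
    # Scripted rolls 1,3,5,5,2 and 1,3,5,5,3 land on the excerpt's "beer" and "beet";
    # with the complete list you would keep the default secrets.randbelow.
    rolls = scripted_randbelow([0, 2, 4, 4, 1, 0, 2, 4, 4, 2])
    print(generate_passphrase(words, 2, rolls))
    for n in (5, 7):
        years = average_guess_seconds(n) / (365.25 * 86400)
        print(f"{n} words: {entropy_bits(n):.1f} bits, about {years:,.0f} years on average")
```

With the complete 7776-line list loaded through parse_wordlist, generate_passphrase(words, 7) reproduces what the wiki page does on each refresh; the KeyError on an incomplete list is deliberate, since silently retrying a miss would bias the selection toward whatever entries happen to be present.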

This post is intended to give you some ideas to automate your own workflows and projects using TWiki. Let us know what you have in mind.

-- Peter Thoeny - TWiki.org Founder


Topic revision: r4 - 2015-04-21 - PeterThoeny