
Mutators feature request: EndOfPassword?

Aug 12, 2014 at 10:16 PM
Hi,

Great tool, makes strong yet "easy" one time passwords :)

I have one small feature request though: add a numeric-style mutator, EndOfPassword?

So I can add a random-length number to the password.

Grtz,

Theo :)
Aug 14, 2014 at 1:50 PM
Thanks for your suggestion, Theo.

I don't have plans to add a mutator like that just now. Although it wouldn't be particularly difficult.

I'll add it to the issues list. And if you can get a few people to vote for it, well, that's good enough for me!


Just to clarify what you're asking for, you want to go from:
the statesman will burgle amidst lucid sunlamps
Into
the statesman will burgle amidst lucid sunlamps1234
Where you'd like to control the size of 1234


Murray
Sep 12, 2014 at 10:06 PM
Edited Sep 12, 2014 at 10:13 PM
It would be better to put numbers or variable case within the middle of the passphrase, because too many unsophisticated password generators/users do just this: 'pet's name or other dictionary word/phrase & short number', e.g., Spot1234, basketballplayer667. The password crackers know and use this pattern, so adding numbers only at the end, or Initial Upper Case, etc. not only increases entropy less compared to more distributed use, but also fits a recognized pattern that the crackers already use.

I have a counterproposal for easy-to-type, yet still difficult-to-defeat variability: instead of offering ALL/no/Initial upper case, or numbers1234 at the end, how about:
Whole words or groups of 3+ sequential letters randomly UPPER or lower CASE AND/or a group OF DIGITS inserted in THE middle?
So you'd get passphrases like
"how DOES a 66340spirited one ENTER" or even "how DOEs a 66340spirITED one enTER" rather than "hO7w do6ES3 a sPIriT4eD onE e2nTEr", which induces 'shift key aversion' and aversion to mixing letters and numbers.

Or even, words with/without vowels: "how DS a 66340sprtd one" or "how DS a 66340sprtd one NTR dogwood" ? Obviously, this helps defeat dictionary attacks, so shorter phrases are more secure.
Obviously, the longer, more variable, and less predictable the phrase pattern is, the harder to guess.

Big question is, how hard is this to program? FWIW, if length is NOT limited, passphrases of the form "the statesman will burgle amidst lucid sunlamps" are just fine.
Thanks again for writing a great plugin!

Take a look at
https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html
http://www.passfault.com/password_strength.html#menu
for password testers.
Neither perfect, but they catch fragments of words, etc.
Sep 25, 2014 at 11:34 AM
Thanks for the request, and sorry for not replying as quickly.

First thing to remember with these mutators is they exist to let a passphrase meet password complexity requirements that we hate (upper, lower and numbers). Not to increase the entropy of the passphrases. That is, when I developed the mutators, I wasn't trying to increase entropy / combinations / complexity of passphrases so they'd be harder to crack.

Now, of course, the mutators do, in fact, increase the entropy of a passphrase - it's important to remember they just weren't designed for that purpose.

With that out of the way, there really isn't much of a technical reason why different mutators couldn't be developed. They're really quite easy, so I'll give it a go over the next week or so, if I get some spare time. The hard part is how to present those options in the config screen (which already has too much on it, IMO). Tabs are probably the answer.

I'm happy to go for a whole word in capitals, or a run of capitals. But putting numbers in the middle of words or stripping vowels is making the phrase too hard to remember. But, if you really really want numbers in the middle of a word without any vowels, edit the passphrase yourself! Your post suggests you have a pretty good idea of what makes a good password, so don't let me stop you editing the phrase after it's generated. The ultimate custom mutator, if you will!

I hear you about password crackers and fitting a very well known pattern. Having done some password cracking myself over the years, totally random passphrases withstand attacks very well (as in, I crack waaaay more passwords than passphrases; even when I'm actively looking to crack passphrases). And whitespace is also highly infrequent. So a long, random passphrase with spaces will put you way outside the low-hanging fruit crackers usually target.

zxcvbn says "the statesman will burgle amidst lucid sunlamps" has over 128 bits of entropy. (I'd never tried rating that particular phrase in zxcvbn before.) In reality, it only has ~60 bits (probably less, because it was one of the first phrases I generated when the dictionary was quite small). So it's only in range of crackers with serious hardware and a lot of time to burn and specifically targeting my passphrase style (~14 days to brute force assuming 1000G attempts per second).

Murray
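The arithmetic in the post above (bits of entropy, and days to exhaust them at a given guess rate) and the two mutators discussed in this thread (digits appended at the end of the phrase, whole words upper-cased) as an added Python example. This is not code from the Readable Passphrase Generator plugin, whose generator builds phrases from a grammar rather than picking words uniformly; the entropy helper here assumes uniform, independent word choice, and the sample phrase and dictionary size are constructed for illustration.

```python
import math
import random
import secrets


def passphrase_entropy_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of word_count words chosen uniformly and independently from a
    dictionary of dictionary_size words (an assumption; a grammar-based
    generator yields less than this for the same word count)."""
    return word_count * math.log2(dictionary_size)


def digit_suffix_entropy_bits(digit_count: int) -> float:
    """Extra entropy from appending digit_count uniformly random decimal digits."""
    return digit_count * math.log2(10)


def brute_force_days(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to exhaust a 2**bits keyspace at the given guess rate.
    60 bits at 1e12 guesses/s comes out at about 13.3 days."""
    return (2 ** bits) / guesses_per_second / 86400


def deterministic_rng(seed: int) -> random.Random:
    """Seeded generator for reproducible demos only; never use for real passwords."""
    return random.Random(seed)


def end_of_phrase_digits(phrase: str, min_digits: int, max_digits: int, rng=None) -> str:
    """The requested 'EndOfPhrase' numeric mutator: append a run of random digits
    whose length is itself chosen at random between min_digits and max_digits."""
    rng = rng or secrets.SystemRandom()   # CSPRNG by default
    if not 0 <= min_digits <= max_digits:
        raise ValueError("need 0 <= min_digits <= max_digits")
    length = rng.randint(min_digits, max_digits)
    digits = "".join(str(rng.randrange(10)) for _ in range(length))
    return phrase + digits


def uppercase_whole_words(phrase: str, word_count: int, rng=None) -> str:
    """Upper-case word_count randomly chosen whole words, leaving the rest intact,
    so the phrase stays readable (no per-letter case mixing)."""
    rng = rng or secrets.SystemRandom()
    words = phrase.split(" ")
    chosen = set(rng.sample(range(len(words)), min(word_count, len(words))))
    return " ".join(w.upper() if i in chosen else w for i, w in enumerate(words))


def meets_complexity(password: str) -> bool:
    """The common 'upper, lower and a digit' policy the mutators exist to satisfy."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


if __name__ == "__main__":
    # Constructed sample: the phrase quoted in the thread, with a hypothetical
    # dictionary size chosen so seven uniform words land near 60 bits.
    base = "the statesman will burgle amidst lucid sunlamps"
    bits = passphrase_entropy_bits(7, 380)
    print(f"{base!r}: ~{bits:.1f} bits, ~{brute_force_days(bits, 1e12):.1f} days at 1e12/s")
    mutated = uppercase_whole_words(end_of_phrase_digits(base, 2, 4), 1)
    print(f"{mutated!r} meets policy: {meets_complexity(mutated)}")
    print(f"4 trailing digits add ~{digit_suffix_entropy_bits(4):.1f} bits")
```

Note that the digits appended at the end add a little entropy but do nothing to move the phrase away from the "dictionary words plus short number" shape crackers target; the phrase's length and randomness, not the suffix, are what keep it out of reach.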
Sep 25, 2014 at 12:52 PM
Hi Murray,

You are correct, I would like to add a (controllable) variable-length number at the end of a passphrase, because lots of password rules I run into on a daily basis demand text AND numbers :)

Theo
Sep 25, 2014 at 1:36 PM
Hi VWFeature,

IMHO, using leet-type character replacements kind of kills the idea of a readable password phrase :)

As long as the entropy and bitlength and other strength criteria are met, who cares what characters the password is made up of, besides readable? :)

Theo
Sep 25, 2014 at 1:46 PM
Oh, and I'll throw in the EndOfPhrase option for the numeric mutator at no extra charge!
Sep 25, 2014 at 4:09 PM
Wheeeee :)

thx !