Pete Finnigan's Oracle Security Weblog

http://www.curtiscopley.com/ - (broken link) Curtis Copley emailed me to let me know about his new paper on a grammatically correct random passphrase generator and also the free tools he has created to implement this in Java and also in PL/SQL. The paper is available on http://www.curtiscopley.com/ - (broken link) his website and the tools are also available as links at the end of the paper. This is an excellent piece of work that shows how he has worked through the problem and created code to generate random pass phrases that can be remembered by people but also that have the required strength (@47 bits) using a dictionary of chosen words of around 10,000 options. The password randomness rules are based on NIST requirements. The paper ois best introduced with a sample from the first section:

A grammar-based random pass-phrase generator can help make life easier for users and system administrators by generating memorable passwords that should meet the needs of most sites. With this algorithm, users should be able to choose a password more easily. The passwords produced by the algorithm should be easy enough to type, reducing the likelihood of being accidentally locked out of the system by logon failures. System administrators may finally be able to spend less time resetting passwords and unlocking accounts, without sacrificing security.



Passwords provide much of computer and data security, but they suffer from conflicting requirements: Ideally, they would be easy to memorize and quick to type, yet they should also be able to withstand attack by an automated password cracking program. The United States Department of Defense (DOD), and the National Institute of Standards and Technology (NIST) established requirements that are intended to strengthen passwords. Unfortunately, many users (and system administrators) find it tough to come up with passwords that meet DOD and NIST requirements, and even tougher to memorize their passwords. Users forget their passwords, or mistype them and cause an account lockout. System administrators then need to come up with secure new passwords for these users.



A grammatically-correct random pass phrase generator can make passwords that are easy enough for users to memorize, yet still be secure. The program can generate over 200 trillion different equally-likely pass phrases (in security terms, a strength measured at about 47 bits of entropy). The passwords will be between 14 and 22 characters long. Since most of the password length comes from familiar English words, the length is more tolerable. The random selection of words often results in absurd phrases. Absurdity is good. Advertisers use absurdity to make their messages more memorable.



Here is a random sampling of passwords from the program, along with the words separated by spaces for easy reading:



PASSWORD
WORDS

`55ScabbyGateAromas`
55 Scabby Gate Aromas

||BroodsPaving25Ghouls
Broods Paving 25 Ghouls

``ThreatPlops45Pumas
Threat Plops 45 Pumas

To read the complete article and get the sample implementation in Java and also in PL/SQL got to http://www.curtiscopley.com/ - (broken link) Curtis Copley's website.

Excellent piece of work.