Alien Isolation Passcode List

[Pelagio Bosch]

Inparticular I just ran into a site that used auto-generated codes but the codes it made were impossible to tell if a letter was a D an O or a 0. I i l 1 can also be indistinguishable depending on the type style.

This would seem like it should be a common UX guideline, never generate codes with those characters. Maybe even U V u v should be removed. g q and 9, 6 and G as well. Next to each other sometimes these are more obvious but in a random code it's not always clear.

Note: this question is not about passwords, it's about passcodes (maybe there is another name). A password is something a user can possibly create. A passcode is something a computer creates like emailing you a 6 character code to type in.

For example Apple will popup a 6 digit number, a passcode, on an registered Apple device when you try to log into icloud.com. Apple doesn't have the UX problem above because their passcodes are only digits, no letters.

Note: Obviously if you have 0 and O next to each other you can probably tell them apart. But if you the passcode it shows you is Z35O96 it's not going to be obvious to large percentage of users if that's a letter O or a number zero.

Based on this question and answer it appears that they chose to reduce the possible characters to reduce confusion. Some like O & 0, S & 5 were probably dropped for visual similarity, while others like E & N may have been dropped for audial similarity with other letters when spoken.

This is the golden solution to eliminate ambiguity and reduce short-term memory load. The character count and ambiguity of the numbers and letters don't matter if the user can use the passcode without memorizing it.

There are no standard guidelines of which I am aware; what I've observed most often is that, when dealing with issues of security like this one, companies prefer to evaluate their own security model and implement what they feel is best for their interests, rather than adopt a one-size-fits-all standard model.

Conveniently, this same problem is present in another common use case: automobile license plates. Much like the passcode your mention here, the alphanumeric sequences 1) appear to be just a random assortment of meaningless characters, and 2) must be unambiguously legible.

There is some variation in license plate implementations (e.g. each state in the United States determines its own manner in which it issues license plates), however, most states will omit the letters I, O, and often Q to help mitigate some of the ambiguity.

There is another solution to consider: if you do not want to limit the character set of the generated code (which, in my opinion, is probably the easiest solution), simply accept both I/1 and O/0 in each others' places. This is sacrificing only a hair of entropy for the convenience of automatically resolving ambiguities in the passcode. Whether or not this increases or decreases the mental load of your users could be the topic of some quick user testing.

To consider: You need to put in balance where you will display this code too. For smaller sizes screens you might still have a problem with any font you choose. Also, this is not great when you need to send the user an email with that code, you will need to use a system font for that and you hit this problem again.

The only published guidelines I know of are about making sure that any text displayed is legible by appropriate choice and usage of fonts, contract, size, etc. The guidelines are intended to make sure all text is legible and require you to have a fairly high degree of control over the final display. If you are printing 5x7 dot matrix characters in red on a black background, you are going to have serious problems no matter what symbols you use.

Side note: it still bugs me that images on the "Golden Record" sent out on Voyager to introduce ourselves to some alien culture use the same glyph for zero and capital oh. Like it was not hard enough to figure out an alien alphabet, you had to also figure out that one of the characters was actually 2 different ones.

If possible use BOTH a font that makes the characters as distinguishable as possible such as a font intended for software development like JetBrains Mono AND colour code the character classes (alphabetic, numeric, other) NEITHER is a is a perfect solution by itself and even BOTH together is less than ideal, but it should give the user the best chance possible given a generator that produces potentially ambiguous characters. As with any colour based UI you should consider colourblindness.

Even with other solutions that alter the generated string, its still a good idea to use a font optimized for individual character recognition. Especially important, if the digit zero is possible, even if the capital letter O is not, use a font with a dotted or slashed 0 glyph, preferably dotted. It would also be a good idea to use a font with lining rather than old style digits if the string contains digits.

A very simple solution would be to just use hexadecimal. Just about any platform you might be using should have the ability to produce a hex representation of a number easily and many people have seen it before even if they don't recognize what it is so you gain at least some potential familiarity. If you use hex, make it case insensitive.

A curated character set that eliminates potentially confused pairs and is case sensitive using characters readily typed on most keyboards can be notably shorter but it much less friendly to a human. This set is 50 characters for instance but it requires the user type random capitalization correctly.

If using numeric codes, make sure to use a font with a dotted or slashed zero to be safe. For hex or curated characters it might still be worthwhile to highlight the character classes in different colours just to provide a bit of additional context for the random string of characters.

Use a string of randomly selected words. This is conceptually no different from a string of random character except using a dictionary of words in place of an alphabet of characters. Fewer words are needed than characters provided the number of words in the dictionary is larer than the alphabet. The overall length of the string will still be longer than a comparable "character" based string though.

If you see the word "call" that's obviously two lower case 'L's even in a font that makes 'l', 'I', and '1' hard to distinguish. This is a particularly useful approach if the string might need to be dictated to another person.

You can improve the human friendliness by giving the random string a grammatical structure to mimic a sentence. "adjective noun(plural) verb(plural 3rd person simple present) adverb" works well for English. It could be extended with "preposition adjective noun(plural)".

Besides length, the downside of this approach is it's more complicated to create, and if you need to handle different languages they each need their own dictionaries and if used, grammar templates. You also need to be aware of homonyms and other easily confused words and words with multiple spellings (their/there, colour/colour, accept/except)

Examples of this idea in slightly different contexts are the Diceware password scheme, the Jitsi Meet conference software which generates nonsense sentences as meeting IDs, or the PGP Word List for dictating key fingerprints over the phone. The EFF also provides alternate word lists for Diceware that could be leveraged for your use case.

Turn each byte into a word from a list of 256. You could use the PGP Word List or use 4 lists of 256 (Adjectives, Plural Nouns, Verbs, Adverbs) and fit them into the template "adjective noun verb adjective"

You can send both and instruct them to use whichever they prefer, or have a toggle to switch which is displayed to them, or make it an option they set ahead of time depending on the situation. Similar word lists of 256 could be made for other languages that need to be supported and the hex provides a fallback for unsupported languages.

"When you reach the Schimed Tower, find Samuels and an injured Taylor in the main lobby. You'll need to find supplies to heal her, so whip out your Motion Tacker to see what direction you need to head in. Start heading towards the Medical Facility through the door on the right, keeping an eye on the Motion Detector.

"Meet with the Doctor Kuhlman at his window to figure out a deal. Since both of you need supplies, you'll find the passcode for the elevator, then both of you will go down to get the supplies. Hit the Emergency Override switch and head into the hallway. Follow the marker on your Motion Detector.

As you make your way over to the locked door across from the Day Room, the alien will drop from above. Throw a Noise Maker to distract he alien or stay hidden to have it walk in the other direction. Once you reach the locked door and that you know the Alien is not near, punch in the code and head inside.

From that room, walk back into the hallway and go to the right. The room on the right has a save station. There is a vent you can use to skip through the hallway, something especially needed if the Alien is nearby.

Enter the next hallway to find a giant circular hallway with rooms attached all around it. If you're just looking for the Keycard and don't care for the collectibles, head for room A-29. Search the body on the floor for the Keycard.

If you are looking for collectibles, your best way to do so is through room hopping. The Alien will wander the hallway, but it only comes into a room if it hears a noise. When you know the Alien is in the other direction, leave the room and walk into the next one. Do this until you have all the collectibles you want.

Return to Kuhlman and give him the passcode. Go all the way to the left end of the circular hallway and unlock the door. This will take you back to his office. He'll activate the elevator and start heading your way. But wait, no, he gets killed by the Alien. Make a run for the elevator on your left.

3a8082e126