free pass phrase constructor

49 views
Skip to first unread message

Dianelos Georgoudis

unread,
Oct 24, 1997, 3:00:00 AM10/24/97
to

Introduction

MakePass.EXE v 1.0 is a freeware program that generates high quality pass
phrases. It is a very small (23 kB) self-sufficient program. You can use
it under DOS (recommended) or Windows. You are free to use, copy and
distribute this program. You can download if from
http://www.tecapro.com/free/makepass.exe

MakePass contains a list of short and common English words. Each word is
between 3 and 6 characters long. There are 4096 (2^12) different words in
the list which means each word you generate provides 12 bits of security
(or entropy). If you use MakePass to generate a list of 5 words, and you
use them in the order in which they are generated, then you create a pass
phrase with 60 bits of security, which is sufficient for most purposes.
You can generate longer lists of words for even more security.

To generate a pass phrase all you have to do is keep on pressing keys on
your keyboard until you have generated a word list of the length you need.
MakePass measures the latency between keystrokes and uses this random data
to select a word at random from its word list.


How to Remember your Pass Phrase

It is important not to forget the pass phrase you have generated. It is
easier to memorize a pass phrase if you can invent a sentence based on
the words in the pass phrase. You can always add a few extra words to
help make the pass phrase more memorable (this will actually increase the
security of your pass phrase). However, you should not delete any of the
original words as this will drastically reduce the security you achieve
with the pass phrase.

If you need to, you can vary the order of the original words to produce a
more memorable pass phrase, however this will also decrease its security.
If you plan to vary the word order in the pass phrase you generate it is
best to use a longer pass phrase. The following table will help you
choose the length of pass phrase to use (over 60 bits of security offers
good protection, over 90 bits of security is probably excessive):

Number of security at security after
words original choosing a new
order order

5 60 bits 53 bits
6 72 62
7 84 71
8 96 80
9 108 89

Another approach you can use is to generate several pass phrases and then
choose the one that is easiest to memorize. If you produce 4 pass phrases
and choose one then you diminish security by 2 bits. If you produce 8
pass phrases and choose one then you diminish security by 3 bits. For
example, if you produce 4 pass phrases of 6 words each, rearrange each
pass phrase to make it easier to memorize, and then choose one of the
four resulting pass phrases, you still end up with 60 bits of security
and, at the same time, you have a pass phrase that is much easier to
memorize. Adding a few extra words to the chosen pass phrase can make it
even easier to memorize, and will at the same time increases security.

These ideas are illustrated in the following example which is based upon
data generated by MakePass. First I generated four pass phrases:

First pass phrase: thief steep niece lucid fitful board
Second pass phrase: exact hassle ace purse ruler quaint
Third pass phrase: envoy sigma buffet movie spicy spot
Fourth pass phrase: Europe creed mile heard number mare

The easiest phrase for me to remember is the third one. If I memorize it
as it is, then I get 70 bits of security. However, if I rearrange it and
then add some extra words I can generate the following sentence:

I saw a movie at my favourite spot about an envoy from
planet Sigma eating a spicy buffet.

I can use this sentence to help me memorize the rearranged 6 words pass
phrase:

movie spot envoy sigma spicy buffet

which still has some 60 bits of security. Or, I can use the complete
sentence as a pass phrase, which would offer even better security but is
rather long if I have to type it frequently.

You can also use MakePass to generate random bytes by executing the
command: MAKEPASS BYTES


Technical Description

Your PC has several internal timers. MakePass uses the channel 2 timer
that runs at 1.190 MHz and is normally used for sound generation.
MakePass uses it to measure the latency of keystrokes. It measures the
latency of two consecutive keystrokes, compares their values and produces
1 bit of random data. The random bits are used to generate a 12 bit
random number. The generation of each random number requires at least 24
keystrokes.

This procedure will not produce random numbers if you type using a
particular rhythm (for example one fast keystroke followed by a slow
keystroke). So, MakePass generates a second independent random value by
adding (or by exclusive ORing) the value of every other latency measure.
When the twelve bit random number is complete, MakePass exclusive ORs the
two values which have been generated, truncates the result to 12 bits and
uses the resulting random number as an index to select a word from the
word list.

Here is a pseudo code representation of MakePass:

NUM is a 16 bit integer
RAND, LI1, LI2 are 32 bit integers
initialize hardware clock
NUM <- 0
RAND <- 0
repeat
start timer
wait for keystroke
stop timer and put result in LI1
start timer
wait for keystroke
stop timer and put result in LI2
(* check for good values of LI1 and LI2 *)
if LI1>50000 and LI2>50000 and | LI1-LI2 | >500 then
if LI1>LI2 then add bit 1 to NUM else add bit 0 to NUM
if LI1 is odd then exclusive-OR LI2 into RAND
else add LI2 into RAND
until 12 bits added to NUM
exclusive-OR RAND into NUM
cut NUM down to 12 bits (* now NUM between 0 y 4095 *)
use NUM as an index to the wordlist (* with 4096 words *)
display word

The 4096 words in the word list were chosen according to the following
criteria:
- each word must contain between 3 and 6 characters
- each word must be a common English word
- each word should be clearly different from each other
word, orthographically or semantically

The MakePass word list has been placed in the public domain
(http://www.tecapro.com/free/makepass.lst). You can use this word list
for many other purposes. For example, you could write a program to
capture pass phrases as they are typed and check that each of the words
they contain is from the MakePass list. In this way you will be able to
catch most typing errors without disclosing any information about the
pass phrase itself.


Integrity of the Program

MakePass checks the integrity of the program before starting to generate a
pass phrase. Of course, someone could replace the original program with a
doctored version and thus invalidate this integrity check. If you have any
doubt about the integrity of the program you are using then download a new
copy from TecApro's web site (http://www.tecapro.com) and as an additional
security measure pkzip it. This should produce a zipped file with a
CRC-32 of: 29762891.

-------------------==== Posted via Deja News ====-----------------------
http://www.dejanews.com/ Search, Read, Post to Usenet

Selom Ofori

unread,
Oct 25, 1997, 3:00:00 AM10/25/97
to

is the source available?

Dianelos Georgoudis

unread,
Oct 27, 1997, 3:00:00 AM10/27/97
to

In article <3452AF5B...@chat.carleton.ca>,

Selom Ofori <sof...@chat.carleton.ca> wrote:
>
> is the source available?
>
> Dianelos Georgoudis wrote:
>
> > Introduction
> >
> > MakePass.EXE v 1.0 is a freeware program that generates high quality pass
> > phrases. It is a very small (23 kB) self-sufficient program. You can use
> > it under DOS (recommended) or Windows. You are free to use, copy and
> > distribute this program. You can download if from
> > http://www.tecapro.com/free/makepass.exe
> > ...

Almost, Yes.

MakePass.EXE includes proprietary technology such as algorithms for text
compression. The documentation of MakePass includes pseudo-code with
which any programmer can write a similar program. The difficult part is
the word-list, and this I have already put in the public domain.

I understand though that security oriented programs should make public
their source code. As a compromise, I am posting the source of the
program MKPS that if functionally equivalent to MakePass. Non essential
parts, such as the text compression and self-validation were omitted;
this makes MKPS simpler to read. The source is in Pascal which can be
read even by people not familiar with the language.

This is the source code:

program MKPS;
(* This is a DEMONSTRATION program that is functionally identical
to MAKEPASS.EXE, a pass frase contructor. You can compile it with
Borland's Pascal compilers. It will only work on a PC. It uses
an external text file with 4096 English words. You can download
this file from http://www.tecapro.com/free/makepass.lst or
substitute it with another word list. For more information about
MAKEPASS, visit: http://www.tecapro.com/makepass
Beware: Parts of this program are copyrighted. You may compile this
source code and freely use or copy the resulting executable program
that produces pass phrases, but you may not copy the copyrighted
source code section into other programs.
Disclaimer: TecApro is not responsible for any damage, direct or
indirect, resulting from the use of this program. *)

uses dos,crt;
const
wordSize=6;
numWords=4096;
escChar=chr(27);
var
words:array[0..numWords-1] of string[wordSize];

procedure startTimer; forward; (* defined in the copyrighted section *)
function stopTimer:longInt; forward;

function makeIndex:word;
(* This is the heart of the program. It uses the keyboard latency to
return a random number of 12 bits *)
var ch:char; (* character *)
li1,li2:longInt; (* 32 bit integers *)
num,cont,rand:word; (* 16 bit integers *)
begin
num:=0; cont:=0; rand:=0;
repeat
startTimer;
ch:=readKey; if ch=escChar then halt;
li1:=stopTimer;
startTimer;
ch:=readKey; if ch=escChar then halt;
li2:=stopTimer;
if (li1>50000) and (li2>50000) and ( abs(li1-li2)>500 ) then
begin inc(cont);
num:=num shl 1; (* shift num left one bit *)
if li1>li2 then num:=num or 1;
end;
if odd(li1) then rand:=rand xor li2 else rand:=rand + li2;
until cont=12; (* 12 bits in num *)
num:=num xor rand;
num:=num and $FFF; (* use the last 12 bits *)
makeIndex:=num;
end;

(* ---------------------------------------------------------------------
Definition of the timer. This is the copyrighted section. You may use
this code only to compile this program. You may not use this code for
any other purpose without written approval from TecApro.
*)
var
tickCount:longint;
timedelay:word;
tiStart,tiStop,ti:longInt;
vStart: longInt;
scOldTimer:pointer;
scpExitProc:pointer;

Function GetFastCrono:word;
inline($b0/$80/$e6/$43/$e4/$42/$88/$c3/$e4/$42/$b1/$08/$d3/$e0/$88/$d8);

Procedure CLI;Inline($fa);

Procedure STI;Inline($fb);

procedure startTimer;
var gfc:word;
begin
CLI;
gfc:=getFastCrono;
tiStart:=tickCount + 65536-gfc;
vStart:=tiStart;
STI;
end;

function stopTimer:longInt;
var gfc:word;
begin
CLI;
gfc:=GetFastCrono ;
tiStop:=tickCount + 65536-gfc;
inc(vStart,timedelay);
stopTimer:=tiStop - vStart;
STI;
end;

procedure scExitProc;
begin exitProc:=scpExitProc;
SetIntVec($08,scOldTimer);
NoSound;
halt;
end;

Procedure StartFastCrono;
Inline($e4/$61/$0c/$01/$e6/$61/$b0/$b0/$e6/$43/$b0/$00/$e6/$42/$e6/$42);

Procedure TimerDriver; Interrupt;
Begin
inline($9c/$ff/$1e/scOldTimer);
tickCount := tickCount + 65370;
StartFastCrono;
End;

Procedure initializeTimer;
var i:integer;
sum:longInt;
begin
scpExitProc:=exitProc;
exitProc:=addr(scExitProc);
GetIntVec($08,scOldTimer);
SetIntVec($08,Addr(TimerDriver));
tickCount:=-65370;
repeat until tickCount = 0;
timeDelay:=0;
sum:=0;
for i:=1 to 16 do
begin startTimer;ti:=stopTimer;
sum:=sum+ti;
end;
timeDelay:=sum div 16;
end;
(* end of copyrighted section ------------------------------------------*)

var
ft:text; (* ASCII file *)
i,index:word;
begin (* main program *)
clrscr;
initializeTimer;

assign(ft,'makepass.lst'); (* open file with 4096 words *)
reset(ft);
for i:=0 to numWords-1 do readln(ft,words[i]);
close(ft);

writeln(' This is a demonstration program. Download the full');
writeln(' and free version from http://www.tecapro.com.');
writeln;
writeln(' Keep typing and typing until the pass phrase words appear.');
writeln(' To exit the program, press "Esc".');
writeln;

repeat
index:=makeIndex;
write(words[index],' ');
until false; (* repeat until user types "Esc" in makeIndex *)
end.

Reply all
Reply to author
Forward
0 new messages