Password Generator functionality


#1

A function of the Apple password generator in Users is the ability to choose “memorable” options that are visually easier to remember and use. The overall options that are offered make it more likely a user will use the generator rather than known passwords.

Thoughts?


#2

Hi @TheMadCow

That is certainly something we can consider adding to Codebook in the future. Thank you for suggesting the idea. Take care!


#3

This is an excellent idea. I often find myself going to the Apple generator for memorable passwords, and it would be great not to have to take the extra steps to create and save in Codebook. I urge you to implement sooner rather than later.

Thanks, and I fully endorse your product.


#4

@TheMadCow, @jhodge, thanks for the suggestion, we’ve had others like it, in particular asking for Diceware passwords. Could you give us examples of the kind of values you are looking for? Are you familiar with Diceware? I think that would be a great option for Codebook’s password generator to provide more memorable passwords in a secure way. Smashing a couple of words together with a number, however, is probably not something we will consider (e.g. boots73grapefruit).

Example

Suppose you want a six word passphrase, as we recommend for most users. You will need 6 times 5 or 30 dice rolls. Let’s say they come out as:

1, 6, 6, 6, 5, 1, 5, 6, 5, 3, 5, 6, 3, 2, 2, 3, 5, 6,
1, 6, 6, 5, 2, 2, 4, 6, 4, 3, 2, and 6.

Write down the results on a scrap of paper in groups of five rolls:

1 6 6 6 5
1 5 6 5 3
5 6 3 2 2
3 5 6 1 6
6 5 2 2 4
6 4 3 2 6

You then look up each group of five rolls in the Diceware word list by finding the number in the list and writing down the word next to the number:

1 6 6 6 5 cleft
1 5 6 5 3 cam
5 6 3 2 2 synod
3 5 6 1 6 lacy
6 5 2 2 4 yr
6 4 3 2 6 wok

Your passphrase would then be:

cleft cam synod lacy yr wok


#5

I should clarify this: we consider everything (all the things!), but personally I think the example I was citing is not a good idea 🙂


#6

Why would you not consider a scheme like Diceware? From what I understand (links below) the entropy in passwords from schemes like that is more than random numbers, letters, etc.


#7

Hello @Chris_Lyttle - I think there may be some confusion, in this case @wgray is actually in favor of diceware:

This is in fact something that we’re thinking about and have discussed internally recently.

To clarify, we’re not in favor of simpler word / number schemes, e.g. apple95stapler! because they have reduced entropy and are more easily predictable.


#8

Board won’t allow image attachments, otherwise I’d show the “more memorable” passwords from the native password generator that Apple uses. It uses combinations (specified complexity/length) of words and characters that are mnemonic in design.


#9

Hi @TheMadCow

Your account should have the correct trust level now to allow uploading an image. Could you try again?


#10

Here’s the Apple PW generator in Users. You can choose from a variety of formats. The Memorable selection formats with words and characters. It’s a good compromise for most users because, well, they’re users.

Thanks for bumping me up to allow pic posting.

-Geoff


#11

@wgray love the idea of having diceware passwords as an option. For certain passwords I need to type easily enough, I have a script that generates a diceware password, and just use that when I need it. But it would really be great to have a native option.


#12

Hi Geoff,

Thanks for posting this! I thought that’s what you had in mind. These types of passwords, e.g. jaws7-spotted, are easier to crack due in part to their memorable nature. If we were to come up with them ourselves they’d only be marginally less secure than if the two words and number were chosen randomly, with today’s computing firepower. Doesn’t take much to crack dogs57firetruck if the attacker suspects this pattern is being used. That may be just fine for some purposes, but we’d need to carefully consider whether it should be an option in a feature that is intended to generate secure random passwords.

Cheers,
Billy
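
The Diceware lookup from post #4 and the entropy gap between a six-word passphrase and the word-number-word pattern discussed above, as an added example that is not part of any post or of Codebook's code. `SAMPLE_LIST` is a constructed excerpt holding only the six entries quoted in the thread, and drawing the pattern's two words from a 7776-word list is an assumption.

```python
import math
import secrets

# Constructed excerpt in the usual "rolls<TAB>word" list format, holding only
# the six entries quoted in the thread; a full Diceware list has 7776 entries.
SAMPLE_LIST = "16665\tcleft\n15653\tcam\n56322\tsynod\n35616\tlacy\n65224\tyr\n64326\twok\n"
LIST_SIZE = 6 ** 5  # five rolls of a six-sided die select one word
# The 30 rolls from the worked example in the thread.
PAGE_ROLLS = [int(c) for c in "166651565356322356166522464326"]

def parse_wordlist(text):
    """Map each five-digit roll key to its word, rejecting malformed keys."""
    words = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split(None, 1)
        if len(key) != 5 or any(c not in "123456" for c in key):
            raise ValueError(f"bad roll key: {key!r}")
        words[key] = word.strip()
    return words

def roll_dice(n_words):
    """Five rolls per word from the OS CSPRNG (secrets), not the random module.
    Looking these up needs the full 7776-entry list, not the excerpt above."""
    return [secrets.randbelow(6) + 1 for _ in range(5 * n_words)]

def lookup(rolls, words):
    """Group the rolls in fives and look up each group, as in the thread."""
    if len(rolls) % 5:
        raise ValueError("need a multiple of five rolls")
    keys = ["".join(map(str, rolls[i:i + 5])) for i in range(0, len(rolls), 5)]
    return " ".join(words[k] for k in keys)

def diceware_bits(n_words):
    """Entropy when every word is an independent uniform pick from the list."""
    return n_words * math.log2(LIST_SIZE)

def word_number_word_bits(digits=2):
    """Entropy of word + digits + word once the attacker knows the pattern.
    Assumption: both words are uniform picks from the same 7776-word list."""
    return 2 * math.log2(LIST_SIZE) + digits * math.log2(10)

if __name__ == "__main__":
    print(lookup(PAGE_ROLLS, parse_wordlist(SAMPLE_LIST)))
    print(f"{diceware_bits(6):.1f} bits vs {word_number_word_bits():.1f} bits")
```

The figures are upper bounds: they hold only when every element is chosen by dice or a CSPRNG, and words a person picks for themselves carry less entropy than the formula gives.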


#13

Just to clarify, while that type is easier to crack, I was thinking of more complex but still mnemonic enough that you’ll remember it without writing it down. I’m considering “normal” users, not people who know better.

An infinite amount of monkeys pounded this out for me.


#14

I’m not sure I trust “memorable” passwords, as they still contain dictionary words and are therefore more easily patterned. I would, however, like the password generator reorganized a bit with some additions.

  • Update the Character Set selection to use toggles for each available set to build up full character set (instead of selecting a preconfigured one):
    -Special Characters
    -Numbers
    -Uppercase ASCII
    -Lowercase ASCII

  • Add an additional exclusion toggle
    -Exclude Ambiguous Characters: { } [ ] ( ) / \ ’ " ` ~ , ; : . < >

  • Some websites only allow specific special characters. Add a text field with an associated drop-down menu to select between inclusion/exclusion:
    -Always include the following characters
    -Always exclude the following characters

You’d obviously want to filter the text field to show a unique list (remove duplicate entries) upon focus lost or password generation.

Anyway, thanks for the great product! BTW, I’m currently using Codebook on OS X and iOS.


#15

Just wanted to drop by and mention this in case it has been overlooked in recent release notes: the password generator has been getting some love. We introduced a Diceware option on iOS in version 3.1.0 earlier this week, and on macOS in version 3.0.8. Please let us know what you think.


#16

I’ve been using the Diceware option and I like it. I’m glad the latest version fixed the crash on sync problem. That was a PITA.

Thanks!

-Geoff


#17

Just a follow up. I’ve enjoyed using the DW option. I’m amazed in this day and age that a fair amount of websites don’t allow or recognize the DW format. You’d think making it complex is not a bad thing. Bad coding on the webdev’s part?

-Geoff