Re: Security for under a buck fifty
At 9:42 AM 7/12/94, Mike Johnson second login wrote:
[Ben.Goren@asu.edu [me] wrote about generating pass phrases from true random numbers, mapping into a character set, creating mnemonics.]
I already do this -- except that I use a keystroke-timing program for the true random source, and I do the mnemonic generation with my brain instead of the program. My program just converts the random numbers to uniformly distributed printable ASCII (values between space and del), for a little more entropy than 6 bits per character.
The tradeoff is between number of characters needed (length of passphrase) and diversity of character set. I'd probably have better luck with the mnemonic if I didn't have to fit in a whole string of %*$@!, but that should probably be a user setting.
A more automated way to generate a pass phrase might be to convert every 16 bits of random numbers to one of 65536 words and names in your favorite languages. That way, you would have real words to memorize, but in a strange order. For example, a 128 bit key might be: tree elephant action roof zymurgy eight top slash.
You could try to think of some story to link the 8 originally unrelated words together and help you to remember it.
Another possibility: have a dictionary of different parts of speech and assemble them in order. For a short example, each passphrase could be in an order such as: Article adjective modifier noun verb article adjective modifier noun. Our favorite would fit: The quick brown fox jumps over the very lazy dog. This loses entropy (Mallet knows the order, and probably the dictionaries) and so you would want either a longer sentence or some other modification, like random--not decided by the person--capitalization or character substitution. Or have two sentences: The quick brown fox jumps over the very lazy dog; a lovely ermine glove fits into the hazy slumping bucket.

Figure thirteen bits each with dictionaries of ten thousand each adjectives, modifiers, nouns, and verbs--your final dictionary would be 40 thousand words, total; you'd need about ten words to get 128 bits. Make that two shorter--eight word--sentences, restricted to easy-to-remember orderings, and you've more than made up for whatever entropy was lost in having a known structure.

Umph. I think I need to start making time to write code, if I want to see this work.

b&

--
Ben.Goren@asu.edu, Arizona State University School of Music
net.proselytizing (write for info): Protect your privacy; oppose Clipper. Voice concern over proposed Internet pricing schemes. Stamp out spamming.
Finger ben@tux.music.asu.edu for PGP 2.3a public key.
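The three schemes Ben describes (uniform printable ASCII from random numbers, a flat word list indexed by random bits, and a fixed part-of-speech template with random capitalization added back) as a worked example. This is added code, not Ben's program or anything posted in the thread. The word lists are constructed toy dictionaries of 16 words and 2 to 8 words per class, chosen as powers of two so the per-word entropy comes out in whole bits; the 65536-word and 10,000-words-per-class dictionaries of the post are only plugged into the length arithmetic. It uses Python's `secrets` module rather than keystroke timing as the random source, and `secrets.randbelow()` rather than `byte % 95` so the printable-ASCII mapping is not skewed toward the low end of the range.

```python
import math
import secrets

# Constructed toy dictionaries (not the post's 65536-word or 10,000-words-per-class
# lists). Entropy is computed from len(), so the figures are honest for these
# small lists; sizes are powers of two so each slot is a whole number of bits.
WORDS = ["tree", "elephant", "action", "roof", "zymurgy", "eight", "top",
         "slash", "lovely", "ermine", "glove", "hazy", "slumping", "bucket",
         "fox", "dog"]                                       # 16 words -> 4 bits
CLASSES = {
    "article":   ["the", "a"],                                         # 1 bit
    "adjective": ["quick", "lazy", "lovely", "hazy", "slumping",
                  "tall", "rusty", "silent"],                          # 3 bits
    "modifier":  ["brown", "very", "ermine", "wooden"],                # 2 bits
    "noun":      ["fox", "dog", "glove", "bucket", "tree",
                  "elephant", "roof", "bridge"],                       # 3 bits
    "verb":      ["jumps", "fits", "paints", "guards"],                # 2 bits
}
# The slot order from the post. Mallet is assumed to know it and CLASSES,
# so only the choices within each slot count as entropy.
TEMPLATE = ["article", "adjective", "modifier", "noun", "verb",
            "article", "adjective", "modifier", "noun"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, bits: int) -> int:
    """Fewest symbols from an alphabet of that size needed to reach `bits`.
    This is the length-versus-character-set trade-off from the post."""
    return math.ceil(bits / math.log2(alphabet_size))


def random_printable(length: int) -> str:
    """Uniform printable ASCII, codes 32 (space) through 126 ('~'): 95 symbols,
    log2(95) ~ 6.57 bits each. randbelow() is unbiased; `byte % 95` would not be."""
    return "".join(chr(32 + secrets.randbelow(95)) for _ in range(length))


def word_passphrase(bits: int, words: list[str]) -> list[str]:
    """Enough uniformly chosen words from `words` to carry at least `bits`."""
    return [secrets.choice(words) for _ in range(length_for_bits(len(words), bits))]


def template_entropy(template: list[str]) -> float:
    """Entropy of a sentence built from `template` when the slot order is public."""
    return sum(math.log2(len(CLASSES[slot])) for slot in template)


def sentence_passphrase(template: list[str]) -> list[str]:
    """Fill each slot of `template` with a uniform pick from its word class."""
    return [secrets.choice(CLASSES[slot]) for slot in template]


def random_capitalize(words: list[str]) -> list[str]:
    """Random (not user-chosen) capitalization: adds exactly one bit per word."""
    return [w.capitalize() if secrets.randbits(1) else w for w in words]


if __name__ == "__main__":
    for size, name in [(95, "printable ASCII"), (64, "6-bit charset"),
                       (65536, "16-bit word list"), (10000, "10k-word classes")]:
        print(f"{name:17} needs {length_for_bits(size, 128):2d} symbols for 128 bits")
    print(random_printable(length_for_bits(95, 128)))
    print(" ".join(word_passphrase(128, WORDS)))
    sentence = sentence_passphrase(TEMPLATE)
    bits = template_entropy(TEMPLATE)
    print(" ".join(random_capitalize(sentence)),
          f"({bits:.0f} bits from the slots, {bits + len(sentence):.0f} with capitalization)")
```

Running it reproduces the post's arithmetic: 8 words from a 65536-entry list, about 10 from 10,000-word classes, and 20 printable-ASCII characters for 128 bits. With the toy template the two-bit modifier and one-bit article slots show why a known structure is expensive: the nine-word sentence carries only 20 bits here, and random capitalization buys back just one bit per word.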
On Tue, 12 Jul 1994 uunet!asu.edu!Ben.Goren@gedora wrote:
... The tradeoff is between number of characters needed (length of passphrase) and diversity of character set. I'd probably have better luck with the mnemonic if I didn't have to fit in a whole string of %*$@!, but that should probably be a user setting.
Good point. I prefer the )*&^$!(~ stuff in there, but some may not.
... Another possibility: have a dictionary of different parts of speech and assemble them in order. For a short example, each passphrase could be in an order such as:
Article adjective modifier noun verb article adjective modifier noun.
Good idea.
Umph. I think I need to start making time to write code, if I want to see this work.
Go for it!
participants (2)
- Ben.Goren@asu.edu
- Mike Johnson second login