|
MakePass.EXE v 1.0 Written by Dianelos Georgoudis, TecApro International october 97
MakePass.EXE v 1.0 is a freeware program that generates high quality pass phrases. It is a very small (23 kB) self-sufficient program. You can use it under DOS (recommended) or Windows. You are free to use, copy and distribute this program. Click here to download MakePass.EXE. MakePass contains a list of short and common English words. Each word is between 3 and 6 characters long. There are 4096 (2^12) different words in the list which means each word you generate provides 12 bits of security (or entropy). If you use MakePass to generate a list of 5 words, and you use them in the order in which they are generated, then you create a pass phrase with 60 bits of security, which is sufficient for most purposes. You can generate longer lists of words for even more security. When we say a pass phrase has N bits of security we mean that an attacker would have to try on average some 2^(N-1) guesses in order to discover the pass phrase. With 60 bits of security the number of guesses required is about 576 quadrillion. To generate a pass phrase all you have to do is keep on pressing keys on your keyboard until you have generated a word list of the length you need. MakePass measures the latency between keystrokes and uses this random data to select a word at random from its word list.
It is important not to forget the pass phrase you have generated. It is easier to memorize a pass phrase if you can invent a sentence based on the words in the pass phrase. You can always add a few extra words to help make the pass phrase more memorable (this will actually increase the security of your pass phrase). However, you should not delete any of the original words as this will drastically reduce the security you achieve with the pass phrase. If you need to, you can vary the order of the original words to produce a more memorable pass phrase, however this will also decrease its security. If you plan to vary the word order in the pass phrase you generate it is best to use a longer pass phrase. The following table will help you choose the length of pass phrase to use (over 60 bits of security offers good protection, over 90 bits of security is probably excessive in the sense that the risk of forgetting an even bigger pass phrase becomes too large - if you are very confident about your memory feel free to memorize an even stronger pass phrase):
Another approach you can use is to generate several pass phrases and then choose the one that is easiest to memorize. If you produce 4 pass phrases and choose one then you diminish security by 2 bits. If you produce 8 pass phrases and choose one then you diminish security by 3 bits. For example, if you produce 4 pass phrases of 6 words each, rearrange each pass phrase to make it easier to memorize, and then choose one of the four resulting pass phrases, you still end up with 60 bits of security and, at the same time, you have a pass phrase that is much easier to memorize. Adding a few extra words to the chosen pass phrase can make it even easier to memorize, and will at the same time increase security. These ideas are illustrated in the following example which is based upon data generated by MakePass. First I generated four pass phrases: First pass phrase: thief steep niece lucid fitful board The easiest phrase for me to remember is the third one. If I memorize it as it is, then I get 70 bits of security. However, if I rearrange it and then add some extra words I can generate the following sentence: I saw a movie at my favourite spot about an envoy from planet Sigma eating a spicy buffet. I can use this sentence to help me memorize the rearranged 6 words pass phrase: movie spot envoy sigma spicy buffet which still has some 60 bits of security. Or, I can use the complete sentence as a pass phrase, which would offer even better security but is rather long if I have to type it frequently. You can also use MakePass to generate random bytes by executing the command: MakePass bytes The most important advice for not forgetting your pass phrase is to use it often. One idea is to have your computer ask you to recite your pass phrase(s) each time you turn it on. Never write down your pass phrase on a piece of paper, unless you are too worried about your memory - in this case put this piece of paper in a very safe place. Security is about risk - if you think that it is more probable that you will forget the pass phrase than that a thief will break your safe, then your safe is a safer place than your brain.
Here are some ways to increase the entropy: 1. Make some spelling error. For example write "movy" instead of "movie". 2. Use some upper case characters. 3. Add staff such as punctuation symbols, garbage characters or digits, etc. Here is an improved version of the pass phrase produced above: I saw a movy at my favourite SPOT,,, about an envoy from planet Sigma eating a spicy buffet!!! Beware: Any increase in the entropy of your pass phrase makes it more difficult to remember. Also it is not easy to quantify the amount of total entropy, so always start with a good pass phrase before increasing its entropy.
Your PC has several internal timers. MakePass uses the channel 2 timer that runs at 1.190 MHz and is normally used for sound generation. MakePass uses it to measure the latency of keystrokes. It measures the latency of two consecutive keystrokes, compares their values and produces 1 bit of random data. The random bits are used to generate a 12 bit random number. The generation of each random number requires at least 24 keystrokes. This procedure will not produce random numbers if you type using a particular rhythm (for example one fast keystroke followed by a slow keystroke). So, MakePass generates a second independent random value by adding (or by exclusive ORing) the value of every other latency measure. When the twelve bit random number is complete, MakePass exclusive ORs the two values which have been generated, truncates the result to 12 bits and uses the resulting random number as an index to select a word from the word list. Here is a pseudo code representation of MakePass: NUM is a 16 bit integer The 4096 words in the word list were chosen according to the following criteria: The MakePass word list has been placed in the public domain. To download a copy click here. You can use the MakePass word list for many other purposes. For example, you could write a program to capture pass phrases as they are typed and check that each of the words they contain is from the MakePass list. In this way you will be able to catch most typing errors without disclosing any information about the pass phrase itself.
Integrity of the Program MakePass checks the integrity of the program before starting to generate a pass phrase. Of course, someone could replace the original program with a doctored version and thus invalidate this integrity check. If you have any doubt about the integrity of the program you are using then download a new copy from TecApro's web site - http://www.tecapro.com - and as an additional security measure pkzip it. This should produce a zipped file with a CRC-32 of: 91424236.
|
|||||||||||||||||||||||||||||||
This page was last updated on December 28, 1998. ( webmaster@tecapro.com)