Score:2

What's an algorithm for laypeople to make personal passwords

bo flag

I'm going to be teaching an audience about algorithms. I'd like to give them one to create unique personal passwords for websites.

  1. They could start with the domain name of the site and their own secret "word".
  2. The algorithm would be simple enough to memorize. Failing that, they could sketch out my flowchart on the back of a business card or something else that fits in a wallet.

There are similar questions on this site; the given answers were, to me, even more opaque than a cryptographic hash.

But several have pointed to Blum's Human Computable Machine Unbreakable Hash Function (HCMU), as implemented here. The problems are (a) Blum said it would take an hour to memorize the algorithm, and (b) I can't read Python.

Is there a method that fits these criteria?

MAJOR EDIT: It occurs to me that I'm getting the wrong answers because I'm asking the wrong question.

My intent is not to give the class (adults, not children) a password algorithm. It's to show them how to create their own algorithms. That might mitigate the "leaked algorithm" problem.

I could say something like:

"You could use domainname.MySecretWord. That's a bad example, because [several obvious reasons]. A better way would be DomainName.MySecretPhrase.NumberOfLettersInDomainName, but ____

Ultimately, I'd end with something like

"Take these elements; decide if you want to add any additional elements; arrange them following these steps, but first decide the order you want to follow them in."

Is that better?

Score:4
in flag

No, because any easy-to-memorize algorithm would fail Kerckhoffs's principle. You'd basically have one secret algorithm that, if it's leaked, would make all your passwords fail. Very likely multiple people would choose about the same algorithm.

Instead, use a validated password manager that shows the (probable) amount of entropy and generate randomized passwords. You'd still rely on one password in all likelihood (although 2FA-enabled password managers exist), but at least you'd only use it on a limited number of devices and applications.

DocWriter avatar
bo flag
How would the leaked algorithm fail if it depends partly on a secret word chosen by each individual?
Maarten Bodewes avatar
in flag
Because that secret word is not likely to have enough randomness to withstand a standard dictionary search / brute force attack / targeted social engineering attack.
DocWriter avatar
bo flag
Okay. But telling the class to "use a validated password manager" won't help me teach them about algorithms. What should I do instead?
Maarten Bodewes avatar
in flag
You could go into generation of random passwords instead and the algorithms used for that I suppose.
Score:2
cn flag

A common technique is Diceware with one of the new Electronic Frontier Foundation's word lists.

But you clearly need dice. And that's the thing, you need some 'device' that can provide a good degree of uncertainty (entropy). You could pick the words at random, but with a whole class of kids, they'll probably just cluster in the middle.

Alternatively you can use the "three random words" approach, which is now recommended by the UK government for home use. Pick three totally random words or numbers of your choice. A nuance is to think of three descriptive words for something memorable, like your favourite pet spider. That way you can avoid the expense of the dice.

Not initially complex algorithms to be sure, but that then falls on you as a teacher to flesh out the mechanics as you see fit. Entropy measurement is as good a place as any to start...
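As an added illustration of the mechanics this answer leaves to the teacher (not part of the original answer, and not the EFF's own tooling), the following Python script builds a Diceware passphrase from dice rolls and computes the entropy the class can measure. The 36-word list is a constructed toy stand-in for an EFF list, sized so that two dice pick a word; the real EFF long list has 6^5 = 7776 words indexed by five rolls. The `secrets` module plays the role of the dice, and the roll function is injectable so the word lookup can be checked with fixed rolls.

```python
import math
import secrets

# Constructed 36-word toy list (6**2 entries, so two dice rolls pick one word).
# Stand-in for an EFF Diceware list; the EFF long list has 6**5 = 7776 words
# selected by five rolls, giving log2(7776) ~ 12.9 bits of entropy per word.
TOY_WORDLIST = [
    "apple", "brick", "cloud", "delta", "eagle", "fable",
    "giant", "honey", "igloo", "jelly", "kayak", "lemon",
    "mango", "noble", "ocean", "piano", "quilt", "river",
    "salad", "tiger", "umbra", "vivid", "wheat", "xenon",
    "yacht", "zebra", "amber", "bison", "cider", "daisy",
    "ember", "flint", "grape", "hazel", "ivory", "jumbo",
]
EFF_LONG_LIST_SIZE = 6 ** 5  # 7776 words on the real EFF long list


def roll_dice(n):
    """Roll n fair dice using the OS CSPRNG; each value is 1..6."""
    return [secrets.randbelow(6) + 1 for _ in range(n)]


def dice_to_index(rolls):
    """Read a sequence of dice rolls as a base-6 number (faces 1..6 -> digits 0..5)."""
    index = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError("dice show 1..6 only")
        index = index * 6 + (r - 1)
    return index


def dice_per_word(wordlist):
    """Dice needed to index the list; the length must be a power of 6 or the
    lookup would be biased toward the low entries."""
    k = round(math.log(len(wordlist), 6))
    if 6 ** k != len(wordlist):
        raise ValueError("word list length must be a power of 6 for an unbiased lookup")
    return k


def diceware_passphrase(wordlist, n_words, roll=roll_dice):
    """Build an n-word Diceware passphrase; `roll` is injectable for testing."""
    k = dice_per_word(wordlist)
    return " ".join(wordlist[dice_to_index(roll(k))] for _ in range(n_words))


def entropy_bits(list_size, n_words):
    """Entropy of n words chosen uniformly and independently from a list."""
    return n_words * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(diceware_passphrase(TOY_WORDLIST, 4))
    print(f"toy list, 4 words: {entropy_bits(len(TOY_WORDLIST), 4):.1f} bits")
    print(f"EFF long list, 6 words: {entropy_bits(EFF_LONG_LIST_SIZE, 6):.1f} bits")
    print(f"words for 80 bits from the EFF list: {words_needed(EFF_LONG_LIST_SIZE, 80)}")
```

The entropy function also makes the earlier point about the question's domain-plus-secret-word scheme concrete: the domain is public, so the only unknown is the secret word, and `entropy_bits(dictionary_size, 1)` for a dictionary of a hundred thousand words is under 17 bits, against roughly 77 bits for six EFF words.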
