But look at what we've done: we've created noise and then carefully written it down. A better way to get noise is to deterministically create it every time!
Mdpass takes your master password, combines it with a web site name, and uses MD5 to convert the result to a random number. The first 40 bits of that number are then converted to an English-sounding password (the total password space is about 100 billion).

Don't store passwords, "look them up" inside a big bin of random numbers!
The beauty of this approach is that the passwords are never stored on any physical medium. Instead, they reside in the mathematical space of the MD5 function, and you look them up by providing the master password and the password name.
You can keep mdpass on a thumb drive without worrying about anyone stealing your passwords. You can store it in multiple locations, and the passwords won't get out of sync. mdpass is a function, it has no state or memory. You can re-download it when you need to. I will never change the algorithm (this will break all passwords generated with the utility). Instead, when and if I come up with an improvement, I'll make a new web page for the new version.
The generated passwords look like this: tree-lyrid-19 or shetwamais-416. They're always a series of letters separated by dashes, plus a number at the end. Don't worry, this doesn't make them any more guessable; there are still exactly 40 bits of information in them. It makes them easier to hold in your short-term memory while you copy the password, and because they are somewhat pronounceable, it's easier to memorize them.
Download: mdpass.exe
Using: When you type in the web site name and hit enter, a password is generated and shown for 10 seconds. To show it again, simply hit Enter again.
To copy the password to the clipboard instead of showing it, hit Ctrl+Enter.
Important Discussion: Make sure the master phrase is impossible to guess using brute force methods. This means that if your pass-phrase is alphanumeric, it MUST be at least 11 characters long. Why is that? Let's figure out how long it will take the bad guys who are running a web site xyz.com to try all 11-character master phrases (assuming they have guessed the web site name), run them through the mdpass algorithm, and compare the result with the password you provided. If they succeed, they can guess all your present and future passwords made with this utility. So, assuming they can try 1,000,000 passwords per second, it will take them 36^11 / 11e6 = 1.3e10 seconds. Divided by the number of seconds in a year (31 million or 31e6), that's 424 years. Note that even with 9 alphanumeric characters this number already goes down to 4 months! To be safe, you must use long passphrases, no matter how clever they are.

Notes on the algorithm: I used the freely available "Myths and Legends of All Nations" from the Gutenberg project. All words that occurred more than 5 times in the text were broken up into vowel and consonant clusters. For example, the word "children" consists of clusters ch-i-ldr-e-n and "keep" consists of k-ee-p. Then, for each cluster, the program wrote out the clusters that follow it. The final result is a "transition map". Armed with a 40-bit random number that we need to convert to engl-ish, we do the following (pseudo-code follows):
cluster = "";                           // the empty cluster marks the start of a word
while (number >= 1000) {                // stop once fewer than 1000 remain: that remainder is the trailing number
    next_array = transition_map.LookUp(cluster);   // clusters that may follow the current one
    index = number mod size(next_array);
    number /= size(next_array);         // integer division consumes log2(size) bits of the number
    write(next_array[index]);
    cluster = next_array[index];
}
write(number);                          // the number at the end, e.g. the 19 in tree-lyrid-19
Additional notes: because most online password checkers assume that English letters alone aren't random enough, the algorithm always adds some dashes and a number at the end. The number at the end is simply the variable number once it becomes less than 1000. The dashes don't add randomness but satisfy the password checkers. Again, please note that it really doesn't matter that this algorithm doesn't use weird characters like ^ and % -- if it did, the resulting string would be shorter but less readable.
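The derivation described above, written out as a runnable Python example (added here; it is not mdpass's own code). The transition map is a small constructed one, since the real map is built from the Gutenberg text, and placing a dash after every four clusters is an assumption: the page does not say where mdpass puts its dashes.

```python
import hashlib

# Constructed toy transition map (assumption): every cluster that appears in a
# list is also a key, so the walk never dead-ends. Consonant clusters lead to
# vowel clusters and vice versa, as in the real map built from the book.
TRANSITIONS = {
    "": ["b", "k", "sh", "t", "l"],       # clusters that may start a word
    "b": ["a", "e", "i", "o"],
    "k": ["ee", "a", "i"],
    "sh": ["e", "ai", "o"],
    "t": ["a", "ee", "r"],
    "l": ["i", "a", "e"],
    "r": ["a", "e", "i"],
    "a": ["n", "t", "l", "m"],
    "e": ["n", "d", "t"],
    "i": ["n", "t", "l"],
    "o": ["n", "r", "l"],
    "ee": ["p", "n", "t"],
    "ai": ["n", "l", "r"],
    "n": ["a", "e", "i"],
    "m": ["a", "ai", "o"],
    "d": ["e", "a"],
    "p": ["a", "e", "o"],
}


def encode_pronounceable(number: int) -> str:
    """Walk the transition map, consuming the number until fewer than 1000 remain."""
    clusters = []
    cluster = ""
    while number >= 1000:
        next_array = TRANSITIONS[cluster]
        index = number % len(next_array)     # pick the next cluster
        number //= len(next_array)           # and consume those bits
        cluster = next_array[index]
        clusters.append(cluster)
    # Dash after every four clusters (assumption), then the leftover number.
    parts = ["".join(clusters[i:i + 4]) for i in range(0, len(clusters), 4)]
    return "-".join(parts + [str(number)])


def derive_password(master: str, site: str) -> str:
    """MD5(master + site), first 40 bits (5 bytes) -> pronounceable password."""
    digest = hashlib.md5((master + site).encode("utf-8")).digest()
    number = int.from_bytes(digest[:5], "big")  # 0 <= number < 2**40
    return encode_pronounceable(number)


if __name__ == "__main__":
    print(encode_pronounceable(123456789))               # lana-mola-li-529
    print(derive_password("example master phrase", "nytimes"))
```

Because the function has no state, running it on two machines with the same master phrase and site name yields the same password, which is the property the page relies on for keeping copies in sync.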
Complaints about size: yes, I know the executable is 900K; that's because it contains "way too much" library stuff that it never uses.
Is this a trick?: no, it doesn't send all your passwords to me!
What if I don't like the password it generated? Fine, instead of "nytimes", use "nytimes2" as the password name. Or "nytimes3". You'll just have to remember this next time you look up the password.
But if someone finds out my master password, they'll know all my other passwords! That's true of any other password keychain as well. This one is actually more secure, because the person will have to provide an additional string before they'll get the password, and they won't know if it's the password you are using until they try it.
Changing passwords periodically: If your company requires you to change your password every month, you can append a date to the second line, for example instead of xyz, use "xyz may 2008".
I want a blackberry version! You are welcome to write one. Here is enough code to reproduce the functionality of this program: mdpass.cpp
