Re: Paper & pencil password algorithm

Guy Macon <> wrote:

James Taylor wrote:

I don't accept your belief that the entire system is useless
because sometimes websites change their domain names.

You are, once again, putting words in my mouth. I never said
or even implied that "the entire system is useless."

Then I have misjudged you. That did appear to be your attitude.

Why can't you just accept the fact that your method either fails
on some sites or requires per-site memorization?

Yes, in that sense, it does require you to remember something per-site.
You have to remember the name you used to make the password and, by the
way, you also have to remember the version number you appended to the
name if you've changed the password. The point is that these things are
much easier to remember than long random passwords, and they *can* be
written down in plain view because they are not in themselves sensitive
to disclosure.

One of the systems that you rejected early on also makes it fairly
easy to generate very long, very random passwords from nice simple
short names.

Oh look Guy, I'm really really sorry I rejected your Nihilist cipher
suggestion. It was a very good suggestion, and I was extremely pleased
to receive it at the time, but I had what I thought were good reasons
for seeking something better. I did not mean to bruise your ego, really
I didn't. Please accept my sincere apologies.

You don't need a hash to do that. A stream cipher can
generate random-appearing passwords of any length.

Then maybe you can educate me. My understanding of stream ciphers is
that they generate a pseudo-random sequence which is combined (often
XORed) with the plaintext. The problem I see with this is that the
pseudo-random sequence will be the same every time, and this is as bad
as repeatedly re-using a one-time pad, which we know is vulnerable to

The usual way around this is to use a nonce to initialise the stream
cipher's pseudo-random sequence differently each time. The problem with
that is it will produce a different result each time, which is not the
property we want in this case because we want the password to be the
same every time for a given site name.

Perhaps I've missed something, or perhaps you have a better stream
cipher than I know about. If so, I would love to hear it.

you abandoned two of your stated constraints (nothing written down,
no per-website memorization).

Yes, I like the idea of not having to write anything down, or at least
not *needing* to carry around bits of paper. I have striven to achieve
that goal where possible. I do not recall excluding memorisation of
website names. I believe that should be easy, but if I start to doubt my
memory capacity I can still write the names down as a fallback.

Given your new set of constraints, one of the early suggestions
(using a cipher instead of a hash) that you rejected based upon
your now-abandoned constraints appears to be viable.

You mean the Nihilist cipher? The straddling chequerboard it's based on
does some fractionation, but probably not quite enough. I think the
Polybius square gives better fractionation, and its more consistent
length of output is convenient for the hashing step, which I also
believe to be necessary for reasons explained at length elsewhere in
this thread.

Perhaps you can present a modified Nihilist cipher that addresses these
things and expands on the checkerboard to include a full set of
characters. I'd be interested to see that.

I liked Maaartin's hash idea because it mixed and diffused well. I have
made some improvements to his idea (not yet described here) which I
think make it a perfectly viable solution. I want to publish the method
here for review, but I keep thinking of things to test, writing Perl
code to test it, and making minor tweaks to the algorithm. This has
delayed me from finalising what I want to publish.

Clearly you don't want any help, having already decided what
the answer is long before you ever asked the question.

I think I'm just not good at communicating with you, Guy.
I am sorry for that.

James Taylor
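The two properties argued over above, that a fixed keystream reused across messages cancels out, and that a per-site password must come out the same every time while differing between sites and versions, as an added example that is not part of the thread or of James Taylor's paper-and-pencil method. The HMAC-SHA256 counter keystream, the alphabet and the "site:version" nonce layout are my own assumptions standing in for any stream cipher.

```python
import hashlib
import hmac
import string

# Output alphabet for the derived password (assumed, 62 symbols).
ALPHABET = string.ascii_letters + string.digits


def keystream(secret: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream: HMAC-SHA256(secret, nonce || counter).

    Stands in for any stream cipher: the sequence depends only on
    (secret, nonce), so the same inputs always give the same bytes."""
    out = b""
    counter = 0
    while len(out) < n:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(secret, block, hashlib.sha256).digest()
        counter += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(secret: bytes, msg1: bytes, msg2: bytes) -> bool:
    """Encrypt two messages under one fixed keystream (no nonce).

    Returns True when c1 XOR c2 == m1 XOR m2, i.e. the keystream has
    cancelled out and the ciphertexts leak the relation between plaintexts."""
    ks = keystream(secret, b"", max(len(msg1), len(msg2)))
    c1, c2 = xor(msg1, ks), xor(msg2, ks)
    return xor(c1, c2) == xor(msg1, msg2)


def site_password(secret: bytes, site: str, version: int = 1, length: int = 16) -> str:
    """Deterministic per-site password: the site name and version number
    take the role of the nonce, so the keystream is fixed per (site, version)
    yet differs across sites and across password changes."""
    nonce = f"{site}:{version}".encode()
    chars: list[str] = []
    need = 2 * length
    while len(chars) < length:
        # Rejection sampling: keep only bytes below 248 (= 4 * 62) to avoid modulo bias.
        chars = [ALPHABET[b % 62] for b in keystream(secret, nonce, need) if b < 248]
        need *= 2
    return "".join(chars[:length])
```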