Strengthen your Password: Mnemonic MotoMem Passphrase

June 20, 2014 01:34 UTC

In last week’s article we explored Passphrase Interception and how this eventuality reveals our conscious (or subconscious) scheme for constructing passwords. The article made the case that discovery of one of our passphrases is almost certainly a gateway to all the rest – including the secrets (and cryptocurrency) they protect. We also explored how MotoMem strings are invaluable for adding bulk and character variation to our passphrases, even if our core passphrase is weak, or worse, a dictionary word.

This week we’ll combine everything we learnt from “time-to-crack” best practice, academic and official password strength research, as well as MotoMem techniques. Firstly, we’ll consider a passphrase generation method that obscures our passphrase source by hiding it in clear sight. Next, we’ll bulk out the resulting passphrase using MotoMems, resulting in the strongest passphrase scheme explored to date: the Mnemonic-Motomem Combination scheme. In the next (and final) article we’ll raise the difficulty of our passphrases to the highest level possible by introducing a centralized passphrase manager that can generate extra long random character passphrases on the fly.

First, however, we’ll define a scheme whereby we can reliably generate a strong, memorable and easily reproducible master passphrase to safeguard our passphrase manager.


To Remember, a Mnemonic You Must Use

As humans, our primary mode of interaction is rooted in language, and seeing that passphrases need to be typed, we’ll use language text as the basis of our passphrase scheme.

We will obscure any language content by reducing sentences and words to mnemonics. This meets both our objectives of aiding recall and of creating a passphrase that does not contain dictionary words. Large bodies of text can be distilled down to mnemonics in a variety of ways, and readers are encouraged to explore the interesting and powerful mnemonic techniques applied in Japanese Yodai Words. For this article, we will simply grab the first letter of every word as well as any punctuation and numbers we can find.

Considering the central significance of our master passphrase, as well as the regularity with which we will use it, the writer suggests that readers consider using an existing sentence such as a motivational quote, a meaningful sentence from a favorite book, the title of a painting or image, or a mantra for attainment.

Text Source

The benefit of using existing text is that it is in abundance all around us. When creating a new passphrase it’s simply a matter of choosing from the bookshelf or submitting a quick internet search and then jotting down the text and the login account it is associated with.

The text itself does not need to be hidden because our character selection rule (mnemonic) will mangle it. A physical observer of the base text has no clue how we mangle the text, and a keylogger or session snooper has no idea where the mangled version is derived from. Hence, this part of the scheme remains obscure, and other passphrases created by the same scheme cannot be inferred. The reminder note that associates base text with a login account should, however, be hidden to provide security by obscurity.

Examples

Apply the following mangle rule to the source text below:

Use the first letter of each word, preserve case, include punctuation marks and the letter immediately following them.

Text: "Money is better than poverty, if only for financial reasons" (Woody Allen)
Mangled form: Mibtp,ioffr
Text: "There's no one thing that's true. It's all true." (Hemingway, For Whom The Bell Tolls)
Mangled form: T'snott'st.I'sat.
Text: Nam-Myoho-Renge-Kyo. Devotion to the mystic law of Lotus Sutra.
Mangled form: N-M-R-K.DttmloLS.

Notice that each of the resulting passphrases:

  • is longer than our minimum requirement of 9 characters
  • includes mixed case and symbols
  • offers no hint as to how it is derived – a snooper has no clue how to extrapolate additional passphrases generated by this scheme
  • greatly benefits the user in that the original source text can be written down and hidden in plain sight – stuck to the monitor or pasted on the wall

Image Source

Consider again that the objective of this article series is to enable you to create long, highly varied passwords that can be typed when needed. Any difficulty in remembering a password only discourages its use – and we will tend to revert to “easier” and, therefore, weaker passwords. This is the reason for sticking a long piece of text on the wall and using it as a source of characters. It’s visible and convenient, but in certain circumstances such blatant display of base text may be inappropriate and pose too much risk.

In the interests of greater security one may well advise users to memorize the source text. Difficulty in remembering a long piece of text, however, both discourages use and risks the text being forgotten. Hence the recommendation of a mantra or some other phrase that is already ingrained in long-term memory.

Alternatively, instead of displaying the source text, an image can serve as a visual clue to the base text from which we derive characters for a passphrase.

Example:

Painting: Author Hunter S. Thompson, writer of Fear and Loathing in Las Vegas - pictured with Wild Turkey 101
Text: Hunter S. Thompson - Fear and Loathing in Las Vegas Wild Turkey 101
Mangled form: HS.T-FaLiLVWT101
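The mangle rule stated under Examples, implemented as an added example (not the article's own code) and checked against all four source texts on this page, the three quotes and the Hunter S. Thompson image caption; the function names `mangle` and `passphrase_stats` are chosen here, and `passphrase_stats` applies the three properties the article lists (minimum length of 9, mixed case, symbols present).

```python
"""Mnemonic 'mangle' rule from the article: first letter of every word, case
preserved, every punctuation mark kept together with the letter that follows
it, digits copied in full. Added example, not the article's own code."""
import string

PUNCT = set(string.punctuation)


def mangle(text: str) -> str:
    """Reduce a sentence to its mnemonic form under the article's rule."""
    out = []
    take_next_letter = True  # True at the start of a word or right after punctuation
    for ch in text:
        if ch.isspace():
            take_next_letter = True          # a new word begins after whitespace
        elif ch in PUNCT:
            out.append(ch)                   # punctuation is always kept ...
            take_next_letter = True          # ... together with the letter after it
        elif ch.isdigit():
            out.append(ch)                   # numbers are copied whole ("101")
        elif ch.isalpha():
            if take_next_letter:
                out.append(ch)               # first letter of the word, case preserved
            take_next_letter = False
    return "".join(out)


def passphrase_stats(pw: str, minimum: int = 9) -> dict:
    """Length, unique-character count and the article's three checks:
    minimum length, mixed case, at least one symbol."""
    return {
        "length": len(pw),
        "unique": len(set(pw)),
        "long_enough": len(pw) >= minimum,
        "mixed_case": any(c.islower() for c in pw) and any(c.isupper() for c in pw),
        "has_symbol": any(c in PUNCT for c in pw),
    }


if __name__ == "__main__":
    # The four source texts quoted in the article.
    for src in (
        "Money is better than poverty, if only for financial reasons",
        "There's no one thing that's true. It's all true.",
        "Nam-Myoho-Renge-Kyo. Devotion to the mystic law of Lotus Sutra.",
        "Hunter S. Thompson - Fear and Loathing in Las Vegas Wild Turkey 101",
    ):
        print(f"{mangle(src):20} <- {src}", passphrase_stats(mangle(src)))
```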

The diagram below summarizes both textual and image source schemes for password derivation:

Mnemonic MotoMem Passphrase Scheme

We now have all the components necessary to create our strongest passphrase to date:

Components

a) key 1: `1q
b) key 2:  |}?}{>{P<
c) mangled Woody Allen quote (see source in the above diagram): “Mibtp,ioffr”

MotoMem key 1 (magenta) and key 2 (brown) are generated as follows:

Rules

1) start with key1
2) mangled quote
3) end with key2

Output

Passphrase = `1q“Mibtp,ioffr”|}?}{>{P<
Length: 24 chars
Unique chars: 18
Theoretical Time-to-Crack: at least 44,000 years

This combination of Mnemonics and MotoMem patterns generates passphrases that are:

  1. trivial to create
  2. easy to reproduce
  3. of above average strength, and
  4. near impossible to deconstruct.

Consider the following benefits:

  • Neither of the MotoMem keys repeats a sequence of symbols – each is unique
  • Key 2 repeats a finger key pattern, so it is easy to generate (and reproduce) but there is no obvious character sequence
  • Nothing about the obscured quote (which is a strong passphrase in its own right) reveals where it was derived from
  • The combined passphrase is not the longest possible, but it is more than double the minimum required length with a majority of unique characters
  • Cracking this passphrase by brute force will take a theoretical minimum of 44,000 years
  • Should an attacker obtain this passphrase via snooping, they’d be no closer to finding another passphrase generated by the same scheme, because the absence of repetition means that our components cannot be visually discerned
  • Meticulous key-stroke analysis of the passphrase would strip away key 1 and key 2, but the remaining component does not present a cracker with an easy task to decipher
  • Assuming an attacker discovers the likely origin of the phrase to be a Woody Allen quote, they could only assume that other passphrases are based on Allen quotes – but we wouldn’t make such a rookie mistake!

Next week: Passphrase managers and Random Character strings of unlimited length

Passphrase Series Articles:

Part One – Strong Passwords
Part Two – Motor Memory Passphrase
Part Three – Passphrase Interception

Sources:

Ius mentis – Law and Technology Explained
Carnegie Mellon University, School of Computer Science – Password Strength Research
Strong Passwords – A New Approach
Japanese Yodai Words – Research Paper


Last modified: June 20, 2014 01:38 UTC

@venzen

Market analyst and Open source developer with a keen interest in blockchain technology, consensus mechanisms and the decentralizing effect. He has found a solution to the PKI mechanism. Email me to discuss.
