A passphrase acts as a master password that is used to securely store other passwords. It has to be strong so that it can't be easily cracked and expose the other passwords. This blog has a dice-indexed passphrase generator. The blog also serves as an example of what can be done with TWiki's SpreadSheetPlugin functions and some HTML.
This blog post is inspired by and references the article "Passphrases that you can memorize - but that even the NSA can't guess" by Firstlook.org.
It is easy to generate a random passphrase that is secure, such as "d07;oj7MgLz'%v^", but it is very hard to remember. A passphrase is easy to remember if it contains words from a song, such as "This could be Heaven or this could be Hell" from the Hotel California lyrics. The problem is that a password cracker can easily be fed with song lyrics, literature and other widely known text, so a passphrase based on lyrics and other literary work can be insecure. What about obscuring dictionary words? Password crackers account for common character substitutions, such as a zero for "O", a "2" for "to", or a "4" for "for", so that is not a viable option either. Relying on a keyboard layout, such as "qwerty" or "asdfg", is also not secure.
So, how can we create a secure passphrase that is memorable? The solution is to use dictionary words in a random fashion. A five-word passphrase, which would have 7,776^5 possible passphrases, could be guessed after an average of 14 quintillion tries (a 14 with 18 zeroes). At one trillion guesses per second it would take an average of 5.3 months to guess this passphrase. A seven-word passphrase would take an average of 27 million years to guess. For more math details read the aforementioned Firstlook.org article.
Diceware.com has a dice-indexed passphrase word list. The idea is to roll dice to pick words at random from the word list containing 7776 words. A small sample of the word list is on the right side of the page.
Let's assume you roll a die five times and get 1, 3, 5, 5, 2. You look it up and find "beer". Who doesn't like that? Now rinse and repeat until you have the number of words you want. With this approach you can create a very secure passphrase because the dictionary words are chosen at random. The more words, the more secure, obviously, but it also takes more time to memorize. 7 words is highly secure and is not too hard to memorize.
To make this easy, we have a passphrase generator that rolls the dice for you.
Dice-Indexed Passphrase Generator:
When prompted, log in with your TWiki.org account. You can register, or log in anonymously as "TWikiGuest" with password "guest" (both case-sensitive). You can also simply refresh this page to get a new 7 word passphrase.
Now that you have generated your passphrase, the next step is to memorize it. Initially you can write down the new passphrase on a piece of paper and carry it in your wallet. When you need it, try first from memory, and look it up if needed. After some days of use you will recall the password. At this point it is best to shred the paper.
To log in to websites and other servers you can use a password database that is secured with your passphrase. KeePassX is good because it's free, open source, cross-platform, and it never stores anything in the cloud. Use your password manager to generate and store a different random password for each website you log in to.
Looking under the hood of the passphrase generator:
Let's first look at the HTML form that asks for the number of words:
The $LIST2HASH() creates a hash called n2w ("number to word") from a flat list alternating between the dice number and the associated dictionary word. This is directly taken from the Diceware.com word list.
We use a table layout to show dice and words, one table column for each generated word.
We start a while loop over the number of words we want with a $WHILE(); the condition is $counter<=$GET(wc).
We generate 5 random numbers between 1 and 6 using $INT($RAND(5.999999)+1), and store each result in a variable using $SET().
Using img tags, we show images of five dice stacked on top of each other based on the generated random number.
We concatenate the five random numbers ($GET(r1)$GET(r2)$GET(r3)$GET(r4)$GET(r5)), and use that as the key to look up the hash value using $GETHASH(); the hash value is the word associated with the five random digits.
For now we store that random word in a hash called words using $SETHASH(); the hash key is the while index (first run 1, then 2, etc.).
We end each while with a table cell end and table cell start tag (</td><td>) to start a new column.
After the closing parenthesis of the while loop we start a new table row to show the generated random words.
We use another $WHILE() to output the random words; we use $GETHASH() to retrieve each random word.
Finally we close the table.
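The generator logic described in the steps above, together with the guessing-time figures from earlier in the post, as an added Python example (not the blog's TWiki code). It draws each die roll from the operating system's CSPRNG via `secrets` rather than `$RAND()`, and the word list is a constructed 7776-entry placeholder in which only 13552 -> "beer" comes from the post; the function names are this example's own.

```python
import secrets
from itertools import product

def list2hash(flat):
    """Like $LIST2HASH(): flat [key, word, key, word, ...] list -> dict."""
    if len(flat) % 2:
        raise ValueError("list must alternate dice key and word")
    return dict(zip(flat[0::2], flat[1::2]))

def constructed_flat_list():
    """Constructed stand-in for the real word list: all 6**5 keys, with
    placeholder words except 13552 -> "beer" (the pair quoted in the post)."""
    flat = []
    for digits in product("123456", repeat=5):
        key = "".join(digits)
        flat += [key, "beer" if key == "13552" else "word" + key]
    return flat

def roll_die():
    """One fair die roll, 1..6, from the OS CSPRNG (no modulo bias)."""
    return secrets.randbelow(6) + 1

def generate(n2w, wc, roll=roll_die):
    """Pick wc words; each word is indexed by five concatenated die rolls."""
    words = {}
    counter = 1
    while counter <= wc:                      # same condition as the $WHILE()
        key = "".join(str(roll()) for _ in range(5))
        words[counter] = n2w[key]             # KeyError means an incomplete list
        counter += 1
    return " ".join(words[i] for i in range(1, wc + 1))

def average_guess_seconds(wc, list_size=7776, guesses_per_second=10**12):
    """Return (keyspace, seconds to try half of it) for a wc-word passphrase."""
    keyspace = list_size ** wc
    return keyspace, (keyspace // 2) / guesses_per_second

if __name__ == "__main__":
    n2w = list2hash(constructed_flat_list())
    print(generate(n2w, 7))
    for wc in (5, 7):
        keyspace, secs = average_guess_seconds(wc)
        print(wc, "words:", keyspace, "combinations,",
              round(secs / 86400), "days on average at 1e12 guesses/s")
```

To use it with the real list, replace `constructed_flat_list()` with the alternating key/word list taken from Diceware.com.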
This post is intended to give you some ideas to automate your own workflows and projects using TWiki. Let us know what you have in mind.
-- Peter Thoeny - TWiki.org Founder