Author Topic: Idea for a UI that "grandmas" could use in order to create entropy  (Read 1197 times)
CIYAM (OP)
Ian Knowles - CIYAM Lead Developer


December 29, 2012, 07:28:49 AM
Last edit: December 30, 2012, 05:54:58 AM by CIYAM Pty. Ltd.
 #1

I have been trying to think how it might be possible to create a UI to supply (at least part) of a hash that is somewhat like a password but nothing typed and nothing difficult to remember and came up with this idea:

Picture a specific memory that is significant to you and let's go and find it:

Code:
beach #-- party
park      sunbathing #-- music
home      swimming       book
lake      volleyball     clouds
snow      ...            water #-- swimmer
office                   ...       shartk
school                             dolphin #-- summer #-- early morning  #-- happy
...                                whale       winter     mid morning        sad
                                   boat        spring     late morning       surprised
                                   ...         autumn     early afternoon    amazed
                                                          ...                alarmed
                                                                             ...


Has this already been built (if so is there an open source version) and if not is anyone interested in doing so (for bitcoins of course)?

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
casascius
Mike Caldwell
December 29, 2012, 07:29:17 AM
 #2

What's this for?  Brainwallets?  Passwords in general?

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
CIYAM (OP)
December 29, 2012, 07:34:11 AM
 #3

I was thinking of using this as an input mechanism for creating salt for a secure offline GPG key pair actually but I guess it could have a number of similar applications.

Roger_Murdock
December 29, 2012, 12:50:24 PM
 #4

"shartk"? I'm not sure which way that typo was supposed to go, but I suppose either would make for a pretty vivid memory.  Grin
CIYAM (OP)
December 29, 2012, 03:17:43 PM
 #5

Quote from: Roger_Murdock on December 29, 2012, 12:50:24 PM
"shartk"? I'm not sure which way that typo was supposed to go, but I suppose either would make for a pretty vivid memory.  Grin

Yup - I think a "shartk" attack would be a very scary thing indeed!

Cheesy


Melbustus
December 29, 2012, 10:00:58 PM
 #6

Interesting. Reminds me of how memory-athletes memorize huge sequences of numbers or quickly remember a 52-card deck's ordering, etc... Might be worth a quick look at some of those techniques too since they're essentially solving the same problem of mapping things that are meaningful to humans (and therefore easier to remember) to things that are random or appear random (or at least unpredictable).

Bitcoin is the first monetary system to credibly offer perfect information to all economic participants.
CIYAM (OP)
December 30, 2012, 12:50:36 AM
Last edit: December 30, 2012, 05:56:29 AM by CIYAM Pty. Ltd.
 #7

Am now thinking that it can actually be even simpler than I first thought.

Consider the following:

1) Extract a list of international airport codes for all major countries (there are over 2000 to choose from but perhaps half of these would be sufficient).

2) Extract lists of ISBN numbers for books and UPC codes for DVDs (no idea how many but obviously a lot).

The user is prompted to remember a film they saw or a book that they read from a holiday that they took (or break they were on) that sticks in their mind (but not so much because of the film or book itself) and after picking the relevant UPC/ISBN by selecting the title of the film/book (where they could also filter the titles by year) they would then next from a map of the world select the country and city (effectively choosing an international airport code).

Now they are instructed to write down an obvious (to them) clue about the occasion that they were watching that film/reading that book which does not include its name nor the name of the city.

Here is an example (taken from my own memory):

Code:
Clue: Home of the Shart
Code: PEK794043554223

Even if you knew me very well I very much doubt from that clue that you would be able to get that code (my wife doesn't get it at all and my family would have even less of a chance). Smiley

P.S. It is quite interesting that the typo pointed out from the OP is in my clue - it was no doubt this (Freudian?) slip-up that brought up a recent memory which I used to then link back to a more distant one.

odolvlobo
December 30, 2012, 02:14:02 AM
 #8

I think the problem with this (which is the same problem with brain wallets) is that the search space is rather small. In your example, an airport code followed by an ISBN number, there are probably only a few million likely combinations, because most keys will be a combination of the most memorable cities and the most popular books and movies.

Brute force guessing using the top 100 cities and the top 10,000 ISBNs stands a good chance of guessing a key very quickly.

Join an anti-signature campaign: Click ignore on the members of signature campaigns.
PGP Fingerprint: 6B6BC26599EC24EF7E29A405EAF050539D0B2925 Signing address: 13GAVJo8YaAuenj6keiEykwxWUZ7jMoSLt
CIYAM (OP)
December 30, 2012, 02:20:33 AM
Last edit: December 30, 2012, 02:31:03 AM by CIYAM Pty. Ltd.
 #9

Quote from: odolvlobo on December 30, 2012, 02:14:02 AM
Brute force guessing using the top 100 cities and the top 10,000 ISBNs stands a good chance of guessing a key very quickly.

Note that the idea I have with this is for some "salt entropy" and not for a whole password - the idea is to do something like the following:

Code:
real_password = hash( harden( small_password + salt ) )

so the address space of the salt doesn't need to be that huge to make brute forcing quickly become too costly assuming that the password is say 5 characters (and we could also have the user put in some other less important information such as a phone number, email address or the like to increase the entropy against "blind" brute force attacks).

So for the specific attack of 100 cities and 10,000 codes we get 1,000,000 combinations which (without any additional entropy being added) would need to be tried against all possible 5 character passwords (so say 2 billion) where each "hardened hash" takes say 1 second.

Smiley

Also this is only a starting point - many long lists of things could be added (apart from just films and books) and easily navigated to via a simple UI.

odolvlobo
December 30, 2012, 02:36:31 AM
 #10

"Salt" is a random value added to a password, so that even knowing the password is not enough to unlock something. That is not what you are describing. You are proposing combining one password with another password. A brute force attack would repeatedly guess "small_password + salt", applying harden and hash, until it found the real password.

Or is there something that I am missing?

On the other hand, any method that prevents someone from using "password" as their password is a step in the right direction.

Join an anti-signature campaign: Click ignore on the members of signature campaigns.
PGP Fingerprint: 6B6BC26599EC24EF7E29A405EAF050539D0B2925 Signing address: 13GAVJo8YaAuenj6keiEykwxWUZ7jMoSLt
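
The construction discussed in posts #9 and #10, as an added example that is not part of the thread: the memory code is handled as a second secret, the salt is a separate random value, and the thread's own list sizes are turned into a work estimate. PBKDF2 stands in for the unspecified harden(); the function names, the password "abcde", the iteration count and the `workers` parameter are assumptions, and the estimate treats every choice as uniform and independent, which post #8 argues is an upper bound.

```python
import hashlib
import math
import os

def harden(secret: bytes, salt: bytes, iterations: int = 600_000) -> bytes:
    """Key stretching; PBKDF2 is an assumed stand-in for the thread's harden()."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations)

def derive_key(small_password: str, memory_code: str, salt: bytes,
               iterations: int = 600_000) -> bytes:
    """hash(harden(small_password + second secret)) with a real, random salt."""
    # Length-prefix each part so ("ab", "c") and ("a", "bc") cannot collide.
    parts = [small_password.encode(), memory_code.encode()]
    secret = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hashlib.sha256(harden(secret, salt, iterations)).digest()

def search_space_bits(*list_sizes: int) -> float:
    """Guessing work in bits if each choice were uniform and independent."""
    return sum(math.log2(n) for n in list_sizes)

def years_to_exhaust(bits: float, seconds_per_guess: float, workers: int = 1) -> float:
    """Time to try every combination; workers models parallel hardware."""
    return (2 ** bits) * seconds_per_guess / workers / (365.25 * 86400)

# List sizes quoted in the thread.
PASSWORDS = 2_000_000_000   # "all possible 5 character passwords (so say 2 billion)"
CITIES, TITLES = 100, 10_000

if __name__ == "__main__":
    salt = os.urandom(16)  # random, stored next to the result, not a secret
    key = derive_key("abcde", "PEK794043554223", salt)
    bits = search_space_bits(PASSWORDS, CITIES, TITLES)
    print("derived key:", key.hex())
    print(f"combined search space: {bits:.2f} bits")
    print(f"1 worker at 1 s/guess: {years_to_exhaust(bits, 1.0):,.0f} years")
    print(f"1,000,000 workers:     {years_to_exhaust(bits, 1.0, 1_000_000):,.1f} years")
```

The margin comes from the product of the list sizes and the cost per guess, so it shrinks in proportion to how skewed the real choices are and how much hardware runs in parallel.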
CIYAM (OP)
December 30, 2012, 02:45:41 AM
 #11

Sure - let's call it a "second password" - in any case as the competition I ran recently showed it really doesn't take very much (in that case just a very small and to me obvious math equation needed to be supplied rather than some difficult to remember "passphrase") to make brute force attacking impossible and it can be done in a way that does not require trying to remember hard random things but instead simply recalling memories that are very clear.

(btw - I had seen it stated that the previous password hashing used on this forum used the lower case "user id" as "salt" so maybe that's why I get confused with the terminology as I don't see that as really being anything different)

Phinnaeus Gage
December 30, 2012, 03:23:50 AM
 #12



Although not knowing what the demographics are of Sudoku solvers, I fathom to guess that many are up in their years. There are a myriad of Sudoku puzzle books on the market, all having the solutions in the back. All that a person would have to do is have access to only one of those books, selecting any solved puzzle in the back to glean a password from. Even if they lose the book, as long as they somehow remember the book's title, its edition number, or ISBN, they should have no problem getting another copy. The safest solution is to hide several copies of a solution page.

From the image above, a 70-year-old woman would have 64 easy passwords to choose from: 16 rows left-to-right; 16 rows right-to-left; 16 columns top-to-bottom; 16 columns bottom-to-top. Thus, the first password would be 16A4BFCE8975302D.

In fact, one doesn't even need to purchase a book. Simply go to http://www.e-sudoku.fr/sudoku16x16.php and generate a random solved puzzle from there like below, where the first password choice would be ADF58B314G67C92E.



I just realized that there's 16 inner grids from which another 64 easy passwords could be gleaned, the first being ADF5C8G79462BE13.

A hacker would need to know that Sudoku was used to generate a password, after somehow determining that a minimum amount of bitcoins protected would be worth their efforts to steal.

~Bruno K~
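
An added example, not part of the post above, that measures the Sudoku idea: it enumerates every reading the post describes from one solved 16x16 grid and compares the guessing work when the source grid is known against a truly random 16-symbol string. The grid is built by formula as a constructed sample (it is not the puzzle from the missing images), and the four reading orders for each inner grid are an assumption, since the post only gives the count.

```python
import math

SYMBOLS = "0123456789ABCDEF"
N = 4  # inner-grid width; the full grid is 16x16

def constructed_grid() -> list:
    """Valid 16x16 Sudoku solution built by formula (constructed sample)."""
    return ["".join(SYMBOLS[(N * (r % N) + r // N + c) % 16] for c in range(16))
            for r in range(16)]

def candidate_passwords(grid: list) -> list:
    """Rows, columns and inner grids, each read forwards and backwards."""
    rows = list(grid)
    cols = ["".join(row[c] for row in grid) for c in range(16)]
    boxes = []
    for br in range(0, 16, N):
        for bc in range(0, 16, N):
            cells = [grid[br + i][bc:bc + N] for i in range(N)]
            boxes.append("".join(cells))  # row-major, as in the post's example
            # Column-major reading of the same inner grid (assumed order).
            boxes.append("".join(cells[i][j] for j in range(N) for i in range(N)))
    forward = rows + cols + boxes
    # Duplicates, if a grid produces any, only make the real space smaller.
    return forward + [s[::-1] for s in forward]

def bits_if_source_known(num_grids: int, readings_per_grid: int) -> float:
    """Guessing work once the book or site is known: pick a grid, pick a reading."""
    return math.log2(num_grids * readings_per_grid)

def bits_if_truly_random() -> float:
    """A uniformly random ordering of 16 distinct symbols."""
    return math.log2(math.factorial(16))

if __name__ == "__main__":
    cands = candidate_passwords(constructed_grid())
    print(len(cands), "candidates, first:", cands[0])
    print(f"one known grid:        {bits_if_source_known(1, len(cands)):.2f} bits")
    print(f"book of 200 grids:     {bits_if_source_known(200, len(cands)):.2f} bits")
    print(f"random 16-symbol perm: {bits_if_truly_random():.2f} bits")
```

The strings look random, but the strength is set by how many grids and readings have to be tried, which is why the scheme rests on nobody knowing that Sudoku was the source.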

CIYAM (OP)
December 30, 2012, 03:33:35 AM
Last edit: December 30, 2012, 03:55:29 AM by CIYAM Pty. Ltd.
 #13

Thanks Bruno - I think you're getting it.

Now let's add "Chess Boards", "Cooking Recipes", "Knitting Patterns", "Sporting Events", "Wines and Beers", "Rock Concerts", "Foreign Words", etc., etc.

Smiley

If we can then combine a few such choices (as an "off the cuff" example perhaps what wine or beer you remember eating with what meal/meat/vegetable you were eating with which friend's first/last name when on holiday at what place during what time of year and what the weather was like at the time).

Am thinking we could call this idea a "memory wallet".
