
Hipku – encode any IP address as a haiku - gabemart
http://gabrielmartin.net/projects/hipku/
======
e12e
Two notable addresses:

    
    
        ::1
        Ace ants and ace ants
        aid ace ace ace ace ace ants.
        Ace ants aid ace apes.
    
        127.0.0.1
        The hungry white ape
        aches in the ancient canyon.
        Autumn colors crunch.
    

We can see that ipv6 adds ants to the traditionally monkey themed localhost...

------
lmm
Reminds me of
[http://en.wikipedia.org/wiki/PGP_word_list](http://en.wikipedia.org/wiki/PGP_word_list)
, which is less poetic, but designed to be unambiguous when read over the
phone.

~~~
e12e
The ideas behind that list is good, but I think they went overboard with their
machine learning approach to find words that were as far apart as possible in
pronunciation. Considering one would think that such a list will be used in
international contexts, basing it off of Basic English[1] or something would
probably have been a better idea. How many non-native speakers (that aren't a
fan of Dave Sim's "Cerberus") will know the word "Aardvark" ?

[1]
[http://en.wikipedia.org/wiki/Basic_English](http://en.wikipedia.org/wiki/Basic_English)

------
falcolas
I love it. The practical side of me, however, would recommend increasing the
name space a little bit and adding checksums; human memory is not perfect, and
having built-in error correction would help immensely.

~~~
gabemart
Great idea. Thanks. I need to find some extra space for fitting in a version
number anyway, to preserve backward-compatibility.

~~~
e12e
I've been thinking about something similar to this for secure passwords. And
your haikus neatly demonstrate both the challenge and viability. I was
thinking of encoding as a phrase, but keeping the two first letters of each
word in a 256-word set unique, so that a phrase could be used for
memorization, but you'd "only" have to type the two first letters of every
word. But 16 characters for 64 bits of entropy is still pretty long (for
password entry) -- and ideally you'd want 96 or even 128 bits. Especially for
passwords/pass phrases that are used to derive/protect encryption keys (the
goal being to avoid having the entropy of the password as the weakest link.
There are still other challenges with passwords, of course. Eg: key loggers).

I'd also thought about having a generic library, that could be used for things
like representing hashes/fingerprints etc (think: an alternative to the ssh
key ascii art).

While I'd considered poetry (especially using rhyming dictionaries) -- my main
idea so far is to just construct grammatically well-formed sentences. With a
limited vocabulary, it should be easy enough...

And as touched upon in this post, it might make a nice alternative for
verbally communicating 64-128 bits of random data -- say reading out a
password while someone across the server room types it into a console.

[edit: eg, using a random haiku:

    
    
        Hoarse dunes and slim germs
        gulp pure ripe foul dead bland sole.
        Firm trees bleed short heads.
    

This would become: "hoduslgegupurifodeblsofitrblshhe" (ignoring the and). If
anyone wonders why you'd not just type in the whole thing: it's hard, even for
a skilled typist, to get something so long, exactly right, when typing blind.
And obviously even the short form here strains typing ability. But then again,
how many can say _with confidence_ that their passwords hold 128 bits worth of
entropy? With a one-to-one mapping between word-lists (or equivalently sets of
two leading characters, and a random N bit integer, assuming the integer is as
random as your other secret/session keys -- it's trivial to demonstrate a
lower bound for the entropy of such a password]

[edit2: I should add that I considered adding a standard transform to the
final password: capitalize the first letter, and terminate with a punctuation
mark. It would add nothing to the entropy of the password, but might allow an
"insecure" lowercase-only password to pass inane "strength" requirements, by
mixing three character classes.]

~~~
Scaevolus
I made this a while back. :)
[http://rmmh.github.io/abbrase/](http://rmmh.github.io/abbrase/)

An interesting fork:
[http://bcaller.github.io/abbrase/](http://bcaller.github.io/abbrase/)

Some comments:
[https://news.ycombinator.com/item?id=8059210](https://news.ycombinator.com/item?id=8059210)

Letting users pick their passphrases from a list sacrifices a few bits of
entropy in theory, and in practice gives much more usable mnemonics.

I'm not sure grammatical models are a definite improvement over Abbrase's
naive bigram method -- part-of-speech constraints can make sentences more
awkward than freeform associations.

Having 128 bit passwords feels like overkill. I'm not sure on the precise
threat model for sites, but the worst case of someone getting your password
hash should be ameliorated by not reusing passwords between sites and the
password being stretched properly.

If you're actually deriving encryption keys directly from passwords, you'll
probably be okay with 60 bits of password entropy and 30 bits of memory-hard
stretching.

~~~
e12e
Interesting.

I should add, that my idea was to publish an RFC-style standard that worked
both ways (from the password to number and back again) -- which is why mapping
two letters to 256 bits was nice: it makes for short word lists. It might
even, with some care, allow for localizing the actual word list to at least
some other European languages (we're really only concerned with the two first
letters).

> Having 128 bit passwords feels like overkill.

I agree. However, as a user can't be sure sites properly stretch passwords,
I'd say 64-bits feels more comfortable.

For use-cases where one are protecting keys, it'd be good if the password
wasn't the weakest brute-force target with too large a margin. Obviously, if
you can manage to get 64-bits into a password suitable for everyday use,
chaining two together for the (presumably rarer case of) master passwords
should be viable.

But even 64 bits is a lot of entropy to be typing in, no matter how you encode
it :-/

------
w8rbt
Interesting concept. Somehow, humans need to be able to quickly and clearly
say/pronounce an IPv6 address over the phone when talking with Tech Support.
Not everyone knows ITU phonetics (two charlie eight foxtrot...). I bet there
are other, even simpler ways to human encode IPv6 addresses (outside of DNS
names of course).

------
101914
The idea reminds me of S/Key.

64 bits --> 6 English words

[http://www.openbsd.org/cgi-
bin/man.cgi?query=skey](http://www.openbsd.org/cgi-bin/man.cgi?query=skey)
[http://netbsd.gw.com/cgi-bin/man-cgi?skey](http://netbsd.gw.com/cgi-bin/man-
cgi?skey)

~~~
listic
Your link does not work. This S/KEY?
[http://en.wikipedia.org/wiki/S/KEY](http://en.wikipedia.org/wiki/S/KEY)

~~~
101914
Should work now.

------
aareet
This is fun! I'd have liked to have seen my IP address auto-detected and
presented to me as a Hipku so I didn't have to go figure it out and come back
to see the results.

~~~
gabemart
I thought this was a fun idea so I did this:
[http://hipku.gabrielmartin.net](http://hipku.gabrielmartin.net)

------
lachenmayer
Related: proquints (PRO-nouncable QUIN-tuplets)
[http://arxiv.org/html/0901.4016](http://arxiv.org/html/0901.4016)

    
    
        127.0.0.1       lusab-babad
        63.84.220.193   gutih-tugad
        63.118.7.35     gutuk-bisog
        140.98.193.141  mudof-sakat
        64.255.6.200    haguz-biram

------
jmnicolas
I'm looking for flaws to using this as a password remembering scheme.

Basically you remember the haiku but when it comes to typing your password you
convert it in an IP address using Hipku.

I guess an IPV6 address makes a really strong password, not breakable using a
dictionary.

Any thoughts on the validity of this use case ?

~~~
lmm
You might as well use the full length haiku - you wouldn't be exposing it to
an external service, you wouldn't need internet access or a program installed,
and you can probably type it faster than the IPv6 address. Using dictionary
words for a passphrase is actually fine as long as the phrase is long enough.
Figure out how much security you need (128 bits if you're going with the IPv6
example).

~~~
e12e
The problem with using the whole haikus, is that you must type quite a lot,
typically blindly, into a password entry field -- and not make a single
mistake.

I think the more interesting question is: if you manage to memorize the haiku
-- will you be able to retain it longer than the ipv6 address? After typing in
the address a few times a day, you'd have it memorized (at least in muscle
memory). But what if this was something you either used rarely (passphrase for
restoring backups for example). Would you remember the haiku even after you'd
forgot the ipv6 address?

~~~
lmm
If you memorize poems at all you have to remember the exact words; IMO they're
easier than memorizing numbers. (In fact, the way I can remember the first
50-or-so digits of pi is that someone wrote a poem where the word-lengths
correspond to the digits).

~~~
e12e
It's not that it's hard to remember, it's hard to type in. At least that's my
experience (I use a few 16+ character passwords/passphrases). It might be
easier if it's all lower-case, no numbers etc -- I'm not sure -- I've not
tested myself.

But in writing the above, I had to hit backspace at least once -- something
that's a bit hard to catch when you're typing blind into a password entry
field, like when typing in the pass-phrase for unlocking a LUKS partition, or
logging into a console session. Or even typing in a login password in a
graphical login manager, like the windows login prompt, or gdm/ldm/xdm etc.

And it also takes time. Especially if you only get it right on your third
attempt.

~~~
lmm
Shrug; I find it much easier to write English words than numbers and the like,
but I guess YMMV. If you don't realize when you've made a mistake, it's well
worth spending a bit of time learning to type properly, IMO; I spent a weekend
practising and while I still occasionally typo, I know when I have without
having to check. E.g. I wrote this sentence with a couple of letter
transpositions, backspaced and corrected them, all without looking at the
screen, just to check that it was possible.

~~~
e12e
Maybe. Then there is typing in the passphrase on Android [ed: ie using an on
screen keyboard] to unlock the FDE etc. Fwiw I had a year of touch in junior
high, so I do generally type pretty well - but I still end up having to type
in my pw to unlock my computer a couple of times on average. I'm not sure
which parts I miss - quite possibly I'd be better off with a slightly longer,
all lowercase pw.

------
api
The length of IPv6 addresses is a minor usability problem from a devops
perspective. I don't feel like this is a solution, but something to help ease
the pain of this would be nice.

Another issue is that nearly all terminal emulators are (so far) too stupid to
auto-highlight an IPv6 address on double-click. They all break on : --
highlighting only 16 bits of the address. Annoying.

~~~
_kst_
That's often configurable. For example, in xterm:

> -cc characterclassrange:value[,...]

> This sets classes indicated by the given ranges for using in selecting by
> words. See the section specifying character classes. and discussion of the
> charClass resource.

(I haven't tried using this myself.)

------
adg001
The hungry white ape

aches in the ancient canyon.

Autumn colors crunch.

~~~
stedaniels
The agile green ape

jumps in the ancient mountains.

Autumn colors rest.

~~~
myhf
The weary white wolf

yawns in the wind-swept wetlands.

Autumn colors blow.

~~~
ph0rque
Hey now, who downvotes

haikus? Even if random?

Must be Hacker News.

 _(not my actual IP)_

------
blfr
With IPv6, you can give each site a separate address and encode it as a haiku.
Poetry to replace DNS.

And there is no central Internet Corporation for Assigned Haiku. This is what
namecoin was meant to be.

 _Chilled apes and fat sprats_

 _aid bleak brave prone ace ace ants._

 _Ace ants aid sharp beaks._

~~~
lmm
> And there is no central Internet Corporation for Assigned Haiku.

Um, yes there is. It's an address; you get your address space from your
upstream AS (probably your ISP), they get it from their RIR, and they get
their addresses from IANA.

------
krick
I don't find this particular app very useful, but the very idea of encoding
something hard to read into redundant, but easily comprehensible format is
simply great.

