

Haddock: Built because I want web apps to make passwords fun - stephencelis
http://stephencelis.com/2009/03/29/whats-the-password-haddock.html

======
nostrademons
The name is unfortunate. Haddock is Haskell's documentation generator, which
may be familiar to the same techie crowd.

Also - something I learned from working at a big company: For secure memorable
passwords, it's better to take a phrase and abbreviate it than to take a
couple words and concatenate them together with numbers and symbols. So from
"Haddock: Built because I want web apps to make passwords fun", you might get
"H:Bb1wwa2mpf", which looks like random noise to any password cracker yet is
still reasonably memorable to anyone who remembers the original phrase.

You can get a lot of use out of song lyrics for this, say "Bbmap,dmc2tlbtlwd"
from American Pie or "Yccatyl,bycnl" from Hotel California or "Mhfjl2b" from
Comfortably Numb. Long, line noise, completely unrecognizable - yet you'll
never forget the underlying lyric.

~~~
stephencelis
It's unfortunate that Haskell's Haddock wasn't Haddoc or Hadoc. "Haddock" made
the most sense to me as a name for a blathering password generator (with those
nods to the Marx Bros. and Hergé). I've named the command-line utility
"hagen", though, to avoid collisions.

And "H:Bb1wwa2mpf" may be more secure than a similar-length haddock password,
but its pseudo-acrostic nature is much less digestible to your average user.
Meanwhile, with a few potential modifications I outlined, haddock would still
be more memorable _and_ just as secure:

<http://news.ycombinator.com/item?id=537562>

~~~
nostrademons
The point's to remember the phrase, not the password. :-) The password is
trivially reconstructible from the phrase.

Actually - since any good programmer won't put a maximum length on their
passwords, I wonder if it'd be better to get users into the habit of picking
really long phrases as passwords. Type in "Haddock: Built because I want
webapps to make passwords fun" in the password prompt. Maybe that'll just take
too long to input though, each time you want to login.

~~~
stephencelis
I have vague memories of acrostics I formed for study in college... and
not-so-trivially muddling them ;)

I still agree with you that this kind of phrasal munging is a good method, but
I also think haddock has the slight, memorable edge :)

------
pingswept
Haddock seems like a brilliant way to generate passwords with a great
memorability to length ratio, but it's not clear to me that they have a great
memorability to security ratio.

Haddock uses the UNIX wordlist with a known algorithm for password generation:
words = %W(#{random_word} #{random_symbol}#{random_word}) if I'm reading the
source right. It seems like it's reducing the search space drastically for a
gain in memorability that is difficult to quantify. Might be a win, but might
be a loss.

But I don't really know this stuff so well -- any real crypto folks care to
comment?

~~~
RossM
I'm no security guru, but a little sensibility on the website itself could
lessen the security risk from dictionary attacks. If you allow 3 login
attempts before requiring a captcha, or set a maximum number of attempts per
hour, giving your users more memorable passwords shouldn't be too much of a
risk.

~~~
stephencelis
A very good point, though I would encourage something closer to 25 or 100
login attempts. Don't punish clumsy users for having a secure password, but
prevent brute-forces by all means.

~~~
nx
25 or 100?

First attempt: quick typing, conscious mistake.

Second attempt: quick typing, wrong password again.

Third attempt: _okay, I'll type it in carefully now_. Wrong password.

Fourth attempt: _oh, yes, that was my Yahoo! password_. Remembers password and
enters it cautiously, because he/she knows that he has a maximum of 5 login
attempts.

Five are enough for me. Or at most 10. 100 seems ridiculous. How often does it
happen that you mistype your password 99 times and get it right on the
one-hundredth, before you're tired of being shown the "wrong password" message
and click the "forgot password" link?

~~~
stephencelis
I'm only suggesting an implementation that is transparent for the user. 10
would probably be just fine, but 25 would be closer to an impossible situation
without significantly increasing the odds of a successful attack.
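
An added estimate, not Haddock's own code and not from any commenter, that puts numbers on the search-space question raised above and on the attempt caps argued over just after it: it sizes the "word symbol word" space, converts it to bits, and shows how long an online guesser held to a per-account cap would need. The wordlist size and the symbol set are assumptions, not values from the post.

```ruby
# Added example (not Haddock's code): size the "word<symbol>word" search
# space and relate it to a per-account login attempt cap.
# The wordlist size and symbol set below are assumptions, not page values.

WORDS_IN_LIST = 235_000   # assumed: roughly a typical /usr/share/dict/words
SYMBOLS       = %w[! @ $ # % ^ & * - + = ? /]   # assumed symbol set

# Number of distinct passwords the "random word, symbol, random word"
# algorithm can produce when every word and symbol is equally likely.
def haddock_space(words = WORDS_IN_LIST, symbols = SYMBOLS.size)
  words * symbols * words
end

# Entropy in bits of a uniformly chosen password from a space of that size.
def entropy_bits(space)
  Math.log2(space)
end

# Entropy of a random password of `length` characters over an alphabet,
# for comparison with the much longer-looking haddock string.
def alnum_bits(length, alphabet = 62)
  length * Math.log2(alphabet)
end

# Years an online guesser limited to `attempts_per_hour` against one account
# needs to cover half the space (the expected point of a hit). This is the
# defender's view of whether a cap of 5, 25 or 100 per hour matters.
def years_to_half_space(space, attempts_per_hour)
  (space / 2.0) / attempts_per_hour / (24 * 365)
end

if __FILE__ == $0
  space = haddock_space
  bits  = entropy_bits(space)
  printf("haddock space: %d (%.1f bits)\n", space, bits)
  printf("equivalent to a %.1f-character random alphanumeric password\n",
         bits / Math.log2(62))
  [5, 25, 100].each do |cap|
    printf("cap %3d/hour: %.0f years to reach half the space\n",
           cap, years_to_half_space(space, cap))
  end
end
```

The output makes pingswept's point concrete: a 17-character haddock string carries the entropy of a 6 to 7 character random alphanumeric one, which is why the hourly cap, not the password length, is what keeps online guessing infeasible.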

------
lucumo
Hmmm... Using the UNIX word list for password resets may lead to passwords
like "oversexed#asshole". May not be the best password to send to your users.

I would suggest trimming the wordlist before use, if you plan to use it for
handing out passwords.

~~~
stephencelis
Yeah. I addressed that in the post. The odds are low, though, and come on,
most users would have a good laugh ;)

~~~
aristus
Nope. There is no such thing as an average sense of humor. At a company I
worked for we got a lot of crap for sending out passwords like
"invisible*negro" and "murdered#pakistani". The odds are not as low as you
think.

Hell, we got crap for adding the tags "Russian" and "Jew" to people who were,
in fact, from Russia and Jewish.

~~~
stephencelis
Agh! Good point! Some kind of regex should definitely be included.
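
One way to do the trimming lucumo suggested and the regex stephencelis agrees is needed, as an added example that is not Haddock's code: the wordlist is filtered before any password is built, capitalised entries (which is where the UNIX list keeps nationalities and names) are dropped along with anything on a denylist, and the two words and the symbol are picked with a CSPRNG. The denylist and the sample wordlist are constructed placeholders.

```ruby
require 'securerandom'

# Added example (not Haddock's code): trim a wordlist before using it to
# hand out "word<symbol>word" passwords. The denylist is a constructed
# placeholder built from words named in the thread; a real one is far larger.

SYMBOLS  = %w[! @ $ # % & * + = ?]
DENYLIST = /\A(?:oversexed|asshole|murdered)\z/i

# Constructed sample wordlist standing in for /usr/share/dict/words.
SAMPLE_WORDS = %w[apple Russian oversexed asshole river's zebra ox apple
                  murdered silver kitten]

# Keep only lowercase alphabetic words of a typeable length and drop anything
# on the denylist. Requiring lowercase also removes the capitalised proper
# nouns and demonyms that caused the complaints described above.
def trim_wordlist(words, denylist = DENYLIST, min = 4, max = 8)
  words.map(&:strip)
       .select { |w| w.match?(/\A[a-z]{#{min},#{max}}\z/) }
       .reject { |w| w.match?(denylist) }
       .uniq
end

# Uniform pick backed by the OS CSPRNG; Kernel#rand is not suitable here.
def secure_pick(list)
  list[SecureRandom.random_number(list.size)]
end

# The thread describes the algorithm as a random word, then a random symbol
# followed by a second random word, e.g. "invisible*negro" (no space).
def haddock_password(words, symbols = SYMBOLS)
  "#{secure_pick(words)}#{secure_pick(symbols)}#{secure_pick(words)}"
end

puts haddock_password(trim_wordlist(SAMPLE_WORDS)) if __FILE__ == $0
```

Trimming shrinks the list, so the entropy estimate must be recomputed from the filtered size, not from the original wordlist.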

------
jwilliams
I use song lyrics as passwords. I pick a song, then take the first letter from
either each word, or each line (depends what works best).

------
sr3d
gotta start stopping my own password generating algorithm based on
temperature, the first name of the first person who pops into my head, and a
crazy md5/sha hash of whatever, something like

45john5hit

------
seahostler
completely solid.

