Nice solid simple passwort generating pattern

[Kowin]

Hi There,

Thanks very much for Keepass.
This discussion is especially if you (sometimes) are not able to copy/paste passwords digitally.

What password do you prefere to type or write manually
twv aro ygy OR wvuaroaygy
ADF.GRP.BMW OR ADFGRPBMW
osk.xjw.lps OR +ÕãÙ p¯4ß^Ë
lis wfj.svc.MY.dmc OR lazily avoid chapter untrue bootie snorkel
snh dhc.vth DD.nng qcs jdw OR snhdhcvthDDnngqcsjdw

This generator is also to help those (millions of) people who have to fill in passwords manually, e.g. because they cannot afford themselves a pc/laptop, but they can afford a paper and a pencil or perhaps a mobile. Amidst them those who have difficulties in reading/writing/spelling.

With this generator people can generate on a trusted guest pc/internetcafe (a list of) userfriendly secure passwords using (once) the Keepass passwordgenerator. Afterwards they can use their own digital devices or on paper to fill in these passwords.

So feel free to use this password generating pattern below and/or the attached spreadsheet in MS Excel format.

The pattern
Based on LOWERcase letters
l{3}[\.\ ]l{3}[\.\ ]l{3}[\.\ ][A\@^\1\^\0][A\@^\1\^\0][\.\ ]l{3}[\.\ ]l{3}[\.\ ]l{3}

Based on UPPERcase letters
u{3}[\.\ ]u{3}[\.\ ]u{3}[\.\ ][A\@^\1\^\0][A\@^\1\^\0][\.\ ]u{3}[\.\ ]u{3}[\.\ ]u{3}

The usage
Using this password generating pattern or the likewise spreadsheet you have only to remember three simple thoughts:

=> for ONLINE passwords: use at least the first three groups, including separators.

=> for OFFLINE passwords: use all groups with or without separators, but at least 20 characters.

=>for mandatory special characters: if not generated, add them EXTRA as a separated last group. Because it is security-overkill, any manual not-random selection for this group is okay.

Background
= time to guess according the password zxcvbn-test:
+ for (un)throttled online attack, first three groups with separators, it takes centruries
+ for (un)throttled online attack, first four (4) groups without separators, it takes centruries
+ for (un)throttled offline attack, fast hash, many cores, all characters or with at least 20 characters, it takes centruries

= easy to type password because implicit logic:
+ especially when manual typing passwords or writing them on paper, this is easier to do
+ good to pronounce / remember because the rhythm of 3-characters-groups and use of only two separators (space or point).
+ To copy a password in parts works easier than try to remember shortly a complete complex password and better than every time to search in a complex password the startingpoint of the next part to copy.
+ with only use of the "at first site/type available characters" (incl. fixed caps-lock) seen on every standard keyboard (also mobile)
+ no second fingermovement is necessary e.g. for typing %^&# etc. or "hidden" charactersets
+ but on purpose a little noise is generated in the separators and also in the fourth two-digit group
+ look-alikes numbers one and zero are not present in fourth two-digit group
+ because you can type your passwords better and faster, others have less chance to cheat off the password when typing

= even if one knows how this pattern is built or estimate it is being used, this knowledge will bring not much help to crack the password. So boring brute force attacks and a lot of time are always necessary.

= The amount of false online logins to sensitive (bank)accounts is mostly limited for good security reasons. Guessing a with the patern generated password of only three groups is hopeless, despite that other often obliged characters are not used in the password.

= you can create in Keepass a password list via >Tools>Generate Password list.

Spreadsheet
I added a MS Excell sheet (Open Source License) with this specific password generator. It is works according the same principles as mentioned above.

Algorithm : SHA256
Hash : BF3C577D78F03DFCB45242885FDEDCC7BAAD279C336C737CBC256A483968795F
Path : Passwordgenerator 3-2-3 v4.xlsx

Storage of passwords
Above all: store your passwords secure, consult the internet. E.g. use a password manager like Keepass or if you have no digital choise: keep your password-paper secret in a secure(d) place.

Website
At last I made a simple website about the spreadsheet on Google sites: https://sites.google.com/view/easy-typewrite-pword-generator/homepage .

Inspiration
I was inspired by this positive critical ludocode blog and I judged the passwordstrength on zxcvbn-test.

[Paul]

Why go to all the trouble when KeePass can enter the password for you?

cheers, Paul

[ReadyPlayerOne]

Your over doing the password protection. All you need to do is create a "Master" password to the keepass database so only the person using the database can enter it. The only one that will have trouble with something like that is you the mentioning this and will get yourself locked-out of keepass database login and only have one to blame for this. So the harder you make it the faster you will forget it.

[Kowin]

I added: "This tip is especially to help those (millions of) people that have to fill in passwords manually, e.g. because they cannot afford themselves a PC/laptop, but they can afford paper and a pencil or a mobile. Those who have difficulties in reading/writing/spelling, but still can use Keepass.

When using a trusted guestpc/internetcafe, they can use that to (re)create passwords, afterwards they can use their own mobile to fill in easely a password elsewhere."

[steelej]

How do you use KeePass if your user cannot afford a PC/laptop?

If you use a "trusted guestpc/internetcafe" how do you access the KeePass program? It would need to be downloaded and installed, or you would need to download and run the portable version. I would seriously question whether there is ever such a thing as a "trusted guestpc/internetcafe". I would NEVER trust a computer I did not own, or know and trust the owner with any of my passwords.

How do you access your previously stored passwords on a guest pc, or are you only using the KeePass program to generate a password with some structure that you have proposed? If that is the case you would need to enter your password pattern generator each time.

This would appear to be a very complicated, and potentially high risk way, of achieving very little little unless I am missing something.

[Kowin]

Hi Steelej, I admit it is not the easiest way, but thankful if you have those usefull passwords (see advantages above).

If you have a mobile Keepass-app, you can copy on PC/laptop generated passwords (by hand) to mobile apps. On this world more people have only a mobile without laptop/PC or only a paper to write on.

Second question you gave the answer almost yourselves: use portabble version. The verdict if a pc/internetpc can be trusted is up to the user him/herselves and independable of the thoughts behind the password generating pattern. E.g. can I trust my near family ;-).

Access to previous passwords is via that mobile app or on a safely stored paper (f you don't have digital storage available in the bush). Yes, to generate passords you have to install/use Keepass. That is not ideal, but you get nice password-list.

The biggest challenge indeed is that the user will generate passwords with the proposed password generating pattern in Keepass. If he/she comes so far in the process, then under the tab 'Preview' a list of passwords can be copied (and eventually printed). So you do not need to generate passwords separate.

Complicated? With the help function you can manage it, but it is not direct for dummies.
High risk? The same as usual Keepass risks.

Yes, it would be nice if you can generate passwords in the proposed way also using an online website. The positive difference with other password generating websites is described above.

So who likes to make this password generating pattern usefull on online, outside Keepass ?
I myself try to make it work in MS Excel.

[ReadyPlayerOne]

Let's be clear here this is going far beyond just simple random password to protect the database only when first accessing it the harder you make it the higher and more likely you the user will lock yourself out. When this happens no one can help unless you had a previous database that didn't have a Master password. The reason such a program like this exist for the reason paper notes can be lost or logins are old and new one aren't written down leading to lockup logins. As anything I have multiple USB of the database and USB portable Keepass but they have the Master password first need to enter before access and on my Android keepassAndroid with Dropbox to sync the data but the database has the Master password so regardless one needs the Master password to access the database.

[Kowin]

This solid comment of RPO is valid for Keepass and password managers in general. It does not affect direct the background thoughts about why and how this specific password generating pattern is built.

It is always in the end the user who decides in his/her specific situation why and how to use this pattern or not. Many people do not live in the circumstances to use password(manager)s securely, but this pattern CAN help them.

Again: it should be ideal, when the password results of this password generating pattern are available online.

[Kowin]

I now added in my first message a MS Excell sheet with the easy to use password generator.
It works the same as mentioned above.

From now on you do not need Keepass to only GENERATE this specific kind of password.

Most likely people are more familiar using MS Excel than using a Keepass password generating pattern.

General advise: Above all: store your passwords secure, consult the internet. E.g. use a password manager like Keepass or if you have no digital choise: keep your password-paper secret in a secure(d) place.

Please feel free to use or experiment with the sheet anywhere (OSL).

[Kowin]

I added in my first message an extra variation of the password generating pattern based on UPPERcases, because people can prefer to use those instead of lowercases.

I also configured this second pattern into a new Excel sheet (v3, Open Source License).

The hash value is generated inside my Windows 10 with the command get-filehash "Passwordgenerator 3-2-3 v4.xlsx" | format-list.

[ReadyPlayerOne]

I like to update if you don't password lock the excel password file anyone accessing would break your Keepass password. So your already making it easier for someone to access KeePass here. Simple hard to guess password is all that is needed for Master password in KeePass. Password Generating is making a already complicated password more complicated here. Not everyone is familiar with Excel unless you use it on daily basis so this assumption is also not correct. If one is over creating password there will be mistakes. As mentioned Keepass isn't a Cloud Password manager so the only risk is your own local computer if you fail to make a Master Password to lock the KeePass database. I have it on the Main and two USB but they all share the same Master password to access the database and to sync without that no one can gain access to the database.

[Kowin]

Hey RPO allyour remarks are already (implicite) clearified in the my messages. Please read them carefully, again, but i will clearify your remarks: * if you don't password lock the excel password file anyone accessing would break your Keepass password. : "Every F9 gives one-time unique password, no history. To prevent breakin use the normal precaustions using Keepass and other password stuff, not special for this pattern story." * So your already making it easier for someone to access KeePass here. :"It is not about the masterpassword only. If you use already Keepass you should better use the generator and the pattern as described in the manual. If you have no Keepass better use this (in your eyes unsave) sheet instead thinking own password. See also answer above." * Simple hard to guess password is all that is needed for Master password in KeePass.
Password Generating is making a already complicated password more complicated here. : "HArd to guess is normally long, a lot of characters etc.. Please see results from password test https://lowe.github.io/tryzxcvbn/. It takes centuries to gues generated passwords. Hard to guess: see explanation on that site what that means, it is so relative. Not everybody has digital luxerious tools to make hard to guess passwords.." * Not everyone is familiar with Excel unless you use it on daily basis so this assumption is also not correct. : "If you can open ms excel you have you paswwords before you, just like switch on the light. More people use ms excel than Keepass. And yes more people use digital tools than ms office, but that is all how to present statistics" * If one is over creating password there will be mistakes. : "That is just the advantage of this tool less complicated passwords devided in groups and still secure enough. Your remark seems not consistent with hard to guess passwords, see above" * As mentioned Keepass isn't a Cloud Password manager so the only risk is your own local computer if you fail to make a Master Password to lock the KeePass database. I have it on the Main and two USB but they all share the same Master password to access the database and to sync without that no one can gain access to the database.: "I cannot follow your thoughts. They are for people that have digital tools, not relevant for paper passwords and digital dummies."

[Kowin]

I made a simple website about the spreadsheet on Google sites: https://sites.google.com/view/easy-typewrite-pword-generator/homepage .

[Kowin]

Sorry, little correction of weblink in my previous message.
The correct webadress is: https://sites.google.com/view/easy-typewrite-pword-generator/homepage (without that . at the end).

[ReadyPlayerOne]

This is going beyond having a pragmatic Master Password to protect the database that the user can remember without having to write down the password. The more complicated the password the quicker the user themselves will lock themselves out of the database. That's the simplistic of just having a good Master Password that the user can recall without issue to get to their logins.

[Kowin]

Hi RPO.
Your repeated points about passwords in general are no discussion. Clear, you are not going to use this pattern / spreadsheet. Your Keepass is locked with a complicated but easy to remember long masterpassword protecting all the other complex passwords saved within. No point of discussion for me.

Pitty you still miss the real value of the thoughts written above.

Try to imagine yourself firmly you have NO digital tools at all and/or you cannot digitally copy passwords, so you have to do manual writing or manual typing. Too many people have only that choice. Point made: You have the digital choice and use it.

Try this for fun:
First step: Manual type (preference: mobile) and write ten of your complex passwords out of your Keepass database. Judge objective how often you make type errors, have to make corrections, measure type speed and the needed time.
Next step: same experiment but now type/write ten passwords made by the sheet according the usage guidelines (watch the number of needed groups 3-7, off-/online).

I am sure there is a difference.

Perhaps the logic on ludocode blog could help you and that logic is valid not for diceware passwords only.

[ReadyPlayerOne]

Remember this the harder you make it the harder the users themselves will be the one locked out not someone trying to get the password. Keypass database is locally stored or on USB assuming one makes a Master Password so no other has access to it. This is all that is required to block unauthorized access to the database even if one puts online if there is a password - crackers aren't going to waste time and time to break it when time is of money to them. This isn't unlike Online LastPass that got hacked because it was Online database and a Gold-Mine for crackers whom gained access until months laters when the story came out - they told users Oh Sorry we let them hack your account but by then users were already hacked or login stolen and who knows they sold that data to. So let this be a lesson why Online Login storage is a Gold-Mine for hackers.

[Kowin]

Hey RPO,
You repeated your truth points about (master) passwords in general enough now. It blurs this discussion.
I am sure you did not do the suggested experiment.
Still big misunderstanding: it is about ALL PASSWORDS that you can generate with this (Keepass) pattern for different purposes.
Sorry, from now on I will answer only if you have relevant new points and not repetitions.

[Kowin]

I edited afterwards the two patterns in my first message at the top of this discussion.

The possible character choise [\.\ ]at the end of both patterns is removed, because it can be triggy to write on paper correctly, yes or no, that invisable space (not the point) at the end of the password.

The patterns are now conform those in the spreadsheet attachment version 4. So if you already enthousiastic applied a previous pattern in Keepass, you can better replace it.

This correction does not lower significant the already high security level of the generated password.

Please visit my homemade website about this pattern. It is not yet noticed by the big public <];-)

[Sven Bent]

To you question. none of them what i prefer to type as password when ih ave to type them is something along the line of:
Why do people simply not understand to use passphrases as they can contain excessive amount of entropy but still be easy to remember.

The underlying mechanics in your suggested is directly bad for the purpose you are describing. as they are hard to remember it means the user will need to reduce entropy to make it easy on brain power.
using pass phrases instead requires less brain power for the same amount of entropy even if you went with you typical brute force accelerates like dictionary attack/sentence construction

[Sven Bent]

you password suggestion of jnj.qhk alm.uF cxi.tfz oxs had a "strength" of guesses_log10: 26
mine above got over 109
Which one do you think is easier to remember without having to type it down ?

[Kowin]

Hi Sven,

I appriciate sharing your thoughts with me. My comment is a bit longer, but i hope you will have the guts to read it all with curriosity. Take a coffee meanwhile :-)

Typing passwords is nobodys hobby, in that way I certain agree with you. Minimizing the total effort to type/write on-/offline used passwords is my starting point for the pattern. In the faint hope people will not be repelled as for longer and complicated passwords.

"Why do people simply not understand to use passphrases as they can contain excessive amount of entropy but still be easy to remember." That is a rhetorical question, but the simple fact is they do not use them.

And pitty I am one of them ...... too much feeling (!) of hustle and bustle. And yes, that is not the logical reasoning speaking here, that is prefered by security minded people, as you are.

I think people are lovely lazy by nature and they need just a few simple guided steps with as the outcome an easy to type/write secure password as presented in this discussion. Handling a (long) passphrase seems too much effort in daily live.

Above all an majority of the ONLINE websites do not allow room for long passphrases. Those websites force the dubious obligation to use "not common characters" (read: brain power) to give the feeling of having a secure password. But the here presented pattern is online equal secure and better to type/write. And when often used it will remember as a well-known pattern, that is a human brain fact. Yes just as passphrases, but much shorter and sufficient secure.

Websites could offer as a better way to security the choise of long passwords, but they fear that users will forget them sooner. They forget that in the eventually case of the possibility using brute force on a insecure website (fast access and no password limits), short passwords/hashes are always unsecure.

For OFFLINE passwords this too shortness is mostly not the case and your passphrase is better applicable, but still too much effort. Short (vocabular) passphrases can be guessed faster than the presented pattern of equal length.

Offcourse you may choose your sentence password, but in fact it gives a lot of superfluous security overkill, extra to the allready overkill of the sufficient secure pattern password presented here.

If the user follows the advised (group)rules then there is no reduction in entropy and still there is overkill left. The user can even choose more groups than advised and increase the overkill and also reducing the userfriendlyness of the password.

So security overkill is minimized in this pattern password and strongly depending on the user correct choises made following the adviced 3 rules.

If you have dozens of passwords in your theory, you have dozens of sentences multiplied with the necessity that all that characters have to be typed by hand or written down (when no use of digital tools).

Most of them you will not remember when needed, also in combination with the userid, website etc. So when needed that sentence password one still need a (analoge) tool (paper) to remind the total good combination of pasword/userid/website. Those things together needs a lot of not userfriendly and accurate typing/writing. In this process the pattern password is fast and secure to type/write and shortens the by hand fill in proces.

In short, I agree with you long passphrases are secure, but not feeling userfriendly and too much, practical impossible to measure, overkill, especially for online usage.
The pattern offers sufficient secure and guided groupwise used passwords.

Wow, are you reader still there? Feel free to give your thought.

[Kowin]

Sorry for the inconvenience.

Something goes wrong with the sending of my posts in this discussion.
Every (little) change afterwards in a already posted comment causes a separate not welcome new update mail.

This did not happen before.

I will report this bug to the editord of this discussion.