Pass Phrazr

Passwords are sometimes hard to remember, or at least hard to read, because good passwords are cryptic. That’s a fact and I am still fine with it, because I pay attention to obvious security flaws or risks. However, there are some situations when you do not need cryptic passwords – like “first time passwords”, or “single time passwords”. For this particular case I came up with a nice idea and I’d like to call it pass phrazr (phraser).

Instead of cryptic passwords, use phrases and or simple sentences. If you just enter some phrases as possible pass phrases it doesn’t work very well, but if you use a directory it does. Plus, you can serve i18ln passwords if you add a locale.

The easiest sentence is SVO structured but “Tim like Dogs” sucks and isn’t fancy at all, so I’m going to use a more stylish composition. Factual phrases with *izm nouns instead of boring objects! RaaaaR.

Here’s a simple MySQL Table:

CREATE TABLE passphrazes (
	passphraze_word 	varchar(30) 					NOT NULL,
	passphraze_type 	enum('subject','verb','noun') 	NOT NULL,
	PRIMARY KEY (passphraze_word)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin;

If you still wonder about it - the magic goes here:

SELECT concat(  
	(SELECT passphraze_word 
		FROM passphrazes 
		WHERE passphraze_type = 'subject' 
		ORDER BY RAND() 
		LIMIT 1),
	'-',
	(SELECT passphraze_word 
		FROM passphrazes 
		WHERE passphraze_type = 'verb' 
		ORDER BY RAND() 
		LIMIT 1),
	'-',
	(SELECT passphraze_word 
		FROM passphrazes 
		WHERE passphraze_type = 'noun' 
		ORDER BY RAND() 
		LIMIT 1)
);

No clue jet? Well, by selecting random rows you can generate funny phrases like:

He allocated nahualism.
She reinforced mithridatism.
They served social-evolutionism.

Then style it and additionally pimp it more secure (replace spaces with dashes, plus signs, or even camelize it) in your favourite coding language:

He-allocated-nahualism.
SheReinforcedMithridatism.
They+Served+social-evolutionism.

The use case is hopefully obvious. If someone sign up at your site and you generate the first time password for the user, why not something meaningful? There are tons of possibilities to combine words unique.

updated