pa55: remembering passwords

pa55 is a new way to solve the problem of remembering difficult-to-guess passwords. The idea is to deterministically generate strong passwords based on some easy-to-remember but difficult-to-guess information. All you, as the user, have to remember is some information, not the actual passwords, and pa55 can generate the relevant passwords whenever you need.

The problem is that we cannot remember passwords. We end up using very easy-to-remember and also very easy-to-infer (for the attacker) passwords. We keep using the same passwords for different services. When we realise that this is not a good thing to do then we start writing down passwords; and try to make complicated passwords which are not always that complicated. Sometimes, we also use password managers, many of which help us generate random strong passwords. If we ever need to remember a password that we stored with a password manager then we just unlock the specific password manager database. A solution indeed but not without some drawbacks:

(1) The password manager database contains many passwords associated with other private information such as account numbers, user names and so on, which are then locked with just one (perhaps not-so-strong?) password or sometimes just a four digit code. This creates a single point of failure.

(2) Password managers store data on the cloud for convenience of operation between multiple devices. Although, they use encryption but storing such sensitive data on the cloud itself does not incite much trust in people even if the distrust may not always be reasonable.

Passwords are terrible and there is a lot of research trying to find alternative reliable means of authentication. Until passwords disappear, the solution to the problem discussed above is the industry-standard Password Based Key Derivation Function version 2 or PBKDF2 (RFC2898: https://www.ietf.org/rfc/rfc2898.txt) along with a well-known cryptographically secure hash function: SHA1, SHA256 or SHA512. An easy way to think of this is to consider pa55 as a black box, which accepts as inputs: a master secret, a password hint and some other parameters and outputs a strong random password. So long as the inputs remain the same, output remains unchanged. In other words, so long as you remember the master secret and the password hint, the same strong password will be generated for you. Furthermore, if you cannot distinguish the I from a 1, or a 0 from a o and so on in the generated password then pa55 can read it out in slow-paced clear English.