
Human speakable password generator in JavaScript


I am in the process of developing a script that generates human-speakable strings for use in passwords. I am only concerned with English-sounding phrases. So far I have come up with the notion of different arrays:

const vowels = ['a','e','i','o','u'];
const single_consonants = ['b','c','d','f','g','h','j','k','l','m','n','p','q','r','s','t','v','w','x','y','z'];
const double_consonants_leading = ['Bh','Bl','Br','By','Ch','Cl','Cr','Cy','Dr','Dw','Dy','Fl','Fr','Fy','Gh','Gl','Gn','Gr','Gw','Gy','Hy','Jy','Kn','Kr','Kw','Ky','Ly','Mc','Mn','Mr','My','Ny','Ph','Pl','Pn','Pr','Ps','Py','Q','Rh','Ry','Sc','Sh','Sk','Sl','Sm','Sn','Sp','St','Sv','Sw','Sy','Th','Tr','Ts','Tw','Ty','Vr','Vy','Wh','Wr','Wy','Xy','Y','Z'];
const double_consonants_trailing = [/* ... */ 'ch' /* ... */];
const triple_consonants_leading = [/* ... */ 'Dry','Fly' /* ... */];
const triple_consonants_trailing = [/* ... */ 'rch' /* ... */];

I will then define a set of rules to concatenate elements from these arrays to create strings but not necessarily words that you would find in the dictionary.

An example is: "Frug-Spunner-Snow-Drive"

Another alternative is to use a list of words found in the dictionary; however, my first thought on that is that it is a finite list. As soon as someone knows which list you are generating strings from, it will inevitably reduce the time taken to crack it.

My solution will not only create words found in the dictionary but strings that sound like words.

function generateString(length)
{
    // ...
    return randomString;
}

generateString(7);

outputs: "Brownen" (a random string)

The function will take an argument length and return a string of that length. It could be improved by accepting more arguments, such as how many parts to use and the separator to be used between those parts.

function generateString(parts,lengthOfPart,separator)
{
    // ...
    return randomString;
}

generateString(4,5,"-");

outputs: "Crown-Drive-Knife-Gnome" (4 strings, each 5 characters long, split by a hyphen)

This is what I have so far, and the question itself is a work in progress. I would like to make sure that I am on the right track.

My question is: Is this overkill? What are the pros and cons? And ultimately, how will I go about developing this in JavaScript?

Edit 1 (13/11/2013)

I have since found an article here: http://www.baekdal.com/insights/password-security-usability that describes using a list of common words, but as long as three+ words are used at any given time then it is very secure as the time it takes to break it is so long the thing you are trying to protect will be of little value.

Edit 2 (10:10 14/11/2013)

I have found another article referring to a Markov Chain generator http://www.soliantconsulting.com/blog/2013/02/draft-title-generator-using-markov-chains in JavaScript, but again the text is generated from a source text. Is this possible without it and by defining rules?


Solution

  • I think a good approach might be to use a Markov Chain that is generated from a large body of English text. A Markov Chain is basically a probabilistic construct which is dependent upon the source from which it is generated, so you are likely to get many English-like words that are pronounceable. In a Markov Chain, you have a state from which you can transition into many other states based on a probability. Since your Markov Chain will be based on English letters from a body of English text, transitions from one letter to another letter will be more probable than a transition to a different one. For example, it is more likely to transition from c to a or o, than from c to z or x. I have a simple Perl script that generates Markov Chains based on words or letters and I was able to get the following "words" that seem to be pretty pronounceable:

    Engulary 
    Beavy 
    Lan 
    Irstatinval
    Bassions
    Assish 
    Forld  
    Anturopean 
    Cought 
    Froot 
    Thation 
    

    Keep in mind though that the entropy is limited by the source material, so it is better to have a large body that you're generating words from. Taking a pointer from the xkcd password generator mentioned by Diodeus, you can combine two or more of these words into a pronounceable but nonsensical phrase that can be a password as well.
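The Markov Chain approach from the answer, sketched in JavaScript as an added example (not code from the question, the answer, or the Perl script it mentions). `CORPUS` is a small constructed word list and all function names are assumptions; letters are drawn with the platform CSPRNG rather than `Math.random()`, and each result carries its surprisal in bits so the answer's point about entropy being limited by the source material can be measured.

```javascript
// Constructed sample corpus; a real generator needs a far larger body of English text.
const CORPUS = ['crown', 'drive', 'knife', 'gnome', 'brown', 'snow', 'spun', 'frog', 'thrive', 'stone',
  'grave', 'prime', 'flown', 'shine', 'trade', 'clone', 'bride', 'glide', 'spine', 'crane'];
// Web Crypto in browsers and recent Node; Node's built-in module otherwise.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// Uniform integer in [0, n) from the CSPRNG, using rejection sampling to avoid modulo bias.
function randomBelow(n) {
  const buf = new Uint32Array(1);
  const limit = Math.floor(0x100000000 / n) * n;
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Letter-to-letter transition counts; '^' marks the start of a word and '$' its end.
function buildChain(words) {
  const chain = new Map();
  for (const w of words) {
    const s = '^' + w.toLowerCase() + '$';
    for (let i = 0; i < s.length - 1; i++) {
      const next = chain.get(s[i]) ?? new Map();
      next.set(s[i + 1], (next.get(s[i + 1]) ?? 0) + 1);
      chain.set(s[i], next);
    }
  }
  return chain;
}

// Walk the chain from '^' until '$' or maxLen letters; bits = -log2(probability of this word).
function generateWord(chain, maxLen = 8) {
  let state = '^', word = '', bits = 0;
  while (word.length < maxLen) {
    const next = chain.get(state);
    const total = [...next.values()].reduce((a, b) => a + b, 0);
    let pick = randomBelow(total);
    for (const [ch, count] of next) {
      if (pick < count) { state = ch; bits += Math.log2(total / count); break; }
      pick -= count;
    }
    if (state === '$') break;
    word += state;
  }
  return { word, bits };
}

// Join `parts` generated words with `separator`, summing the surprisal of each word.
function generatePassword(chain, parts = 4, separator = '-') {
  const words = Array.from({ length: parts }, () => generateWord(chain));
  return { password: words.map(w => w.word).join(separator), bits: words.reduce((t, w) => t + w.bits, 0) };
}
```

Comparing `bits` with the roughly 4.7 bits per letter of uniformly random lowercase text shows how much guessability the pronounceability costs for a given corpus.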