Life In 19x19

I present to you: GoPass. A revolutionary new method of password generation.

There are ways to make good passwords without a generator. You can look at this LifeHacker article for some tips: http://lifehacker.com/four-methods-to-c ... 1601854240 Yet even these can be somewhat difficult to use once more than a dozen or so accounts are involved. After all, you should use a unique password for each site so that if one is compromised the others are safe.

When it comes down to it, the key is whether the information is meaningful to you. Yet what is meaningful usually comes down to life experience. "PEBKAC" can be just as meaningful to someone as "Earth" or "bicycle" but total gibberish to others. The key in making a good password is to use something meaningful to you that is hard for others to figure out, with enough complexity that a brute-force attack can't crack it easily. That usually means your password should be 12+ characters in length, not based on a dictionary word, and should use all the types of characters in no particular order. The hard part is finding a way to make that meaningful.

How can anyone remember something that complex? Well, we here at L19 do it all the time! We take seemingly random patterns and find deep meaning in them on the go board. How many joseki do you know by heart? How many tesuji do you remember off the top of your head? Now you can take all of that knowledge and use it to keep your online accounts secure.


GoPass starts with a blank go board. After you put in some moves, you can generate a password. This password partly comes from a random number generator, but it's predictable. It uses a seed that can be changed within the program. Entering the same sequence of moves using the same seed creates the same password each time. This means that, if you can memorize a sequence in go, you'll be able to reproduce a strong password whenever you need it. Go's complexity makes for great passwords. A standard keyboard can output 94 characters; a go board has almost 4 times that many options.

For this program, each move gives you two characters. This means that it takes only a 6 move sequence to create a 12 character password. And because you also enter a seed, the number of possible 6 move passwords is virtually infinite. Even if someone knew that the dual Sanrensei was your favorite opening, they wouldn't know that your seed was "Yuta9Dan" so they couldn't generate your password.

Also, there is no move limit. I made the password output a text area inside a viewport. You could play out an entire game to make your password if you wanted (although 1. that's time consuming and 2. I don't know how many websites take 500 character passwords, but I'm sure it's not many).

This program is free and open source, written in Java, and available on SourceForge at https://sourceforge.net/projects/gopass/



Before writing GoPass, I first looked around online to see if something similar existed, also looking for a chess version, but was unable to find anything like this. As far as I can tell, this is the first program of its kind.

Why I made this:



The future of GoPass:

cool idea!

If I understand you correctly you are proposing using a joseki sequence (or some go sequence) to generate a password which you probably cannot remember. So to log into an account you have to use this tool to play out the sequence in order to retrieve the password. You would also have to memorize which joseki is associated with each account. Is this correct?

If I am right then someone could use a joseki dictionary to test all passwords. To prevent this you would have to seed it and remember your seed. That does sound pretty secure, put it sound like a lot of work. And what if the password generator is not available? Presumably it would have to reside on a server somewhere so that you can access it from anywhere. What if the server is down?

I am not trying to dampen the enthusiasm for this. I think it is a clever idea. I just want to understand exactly how it works. I already have an encrypted file on my computer which contains my passwords. What advantage does your method have?

DrStraw wrote:I already have an encrypted file on my computer which contains my passwords. What advantage does your method have?

My understanding is the same as yours. I would say the answer to this question, though, is that this method is reproducible. This means it could work even if you didn't have access to your local computer because of travel, hardware failure, destruction of your property, or some other reason. I use (relatively) weak passwords instead of a password manager just because I don't always access my accounts from the same device. This could certainly help someone like me.

It also slightly reduces the possibility of compromising your passwords by not storing them anywhere. With modern encryption this is unlikely to be a real issue, but your encryption is only as secure as your master password.

Ifyouuseapasswordlikethisyouareprettymuchsafefrombruteforcing123456789

For example something not so clishe.

IlovewalkingmydogWolfie4865 4865-being some numbers that mean something to you.

https://howsecureismypassword.net/

https://www.grc.com/haystack.htm

So, yeah only god can crack that password using bruteforce methods.

Fun project however!

Everybody knows the best password is correcthorsebatterystaple.

Hmmmmm.... I'm interested because I've recently had to go through the hassle of proving I'm me, in order to access my account again, when the "memorable information" that I input something like 12 or 13 years ago turned out to be not so memorable after all, since I couldn't think myself back into the mindset I had back then. And the site somehow has my birthdate wrong.

The trouble I find with long passwords, such as phrases or strings of words like correcthorsebatterystable, is inputting them character-by-character when each character turns into an asterisk immediately. Not all sites allow copy'n'paste.

I long for reliable, easy-to-use biometric logins.

Krama wrote:IlovewalkingmydogWolfie4865 4865-being some numbers that mean something to you.

So, yeah only god can crack that password using bruteforce methods.

This seems to be false.

DrStraw wrote:If I understand you correctly you are proposing using a joseki sequence (or some go sequence) to generate a password which you probably cannot remember. So to log into an account you have to use this tool to play out the sequence in order to retrieve the password. You would also have to memorize which joseki is associated with each account. Is this correct?

Yes, I am proposing using joseki sequences or other go sequences to log into accounts. You could also use something like 8 stones in a row along the top of the board, but that would be counting on security through obscurity (you'll assume no one knows you use this method to create your password) or that your seed is strong enough to be a master password. This could be, but the seed is converted to a long integer (64 bits) for use by the random number generator. That is decently secure, but not nearly as secure as a SHA-2 or other encryption methods used for password security on most sites. The seed's primary purpose is to further increase the variability of passwords, it was not designed to act as a stand-alone security measure.

DrStraw wrote:If I am right then someone could use a joseki dictionary to test all passwords. To prevent this you would have to seed it and remember your seed. That does sound pretty secure, but it sounds like a lot of work.

Using a joseki dictionary to test all passwords for this would be quite the task. Because the board does not take symmetry into account, you'd need to try every joseki at least 8 times. And what if the user played the joseki somewhere else on the board (centered around a different star point, perhaps?), then you'd have to try them there. I'm not saying an exhaustive search like this is impossible, but given the sheer number of possible board states in go, it would require very powerful hardware. Yet just as the seed is not meant to be a stand-alone security feature, the moves are not either. When the move sequence is combined with the seed I can't image this would ever work with modern computing technology.

Yes, this is a lot of work compared to something like a password manager. That is why I hope to write a browser extension for this that allows you to actually use the sequence as a password directly. This program is a step toward a go-based password system. Like all first steps it is wobbly and unsophisticated. For now, as I mentioned in the first hide tag, I'm using this in concert with a password manager. I use this to generate my passwords and the manager to allow me to enter them easily. The reason this is better than using the built-in generator from my manager is that I can reproduce the password later if my manager is unavailable.

DrStraw wrote:And what if the password generator is not available? Presumably it would have to reside on a server somewhere so that you can access it from anywhere. What if the server is down?

This password generator is run locally on your computer. The Java Archive file handles everything from displaying the board to creating the password. If you have the GoPass.jar file, you have the password generator itself. The only way a server going down would be a factor is if you don't have the file on another computer and unsuccessfully try to download it later from SourceForge.

DrStraw wrote:I am not trying to dampen the enthusiasm for this. I think it is a clever idea. I just want to understand exactly how it works. I already have an encrypted file on my computer which contains my passwords. What advantage does your method have?

This is the most important and best question that you asked. The true advantage of this method comes out when comparing it to encrypted files of some kind. An encrypted file is just that - a file on a computer. If someone stole or hacked your computer and obtained the file, it is only a matter of time before they have your passwords. You are counting on your master password to save you from losing all of your password information. If your master password is very strong, then you might be okay, but this program stores no information on your computer. It doesn't write to any files, send anything to any servers, or save a single password. The goal of this program is that the information needed is stored in your brain, not on the computer, and that is the best way to keep your information secure. A brain cannot be hacked by a remote server, so as long as your password is only stored there, it is truly safe.

rat4000 wrote:

Krama wrote:IlovewalkingmydogWolfie4865 4865-being some numbers that mean something to you.

So, yeah only god can crack that password using bruteforce methods.

This seems to be false.

He was first doing true bruteforcing by going 6 to 8 characters...

Now I am using 26 letters + uppercase + 10 numbers and the pass length is 27 characters

26+26+10=62 thus the number of possible combinations is 62^27 which is 4.64*10^34 times more combinations that he wanted to took (and it stated that it would take around 6 hours to bruteforce it so he choose the lowercase only path since it took couple of minutes.)

6 hours times 4.64*10^34 is 20 magnitudes of order longer than the age of the universe thus I am pretty sure you can't bruteforce it.

On the second part of the article where he takes two words out of the dictionary and puts them together.

Yes, the idea is indeed plausable however he does it for only 2-3 words and uses some smart tricks to make the search "hybrid" however the password I mentioned in the previous post has 6 different words + 4 digit numbers.

Even if you put all the supercomputers of the world it would probably take millions of years to crack it that way.

edit: The hybrid way of doing it is something I never seen before but it seems quite good.

he replaces letter e with 3 in some cases and l and i with 1 probably, o with zero etc.

However Ilovewalking$ydogWolfie4865

Picking a letter that is not commonly switched with a number or sign like m for $ which seems random makes the search impossible. You would need to have computers the size of universe to crack this.

I have updated GoPass to version 1.1! You can get the update here: https://sourceforge.net/projects/gopass/

This update adds the ability to choose whether or not symbols are included in the passwords. This is necessary because some websites do not allow certain symbols - or any symbols at all! Additionally, I've increased the randomness of the passwords generated both by improving the behind-the-scenes character board and the seed parsing. While this is good for preventing password collisions (two different seeds and/or sequences leading to the same password) it has the unfortunate side effect of making 1.1 no longer generate 1.0 passwords. I've kept version 1.0 on the SourceForge so that it can still be downloaded there, and obviously version 1.0 will still work just fine. However, if you enter your sequence and seed into version 1.1, it will give you a different password.

There are also some important code improvements. The code looks less like code written in a few days and is much more polished. It also allowed me to cut out some lines that turned out to be needed only to make up for said badly written code and, as such, this version runs better. You'd need to use it on a dinosaur of a computer to notice a difference, but the improvement is there.

As for the possibility of a browser extension... I'm still in the beginning stages of learning how to code Firefox extensions, so that shouldn't be expected anytime soon. But that is still the ultimate goal for this project.

There are other ways:

N4apennyN4a# hint: "go for broke"
I82much4lunch hint: "indigestion at noon"

These days, with "texting" shortcuts popular, you should be able to come up with mnemonic phrases where at least some of the characters will be numeric and/or special. Another useful idea is personal phonetics of words/expressions from languages not written with Roman letters.

I disagree with the idea that you need different passwords for every site. There are two sorts of sites, those where security is important (your bank, etc.) and sites where it is not. Most of us visit a large number of the latter. A single "low security" password could be used for all of those since if compromised, of no consequence.

As I said in the first post, you certainly can use other methods to generate passwords. However, as rat4000 pointed out with this article, it is a bad idea to have your password be based on dictionary words, even when intermixed with "texting" variations. Rainbow tables are real and have compromised millions of online accounts.

While you do not need a different password on sites where security is not important, people do use a surprising number of sites where security matters. Imagine, between having just 2 bank accounts, a PayPal account, an eBay and Amazon account, and a Google Wallet account you're already at 6 accounts where security is important for the sake of protecting your credit card and other financial information. But then, because password resetting is usually done via e-mail, your e-mail account password also matters, so if you used 2 different e-mails when setting up these accounts, we're at 8 passwords. Finally, social networking has become an important part of many people's lives, so a secure Facebook, Twitter, and/or LinkedIn password may also be valuable. That's up to 11 important sites for someone who doesn't do more than a typical person online. Memorizing 11 unique and strong passwords is not impossible, but it is a chore.

As for using password hints, I've recently had to reset an account password because, despite having a hint, I couldn't remember the unique password I set up a couple years ago. To me, something like "srslabr-tm" is a better password hint, because I know exactly what to do to figure out my password.



I'm not saying everyone needs to use GoPass for generating their passwords. At the moment, I'll admit the system is a bit clunky. However, I do recommend to all of my friends and family that they consider getting a password manager and using two-step verification where available to help keep their accounts secure.

A single "low security" password could be used for all of those since if compromised, of no consequence.

If a high-dan player wants to log in to my KGS account and get me to shodan, I'd appreciate it. (Granted, I'd bet that violates the terms of service. And the alternative is having me log in to the dan's account and getting them down to 7k. )