28

Typing on a smartphone is tedious. Special characters are the hardest; lowercase letters are generally the easiest. But even a long all-letter passphrase like "correct horse battery staple" is difficult to type on a smartphone.

I normally use LastPass on my computers, and let it generate long passwords with a mix of letters, numbers, and symbols. For example: "5&8fjmYyb4^Vd2n". Since I never have to read or type these passwords, they can be anything.

There is a LastPass app for just about every platform out there (cool). The one for Android is basically a web browser. If I want to log in to, say, http://amazon.com, it can fill in my credentials. But Amazon also has a few apps: Kindle, MP3 Cloud player, App Store, etc. These apps have their own login screens.

To run the Amazon Kindle PC software, I can use LastPass to copy my Amazon password to the clipboard, then paste into the Kindle software login screen. However, copy/paste and switching between apps on Android is clumsy. It's better than typing "5&8fjmYyb4^Vd2n" but it still is a pain.

Two other obvious examples are the Twitter and Facebook apps. There are many more.

My phone has a slide-out keyboard, so digits and lowercase letters are easily accessible. Uppercase and some symbols (those on the numbers) are harder to get to. Other symbols are very difficult, as you have to navigate UI to look for them.

Similarly, the Kindle has a keyboard and a web browser. Both are hard to use, but sometimes they're just the ticket. There is no LastPass app for Kindle.

Ideally, I'd like a way to come up with strong, easy-to-remember passwords that are also easy to type on these hard-to-use devices.

Bob Ortiz
Jay Bazuzi
    What are you using the password to protect? What model or type of smart phone? Does it have a slide out thumbboard? Are alternate authentication mechanisms such as speech and facial recognition possible? – this.josh Aug 11 '11 at 07:51
  • @this.josh: good questions. In this case, my phone has a slide-out keyboard, but I'm hoping for a more general solution. – Jay Bazuzi Aug 11 '11 at 17:24
  • I think a general solution will not achieve a strong password that has high usability for a general device. This is because the class of general smartphones has great variety in the user interface both physically and logically. The best way to approach a problem of a variety of devices is to use an external component. I would suggest something like a microSD hardware security module. – this.josh Aug 11 '11 at 21:41
  • My phone has a handwriting recognition system on it which I use for entering characters that are not on my touchscreen keyboard. In particular I use this for entering Chinese text in my emails/texts. Is a similar handwriting app available on your phone? – Rincewind42 Aug 12 '11 at 03:56
  • @JayBazuzi, Why not simply make a strong one and commit some time to muscle memorize it? (it's your *password* after all) I don't actually know my password by heart, but my fingers know where they need to go. – Pacerier Jul 17 '12 at 20:59
  • XKCD Was Wrong, because the comic assumes hackers will try every possible combination of all ASCII characters. In reality they know humans don't use truly complex passwords so they try all possibilities within a rule set (all lowercase letter combinations, all English words, etc.). They are limited by their hardware; the link below follows three hackers while they attack a huge list of passwords. [ArsTechnica How Real Hackers Hack "Anatomy of a Hack"](http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/) –  May 30 '13 at 14:52
  • 1
    You somehow managed to deduce the exact opposite conclusion from the content of the article. The article demonstrates how `Tr0ub4dor&3`-style passwords (made from semi-memorable variations on dictionary words) are easy to crack. The xkcd comic proposes a password generation scheme that is not vulnerable to the amount of brute force expended in this attack. – Gilles 'SO- stop being evil' May 30 '13 at 15:16

5 Answers

11

You actually already have part of the answer: to make it easy to type, use only lowercase letters.

Now the trick is to know how many letters to use. If you want, e.g., 40 bits of entropy (a quite high goal for a password), then you must accumulate at least x letters such that 26^x > 2^40 (i.e. 9 letters). 9 letters are sufficient if they are chosen uniformly, randomly and independently from each other; do not try to do it in your head, the human brain is a terrible RNG. Instead, use a good RNG (coin flips, dice, a computer with /dev/urandom...) and, that's the important bit, stick to the result: you get your 9 letters, accept them and learn them.

If you want to have a password that you can "easily" memorize then you need more letters. For instance, you could generate 100 sequences of 10 letters, and keep the one which pleases you most; since 26^10 > 100 * 2^40, you still get your 40 bits of entropy.

See this question (in the crypto-specific stackexchange site) for details on the involved mathematics.

Thomas Pornin
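The arithmetic in the answer above, carried through as an added example (not code from the answer's author): it computes the minimum number of lowercase letters for a target entropy, draws candidates from the OS CSPRNG, and accounts for the entropy given up when a human keeps 1 of N candidates. The helper names are my own.

```python
import math
import secrets
import string

# Only lowercase letters: the cheapest characters to type on a phone keyboard.
ALPHABET = string.ascii_lowercase


def letters_needed(bits: float, alphabet_size: int = len(ALPHABET)) -> int:
    """Smallest x with alphabet_size**x >= 2**bits.

    For 40 bits and 26 letters this is 9, since 26**9 > 2**40 > 26**8.
    """
    return math.ceil(bits / math.log2(alphabet_size))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of `length` symbols drawn uniformly and independently."""
    return length * math.log2(alphabet_size)


def random_letters(length: int) -> str:
    """Draw letters from the OS CSPRNG (never from your head)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def candidates(length: int, count: int) -> list:
    """Generate `count` independent candidates for the user to choose from."""
    return [random_letters(length) for _ in range(count)]


def entropy_after_choice(length: int, count: int) -> float:
    """Worst-case entropy left when a human keeps 1 of `count` candidates.

    The attacker may model the choice perfectly, which costs at most
    log2(count) bits; 10 letters and 100 candidates still leave > 40 bits,
    matching the answer's 26**10 > 100 * 2**40.
    """
    return entropy_bits(length) - math.log2(count)


if __name__ == "__main__":
    n = letters_needed(40)
    print(f"{n} lowercase letters give {entropy_bits(n):.1f} bits")
    for pw in candidates(10, 5):
        print(pw)
    print(f"pick 1 of 100: {entropy_after_choice(10, 100):.1f} bits remain")
```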
8

Hmmm, it seems you have already considered that know-it-all horse. In my experience, that (lowercase pass-phrase of multiple words) is the easiest option without a special app - each operation gets you one additional character (as opposed to special chars, where multiple operations get you one character).

Apart from that, there's a (cross-platform) app named Keepass, also available for Android (free, for 1.5+, IIRC); I'm using the clipboard to ferry passwords to and fro, clearing it afterwards - thus the annoyance of password management is independent of password length and type, allowing for arbitrary password length. I'm also using Dropbox to sync the (encrypted) password file with my desktops.

  • 3
    Side rant: anyway, some services *cough Skype cough* are still enforcing a ridiculously tiny **maximum** password length, rendering any attempts at reasonable password entropy moot - what are they doing, storing the damn plaintext? (I see no other explanation) – Piskvor left the building Aug 11 '11 at 09:53
  • I would ditto Piskvor's suggestion of using a password manager. He suggests Keepass; I've also used Keepass as well as Lastpass and Roboform, each of which support mobile apps. This will allow you to keep passwords complex without worrying about typing them in. However, you still have to key a master password to start the password manager app. – Rincewind42 Aug 12 '11 at 03:51
  • @Rincewind42: Indeed, but memorizing *one* good password is easier than memorizing many; thus you can have a more complex master password (e.g. eight words, interspersed with numbers and special characters). At that point, of course, the Rubber-Hose algorithm becomes an easier method of cryptanalysis. – Piskvor left the building Aug 12 '11 at 07:35
5

What I do on a Blackberry (because I got annoyed with the multiple keypresses to select a symbol or different case etc.) is use a long password that I don't actually know. I just know the shape of it on the keyboard.

It might have upper or lower case or symbols - I'd have to check to actually find out:-)

Actually had a look to check I meet entropy needs (based on @ThomasPornin's answer) and I figure I'm good - current password is 16 chars!

Rory Alsop
2

Markus Jakobsson and Debin Liu have proposed an intriguing approach to password authentication on smartphones. Their proposal is basically to take any ordinary password, and then map its first four characters to a 4-digit PIN by using the standard telephone mapping (e.g., ABC -> 2, DEF -> 3, etc.).

Their approach generates a 4-digit PIN. This has advantages and disadvantages:

  • The primary advantage is usability: it is easy to enter on your phone. This is likely to be a huge benefit for many users.

  • The primary disadvantage is, obviously, security: a 4-digit PIN is easier to guess. It is application-specific whether a 4-digit PIN is adequate. Obviously, for a 4-digit PIN to provide good security, the web site needs to take various steps to deter random password guessing, including limits on the rate at which an attacker can try passwords or limits on the number of incorrect password attempts that are allowed. However, their paper argues that if these appropriate steps are taken, their scheme can provide adequate security for many purposes.

I encourage you to read the paper and form your own opinion about whether it is appropriate for your needs.

D.W.
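The keypad mapping described in this answer, as an added example that is not the paper's or the answer author's code: it maps the first four characters of a password to a PIN via the standard telephone keypad and pairs it with the server-side attempt limit the answer says such a scheme needs. How the paper treats digits and punctuation is not stated here, so mapping them to themselves and to "1" respectively is my assumption, as is the lockout threshold.

```python
import hmac
import math

# Standard telephone keypad: the letters printed on each digit key.
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}


def password_to_pin(password: str, length: int = 4) -> str:
    """Map the first `length` characters of a password to keypad digits.

    Letters use the keypad (case-insensitive); digits map to themselves.
    Assumption (not from the paper): any other character maps to "1",
    the key that carries no letters.
    """
    if len(password) < length:
        raise ValueError("password shorter than PIN length")
    pin = []
    for ch in password[:length]:
        if ch.isdigit():
            pin.append(ch)
        else:
            pin.append(LETTER_TO_DIGIT.get(ch.lower(), "1"))
    return "".join(pin)


def pin_entropy_bits(length: int = 4) -> float:
    """Upper bound on PIN entropy: 4 digits is about 13.3 bits, far below the
    original password, which is why online guessing must be throttled."""
    return length * math.log2(10)


class PinVerifier:
    """Server-side check with a hard lockout after `max_attempts` failures."""

    def __init__(self, password: str, max_attempts: int = 5):
        self._pin = password_to_pin(password)
        self.max_attempts = max_attempts
        self.failures = 0

    def verify(self, attempt: str) -> bool:
        if self.failures >= self.max_attempts:
            return False  # locked: further guesses are refused even if correct
        if hmac.compare_digest(attempt, self._pin):
            self.failures = 0
            return True
        self.failures += 1
        return False
```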
1

It has been a while since this question was posted, so perhaps times have changed.

Many mobile phone password managers include a special keyboard that can look up passwords in the password manager and type them in for you in a single button press. Some of them on Android even take advantage of accessibility features to do that automatically with minimal interaction.

I thought LastPass was among the apps that support this feature, but if not, I know 1Password supports it, PasswordBox (and assumably TrueKey) supports it, KeePass has a couple apps that support it, and there are a few more.

This feature will allow you to use the password manager in any browser page and on any app with a login field, without any need for app switching or copy-paste (assuming your password database is already open). So now you just need to be able to log into your password manager easily. Either deal with the infrequent long password entries, or find an app that supports shorter logins like a PIN or fingerprint reader, but be aware that may compromise your security to some extent if your phone gets lost or stolen and you don't take steps to protect the stored data.

Ben
  • 2
    Yes, a lot has changed indeed. iPhones for example now have Touch ID, which allows a login with just your fingerprint. Even third-party apps have an interface to Touch ID (eg. PayPal supports Touch ID login). – ST2OD Apr 20 '16 at 06:23