New Password Paradigm Technical Principles

Here are the technical principles of the New Password Paradigm:

User passwords are generated for users randomly on their behalf and sent them via email.
Generated passwords should be as easy to use and easy to remember as possible.
Passwords should have sufficient entropy to eliminate the possibility of automated guessing.
Password input should be as forgiving as possible to make it easier to enter.
Password input should be as automated as the platform allows.

Process Flow

When the user signs up for the first time, a password is generated for them and sent via email, whereupon they use that password to log in.
If the user has forgotten or lost their password, the same algorithm and process is used to send a new password.

Password Generation Algorithm

Here we will offer a simple algorithm (implemented here in JavaScript) that satisfies the Technical Principles. It is not the only possible solution, however. (This is just for illustration only, the complete reference implementations are below).

function np_pwGen()
{
	return np_pwTerm() + " " + np_pwTerm();	// 2073600^2 = 4,299,816,960,000 permutations
											// @1000 guesses per second = 136 years
}

function
np_pwTerm()
{
	return np_termHalf() + np_termHalf();	// 1440 * 1440 = 2073600 permutations
}

function
np_termHalf()
{
	var firsts = "bcdfghjklmnprstvwz";		// 18 characters
	var mids = ["a", "e", "i", "o", "u"];	// 5 characters
	var lasts = "bcdfgjklmnprstvz";			// 16 characters
											// == 1440 permutations

	var rv = "";

	rv += firsts.substr(np_rand(firsts.length), 1);
	rv += mids[np_rand(mids.length)];
	rv += lasts.substr(np_rand(lasts.length), 1);

	return rv;
}

function np_rand(max) {		// return a number between 0 and max
	return Math.floor(Math.random() * max );
}

About This Algorithm

It produces readable two-syllable password phrases.
It generates a random password with an entropy of about four trillion possibilities, which should be more than sufficient for most systems (you could add another term to make the entropy astronomical, for instance).
It implicitly relies on the password parsing algorithm illustrated below: spaces should be optional on input, and matching should not be case sensitive. This way, a user could enter, "word word", or "wordword", or "Word Word", "WordWord", and so on and still match the password.
It does not include upper case letters, numbers or special characters that are slower to enter on mobile devices.

Password Parsing Algorithm

Here again we will offer a simple parsing algorithm, here implemented in JavaScript, to demonstrate the principles of the New Password Paradigm. This algorithm works in conjunction with the password generation algorithm above.

function
np_cleanPassword(input)		// this returns a cleaned up version of the password or false if invalid format
{
	var alphas = input.toLowerCase().replace(/[^a-z]/g, '');		// remove anything not a-z

	if(alphas.length != 12){
		return false;
	}

	return alphas.substr(0, 6) + " " + alphas.substr(6);
}

Password Display Function

Using the above password parsing algorithm, you can now display user passwords in easier-to-remember chunks. In other words, instead of displaying:

Hello! Your new password is: zotpuglopwed.

You can instead display it like so:

Hello! Your new password is: zotpug lopwed.

Here's the code to convert the password generated by the example algorithm into the above more easily read format:

function
np_displayPassword(input, separator)	// return the password string into something easy to read
{
	return input.substring(0, 4) + separator + input.substring(4, 8);
}

Reference Implementations

The above code snippets are for illustration purposes. We are also offering complete reference implementations in JavaScript and Java. These implementations attempt to be as complete and useable in the real world as possible, and in particular deal with the filtering of undesirable phases within generated passswords.

Platform-Specific Convenience Considerations

On mobile platforms, a simple optimization would be for your app to scrutinize the clipboard when the app is brought to the foreground and it is in the login screen, and, if the password is in the right format, automatically enter that password and attempt to log the user in (and ignore the clipboard text if the format is not exactly correct).

Future Directions

As this project is in its infancy, we will be pursuing the following as time permits:

Example implementations in several common programming languages (PHP, Java, Ruby, Objective-C, etc.).
A more interesting or readable real-word-based password generating algorithm.
Password generators that are better for non-English languages.