ING Attorney, Agent, Or Firm-Lowe, Price, Leblanc & Becker PRONOUNCEABLE SECURITY PASSWORDS 57 ABSTRACT 75) Inventor: Ravi Ganesan, Arlington, Va

IIIHIIIII USOO5588056A United States Patent (19) 11 Patent Number: 5,588,056 Ganesan 45) Date of Patent: Dec. 24, 1996

54 METHOD AND SYSTEM FOR GENERATING Attorney, Agent, or Firm-Lowe, Price, LeBlanc & Becker PRONOUNCEABLE SECURITY PASSWORDS 57 ABSTRACT 75) Inventor: Ravi Ganesan, Arlington, Va. A pronounceable security password is generated using a plurality of first word segment portions and second word 73) Assignee: Bell Atlantic Network Services, Inc., segment portions, each of which has at least one character. Arlington, Va. A transition number, for each of the plurality of first word segment portions is identified, preferably using a Markov 21 Appl. No.: 328,226 model. Each transition number corresponds to the number of different second word segment portions which can be com 22 Filed: Oct. 25, 1994 bined with the first word segment portion to form a pro 151 Int. Cl...... H04L 9/00 nounceable word segment, such a word syllable. A first word I52 U.S. Cl...... 380/4; 380/4; 380/9; 380/23; segment portion is randomly selected. The selection of any 380/25; 380/30; 380/44; 380/49; 380/50 one of the plurality of first word segment portions is of 58 Field of Search ...... 380/9, 23, 25, substantially equal probability. A second word segment 380/30, 44, 49, 50, 4 portion, to which the transition number associated with the selected first word segment portion corresponds, is then (56) References Cited randomly selected. The selection of any one of the corre sponding second word segment portions is likewise of U.S. PATENT DOCUMENTS substantially equal probability. The selected first and second word segment portions are combined to form at least a part 5,394,471 2/1995 Ganesan et al...... 380/23 of the pronounceable security password. Primary Examiner-Thomas H. Tarcza Assistant Examiner-Hrayr A. Sayadian 55 Claims, 9 Drawing Sheets

330 300 GENERATE TRANSTON CHECK YES PROBABY CONSECUTIVE CHARACTERS MARX OK?

340

DSOARD SELECT COMPUTE

TRANSiTION

in "E"CHARACTER CHARACTER

30 CATEGORIE COMBINE SELECTED BGRAMS TRANSiTION

CHARACTER WITH PREVIOUSLY COMBINED 3S CHARACTERS SELEC BGRA

CHECK 30 SELECT DISCARD CONSECUTYE TRANSION TRANSiTION CHARACTERS CHARACTER CHARACTER OK?

IS 35 COMBINE PASSWORD SELECTED BIGRAM+ COMPLETE TRANSiTION CHARACTER YES 365 ENCRYPTIDECRYPT MESSAGES U.S. Patent Dec. 24, 1996 Sheet 1 of 9 5,588,056

8,000,000 ass' 4,000,000 e loooooo.logo £ 6.999999 2,000,00099.99 2 3 4 5 6 7 8 9 O 2 3 4 5678920) 222324 25 BUCKET FIG. 1 PRIOR ART U.S. Patent Dec. 24, 1996 Sheet 2 of 9 5,588,056

4.00%

|~ abcdeT fgh ijk I'm no pr’s tuww.xyz chghphrhshth whqu BUCKETS FIG. 2A PRIOR ART

4.00% PERCENTAGE PROBABILITY

00% S

0.00% W X BUCKET FIG. 2B PRIOR ART U.S. Patent Dec. 24, 1996 Sheet 3 of 9 5,588,056

330 300 GENERATE CHECK TRANSTION YES PROBABILITY CONSECUTIVE MATRIX CHARACTERS OK?

340

305 DISCARD SELECT

fits COMBINED BIGRAM

COUNT + TRANSiTION TRANSiTION CHARACTER CHARACTER

30 CATEGORIE COMBINE SELECTED

BIGRAMS TRANSTION CHARACTER WITH PREVIOUSLY COMBINED 35 CHARACTERS SELECT BIGRAM

CHECK 320 SELECT DISCARD CONSECUTIVE TRANSiTION TRANSTION CHARACTERS CHARACTER CHARACTER OK?

IS 325 COMBINE PASSWORD SELECTED COMPLETE2 BIGRAM + TRANSiTION CHARACTER YES 365 FG. 3 ENCRYPT/DECRYPT U.S. Patent Dec. 24, 1996 Sheet 4 of 9 5,588,056

FROM 325 (SEE FIG3)

40 DISCARD COMBINED CHECK

BIGRAM - CONSECUTIVE TRANSiTION CHARACTERS CHARACTER OK?

IS TO 35 PASSWORD (SEEFIG3) COMPLETE

420

ENCRYPT/DECRYP MESSAGES

FG. 4 U.S. Patent Dec. 24, 1996 Sheet S of 9 5,588,056

GENERATE 500 TRANSTION PROBABILITY MATRIX

COMPUTE 505 TRANSiTION COUNT

50 CATEGORIE WORD SEGMENTS

55 SELECT + COMBINE WORD SEGMENTS

520 ENCRYPT/ DECRYPT MESSAGES F.G. 5 U.S. Patent Dec. 24, 1996 Sheet 6 of 9 5,588,056

FROM 305 (SEE FIG3)

625

600 Establish IS TRANSiTION ENCRYPT/DECRYPT PASSWORD COUNT MESSAGES COMPLETE2 THRESHOLD 675 605

SELECT SELECTRANSiTION CHARACTER

COMBINE SELECTED SELECT TRANSTION TRANSiTION CHARACTER CHARACTER WITH PREVIOUSLY COMBINED CHARACTERS

COMBINE DISCARD ESTABLISH

SELECTED BIGRAM SELECTED DFFERENT

-- TRANSiTION TRANSiTION TRANSTION COUNT CHARACTER CHARACTER THRESHOLD

620

CHECK CHECK CONSECUTIVE YES CONSECUTIVE CHARACTERS CHARACTERS OK? OK? NO 680

DISCARD COMBINED BIGRAM F.G. 6 - TRANSiTION CHARACTER U.S. Patent Dec. 24, 1996 Sheet 7 of 9 5,588,056

FROM 615 (SEE FIGURE 6)

700

CHECK TO 680 NO CONSECUTIVE (SEE FIG6) CHARACTERS OK?

IS PASSWORD TO 605 COMPLETE (SEE FIG6)

ENCRYPTIDECRYPT MESSAGES

FIG 7 U.S. Patent Dec. 24, 1996 Sheet 8 of 9 5,588,056

804 LOCAL STORAGE 802 86 806 NETWORK LOCAL ADMINISTRATOR PROCESSENG 824 STATION UN 80 84 USER USER INPUT INPUT DEVICE DEVICE

820 826 828

8) NETWORK PROCESSING UNIT

82)

808 NETWORK STORAGE DEVICE FG. 8 U.S. Patent Dec. 24, 1996 Sheet 9 of 9 5,588,056

5,588,056 1. 2 METHOD AND SYSTEM FOR GENERATING Bellovin, S. and M. Merritt, "Encrypted Key Exchange' PRONOUNCEABLE SECURITY PASSWORDS IEEE Computer Society Symposium on Security and Pri vacy, May 1992, Oakland, Calif.) or enlarging the size of the likely password key space K. until it approaches the size of BACKGROUND OF INVENTION K, where K is very large. Another approach to improving 1. Field of the Invention password security is to establish a system to select a random This invention relates to security passwords and more password of key space K for the user. This later approach, particularly to a method and system for generating secure however, can be particularly unfriendly to the user and can pronounceable passwords. lead to users maintaining a written ledger of their passwords 10 to avoid having to memorize a long and arbitrarily selected 2. Description of the Related Art password. Poorly chosen passwords continue to be a major cause of security breaches. The increasing popularity of such prod As noted above, attackers typically attack passwords ucts as the Unix Operating System and the Kerberos Authen using dictionary attacks. Either (i) by eavesdropping on the tication Protocol in commercial environments accentuate network or (ii) by requesting from a security server, e.g. in 5 the Kerberos (KOHL90) system, or from a file on a system, this problem, as both are vulnerable to security breaches by the attacker can obtain several strings each of which repre dictionary attacks which search for poor passwords. sents known plaintext encrypted with user passwords, e.g. in Given the choice, most users choose passwords from a UNIX a string of zeroes is encrypted with the user password. "likely password' key space, K, that is a small fraction of The attacker then attempts to decrypt these strings by the entire key space, K, available to them. This smaller key 20 methodically trying passwords from a dictionary of com space is typically composed of bad passwords and bad noisy monly used passwords, and obtain the original plaintext. A passwords. Bad passwords are those chosen from natural related approach which uses less time (but more space) is to language, jargon, acronyms, dates, or other numeric series, pre-compute the encryption of all the passwords in the and/or derivatives thereof. Bad noisy passwords consist of a bad password plus noise (e.g. tiger2 or computer). The dictionary, so once the strings are obtained, a simple lookup small size of K, facilitates breaches of security through is all that is needed to obtain the user password. exhaustive searches of the "likely password' key space, There are at least three approaches to solving the problem which can be performed using conventional techniques and of poorly chosen user passwords, and each has its field of use. First, smart cards or token authenticators can be used to technologies that are well known in the art. For instance, in completely replace the password. Second, proactive pass the Unix operating system (see Morris, R. and K. Thompson. 30 "Password security: A case history', Communications of the word checkers which examine passwords and do not allow ACM, 22(11), November 1979), user passwords are trans bad passwords to be utilized can be used. Finally, a password formed using a one way function based upon the data generator can be used by the system to generate secure encryption standard (DES) (see Data Encryption Standard, passwords for the users. National Bureau of Standards, Federal Information Process 35 Recently, an improved technique for proactive password ing Standards, Publication No. 46-1 (Jan. 15, 1977)), and checking has been described in U.S. patent application Ser. then stored in a password file that is usually accessible to a No. 08/121,852, filed Sep. 17, 1993, entitled Method and number of individuals and is in all cases accessible to the System for Proactive Password Validation, (Attorney administrators of the system to which the password provides Docket No. 680-072), which is also assigned to the assignee access. As the one way function itself is not secret, an of all rights in the present application. As described the adversary can methodically apply this function to all words technique provides a proactive password validation method in K, and then compare the results to those in the password and system which will protect against the selection of bad file. The Kerberos Authentication Protocol (see Kohl, J. C. passwords belonging to a dictionary of bad passwords as Neuman and J. Steiner, "The Kerberos Network Authenti well as bad noisy passwords. The on-line generation of bad cation Service', MIT Project Athena (Oct. 8, 1990) Version 45 noisy passwords is not required. The technique does not 5, Draft 3), is also vulnerable to such dictionary attacks as, require the storage of a dictionary of bad passwords or large for reasons not relevant here, the protocol makes it possible amounts of data, and can easily be installed in a distributed for an adversary having a user password to request server computing environment. Utilizing the technique, password access to encrypted messages. Further, by eavesdropping on validation can be performed quickly. After defining the bad the network, the adversary can also obtain additional 50 password characteristics off-line, the actual validation of the encrypted messages which can be decrypted using the same proposed password can be performed on-line, in real time, exhaustive key search technique on K. using minimal amounts of computing power. The size of the key space that can be searched efficiently With respect to password generators, there are two types by an adversary is much larger than is usually believed by of such generators which are known in the art. One type most users. Karn and Feldmeier have discussed the size of 55 generates completely random passwords which are, by defi the key space that can be searched using conventional nition, guaranteed to be "good'. This type of generator has, techniques and technology. (See Karn, P. R. and D. C. however, the significant disadvantage of making the pass Feldmeier, "UNIX password security-Ten years later', word unpronounceable, and thus hard to remember, and Advances in Cryptology-CRYPTO '89, G. Brassard (Ed.) more likely to be written down, which has a security cost, or Lecture Notes in Computer Science, Springer Verlag, 1990). forgotten, which has an administrative cost. Although this discussion is directed towards UNIX pass The second type generates a random, yet pronounceable word security, the Karn and Feldmeier analysis is widely password for the user, on the assumption that a pronounce applicable to typical systems which have artificially small able password is easier to memorize, and consequently less password key space and are therefore susceptible to a key likely to be written down or forgotten, and hence, more user search attack. Protection against such attacks can be 65 friendly and secure. This type of generator typically works enhanced by either altering the system itself, for instance, as by combining random character generation with the rules for proposed by Bellowin and Merritt to secure Kerberos (see pronunciation to generate strings which are pronounceable. 5,588,056 3 4 There are at least two important aspects to such a generator. Thompson "Password security: A case history”, Communi First, the passwords must be pronounceable. Since the so cations of the ACM, 22 (11), November 1979), have to called "rules' of pronunciation are fairly inexact, this is a actually be searched through a number of dictionary words somewhat subjective issue. Secondly, the generated pass equal to the dictionary size multiplied by a factor of 4096. word must be secure. Several pronounceable password gen Thus in this particular case, the implementation constant C erators have been designed, perhaps the two most prominent would be 4096. However, the implementation constant C being that developed by Morrie Gasser GASS77) in 1977, could be reduced if the attacker uses pre-encrypted dictio which is being adopted as a standard by NIST FIPS92), and naries and has sufficient space on his computing platform to that developed by IBM and used by Sandia Labs. store the salted variations and if the time to search is small Turning now to attacks on system security, the object of 10 as compared to the time required to encrypt. As can be seen an attacker is either to break into any account(s) on the from the above example, the constant C can be properly system or break into a particular account on the system. The chosen only when specific details of the attack are known. former is the more typical vulnerability which most systems Based on these parameters, the criterion for protection face. While it can be argued that the motives of an attacker againstadictionary attack can be defined. The first criterion, will differ for each situation, any password system must which at times is the only one considered by the designers evaluate security in terms of the difficulty of an attacker 15 of systems is: targeting any, rather than one particular, account. This is Criterion 1: KodExTxC because it is the more common attacker motive and, further, According to this criterion, a password space must be chosen because a system secure against this attacker objective is which is large enough so as not to be easily broken by an automatically secure against an attack on a single specific attacker in a "reasonable' time. Gasser's analysis adds two account, although the converse is not true. Consequently 20 closely related, very useful criterion, namely: parameterizing a system on the basis of the total number of Criterion 2: The probability of occurrence of the most users within the "security domain' being protected is of probable passwords in the password space should be low. primary importance. So for instance, although the maximum password space Kis very large, the fact that users choose common natural It will be helpful here to define several parameters: language words with a very high probability can, by itself, K, as discussed above, is the absolute size of the password make the system vulnerable to dictionary attacks. Gasser space. discusses the criterion in the context of pronounceable K is the actual space the attacker needs to search in order password generators, wherein he points out that it is of no to break into a particular user's account. benefit to have an overall maximum key space K which is 30 very huge if a few passwords have a very high probability N is the number of users in the "security domain'. The of being generated, and are generated very frequently by the definition of "security domain” is situation specific. Some system thus resulting in the actual key space K being too concrete examples would be: a DEC VMS multiuser mini small. A closely related criterion, which appears to be computer; a network of SUN workstations and servers implicit in Gasser's discussion of the password probability which use a common/etc/passwd file managed by the NIS distribution is: name server, or a Kerberos realm serving an entire organi 35 Criterion 3: All passwords in the password space must be zation. The number of users within these domains could of roughly equally probable. range from 50 users on a minicomputer to several thousand This is really a generalization of Criterion 2, and ensures that users being served by a common Kerberos server. there does not exist a subset of the maximum password T is the assumed maximum time in seconds which the space K which is so small that it can be easily attacked in attacker can spend on the attack. T depends on many factors lieu of the entire space K to breach system security. including the time interval, t, between which password aging Criterion 4: In an N user system with an actual password is enforced i.e. the period after which a user is required to space of size K, the attacker should have to search, on change passwords. When an attacker captures strings average, a password space of encrypted with passwords, a limited time is available to complete the dictionary attack before the passwords change. 45 K For instance, after time t/2, it is likely that half the passwords N captured by the attacker have changed, and by time t, all the passwords have changed. Depending on the system other in order to break into any one account. This can be expressed 2S: factors may also come into play. 50 E is the encryptions per second for the particular pass K word scheme, which the most powerful attacker is likely to N perform. This parameter, to a great extent, will be deter mined by the type of computing platform which the attacker has access to. Since this "access' could be illegal this is a 55 Since the attacker need only, on average, search through half difficult number to calculate. Unless the attacker in question any given space to expect to find a password, the more is a large organization, like the espionage branch of aforeign precise figure is K/2N. Criterion 4 may be used in place of government, it may be practical to assume that the attacker Criterion 1 since any system meeting Criterion 4 will, by has access to a high end personal computer or workstation definition, meet Criterion 1, whereas the converse is not true. or a UNIX or other high power server. The parameter E can Criterion 5: It should not be possible to divide the be calculated in various ways, see for instance Karn and password space into B buckets or categories, b, b, ..., b, Feldmeir's (KARN89) analysis. from which users choose passwords, with the probability of C is an implementation specific constant which corre users choosing passwords from a respective bucket beingp, sponds to the effort which must be expended by the attacker p2, . . . , p, such that p>lb/K where b is the smallest on a per user basis for a specific system. For instance, in a 65 bucket. UNIX system the attacker searching through a dictionary of Meeting Criterion 5 is a necessary, but not a sufficient, a given size would, because of salting (see Morris, R. and K. condition for meeting Criterion 4. It ensures that the smallest 5,588,056 5 6 bucket or category is large enough to thwart the attacker. The corresponds roughly to the probability of the occurrence in security of the system, in terms of password space size, is as English of the applicable unit's character. secure as the size of the smallest bucket. A series of rules determine which units may appear where The "Sandia System” is a pronounceable password gen in a generated password. These rules are encoded in two erator distributed by Sandia Labs along with a version of the tables, i.e. the unit and diagram tables. The former describes Kerberos V source code, see files 7clcpwd.c and 7cldpwd.c special rules for determining where the units may appear, in Sandia's Kerberos V distribution. The Sandia System and whether they are vowels or consonants, etc. The latter works as follows: describes the rules for determining if two units can be 25 templates have been created to represent typical rules juxtaposed. of pronunciation in English, for instance "cvcvcvc' is a 10 To generate a password the system selects the first unit, template representing words formed by a vowel followed by from one of the 34 units, based on the probability of a consonant followed by a vowel. . . occurrence associated with each of the units. The templates are formed from sets representing, vowels, The system then forms syllables by selecting successive consonants, double vowels, ending vowels, etc. units from the 34 units, based on the rules in the unit and To generate a password the system randomly indexes into 15 diagram tables. These syllables are then concatenated one of the 25 templates i.e. buckets, all 25 templates being together to form the password. equally likely to be picked. If a particular selected unit is inappropriate in a particular The system then picks, at random, a password from that position within the password, that unit is rejected, and particular template, this being a 7 character password. another unit is selected. If the substitute unit is also rejected, In order to inflate the password space, either 1 of 10 digits, 20 another unit is picked. This process is repeated 100 times, or 1 of 26 alphabet letters, is randomly added to the after which the entire syllable is rejected. As noted by password, to bring the total password size to 8 characters. If Gasser, see GASS77, the limit of 100 is rarely reached. the eighth character is a digit from 0 to 9, then because there The Gasser/NIST system has been analyzed in GASS77 are 10 choices of digits and the digit can be added in any one and FIPS92. The total password space K is of size 18 million of eight positions, the password space is expanded by a 25 for 6 character passwords, 5.7 billion for 8 character pass factor of 80. If one of the characters from Ato Z is randomly words and 1.6 trillion passwords for 10 characterpasswords. added to the string, then the effective password space is The most probable passwords have a low probability of increased 208 fold. occurrence. The probability of occurrence of most pass Users are presented with several such passwords and words are roughly equal. asked to pick one. 30 Though not part of the NIST standard, Gasser describes a The addition of the eighth character may make the pass slight modification to the system which guarantees that all word fairly difficult to pronounce, especially when the passwords are equally likely. Pursuant to this modification, eighth character?digit appears in the middle of a pronounce the system generates the passwords completely at random. able syllable. Further, presenting users with several choices In the Gasser/NIST system each unit represents a bucket and letting them pick one, introduces another filter through 35 of passwords. However, unlike the Sandia System which which selected passwords must pass. It is conceivable that randomly indexes into the buckets, in the Gasser/NIST the passwords picked by users are actually from a much system the probability that a user selects a password from a smaller space than would be suggested by the system particular bucket is determined by the probabilities associ parameters. However, no evaluation has been performed to ated with the individual units. In the Gasser variation determine if this is indeed the case. Since the 25 template mentioned above, the probability of selecting from a par buckets are indexed into with uniform probability, it is likely ticular bucket, is not the probability associated with the unit, that 1/25th or 4% of all users in a N user system pick but rather the probability given by the ratio of the size of the passwords from a particular template or bucket. Given the bucket to the total size of the password space. number of characters in the set of vowels, consonants, etc., The distribution of passwords into buckets in the Gasserd the size of each template or bucket can be calculated. The 45 NIST system is shown below in FIG. 2A. FIG. 2A represents size of each of the templates, without the addition of the the distribution of passwords generated by a Gasser/NIST random eighth character is shown in FIG. 1. system completely at random. As the passwords are gener As shown in FIG. 1, the distribution is highly non ated randomly, sorting the sample into buckets will reflect uniform, with most of the passwords in a few large buckets. the actual distribution of passwords into buckets. This dramatically affects the security of the system. The total 50 As can be seen, the distribution of passwords is highly space K of 7 character passwords is 71,213,792, and after non-uniform. However, unlike the Sandia system, all the inserting the eighth character the total space Kexpands to an buckets themselves are not equi-probable. That is, the prob impressive 14.5 billion. However, in a 100 user system, 4 ability of any given password appearing in a given bucket, uses picked passwords from the smallest bucket, which has is dependent on the size of the bucket and is different from a mere 135,800 7 character passwords, and the eighth 55 the probability of a bucket itself; the latter being the prob character increases the password space to only 27 million. ability that the system chooses that bucket to generate a While an attacker may balk at searching through 14.5 billion password. Rather, the probability that a bucket is chosen by passwords, a space of 27 million can be searched without the system is tied to the probabilities assigned to the indi excessive effort in order to break into 4 user accounts on a vidual units. FIG. 2B juxtaposes the distribution of the hundred user system. Still further, the attacker would on passwords into buckets with the probability of a particular average have to search through less than 3.5 million pass bucket being chosen. For purposes of FIG.2B, it is assumed words to break into 1 account on a 100 user system. that there is an equal probability that a user will pick a The Gasser/NIST system, which as noted above, is being password from any of the particular buckets. adopted by NIST, see FIPS92, works as follows: As can be seen from FIG. 2A there are several very small There are 34 units, the characters Ato Z, except Q, and the 65 buckets, i.e. the buckets for R, T, X, GH, SH, TH, QU and characters CH, GH, PH, RH, SH, TH, WH, QU and CK; CK. FIG. 2B suggests that rather than attacking the smallest each unit having an associated probability of selection which bucket itself, it is more beneficial for the attacker to attack 5,588,056 7 8 the small buckets with a relatively high probability of being method and system for generating pronounceable passwords chosen, e.g. the buckets for R and T. It is likely that slightly which provides increased security for a user account. It is a less than 5% of users will have passwords generated from still further object of this invention to provide a method and the R bucket and another 5% from the T bucket. Yet the size system for generating pronounceable passwords which are of the R bucket is a mere 0.31% of the overall password not subject to a smallest bucket attack. It is still another space K, and the T bucket a mere 0.22%. Consequently, an object of this invention to provide a method and system attacker could break into 4 accounts of a 100 account system which can be utilized to quickly generate secure, pronounce after searching through only 12.5 million passwords, and able passwords. It is yet a further objective of this invention might break into one account, on average, after searching 1.6 to provide a method and system for generating secure, million passwords. Using the Gasser variant, i.e. where 10 pronounceable passwords which are user friendly. passwords are generated randomly, the probability of a user Additional objects, advantages and novel features of the having a password generated from a bucket is exactly equal invention will become apparent to those skilled in the art to the size of the bucket. So for instance, instead of 5% of upon examination of the following as well as by practice of users having passwords from the R or T bucket, only the invention. While the invention is described below with approximately 0.3% of users have passwords generated 15 reference to preferred embodiments for generating pro from this bucket. The number of accounts that can be nounceable passwords, it should be understood that the compromised, on average, is thereby decreased, but the invention is not limited thereto. Those of ordinary skill in the problem remains that a rather limited search by an attacker art having access to the teachings herein will recognize will result in a breach in the system security. additional applications, modifications and embodiments in Another pronounceable password generator has been 20 other fields (including, but not limited to, those relating to developed by Digital Equipment Corporation and will be smart cards, automatic tellers and automatic locks), which referred to as the DEC system. The DEC system utilizes a are within the scope of the present invention as disclosed and Markov model to train samples of natural language. Markov claimed herein and in which the present invention could be models are discussed in more detail below in describing the of significant utility. preferred embodiment of the present invention. Suffice it to say at this point that this training yields a transition prob SUMMARY OF THE INVENTION ability matrix. The DEC system generator then utilizes the transition In accordance with the invention, a pronounceable secu probability matrix developed using the Markov model to rity password, for use in encrypting and decrypting mes probabilistically determine the next state. For example, from 30 sages, is formed using a plurality of first word segment the state "Q" it is highly likely that the next state is a “U” portions each having at least one character and a plurality of if the english language is being utilized. After selecting a second word segment portions each having at least one certain number of characters, the system requires that the character. The password is generated utilizing an identified information content of the portion of the password formed at transition number, for each of the first word segment por this point be calculated. This is done using a well-known 35 tions which corresponds to the number of second word mathematical formulation for information content. Addi segment portions in an associated set of second word tional characters are then added until the information content segment portions. The associated set of second word seg meets a predetermined threshold value. The threshold value ment portions includes one or more different second word is selected so as to ensure that the pronounceable password segment portions, each of which is combinable with the generated is not a bad password, i.e. one selected from associated first word segment portion to form a pronounce natural language, jargon, acronyms, dates, or other deriva able word segment, typically a pronounceable syllable. tive thereof. In one implementation of the invention, one of the plu However, the DEC system likewise suffers from the rality of first word segment portions with an associated smallest bucket attacks which have been discussed above transition number greater than zero is randomly selected. As with regard to the Sandia system and Gasser/NIST systems. 45 used herein, random selection means that the selection is of This appears to be caused by the transition probabilities substantially equal probability. Thus, selection of any one of utilized by the system. In particular, the DEC system, as the plurality of first word segment portions which have an understood, uses buckets which are created based upon the associated transition number greater than zero, is of sub transition probabilities of characters, i.e. unigrams, bigrams, stantially equal probability. Next, a second word segment etc., occurring in the English language. Because these tran 50 portion, from the associated set of second word segment sition probabilities vary, the Markov model develops buck portions, is randomly selected. Hence, selection of any one ets of passwords which are small and buckets of passwords of the second word segment portions in the set associated which are large. Stated another way, characters with a with the selected first word segment portion, is also of greater transition probability in the English language will be substantially equal probability. The selected first and second generated more often than those with a lower probability in 55 word segment portions are combined for use as at least apart the English language. Thus, the number of users using of the pronounceable security password. generated passwords with characters having a high transi According to other aspects of this implementation, a tional probability in the English language is increased. determination is made as to whether or not consecutive It is therefore an object of the present invention to provide characters of the combined first and second word segment an improved method and system for generating pronounce portions are identical to a first word segment portion having able passwords which provides greater security than con an associated transition number which is less than a prede ventional systems and techniques. It is a further object of the termined threshold transition number. If so, the combined present invention to provide a method and system for first and second portions are discarded and substitute first generating pronounceable passwords which requires that an and second word segment portions are randomly selected attacker perform a more exhaustive search to uncover one or 65 and combined as described above. Alternatively, if desired, more of the passwords being utilized by the system users. It the selected second word segment portion alone could be is yet another object of the present invention to provide a replaced in lieu of replacing both the selected portions. A 5,588,056 9 10 further check can be made to determine if consecutive ment portion, is randomly selected and combined with the characters of the part of the password formed by the sub third selected first word segment portion. The first part of the stitute combined word segment portions are identical to a pronounceable password is then combined with the com first word segment portion which has an associated transi bined third selected word segment portions to form a com tion number of less than the predetermined threshold tran pleted, or extended part of, the pronounceable security sition number. If so, another substitute is generated. password. It can now be determined if consecutive charac Once a satisfactory first part of the pronounceable pass ters of this extended part of the password correspond to a word has been generated as described above, a first word first word segment portion having a transition number which segment portion, having an associated transition number is less than the aforementioned second threshold transition number. greater than zero and which corresponds to one or more O consecutive characters at the end of the first part of the According to a third implementation of the present inven password, e.g. the last two characters, is identified. Next, tion, each of a plurality of first word segment portions is another second word segment portion, which corresponds to categorized based upon its transition number into one of at the identified consecutive characters, is randomly selected least two categories. One or more selection categories can from the set of second word segment portions associated then be chosen from the at least two categories. One of the with the first word segment portion. The first part of the 15 plurality of first word segment portions categorized within pronounceable password is combined with this later selected the selection categories, is randomly selected. Next, one of second word segment portion to form a still greater part of, the second word segment portions, from the set of second or to complete, the pronounceable security password. If word segment portions associated with the selected first desired, another check can be made to determine if the word segment portion corresponds, is randomly selected. consecutive end characters of this completed or extended 20 The selected first and second portions are combined to form part of the password corresponds to a first word segment at least a part of the pronounceable security password. portion which has an associated transition number of less Preferably, the transition number associated with each first than a predetermined second threshold transition number, word segment portion categorized within the selection cat which is preferably different from (i.e. lower than) the first egories is larger than the transition number associated with threshold transition number. In this regard, it is beneficial to 25 the first word segment portions categorized in a non-selec ensure that the initial part of the password has consecutive tion category. characters which correspond to a first word segment portion A determination can now be made as to whether consecu with a relatively high transition number. As additional tive characters of the part of the pronounceable security characters are added to the password the later consecutive password which has been generated correspond to a first characters can correspond to first word segment portions 30 word segment portion categorized in a non-selection cat with somewhat lower transition numbers without signifi egory. If so, the selected second word segment portion is cantly jeopardizing the security of the password. discarded and a new, or second, second word segment If the later identified consecutive end characters fail to portion, within the set associated with the selected first word meet the second threshold, the later selected second word segment portion, is randomly selected and combined with segment portion is discarded. Another second word segment 35 the selected first portion to form at least a part of the portion is then selected and combined with the first part of pronounceable security password. Alternatively, both of the the pronounceable password as described above. A check selected portions could be replaced. A check can now be can be made to determine if the second threshold is met by made to determine if consecutive characters of this later the substitute second word segment portion. The process generated part of the password correspond to a first word continues until an acceptable pronounceable password is segment portion categorized in a non-selection category. If generated. so, another substitute second word portion is selected as According to an alternative implementation of the inven described above. tion, once a satisfactory first part of the pronounceable Once an acceptable first part of the pronounceable secu password has been generated as described above, another of 45 rity password has been generated, a first word segment the plurality of first word segment portions which have an portion categorized in a selection category corresponding to associated transition number greater than zero, is randomly consecutive characters at the end of the first part of the selected. A second word segment portion, from the set of password is identified. Another second word segment por second word segment portions associated with this later tion, from the set of second word segments associated with selected first portion, is next randomly selected. The second 50 this corresponding first word segment portion, is randomly selected first and second portions are combined. The first selected. The first part of the pronounceable security pass part of the pronounceable password is then combined with word is then combined with the second selected second the combined second selected word segment portions to word segment portion to complete or form at least an form a still greater part of, or to complete, the pronounceable extended portion of the pronounceable security password. security password. If desired, a check can be made to 55 Once again, a determination can be made as to whether or determine if consecutive characters of this completed, or not consecutive characters of this completed, or extended larger part of, the password correspond to any of the portion of, the password, correspond to a first word segment plurality of first word segment portions which has an asso portion categorized in a non-selection category. If so, the ciated transition number of less than the predetermined later selected second word segment portion is discarded and second threshold transition number. a substitute second portion is randomly selected as described If so, the second selected first and second word segment above. portions are discarded. The process continues by randomly According to a further implementation of the invention, selecting another, or third, of the plurality of first word once a satisfactory first part of the pronounceable password segment portions which have an associated transition num has been generated as described in connection with the third ber greater than zero. Next, a third of the second word 65 implementation of the invention, another first word segment segment portions within the set of second word segment portion categorized within a selection category is randomly portions associated with the third selected first word seg selected. Next, another second word segment portion, from 5,588,056 11 12 the set of second word segment portions associated with the the set of second word segment portions associated with the second selected first word segment portion, is selected and retrieved first word segment portion. This retrieval is like combined with the second selected first word segment wise random and retrieval of any one of the stored second portion to form a further part of the password. The first part portions from the associated set is of substantially equal of the pronounceable password is then combined with this probability. further part of the password to complete, or form an The retrieved first and second portions are combined by extended portion of, the pronounceable security password. the processor to form at least a part of the pronounceable Consecutive characters of the completed or portion of the security password. The storage device described above may pronounceable security password thus created may now be also store a predetermined threshold transition number. A checked for correspondence to first word segment portions 10 comparator circuit and/or software implemented by the categorized in non-selection categories, and the later created processor determines if consecutive characters of the part of part of the password is accepted or discarded, as appropriate, the pronounceable security password generated are identical i.e. if consecutive characters correspond to a first word segment portion in a non-selection category the later created to a stored first word segment portion having an associated part is discarded. transition number which is less than the predetermined 15 threshold transition number. If the later created partis discarded, a third one of the first The comparator circuit and/or software may also be used word segment portions categorized within the selection for identifying a stored first word segment portion which categories is randomly selected. Another or third one of the corresponds to an end portion of consecutive characters of second word segment portions in the set associated with the the part of the password generated. The processor can then third selected first word segment portion, is then selected. 20 retrieve another stored second word segment portion from The third selected first and second portions are combined to the set of second word segment portions associated with this form a further part of the password. The first part of the later identified first word segment portion, and hence the pronounceable password is then combined with this further consecutive characters. This retrieval is likewise random part of the password to complete, or form at least a larger and retrieval of any of the stored second word segment portion of, the pronounceable security password. If desired, portions in the applicable set is therefore of substantially another check can be made to determine if consecutive 25 equal probability. The processor combines the initially gen characters of this last generated extended part of the pass erated part of the password with the second selected second word corresponds to a first word segment portion catego word segment portion to complete, or form an extended part rized in a non-selection category. of, the pronounceable security password. The storage device In still another or fifth implementation of the invention, may also store a second predetermined threshold transition each of a plurality of word segments is categorized into one 30 value, which is preferably less than the first predetermined of at least two categories, based upon a transition number threshold value. The above described comparator circuit corresponding to the number of different second word and/or software can be used for determining if consecutive segment portions included in word segments which have a characters of the completed, or extended part of, the pro first word segment portion identical to the first portion of the 3. 5 nounceable security password generated are identical to a word segment being categorized. One or more selection stored first word segment portion having an associated categories are identified from these categories. At least two transition numberless than the second predetermined thresh of word segments categorized within the selection categories old transition number. are randomly selected and combined to format least a In a second embodiment of the system of the present portion of the pronounceable security password. The tran invention, a storage device of the type described above is sition number associated with each word segment catego provided for storing (i) the plurality of the first word rized in a selection category is preferably larger than the segment portions, and (ii) the plurality of second word transition number associated with word segments catego segment portions. The first word segment portions may be rized in non-selection categories. stored in categories or with a category designation. Alter A system for generating a pronounceable security pass 45 natively, software implemented by a processor, categorizes, word, according to the present invention, uses a plurality into one of at least two categories, each of the stored first first word segment portions, each of at least one character, word segment portions based upon its associated transition and a plurality of second word segment portions, each also number. An input device connected to the processor could be of at least one character. The system includes one or more used to identify one or more selection categories from these electronic or magnetic storage devices, such as a CDROM, 50 categories. However, preferably, software implemented by or disk drive, for storing (i) the plurality of first word the processor is used to automatically identify the desired segment portions, (ii) the plurality of second word segment selection category or categories. The processor retrieves one portions, and (iii) a transition number for each stored first of the stored first word segment portions categorized within word segment portion corresponding to the number of a selection category. The retrieval is random and therefore second word segment portions in an associated set of second 55 retrieval of any one of the first portions categorized within word segment portions. The associated set includes one or a selection category is of substantially equal probability. The more different second word segment portions, each of which processor or other circuitry next retrieves one of the stored is combinable with the associated first word segment portion second word segment portions from the set of second word to form a pronounceable word segment. A processor, which segment portions associated with the selected first word is preferably part of a personal computing or communica segment portion. This retrieval is likewise random. The tions device, retrieves, from storage, one of the stored first processor combines the selected first and second portions to word segment portions. The stored first word segment form at least apart of the pronounceable security password. portions have an associated transition number greater than A comparator circuit or software implemented by the zero. The retrieval is random and, therefore, retrieval of any processor may be included in the system for determining if one of the plurality of stored first word segment portions is 65 consecutive characters of the part of the pronounceable of substantially equal probability. The processor also security password generated correspond to a stored first retrieves, from storage, a second word segment portion from word segment portion categorized in a non-selection cat 5,588,056 13 14 egory. The comparator circuit or software may also be used FIG. 2A shows the distribution of passwords in a Gasserl. for identifying a stored first word segment portion catego NIST System. rized a selection category which corresponds to an end FIG. 2B shows the probability of selection of passwords portion of consecutive characters of the part of the password in a Gasser/NIST System. generated. The processor then retrieves another stored sec FIG. 3 is a flow diagram depicting one implementation of ond word segment portion from the set associated with this later identified first word segment portion, and hence the the present invention. consecutive characters. This retrieval is likewise random. FIG. 4 is a flow diagram depicting another implementa The processor combines the initially generated part of the tion of the present invention which is a somewhat modified password with the second selected second word segment 10 version of that depicted in FIG. 3. portion to complete, or form an extended part of, the FIG. 5 is a flow diagram depicting a further implemen pronounceable security password. The above described tation of the present invention. comparator circuit and/or software can again be used for FIG. 6 is a flow diagram depicting a still further imple determining if consecutive characters of the extended part of mentation of the present invention which utilizes one or the pronounceable security password generated correspond 15 more threshold transition values. to a stored first word segment portion categorized in a FIG. 7 is a flow diagram depicting yet another implemen non-selection category. tation of the present invention which is a somewhat modified A still further embodiment of the system according to the version of that depicted in FIG. 6. present invention has a storage device of the type described FIG. 8 is a simplified block diagram of an exemplary above for storing a plurality of word segments. The word 20 system according to the present invention. segments may be stored in categories or with a category designation. Alternatively, software implemented by a pro FIG. 9 illustrates an example of a Markov model. cessor, categorizes, into one of at least two categories, each of the plurality of the word segments based upon a transition DESCRIPTION OF THE PREFERRED number corresponding to the number of different second 25 EMBODIMENT portions included in stored word segments which have a first word segment portion identical to the first word segment Before describing the preferred embodiment of the portion of the word segment being categorized. An input present invention it will be helpful to first discuss the device connected to the processor can be used to identify one Markov model, which is preferably used to extract a set of or more selection categories from these categories. Alterna 30 characteristics, C, from a selected dictionary in accordance tively and preferably, software implemented by the proces with the present invention. For purposes of this discussion it sor is used to automatically identify the desired selection is assumed that the dictionary to be used was generated by categories. The processor retrieves at least two of the stored a K order Markov model, and that characteristics, C, cor word segments categorized within the selection categories. respond to the transition probabilities of the model. In The retrieval is random and the probability of any one of the 35 accordance with the present invention, preferably using stored word segments categorized within the selection cat statistical inference on the Markov chains, a string of egories being retrieved is substantially equal. The processor characters of a password can be generated by a given combines the selected word segments to form at least a part Markov model. of the pronounceable security password. An example of the Markov model is shown in FIG. 9. In each of the above described system embodiments, the Likely strings 1 can be generated by beginning in any state processor will typically also implement software for apply and following high probability transitions such as ab, bc, ac, ing the pronounceable security password to encrypt or andba from FIG. 9. The unlikely strings 2 generated by this decrypt messages between system users. In this regard, a model contain Zero transitions, for example aa, cc, cc, bb, aa cryptosystem, such as an RSA or other type cryptosystem, of FIG. 9. may be provided as part of the system. The pronounceable 45 A Markov model M is a quadruple, m.A.T.,k), where mis security password could, in such a system, be used as a the number of states in the model, A is the state space, T is user's portion of a private crypro-key associated with the the matrix of transition probabilities and k is the order of the split private key cryptosystem. chain. In FIG. 9, an example of such a model for the three According to still further general aspects of the present character language shown is: M=3), a,b,c, T, 1), where invention, each first word segment portion is preferably a 50 bigram and each second word segment portion is a unigram. 0.0 0.5 0.5 () The characters can be chosen from the English or another 0.2 0.4 0.4 alphabet. Passwords of eight or more characters, are pref 10 00 00 erably generated to provide adequate security. This can be 55 giving T (a,a)=0.0, Ta,b)=0.5, etc. done, for example, by utilizing a single first portion of a A key characteristic of a Korder Markov model is that the word segment which is a bigram and at least six second probability of transition Tab, depends only on the previ portions of the word segments, each of which is a single ous states that have been visited. In a first order model the character. The pronounceable security password may form a probability of a transition ending in state b depends only on part of a private key associated with a private key crypto the state from which the transition began (say a). Therefore system, such as an RSA system. In any event, it is preferable Ta,b)=Prob (b,a). In a second order model, the probability that the pronounceable security password which is generated of entering state b from state a also depends on the state of be short. the process prior to entering a. For example, for state c, BREEF DESCRIPTION OF DRAWENGS Ta,b)=Prob (b,ac). 65 As FIG. 9 illustrates, the state space very naturally FIG. 1 shows the distribution of passwords in a Sandia corresponds to the alphabet of the natural language from System. which passwords are expected to be drawn. 5,588,056 15 16 Although the use of bigrams (i.e., a first order Markov pendent of the frequency with whichTHA,THC, THE, THI, model) is adequate for certain applications, the use of THO, and THS occur in the English language, or any other trigrams is preferred. A second order Markov model will language which may be of interest. give better overall results than a first order model. However, To further reduce the probability of small buckets, a it should be noted that the size of the Markov chain that will bigram is randomly selected from the first category of need to be stored increases with increasing order of the bigrams, i.e. the category of bigrams having the highest Markov model. Thus for a first order model, the matrix may occupy about 5-6 KB of storage, while for a second order transition counts. The randomness of the selection ensures model it could occupy 175 KB. that the probability of the selection of any of the bigrams in Pronounceable passwords are generated, according to the the first category is equal or substantially equal. The next present invention, by generating a string of pronounceable 10 character is selected from the legal transitions associated characters whose probability of inclusion in a generated with the selected bigram. This selection is also random and password is unrelated to the frequency with which the thus the selection of any of the legal transitions as the next sequence of characters within the generated password character is also of equal, or substantially equal, probability. appear in the English language or whatever other language The selected characters are combined. If the last two char may be of interest. Thus passwords are generated which are 15 acters of the combination form a bigram which is catego not subject to a smallestbucket attack and are therefore more rized lower than the first category, i.e. a bigram with a secure than those generated by conventional pronounceable transition count less than fifteen, the selected characters are password generators. A Markov model is used to generate a discarded and a new random selection is begun again. transition probability matrix. The transition probability Alternatively, the selected transition character may be dis matrix is generated by a second order Markov model, using 20 carded and a substitute transition character randomly well-known statistical techniques, for words in a selected selected from the transitions associated with the selected word dictionary. Thus, a set of pronounceable word seg bigram. ments having three characters are modeled and the prob Rather than categorizing the bigrams, a threshold transi ability of transition from a first portion of each word tion valve can be selected. Bigrams formed by the consecu segment, which is a bigram, to a single third character which tive characters of the portions of a password generated by completes the word segment is determined. random selection of bigrams, with non-zero transition Although in the preferred embodiment described herein, counts, and associated transition characters can be checked a second order Markov model is utilized, those skilled in the to ensure that the transition count of the formed bigrams art will recognize that the technique could be modified to use exceed the threshold transition valve. other orders of Markov models. The transition probability 30 Referring specifically to FIG. 3, in step 300, a transition matrix is adjusted to reduce the threat of smallest bucket probability matrix for pronounceable word segments, taken attacks. To accomplish the adjustment each bigram ij is from a selected English language dictionary, is generated associated with a Count (i,j) which corresponds to the using a second order Markov model. The pronounceable number of non-zero transitions beginning with the bigramij. word segments are formed of three characters. In step 305 a For example, for the bigram TH, the non-zero transitions 35 transition Countij) is computed for each non-zero transition might be A, C, E, I, O and Swhich form pronounceable word emanating from each bigram which forms the first two segments THA, THC, THE, THI, THO and THS. In this characters of a pronounceable word segment. The bigrams example, the number of non-zero transitions beginning with are then categorized in step 310 based upon the associated the bigram TH would be six and, therefore, the Count (TH) transition numbers. Although preferably three categories are would equal six. selected as noted above, the bigrams may be categorized into Each bigram ij can now be separated into categories based any desired number of categories so long as the categories upon its Count ii. For example, three categories might be are based upon the computed count associated with the established. The first category could be limited to all big bigrams. Steps 300 to 310 will normally be performed off rams with more than fifteen transitions, i.e. a Count (ij) line on a one time basis, while the steps occurring thereafter greater than fifteen. The second category could be limited to 45 will typically be performed on-line, in real time. bigrams with between five and fifteen transactions, i.e. a A bigram is next randomly selected from one or more Count (ij less than or equal to fifteen and greater than or selected categories. The selection of any one of the bigrams equal to five. The final category might contain all bigrams within the selection categories is of substantially equal which have less than five transitions emanating from them, probability. It is normally preferred to limit the selection of i.e. a Count ij less than five. All bigrams having a zero 50 the initial bigram to a category containing bigrams with a transition remain uncategorized and are not used in the high transition count. Subsequent selections may be made generation of the pronounceable passwords. This is because, based upon bigrams with a lower transition count, because, if the transitions are zero the combinations are likely to be from a security standpoint, the number of transitions ema unpronounceable. The transition probability of all non-zero nating from later characters in the string forming the pro transitions emanating from a bigram ij are now replaced 55 nounceable password will be of less importance. The with the reciprocal of the Count, i.e. reduced importance of the number of transitions emanating from the later characters in the string might be most easily -- understood, by analogy, the following example. If the gene CEiji alogy of some number of human couples in a first generation is followed through multiple generations, it will be under This in effect makes all the transitions emanating from the stood that those couples which have had a greater number of bigram equi-probable. By adjusting transitions in the offspring in the early generations will have a greater number Markov model, the systems can be protected against the of offspring than those couples who have had a smaller smallest bucket attacks which have been described earlier number of offspring in the early generations even if the later and which result in the insecurity of conventional systems. 65 have had a relatively larger number of offspring in later For example, for the bigram TH the transition to any of the generations. This is because the total number of offspring transitions A, C, E, I, O or S are equi-probable and inde grow expedientially with each generation. Thus by having a 5,588,056 17 18 greater number of offspring in the earlier generations of the tation is performed utilizing steps identical to steps 300 family, a greater number of total offspring will exist as through 325 of FIG. 3 but varies thereafter. In particular, in compared to the case where a relatively smaller number of step 410 the portion of the password formed by the selected offspring occur in the earlier generations and a relatively bigram and transition character combined in step 325 of greater number of offspring occur in the later generations. FIG. 3, are analyzed to determine if the bigram formed by Thus by ensuring that the initially selected bigrams have a the last two characters of the segment have an associated high transition probability, it will ensure that a relatively transition count which is within an acceptable range. If not, greater number of bigrams are available for subsequent the entire generated password portion is discarded and the selection. On the other hand, the number of transitions process proceeds with the selection of another bigram and emanating from the last selected bigram will have very little O transition character as described in FIG. 3 beginning with impact on the security of the pronounceable password which step 415. If the transition count associated with the bigram has been created. formed by the last two characters of the generated portion of In step 320, a transition character associated with the the password are acceptable, a determination is made in step selected bigram is randomly selected. Once again, the ran 415, as to whether or not the password portion completes the dom selection ensures that the selection of any one of the 15 password. If not, another bigram and transition character are transition characters which have been utilized in determin selected and combined as described in connection with FIG. ing the transition count for the selected bigram, will be of a 3, see steps 315 through 325. This combination is then substantially equal probability. The selected bigram and combined with the previously generated password portion to transition character are combined in step 325. add a further portion to the password. One further bigram Next, it is determined if the bigram formed by the last two 20 and transition would be selected to develop a pronounceable consecutive characters of the generated password portion password with the desired number of characters. For has a transition count within an acceptable range. For example in this preferred embodiment, a nine letter pass example, this check may be preformed by ensuring that the word would be generated. As discussed above, preferably bigram formed by the last two characters of the generated multiple passwords will be generated and presented to the password portion is within one of the categories used in user, who would then make a selection of one of the selection of the selected bigram. If the transition count of the passwords. Once the full password has been generated, it bigram formed by these characters is unsatisfactory, the can be used in step 420 to encrypt and decrypt messages. generated word segment is discarded in step 335 and the FIG. 5 is a flow chart representing another implementa process begins again with the selection of a new bigram as tion of the invention. In step 500 a transition probability previously discussed in step 315. If the bigram formed by 30 matrix using a second order Markov model is generated for the last two characters of the generated word segment are pronounceable word segments, each having four characters. acceptable, a transition character associated with the bigram The number of non-zero transitions associated with each formed by these characters is randomly selected in step 340. trigram in the probability matrix is computed in steps 505. This latter transition character is combined in step 345 with The word segments themselves are categorized in step 510 the previously generated password portion. In step 350 a 35 into the desired number of categories based upon the tran determination is made as to whether or not the last two sition Count ij associated with the trigram forming the first characters of this extended word segment form a bigram three letters of each word segment. In step 515, two word with an associated transition Countij, which is acceptable. segments from selected categories are selected and com Once again, this step could be performed by comparing the bined to form an eight character pronounceable password. bigram formed by the last two consecutive characters of the The selection of the two word segments is random so that the extended password segment with bigrams which have been selection of any of the word segments within the predeter categorized within either the categories from which the mined categories in forming the pronounceable password is initial bigram was selected in step 415 or from other of substantially equal probability. The user may, as discussed subsequently selected categories. If the bigram formed by above, have the ability to select one of a number of gener the last two characters is unacceptable, it is discarded in step 45 ated passwords. The generated password is utilized as indi 355 and a substitute transition character is selected as cated in step 520 to encode and decode messages. Thus, described in step 340. If the bigram formed by the last two common trigrams like "the", "she", "hat”, "lap", "wat”, etc. characters in the extended password portion is acceptable, a can be presented to the users as word segments and used to determination is made in step 360 as to whether or not the form good passwords, e.g. wat-she-lap. password is complete. For example, the system can be 50 FIG. 6 represents a still further implementation of the arranged to generate passwords of any desired number of present invention. The probability matrix and computation characters although in the preferred embodiments eight or of the transition count for the pronounceable word segments nine character passwords are utilized. If the addition of the is performed as described in steps 300 and 305 of FIG. 3. last character does not complete the password, a further However, in this particular implementation, the bigrams are transition character is selected based upon the bigram 55 not categorized but rather a predetermined transition count formed by the last two letters of the extended password threshold is established in step 600. A bigram is randomly segment as described in step 340 and the process continues selected in step 605 from a set of bigrams within the until a full string of acceptable password characters have pronounceable word segments. A transition character which been selected. In a typical practical application, multiple has been used in computing the transition Count Lij for the pronounceable passwords, say 20, will be generated in the selected bigram is randomly selected in step 610. The manner described above and presented to the user. The user selected bigram and transition character are combined in then selects a desired password from those presented. The step 615. A determination is made in step 620 as to whether generated pronounceable password can then be applied to a or not consecutive characters of the portion of the password message for encryption and decryption purposes as indicated generated by combining the bigram and transition character in step 365. 65 form a bigram which fails to meet the transition threshold FIG. 4 is a simplified flow chart of an alternative imple established in step 600. If the threshold is not met, the mentation of the present invention. The FIG. 4 implemen selected bigram and transition character are discarded in step 5,588,056 19 20 680 and a substitute bigram and transition character are device 810, which for example could be a computer key selected and combined as described in steps 605-615. If the board, can access the local processing unit 806 and local Countij) for all bigrams formed by consecutive characters storage device 804 via interface 824, and the network of the generated password portion are acceptable, a deter processing unit 812 and storage device 808 via LAN link mination is made in step 625 as to whether or not the 826. A non-intelligent or "dumb' terminal 814 may also be password is of the desired length. If not, another transition linked via a LAN link 828 to the network processing unit character is selected in step 630 based upon the bigram 812. Such a terminal would normally be considered insecure formed by the last two characters of the password portion and subject to easedropping. generated up to this point in step 615. In step 650 the In a first embodiment of the present invention bigrams selected transition character is combined with the previously 10 which form a portion of pronounceable word segments generated portion of the password. In step 760 a second selected by the administrator are stored on the network transition count threshold is identified and utilized in step storage device 808 and/or, if desired, the local storage device 665 to determine if the bigram formed by the last two 804. Additionally stored on either or both of devices 804 and characters of the string of characters resulting from the 808 are associated unigrams which form the third character combination of step 650 meets the second threshold require 15 in the three character word segments selected by the network ments. If not, the last character is discarded in step 670 and administrator for use in generating pronounceable pass a substitute character is selected as described above in step words. As discussed above, each of the bigrams has an 630. If the threshold is met, a determination is made, as associated transition number which is likewise stored by the discussed in step 625, as to whether or not the password is system administrator on the network storage device 808 complete. If not, another selection is made as described in 20 and/or local storage device 804, as applicable. These tran step 630. Once a full string of characters have been selected sition numbers, as described above, correspond to the num to complete a pronounceable password, it can be applied as ber of different unigrams which are included in the selected indicated in step 675 to encrypt and decrypt messages. pronounceable word segments which begin with a particular In a still further implementation of the invention as shown bigram. As noted earlier, in connection with the description in FIG. 7, rather than developing a string of characters by 25 of the various implementations of the method of the present selecting individual transition characters once a combined invention, bigrams with zero transition numbers are gener selected bigram and associated transition character gener ally considered illegal and therefore would typically not be ated in step 615 of FIG. 6 are determined in step 700 to meet stored on storage devices 804 and/or 808. the transition threshold of step 600 of FIG. 6, a determina A user desiring to obtain a pronounceable password can tion is made in step 710 as to whether or not the password 30 make a request for such a password to be generated via user is complete. If so, it can be applied in the encryption and input device 810 or 814. If the portions of the pronounceable decryption of messages in step 715. If not another bigram word segments and associated transition number have been and trigram are selected and combined as described in stored on the local storage device 804, the processor 806, connection with steps 605 to 615 of FIG. 6. This combina upon receiving the request from user input device 810, tion is then combined with the previously generated portion 35 retrieves via interface 816 a first bigram stored in the local of the password to extend the string of characters to form a storage device 804. Retrieval is random thus the selection of pronounceable password of the desired length. As noted any one of the stored bigrams is of substantially equal earlier, the user may be allowed to select a password from probability. In a similar manner the processor retrieves a a number of generated passwords. unigram from the set of unigrams which, when combined By increasing or decreasing the size of the dictionary with the retrieved bigram, form one of the pronounceable selected to identify pronounceable word segments the word segments which have been selected by the network Markov model can be varied. Thus, to increase the number administrator. Here too the retrieval is random and therefore of transitions in a Markov model a larger dictionary can be the retrieval of any one of the unigrams which may be used. Alternatively, to simplify the model a smaller dictio combined with the retrieved bigram to form one of the nary can be used for identifying pronounceable word seg 45 selected pronounceable word segment is of substantially ments. The dictionary may be for any language and it should equal probability. The bigram and unigram are combined by be clear that the present invention can be utilized no matter the local processor 806 to form the first three characters of what language may be of interest to the users. a pronounceable security password. Also stored on the local FIG. 8 is a simplified block diagram representative of a storage device 804 by the network administrator are prede pronounceable password generating system in accordance 50 termined threshold transition numbers. In this regard, a with the present invention. It will be understood by those different transition number threshold is utilized in accor skilled in the art that the present invention can be imple dance with the applicable security policy for each round in mented in any number of system configurations and that the selecting additional characters to be included in the gener system shown in FIG. 8, and hereinafter described, is ated pronounceable password. The number of threshold exemplary of the type of systems encompassed by the 55 transition numbers selected will vary depending on the present invention. particular system security requirements. Thus, although a As shown, an administrator's station 802 is used to particular number of threshold values are indicated hereinto access, through interfaces 816, a local storage device 804 via be stored in the local and/or network storage devices 804 and local area network (LAN) communications links 820 and 808, as applicable, it should be understood that the network 826 and local processing unit 806. The network administra administrator has the discretion to store and utilize as many tor's station 802 can also access a network storage device or as few threshold values as may be deemed appropriate 808 by LAN communications link 820 to the network and that a single threshold transition number could be used processing unit 812 and via interface 822 to the network if so desired. storage device 808. The local processing unit 806 may also The processor 810 implements a software routine to be capable of communicating, via LAN link 826, with the 65 determine if consecutive characters of the portion of the network processing unit 812 and from there network storage pronounceable security password which has been generated device 808 via interface 822. A user utilizing the user input are identical to a stored bigram which has an associated 5,588,056 21 22 transition number below that of the first threshold transition number associated with the bigram formed by the first two number retrieved by the processor from the local storage characters of each of the three character word segments. device 804 via interface 816. In the case of the three Thus, as in the second embodiment, the processor retrieves characters formed in the initial selection round, this check only word segments conforming to predetermined catego entails comparing the stored transition number associated 5 ries which have been selected by the network administrator with a stored bigram corresponding to the bigram formed by and included in the processing software. In this embodiment the last two letters of the generated three character string processing unit 806 or 812, having received a request to against the retrieved first threshold transition number. If the generate a pronounceable security password, retrieves two transition number associated with the corresponding bigram word segments from designated categories and combines the is less than the retrieved threshold transition number, the O two segments to form a six character portion of the pro selection process is begun anew as described previously. If nounceable security password. A third word segment is next the generated string meets the required threshold, another retrieved from a larger number of categories of stored word unigram is randomly retrieved by processor 810 from the segments and combined with the generated six character local storage device 804. This unigram is retrieved from a set string to complete the pronounceable security password. of unigrams which when combined with the bigram formed 15 As described, the present invention provides an improved by the last two characters of the generated string of char method and system for generating pronounceable passwords acters form another of the pronounceable word segments which provide greater security than conventional tech selected by the network administrator. This latter retrieved niques. Pronounceable passwords are generated which unigram is combined by processor 810 with the previously require that an attacker perform a more exhaustively search generated three character string to create a further extended to uncover one or more of the passwords, thereby providing portion of the pronounceable password. A transition number increased security for a user account. The pronounceable associated with a bigram corresponding to the last two passwords which are generated are not subject to a smallest characters of the generated four character string is now bucket attack. Using the invention, secure, pronounceable compared by the processing unit 810 with a second thresh passwords, which are user friendly, can be generated quickly old transition number stored, by network administrator, on 25 and easily. local storage device 804 and retrieved by local processing I claim: unit 806. This second threshold transition number if lower 1. A method implemented on a computing device for than the first threshold transition number. The processor 806 forming a pronounceable security password using a plurality discards retrieved characters which form bigrams which fail of first word segment portions, each having at least one to meet a required threshold. The processor continues to 30 character, and a plurality of second word segment portions, retrieve unigrams as described above until an acceptable each having at least one character, with each of said plurality eight or nine character pronounceable security password has of first word segment portions (i) having an associated set of been generated. In practice, the system would generate one or more said second word segment portions, each said multiple pronounceable passwords which are displayed to second word segment portion within said associated set the user, who then can select one of the displayed generated 35 being different from others within said set and being com passwords. binable with said associated first word segment portion to Generation of a pronounceable security password by a form a pronounceable word segment and (ii) having a user of non-intelligent user input device 814 would be transition number corresponding to the number of said identical to that described above except that the network second word segment portions within the associated set of processing unit 812 would perform the necessary processing second word segment portions, comprising the steps of: using data retrieved from network storage device 808 via selecting a first one of said plurality of first word segment interface 812 and would transmit the generated password or portions, wherein selection of any one of said plurality passwords to the user via LAN link 828. of first word segment portions is of substantially equal In a second embodiment of the system in accordance with probability; the present invention, rather than threshold transition num 45 selecting a first one of said plurality of second word bers being stored on the local storage device and/or network segment portions from said set of second word segment storage device 804 and 808, the bigrams are stored in portions associated with said selected first word seg categories or with category designations selected by the ment portion, wherein selection of any one of said network administrator based upon each bigram's associated second word segment portions within said associated transition number. Thus the processor is directed by the 50 set of second word segment portions is of substantially processing software to select bigrams or unigrams associ equal probability; ated with bigrams only from certain categories during each round of generating new characters for inclusion in the combining said selected first word segment portion and pronounceable security password. Accordingly, rather than said selected second word segment portion to form a checking transition numbers associated with bigrams corre 55 first pronounceable word segment; and sponding to consecutive characters of the generated string of generating a pronounceable security password including characters, a check is made to determine if bigrams corre said first pronounceable word segment only if consecu sponding to the last two characters of the generated string tive characters of said first pronounceable word seg are within a selected group of categories to determine their ment fail to correspond to those of said plurality of first acceptability. word segment portions having a transition number less In a further embodiment of the system according to the than a first threshold transition number. present invention, rather than storing the bigrams and uni 2. A method for forming a pronounceable security pass grams which form the pronounceable word segments word according to claim 1, further comprising the step of: selected by the network administrator, the pronounceable determining if consecutive characters of said first pro word segments themselves are stored on the local storage 65 nounceable word segment correspond to a first word device 804 and/or network storage device 808. The stored segment portion, within said plurality of first word word segments are categorized based upon the transition segment portions, and if the transition number of said 5,588,056 23 24 corresponding first word segment is less than said first 7. A method for forming a pronounceable security pass threshold transition number. word according to claim 6, wherein said second threshold 3. A method for forming a pronounceable security pass transition number is different than said first threshold tran word according to claim 2, further comprising the steps of: sition number. discarding said first pronounceable word segment if the 8. A method for a forming pronounceable security pass transition number of said corresponding first word word according to claim 1, further comprising the steps of: segment portion is less than said first threshold transi selecting a second one of said plurality of first word tion number; segment portions, wherein selection of any one of said selecting a second one of said plurality of first word plurality of first word segment portions is of substan segment portions, wherein selection of any one of said 10 tially equal probability; plurality of first word segment portions is of substan selecting a second one of said second word segment tially equal probability; portions from the set of second word segment portions selecting a second one of said plurality of second word associated with said second selected first word segment segment portions from the set of second word segment portion, wherein selection of any one of said second portions associated with said second selected first word 15 word segment portions within said associated set of segment portion, wherein selection of any one of said second word segment portions is of substantially equal second word segment portions within said associated probability; set of second word segment portions is of substantially combining said second selected first word segment por equal probability; tion and said second selected second word segment combining said second selected first word segment por 20 portion to form a second pronounceable word segment; tion and said second selected second word segment and portion to form a substitute first pronounceable word combining said first part of the password with said second segment, and part of the password to form a portion of the password; generating a pronounceable security password including wherein said generated pronounceable security password said substitute first pronounceable word segment only 25 includes said second pronounceable word segment only if consecutive characters of said substitute first pro if consecutive characters of said formed password nounceable word segment fail to correspond to those of portion fail to correspond to those of said plurality of said plurality of first word segment portions having a first word segment portions having a transition number transition number less than the first threshold transition less than a second threshold transition number. number. 4. A method for forming a pronounceable security pass 30 9. A method for forming a pronounceable security pass word according to claim 3, further comprising the step of word according to claim 8, further comprising the step of determining if consecutive characters of said substitute determining if consecutive characters of said portion of the pronounceable word segment correspond to a first word password correspond to a first word segment portion, within segment portion, within said plurality of first word segment said plurality of first word segment portions, and if the portions, and if the transition number of said corresponding 35 transition number of the corresponding first word segment first word segment portion is less than said first threshold portion is less than the second threshold transition number. transition number. 10. A method for forming a pronounceable security pass 5. A method for forming a pronounceable security pass word according to claim 9, wherein said second threshold word according to claim 1, further comprising the steps of: transition number is different than said threshold transition identifying a first word segment portion, within said number. plurality of first word segment portions, corresponding 11. A method for forming a pronounceable security pass to one or more characters at an end portion of said first word according to claim 9, further comprising the steps: pronounceable word segment; discarding said second pronounceable word segment if selecting a second one of said plurality of second word the transition number of said corresponding word seg segment portions from the set of second word segment 45 ment is less than said second threshold transition num portions associated with said corresponding first word ber; segment portion, wherein selection of any one of said selecting a third one of said plurality of first word segment second word segment portions within said associated portions, wherein selection of any one of said plurality set of second word segment portions is of substantially of first word segment portions is of substantially equal equal probability; and 50 probability; combining said first pronounceable word segment with selecting a third one of said plurality of second word said second selected second word segment portion to segment portions from the set of second word segment form a part of the password; portions associated with said third selected first word wherein said generated pronounceable security password 55 segment portion, wherein selection of any one of said includes said second selected second word segment second word segment portions within said associated only if consecutive characters of said formed password set of second word segment portions is of substantially part fail to correspond to those of said plurality of first equal probability; word segment portions having a transition number less combining said third selected first word segment portion than a second threshold transition number. and said third selected second word segment portion to 6. A method for forming a pronounceable security pass form a substitute second pronounceable word segment; word according to claim 5, further comprising the step of and determining if consecutive characters of said part of the combining said first pronounceable word segment and password correspond to a first word segment portion, within said substitute second pronounceable word segment to said plurality of first word segment portions, and if the 65 form a substitute portion of the password; transition number of said corresponding first word segment wherein said generated pronounceable security password portion is less than said second threshold transition number. includes said substitute second pronounceable word 5,588,056 25 26 segment only if consecutive characters of said substi rality of first word segment portions categorized within tute password portion fail to correspond to those of said said one or more selection categories is of substantially plurality of first word segment portions having a tran equal probability; sition numberless than said second threshold transition selecting a first one of said plurality of second word number. segment portions from the set of second word segment 12. A method for forming a pronounceable security pass portions associated with the selected first word segment word according to claim 11, further comprising the step of portion, wherein selection of any one of said second determining if consecutive characters of said substitute word segment portions within said associated set of portion of the password correspond to a first word segment second word segment portions is of substantially equal portion, within said plurality of first word segment portions, O probability; and if the transition number of said corresponding first word combining said selected first word segment portion and segment portion is less than said second threshold transition said selected second word segment portion to form a number. first pronounceable word segment; and 13. A method for forming a pronounceable security pass generating a pronounceable security password including word according to claim 1, further comprising the steps of 15 said first pronounceable word segment only if consecu applying said pronounceable security password to encryptor tive characters of said first pronounceable word seg decrypt a message. ment fail to correspond to those of said plurality of first 14. A method for forming a pronounceable security pass word segment portions categorized in a non-selection word according to claim 1, wherein each of said plurality of Category. first word segment portions is a bigram or a trigram. 20 23. A method for forming a pronounceable security pass 15. A method for forming a pronounceable security pass word according to claim 22, wherein the transition number word according to claim 1, wherein each said plurality of associated with each of said first word segment portions second word segment portions is a unigram. categorized within said one or more selection categories is 16. A method for forming a pronounceable security pass higher than the transition number associated with each of word according to claim 1, wherein each character is a letter 25 said first word segment portions categorized in a non of an alphabet. selection category. 17. A method for forming a pronounceable security pass 24. A method for forming a pronounceable security pass word according to claim 1, wherein said transition numbers word according to claim 22, further comprising the step of are derived using a Markov model. determining if consecutive characters of said first pro 18. A method for forming a pronounceable security pass 30 nounceable word segment correspond to a first word seg word according to claim 1, wherein said pronounceable ment portion, within said plurality of first word segment security password is formed of eight or more characters. portions, and if said corresponding first word segment 19. A method for forming a pronounceable security pass portion is categorized in a non-selection category. word according to claim 1, wherein said pronounceable 25. A method for forming a pronounceable security pass security password includes at least six characters from said plurality of second word segment portions. 35 word according to claim 24, further comprising the steps of: 20. A method for a forming pronounceable security pass discarding said first selected second word segment portion word according to claim 1, wherein said pronounceable if said corresponding first word segment portion is security password forms a part of a private key associated categorized in a non-selection category; with a cryptosystem. selecting a second one of said plurality of second word 21. A method for forming a pronounceable security pass segment portions from the set of second word segment word according to claim 20, wherein said cryptosystem is an portions associated with the first selected first word RSA type cryptosystem. segment portion, wherein selection of any one of said 22. A method implemented on a computing device for second word segment portions within said associated forming a pronounceable security password using a plurality set of second word segment portions is of substantially of first word segment portions, each having at least one 45 equal probability; character, and a plurality of second word segment portions, combining said first selected first word segment portion each having at least one character, each of said plurality of and said second selected second word segment portion first word segment portions (i) having an associated set of to form a substitute first pronounceable word segment; one or more said second word segment portions, each said 50 and second word segment portion within said associated set generating a pronounceable security password including being different from others within said set and being com said substitute first pronounceable word segment only binable with said associated first word segment portion to if consecutive characters of said substitute first pro form a pronounceable word segment and (ii) being catego nounceable word segment fail to correspond to those of rized into one of at least two categories based upon a 55 said plurality of first word segment portions catego transition number corresponding to the number of said rized in the non-selection category. second word segment portions within the associate set of 26. A method for forming a pronounceable security pass second word segment portions, comprising the steps of: word according to claim 25, further comprising the step of identifying one or more selection categories from said at determining if consecutive characters of said substitute first least two categories, wherein the transition number pronounceable word segment correspond to a first word associated with each of said first word segment portions segment portion, within said plurality of first word segment categorized within said one or more selection catego portions, and if said corresponding first word segment is ries equals or exceeds a first threshold transition num categorized in a non-selection category. ber; 27. A method for forming a pronounceable security pass selecting a first one of said plurality of first word segment 65 word according to claim 22, further comprising the steps of: portions categorized within said one or more selection identifying a first word segment portion, within said categories, wherein selection of any one of said plu plurality of first word segment portions, categorized in 5,588,056 27 28 said one or more selection categories and correspond selecting a third one of said plurality of first word segment ing to consecutive characters at an end portion of said portions categorized within said one or more selection first pronounceable word segment; categories, wherein selection of any one of said first selecting a second one of said plurality of second word word segment portions categorized within said one or segment portions from the set of second word segment more selection categories is of substantially equal prob portions associated with said corresponding first word ability; segment portion, wherein selection of any one of said selecting a third one of said plurality of second word second word segment portions within said associated segment portions from the set of second word segment set of second word segment portions is of substantially portions associated with the third selected first word equal probability; and 10 segment portion, wherein selection of any one of said combining said first pronounceable word segment with second word segment portions within said associated said second selected second word segment portion to set of second word segment portions is of substantially form a part of said password; equal probability; wherein said generated pronounceable security password combining said third selected first word segment portion includes said second selected word segment portion 5 and said third selected second word segment portion to only if consecutive characters of said part of the form a substitute second pronounceable word segment; password fail to correspond to those of said plurality of and first word segment portions categorized in the non combining said first pronounceable word segment and selection category. said substitute second pronounceable word segment to 28. A method for forming a pronounceable security pass 20 form a substitute portion of said password; word according to claim 27, further comprising the step of wherein said generated pronounceable security password determining if consecutive characters of said part of the includes said substitute second pronounceable word password correspond to a first word segment portion, within segment only if consecutive characters of said substi said plurality of first word segment portions, and if said tute password portion fail to correspond to those of said corresponding first word segment portion is categorized in plurality of first word segment portions categorized in the non-selection category. said non-selection category. 29. A method for a forming pronounceable security pass 32. A method for forming a pronounceable security pass word according to claim 22, further comprising the steps of: word according to claim 31, further comprising the step of selecting a second one of said plurality of first word determining if consecutive characters of said substitute segment portions categorized within said one or more 30 password portion correspond to a first word segment por selection categories, wherein selection of any one of tion, within said plurality of first word segment portions, and said first word segment portions categorized within said if said corresponding first word segment portion is catego one or more selection categories is of substantially rized in a non-selection category. equal probability; 33. A method implemented on a computing device for selecting a second one of said plurality of second word 35 forming apronounceable security password using a plurality segment portions from the set of second word segment of pronounceable word segments, each of said plurality of portions associated with the second selected first word word segments including a first portion having at least one segment portion, wherein selection of any one of said character and a second portion having at least one character, second word segment portions within said associated and being categorized into one of at least two categories set of second word segment portions is of substantially based upon a transition number corresponding to the number equal probability; of different said second portions included in those of said combining said second selected first word segment por plurality of word segments which have a first portion tion and said second selected second word segment identical to the first portion of the word segment being portion to form a second pronounceable word segment; categorized, comprising the steps of: and 45 identifying one or more selection categories from said at combining said first pronounceable word segment with least two categories, wherein the transition number said second pronounceable word segment to form a associated with each of said word segment portions portion of said password; categorized within said one or more selection catego ries equals or exceeds a first threshold transition num wherein said generated pronounceable security password 50 includes said second pronounceable word segment only ber; if consecutive characters of said password portion fails selecting at least two of said word segments categorized to correspond to those of said plurality of first word within said one or more selection categories; segment portions categorized in said non-selection cat combining said selected word segments to form a portion egory. 55 of said pronounceable security password; and 30. A method for forming a pronounceable security pass generating a pronounceable security password including word according to claim 29, further comprising the step of said pronounceable security password portion only if determining if consecutive characters of said password consecutive characters of said pronounceable security portion correspond to a first word segment portion, within password portion fail to correspond to those of said said plurality of first word segment portions, and if said plurality of first word segment portions categorized in corresponding first word segment portion is categorized in a a non-selection category; non-selection category. wherein, the probability of any one of said word segments 31. A method for forming a pronounceable security pass -categorized within said one or more selection catego word according to claim 30, further comprising the steps: ries being selected is substantially equal. discarding said second pronounceable word segment if 65 34. A method for forming a pronounceable security pass said corresponding first word segment portion is cat word according to claim 33, wherein the transition number egorized in a non-selection category; associated with each said word segment categorized in said 5,588,056 29 30 one or more selection categories is higher than the transition means for combining said first pronounceable word seg number associated with each said word segment categorized ment with said second selected second word segment in a non-selection category. portion to form a part of the password; 35. A processing system for generating a pronounceable wherein said generated pronounceable security password security password using a plurality of first word segment includes said second selected second word segment portions, each having at least one character, and a plurality portion only if consecutive characters of said part of the of second word segment portions, each having at least one password fail to correspond to those of said first word character, with each of said plurality of first word segment segment portions within said plurality of first word portions (i) having an associated set of one or more said segment portions having a transition number less than second word segment portions, each said second word the stored second threshold transition number. segment portion within said associated set being different 10 38. A system for generating a pronounceable security from others within said associated set and being combinable password according to claim 37, further comprising: with said associated first word segment portion to form a pronounceable word segment and (ii) having a transition means for retrieving said stored second threshold transi number corresponding to the number of said second word tion number; and segment portions within the associate set of second word 5 means for determining if consecutive characters of said segment portions, comprising: part of the password correspond to a first word segment portion, within said stored first word segment portions, means for storing (i) the plurality of first word segment and if the transition number of the corresponding stored portions, (ii) the plurality of second word segment first word segment portion is less than the retrieved portions, (iii) the transition number associated with second threshold transition number. each of said stored first word segment portions and (iv) 39. A system for generating a pronounceable security a first threshold transition number, password according to claim 37, wherein said second thresh means for retrieving one of said stored first word segment old transition number is different than said first threshold portions, wherein retrieval of any one of said stored transition number. first word segment portions is of substantially equal 40. A system for generating a pronounceable security probability; 25 password according to claim 35, further comprising means means for retrieving one of said stored second word for applying said pronounceable security password to segment portions from the set of said stored second encrypt or decrypt a message. word segment portions associated with said retrieved 41. A system for generating a pronounceable security first word segment portion, wherein retrieval of any one password according to claim 35, wherein said said pro of said stored second word segment portions within 30 nounceable security password forms a part of a private key said associated set of stored second word segment associated with a cryptosystem. portions is of substantially equal probability; 42. A system for generating a pronounceable security means for combining said retrieved first word segment password according to claim 41, wherein said cryptosystem portion and said retrieved second word segment portion is an RSA type cryptosystem. to form a first pronounceable word segment; and 35 43. A processing system for generating a pronounceable means for generating a pronounceable security password security password using a plurality of first word segment including said first pronounceable word segment only if portions, each having at least one character, and a plurality consecutive characters of said first pronounceable word of second word segment portions, each having at least one segment fail to correspond to those of said first word character, each of said plurality of first word segment segment portions within said plurality of first word portions (i) having an associated set of one or more said segment portions having a transition number less than second word segment portions, each said second word the stored first threshold transition number. segment portion within said associated set being different 36. A system for generating a pronounceable security from others within said set and being combinable with said password according to claim 35, further comprising: associated first word segment portion to form a pronounce means for retrieving said stored first threshold transition 45 able word segment and (ii) being categorized into one of at number, and least two categories based upon a transition number corre means for determining if consecutive characters of said sponding to the number of said second word segment first pronounceable word segment correspond to one portions within the associated set of second word segment of said stored first word segment portions and if the portions, comprising: transition number of the corresponding stored first 50 means for storing (i) the plurality of first word segment word segment portion is less than the retrieved first portions, (ii) the plurality of second word segment threshold transition number. portions and (iii) a first threshold transition number; 37. A system for generating a pronounceable security means for identifying one or more selection categories password according to claim 35, further comprising: from said at least two categories, wherein the transition means for storing a second threshold transition number; 55 number associated with each of said first word segment means for identifying one of said stored first word seg portions categorized within said one or more selection ment portions corresponding to one or more characters categories equals or exceeds the stored first threshold at an end portion of said first pronounceable word transition number, Segment, means for retrieving one of said stored first word segment means for retrieving a second one of said stored second portions categorized within said one or more selection word segment portions from the set of stored second categories, wherein retrieval of any one of said stored word segment portions associated with said corre first word segment portions categorized within said one sponding first word segment portion, wherein selection or more selection categories is of substantially equal of any one of said stored second word segment portions 65 probability; within said associated set of stored second word seg means for retrieving one of said stored second word ment portions is of substantially equal probability; and segment portions within the set of said stored second 5,588,056 31 32 word segment portions associated with the retrieved means for combining said retrieved word segments to first word segment portion, wherein retrieval of any one form a portion of said pronounceable security pass of said stored second word segment portions in said word; and associated set of stored second word segment portions means for generating a pronounceable security password is of substantially equal probability; including said pronounceable security password por means for combining said retrieved first word segment tion only if consecutive characters of said pronounce portion and said retrieved second word segment portion able security password portion fail to correspond to to form a first pronounceable word segment; and those of said stored plurality of first word segment means for generating a pronounceable security password portions categorized in a non-selection categories; including said first pronounceable word segment only if 10 wherein, the probability of any one of said stored word consecutive characters of said first pronounceable word segments categorized within said one or more selection segment fails to correspond to those of said stored categories being retrieved is substantially equal. plurality of first word segment portions categorized in 48. A method implemented on a computing device for a non-selection category. generating a pronounceable security password comprising 44. A system for generating a pronounceable security 15 the steps of: password according to claim 43, further comprising means identifying a set of pronounceable word segments; for determining if consecutive characters of said first pro nounceable word segment correspond to a stored first word dividing each of said pronounceable word segments into segment portion categorized in a non-selection category. a first portion having at least one character and a second 45. A system for generating a pronounceable security portion having at least one character; password according to claim 44, further comprising: 20 determining a probability of transition from each of said means for identifying one of said stored first word seg first portions to one or more of said second portions to ment portions categorized in said one or more selection form one of the pronounceable word segments; categories and corresponding to consecutive characters randomly selecting one of said first portions from those of at an end portion of said first pronounceable word said first portions having an associated probability of segment; transition less than a selected threshold; means for retrieving a second one of said stored second randomly selecting one of said second portions from word segment portions from the set of stored second those of said second portions combinable with said word segment portions associated with the identified selected first portion to form one of said pronounce stored first word segment portion, wherein selection of able word segments; any one of said stored second word segment portions in 30 combining said selected first and selected second portions said associated set of stored second word segment to form one of said pronounceable word segments; and portions is of substantially equal probability; and generating pronounceable security password including means for combining said first pronounceable word seg said pronounceable word segment only if consecutive ment with said second retrieved second word segment characters of said formed pronounceable word segment portion to form a part of said password; 35 fail to correspond to those of said first portions which wherein said pronounceable security password also have an associated probability of transition which is includes said second retrieved second word segment greater than the selected threshold. portion only if consecutive characters of said part of 49. A method for generating a pronounceable security said password fail to correspond to those of said stored password according to claim 48, further comprising the plurality of first word segment portions categorized in steps of: said non-selection category. categorizing said first portions based upon said probabil 46. A system for generating a pronounceable security ity of transition; and password according to claim 45, further comprising means randomly selecting only from said first portions catego for determining if consecutive characters of said part of the rized within selected said categories. password correspond to one of said stored first word seg 45 50. A method for generating a pronounceable security ment portions categorized in a non-selection category. password according to claim 48, wherein said probability of 47. A processing system for generating a pronounceable transition is determined using a second or third order security password using a plurality of pronounceable word Markov model. segments, each of which (i) having a first portion having at 51. An article of manufacture for forming a pronounce least one character and a second portion having at least one 50 able security password using a plurality of first word seg character, and (ii) being categorized into one of at least two ment portions, each having at least one character, and a categories based upon a transition number corresponding to plurality of second word segment portions, each having at the number of different said second portions included in least one character, with each of said plurality of first word those of said plurality of word segments which have a first segment portions (i) having an associated set of one or more portion identical to the first portion of the word segment 55 said second word segment portions, each said second word being categorized, comprising: segment portion within said associated set being different means for storing the plurality of word segments; from others within said set and being combinable with said means for identifying one or more selection categories associated first word segment portion to form a pronounce from said at least two categories, wherein the transition able word segment and (ii) having a transition number number associated with each of said word segments corresponding to the number of said second word segment categorized within said one or more selection catego portions within the associated set of second word segment ries equals or exceeds a first threshold transition num portions, comprising: ber; computer readable storage medium; and means for retrieving at least two of said word segments 65 computer program stored on said storage medium; categorized within said one or more selection catego wherein said stored computer program is configured to be IIeS, readable from said computer readable storage medium 5,588,056 33 34 by a computer and thereby cause said computer to generate a pronounceable security password including operate so as to: said pronounceable word segment only if consecutive select a first one of said plurality of first word segment characters of said pronounceable word segment fail to portions, wherein selection of any one of said plurality correspond to those of said first word segment portions, of first word segment portions is of substantially equal within said plurality of first word segment portions, probability; categorized in a non-selection category. W select a first one of said plurality of second word segment 53. An article of manufacture for forming a pronounce portions from said set of second word segment portions able security password using a plurality of pronounceable associated with said selected first word segment por word segments, each of said plurality of word segments tion, wherein selection of any one of said second word 10 including a first portion having at least one character and a segment portions within said associated set of second second portion having at least one character, and being word segment portions is of substantially equal prob categorized into one of at least two categories based upon a ability; transition number corresponding to the number of different combine said selected first word segment portion and said said second portions included in those of said plurality of selected second word segment portion to form a pro 15 word segments which have a first portion identical to the first nounceable word segment, and portion of the word segment being categorized, comprising: generate a pronounceable security password including computer readable storage medium, and said pronounceable word segment only if consecutive computer programming stored on said storage medium; characters of said pronounceable word segment fail to correspond to those of the first word segment portions, wherein said stored computer program is configured to be within said plurality of first word segment portions, readable from said computer readable storage medium having a transition number less than a threshold tran by a computer and thereby cause said computer to sition number. operate so as to: 52. An article of manufacture for forming a pronounce identify one or more selection categories from said at least able security password using a plurality of first word seg two categories, wherein the transition number associ ment portions, each having at least one character, and a 25 ated with each of said word segment portions catego plurality of second word segment portions, each having at rized within said one or more selection categories least one character, each of said plurality of first word equals or exceeds a first threshold transition number, segment portions (i) having an associated set of one or more select at least two of said word segments categorized said second word segment portions, each said second word 30 within said one or more selection categories; combine segment portion within said associated set being different said selected word segments to generate a pronounce from others within said set and being combinable with said able word segment, and associated first word segment portion to form a pronounce generate a pronounceable security password including able word segment and (ii) being categorized into one of at said generated pronounceable word segment only if least two categories based upon a transition number corre 35 consecutive characters of said pronounceable security sponding to the number of said second word segment password fail to correspond to those of said plurality of portions within the associate set of second word segment portions, comprising: word segments categorized in a non-selection category; wherein, the probability of any one of said word segments computer readable storage medium; and categorized within said one or more selection catego computer programming stored on said storage medium, ries being selected is substantially equal. wherein said stored computer program is configured to be 54. An article of manufacture for generating a pronounce readable from said computer readable storage medium able security password comprising: by a computer and thereby cause said computer to computer readable storage medium; and operate so as to: 45 computer programming stored on said storage medium; identify one or more selection categories from said at least wherein said stored computer program is configured to be two categories, wherein the transition number associ readable from said computer readable storage medium ated with each of said first word segment portions by a computer and thereby cause said computer to categorized within said one or more selection catego ries equals or exceeds a first threshold transition num operate so as to: ber. 50 identify a set of pronounceable word segments; select a first one of said plurality of first word segment divide each of said pronounceable word segments into a portions categorized within said one or more selection first portion having at least one character and a second categories, wherein selection of any one of said plu portion having at least one character, rality of first word segment portions categorized within determine a probability of transition from each of said said one or more selection categories is of substantially 55 first portions to one or more of said second portions to equal probability; form one of the pronounceable word segments; select a first one of said plurality of second word segment randomly select one of said first portions from those of portions from the set of second word segment portions said first portions having an associated probability of associated with the selected first word segment portion, transition less than a selected threshold; wherein selection of any one of said second word randomly select one of said second portions from those of segment portions within said associated set of second said second portions combinable with said selected first word segment portions is of substantially equal prob portion to form one of said pronounceable word seg ability; mentS, combine said selected first word segment portion and said 65 combining said selected first and selected second portions selected second word segment portion to form a pro to produce one of said pronounceable word segments; nounceable word segment, and and 5,588,056 35 36 generating a pronounceable security password including a processor that is programmed for randomly selecting the produced pronounceable word segment only if one of said first portions from those of said first consecutive characters of the produced pronounceable portions having an associated transition probability less word segment fail to correspond to those of said first than a selected threshold, for randomly selecting one of portions which have an associated probability of tran 5 said second portions from those of said second portions sition which is greater than the selected threshold. combinable with said selected first portion to form one 55. A programmable computer system for generating a of said pronounceable word segments, for combining pronounceable security password comprising:, said selected first and selected second portions to storage medium having stored a set of pronounceable produce one of said pronounceable word segments, and word segments, wherein each of said pronounceable 10 for generating a pronounceable security password word segments has a first portion having at least one including the produced pronounceable word segment character and a second portion having at least one only if consecutive characters of the produced pro character, and wherein each said first portion has an nounceable word segment fail to correspond to those of associated transition probability, said associated tran said first portions which have an associated probability sition probability corresponding to a probability of said 15 of transition which is greater than the selected thresh first portion being combined with one of said second old. portions to form one of the pronounceable word seg ments; and