
Author Topic: I found 33 six-letter words with a simple rule.  (Read 5410 times)


Geek-9pm

I found 33 six-letter words with a simple rule.
« on: September 07, 2017, 02:13:28 PM »
Password Algorithm for Work-group.

There are 33 six-letter words - with Q & T - without E

ACQUIT ASQUAT DIQUAT LOQUAT QANATS QINTAR QIVIUT QUAINT QUANTA QUANTS QUARTO QUARTS QUARTZ QUATCH QUBITS QUIGHT QUILTS QUINTA QUINTS QUIRTS QUISTS QUITCH QUOIST QUOITS QUOTAS QUOTHA QUOTUM SQUATS SQUINT SQUIRT SQUITS TALAQS TRANQS

source: https://www.bestwordlist.com/edit.htm?/6letterwords.txt

Why do you want this? I don't know the technical term for this. You would use this when your company is having issues with passwords that are both safe and easy to recover.

Each member of your work group takes a word from the list and adds four digits from a phone number. The rule 'six-letter words - with Q & T - without E' is known to the whole work group, so it can be reproduced later if needed.

The combination of words and numbers is easy to remember. Now you have a limited word set and numbers that are known. This makes it possible for other members of the work group to guess the password of a member. You want that in case of an emergency.

But the rule is not revealed to the outside world. Therefore the likelihood of a stranger getting the password in a few attempts is very low.

Make other rules. Find one or two the work group can remember, but do not let others know. Use the link above to recover a list.

Does anybody know what this algorithm is called? Where did it originate?

DaveLembke



Re: I found 33 six-letter words with a simple rule.
« Reply #1 on: September 08, 2017, 06:40:51 AM »
Interesting generator that allows exclusion of characters. It's too bad it doesn't also offer lower case in addition to upper case, as well as symbols and numbers to be added to the mix.

About 10 years ago I was messing around with a random (game character) name generator for games, where I wanted a name to be generated and then decide to use that one or press run again to see what new combination is generated. I did this with PERL with the fact that FOR loops can count alpha to increment and decrement very easily. I basically populated an array with the contents of running from say AAAAAA to ZZZZZZ and a random generator to call to an array string/word element and display that if wanted to have a 6 letter word of same case.

Geek-9pm

Re: I found 33 six-letter words with a simple rule.
« Reply #2 on: September 08, 2017, 05:46:04 PM »
Thanks for the reply.
My intent was not to make true random passwords. Instead, use real words that can be remembered. Part of the password problem is that people forget passwords. Unless there is some way that can recall what the word was.

Use of real words makes it much easier for users to recall the password.

A format once used was:

  word symbol word

The permutations get into the millions and would make it hard to break even with brute force password cracking. To prevent this, the application should have a feature that blocks attempts after five attempts. The block would stay on for one hour to stop the brute force crack.

This is my point, and I think some agree, if the password is too hard, administrators will create some kind of 'backdoor' to get into a lost account. Such a 'backdoor' defeats the whole concept of security.

The remedy is to have a simple algorithm that can be used to recover forgotten passwords. If the user can see a list of, let's say, 50 possible passwords, he might recall which word he used.

The 3 letter algorithm I gave earlier has over 17,000 permutations for the algorithm itself. Actually a lot more. I just can do that very quickly.

The concept is that the easy to remember password can be more effective in security. Because the user can do his own recovery. Otherwise, the password reset thing is the flaw in current practice.

I hope you understand what I am saying. This could be an hour lecture in a classroom.  :D


BC_Programmer


Re: I found 33 six-letter words with a simple rule.
« Reply #3 on: September 08, 2017, 07:11:17 PM »
I've never been convinced of that "horse battery staple" style of password myself. The logic behind how long it would take to crack relies on a specific algorithm where the characters are the discrete elements that are changed. Like trying to figure out a combination by trying 001, 002, 003, 004...

But the only result is going to be new cracking algorithms that simply use dictionaries instead of letters. In that case, a three word password would be fairly straightforward to crack; probably easier than say a randomly generated password. Limits on the number of attempts and lockouts most "hacks" occur when a database is hacked and the hashes are retrieved, at which point cracking the passwords is a case of trying to find something with the same hash; the "profit" being that often people will use that same password for the e-mail and you can get all sorts of information that way, I presume.

It's funny because this topic got me thinking of writing a password generator, somehow oblivious to the one I wrote some time ago. But that was for characters, so it might be interesting to have it use a dictionary file and generate a password from a selection of random dictionary words, perhaps with modifications to particular letters or adding a number to the start or end randomly, to add more entropy and combat easy dictionary attacks.
I was trying to dereference Null Pointers before it was cool.
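
Added example (not part of any post in this thread): a Python sketch that applies the rule from the opening post to a word list and sizes the resulting word-plus-four-digits candidate space, then compares the five-attempts-per-hour lockout from Reply #2 with the leaked-hash case raised in Reply #3. The extra non-matching words and the offline guess rate are constructed assumptions for illustration.

```python
import math
import re

# The 33 words listed in the opening post.
PAGE_WORDS = """ACQUIT ASQUAT DIQUAT LOQUAT QANATS QINTAR QIVIUT QUAINT QUANTA
QUANTS QUARTO QUARTS QUARTZ QUATCH QUBITS QUIGHT QUILTS QUINTA QUINTS QUIRTS
QUISTS QUITCH QUOIST QUOITS QUOTAS QUOTHA QUOTUM SQUATS SQUINT SQUIRT SQUITS
TALAQS TRANQS""".split()
# Constructed non-matching words, added only to show the rule filters.
CONSTRUCTED_EXTRAS = ["QUEENS", "TOMATO", "QUIETS", "SQUARE", "QUOTE", "BANQUET"]


def matches_rule(word):
    """Rule from the first post: six letters, with Q and T, without E."""
    w = word.upper()
    return bool(re.fullmatch(r"[A-Z]{6}", w)) and "Q" in w and "T" in w and "E" not in w


def filter_words(words):
    """Return the sorted, de-duplicated words that satisfy the rule."""
    return sorted({w.upper() for w in words if matches_rule(w)})


def candidate_space(words, digits=4):
    """Count of word+digits passwords once the rule itself is known."""
    return len(set(words)) * 10 ** digits


def entropy_bits(space):
    """Bits of entropy if every candidate is equally likely."""
    return math.log2(space)


def hours_to_exhaust_online(space, attempts=5, lockout_hours=1):
    """Upper bound with the Reply #2 lockout: one block per batch of guesses."""
    return math.ceil(space / attempts) * lockout_hours


def seconds_to_exhaust_offline(space, guesses_per_second):
    """Worst case against retrieved hashes, where no lockout applies (Reply #3)."""
    return space / guesses_per_second


if __name__ == "__main__":
    ASSUMED_RATE = 1_000_000  # illustrative assumption, not a measured figure
    words = filter_words(PAGE_WORDS + CONSTRUCTED_EXTRAS)
    space = candidate_space(words)
    print(len(words), "words,", space, "candidates,", round(entropy_bits(space), 1), "bits")
    print("online, with lockout:", hours_to_exhaust_online(space), "hours")
    print("offline, no lockout:", seconds_to_exhaust_offline(space, ASSUMED_RATE), "seconds")
```

The gap between the two figures is why the strength of such a scheme depends on the rule staying secret and on the lockout actually being enforced wherever the password can be tested.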

Geek-9pm

Re: I found 33 six-letter words with a simple rule.
« Reply #4 on: September 08, 2017, 09:49:56 PM »
This is from dictation. Laugh if you must.   :rofl:
Thanks for your reply, BC.
Perhaps I need to back up a bit and explain why I got into this peculiar idea. The point here is not just coming up with a password that's hard to guess. That is only part of the overall scenario.

Data security has four major columns of support.

The first pillar must be the physical security. That means the equipment itself must be physically secure from anybody coming in and sneaking a peek at the computer hardware and having a chance to fiddle with it.

The second pillar must be personnel security. Only individuals who are trusted should be employed by the firm. Even the janitor needs to pass a security check.

The third pillar of data security must be acceptable practices. Using one password for several different accounts should be considered a forbidden practice. Instead, there could be a secret password table that is known to a few administrators and this password table could be used as long as it is a secret. The use of e-mail related passwords should be forbidden except for e-mail that is associated with a secure server. So the company would have to have its own e-mail system for its employees and the employees would never use their personal e-mail resources on the company's computers. Such a list of acceptable and unacceptable practices is a key ingredient in data security.

The fourth pillar of data security is coming up with a password scheme that cannot be easily broken, tampered or foiled or disrupted. The fact that a password is very hard to crack by brute force is not enough. There should be in place some mechanism to prevent brute force attack of a password protected service. Even if a password is very, very difficult, that is of no value if there is a backdoor mechanism to go around the password.

Now then, if we can agree that there are some four pillars of security we can say that the security level would be the product of the four pillars. Never assume that it would be the sum of four pillars. It doesn't work that way.

When the measure of something is a product, it means that any of the values used in the product must not be zero. If just one of the four pillars of data security has a value near zero, then the end product will be near zero. It matters not that the other three pillars of security were very high.

There is the issue. Somehow people seem to think that security is simply the sum of the pillars. That doesn't work. You cannot make up for the deficiency in one area by increasing or raising the bar in another area. Yet many people seem to think that all you have to do is make one or two of the security pillars very tall and then it won't matter that the others are short.

I know this sounds kind of abstract, but this is the way you have to reason it out. It's not about the value of one thing. It's about the value of a number of things, any one of which must be more valuable than nothing.

To put it another way, take the case of the first pillar. The physical security. If just anybody can come in and out at any time and fiddle with a company computer, then that pillar has a value of zero and sooner or later the company is going to be hacked no matter what kind of security levels they have in the other areas. Physical security has to be a very high level. But we can't say that it's more important than anything else. All four pillars are important. They all have to be at a high level to be effective. If just one of the four pillars is at a very low level or near zero, then the whole system is weak.

Case in point. From time to time we hear about how big huge companies have had terrible data breaches. How can this be? Because they did not make sure that all the pillars of data security were in place and set at a high value. A common problem is a weakness in the security of personnel. They allow people with very poor security clearance to come in and out of the building. It could be a janitor, the pizza delivery guy, or somebody who claims to be a building inspector. Anybody who comes into the data center must have some kind of security clearance. Forget that and you might as well forget about data security.

All right, now let's get back to the password thing. To prevent weaknesses in the password scheme, there must not be an easy way to get around the password. Very poorly designed password security systems are a weakness. A well-designed system should not have a password reset or password recovery option. If everybody involved in the data security process has been well educated, nobody should ever forget their password. And even if they did forget it, there should be a way for them to recover the password from among their peers, not from some distant third party agency.

That is why I was suggesting there should be a way for people to remember either their password or a password table that can be recovered through some type of algorithm that is a secret known only to trusted employees. The number of simple algorithms for making clever passwords is somewhere in the tens of thousands or maybe even higher. The one I suggested was where you choose common dictionary words and specify the length of the word and certain letters that must be used inside the word. That will give you a small set of words that can be printed out and distributed to trusted employees inside the data center. Of course, that means that everybody who works inside the data center should have a very high level of security.

If you have disloyal people inside your data center, no amount of password ingenuity is going to protect you from a data breach. On the other hand, if your employees are really well trusted people, and you know they are loyal, you could give them a table of passwords that can be used only for applications relating to the data center operations. This could be a published table of 100 acceptable passwords. That table must never, never be published to any outside agency. Is that too much to ask of your employees? I think not.

This is perhaps longer than what I expected, but I wanted to make clear why I was using such a zany crazy idea. It's not really so crazy when you think about why it is that so many data breaches have taken place. It was not really because the passwords were weak. Almost always it's a case of something else being weak in the data security system.

Of course, one should not be using passwords that are just too easy to guess such as:
qwerty
123456
iamjesus
kissmybut
Those are just too simple to be effective. On the other hand, very complicated passwords do not make up for other deficiencies in the overall security system.
End of Dictation.   8)