
Human speakable password generator in JavaScript

I am in the process of developing a script that generates human-speakable strings for use in passwords. I am only concerned with English-sounding phrases. So far I have come up with the notion of different arrays:

vowels = ['a','e','i','o','u'];
single_consonants = ['b','c','d','f','g','h','j','k','l','m','n','p','q','r','s','t','v','w','x','y','z'];
double_consonants_leading = ['Bh','Bl','Br','By','Ch','Cl','Cr','Cy','Dr','Dw','Dy','Fl','Fr','Fy','Gh','Gl','Gn','Gr','Gw','Gy','Hy','Jy','Kn','Kr','Kw','Ky','Ly','Mc','Mn','Mr','My','Ny','Ph','Pl','Pn','Pr','Ps','Py','Q','Rh','Ry','Sc','Sh','Sk','Sl','Sm','Sn','Sp','St','Sv','Sw','Sy','Th','Tr','Ts','Tw','Ty','Vr','Vy','Wh','Wr','Wy','Xy','Y','Z'];
double_consonants_trailing = [...'ch'...];
tripple_consonants_leading = [...'Dry','Fly'...];
tripple_consonants_trailing = [...'rch'...];

I will then define a set of rules to concatenate elements from these arrays to create strings but not necessarily words that you would find in the dictionary.

An example is: "Frug-Spunner-Snow-Drive"

Another alternative is to use a list of words found in the dictionary; however, my first thought on that is that it is a finite list. As soon as someone knows which list you are generating strings from, it will inevitably reduce the time taken to crack it.

My solution will not only create words found in the dictionary but strings that sound like words.

function generateString(length)
{
.
.
.
return randomString;
}

generateString(7);

outputs: "Brownen" (a random string)

The function will take an argument length and return a string of that length. It could be improved by accepting more arguments, such as how many parts to use and the separator to be used between those parts.

function generateString(parts,lengthOfPart,separator)
{
.
.
.
return randomString;
}

generateString(4,5,"-");

outputs: "Crown-Drive-Knife-Gnome" (4 strings, each 5 characters long, split by a hyphen)

This is what I have so far, and the question itself is a work in progress. I would like to make sure that I am on the right track.

My question is: Is this overkill? What are the pros and cons? And ultimately, how will I go about developing this in JavaScript?

Edit 1 (13/11/2013)

I have since found an article here: http://www.baekdal.com/insights/password-security-usability that describes using a list of common words, but as long as three+ words are used at any given time then it is very secure, as the time it takes to break it is so long that the thing you are trying to protect will be of little value.

Edit 2 (10:10 14/11/2013)

I have found another article referring to a Markov Chain generator in JavaScript, http://www.soliantconsulting.com/blog/2013/02/draft-title-generator-using-markov-chains, but again the text is generated from a source text. Is this possible without it and by defining rules?

I think a good approach might be to use a Markov Chain that is generated from a large body of English text. A Markov Chain is basically a probabilistic construct which is dependent upon the source from which it is generated, so you are likely to get many English-like words that are pronounceable. In a Markov Chain, you have a state from which you can transition into many other states based on a probability. Since your Markov Chain will be based on English letters from a body of English text, transitions from one letter to another letter will be more probable than a transition to a different one. For example, it is more likely to transition from c to a or o, than from c to z or x. I have a simple Perl script that generates Markov Chains based on words or letters and I was able to get the following "words" that seem to be pretty pronounceable:

Engulary 
Beavy 
Lan 
Irstatinval
Bassions
Assish 
Forld  
Anturopean 
Cought 
Froot 
Thation 

Keep in mind though that the entropy is limited by the source material, so it is better to have a large body that you're generating words from. Taking a pointer from the xkcd password generator mentioned by Diodeus, you can combine two or more of these words into a pronounceable but nonsensical phrase that can be a password as well.
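The letter-level Markov chain described in the answer above, as an added JavaScript example that is not part of the original post and is not the answerer's Perl script. The corpus is a constructed sample, the function names are hypothetical, and Web Crypto (`crypto.getRandomValues`) is assumed as the random source; each word is returned with its surprisal under the model, which is the sense in which the source text limits the entropy.

```javascript
// Added example: order-2 letter Markov chain sampled with a CSPRNG.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// Uniform integer in [0, n) by rejection sampling (avoids modulo bias).
function randomBelow(n) {
  const buf = new Uint32Array(1), limit = 2 ** 32 - (2 ** 32 % n);
  do rng.getRandomValues(buf); while (buf[0] >= limit);
  return buf[0] % n;
}

// Constructed sample corpus; a usable model needs a far larger body of text.
const CORPUS = 'station nation passion fashion ration bassist english european ' +
  'thought bought fought brought fruit front frost world word form interval ' +
  'regular singular heavy beaver leaving engine england turning return';

// Count next-letter frequencies per two-letter context.
// '^' pads the start of a word, '$' marks its end.
function train(text) {
  const model = new Map();
  for (const word of text.toLowerCase().split(/\s+/).filter(Boolean)) {
    const padded = '^^' + word + '$';
    for (let i = 2; i < padded.length; i++) {
      const ctx = padded.slice(i - 2, i);
      const next = model.get(ctx) ?? new Map();
      next.set(padded[i], (next.get(padded[i]) ?? 0) + 1);
      model.set(ctx, next);
    }
  }
  return model;
}

// Walk the chain. Returns the word and its surprisal in bits: -log2 of the
// probability that this model emits exactly these letters.
function generate(model, maxLen = 12) {
  let ctx = '^^', word = '', bits = 0;
  while (word.length < maxLen) {
    const next = model.get(ctx);
    const total = [...next.values()].reduce((a, b) => a + b, 0);
    let pick = randomBelow(total), ch, count;
    for ([ch, count] of next) {
      if (pick < count) break;
      pick -= count;
    }
    bits += Math.log2(total / count);
    if (ch === '$') break;
    word += ch;
    ctx = ctx[1] + ch;
  }
  return { word, bits };
}
```

A low `bits` value means the model emits that word often, so anyone holding the same source text would try it early; words that merely reproduce the corpus score lowest.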

Simple example without a word list (only letters defined) for people with very good memory ... To get human speakable words, more rules should be added like 4 vowels together.

Results

Diecrue - Okeiae - Auasvei
Aovaua - Biaeeo - Suwien
Aiasmea - Aueglou - Koiroa
Doiiui - Domeab - Slokaoa
Oeiuju - Yootraa - Koaeua
Qagwisva - Hiexau - Yovaca
Fleeaee - Peaoui - Xafriaa
Vaaute - Iqovai - Naaaesn
Yauehe - Ueeguu - Mrouiepr
Smikreua - Friusnut - Aoqiji

main code: http://jsfiddle.net/mMZ3Y/

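// getRandomInt(min, max) is not defined in this post; it is assumed to return
// an integer between min and max, both inclusive.
// n is the number of pieces (letters or clusters) appended, not the string length.
function get_password_word(n){
    var data1 = ['a','e','i','o','u']; // vowels
    var data2 = ['b','c','d','f','g','h','j','k','l','m','n','p','q','r','s','t','v','w','x','y','z']; // single consonants
    var data3 = ['bl','br','cl','cr','dr','dw','fl','fr','gl','gr','gw','kn','kr','kw','mr','ph','pl','pn','pr','ps','sc','sh','sk','sl','sm','sn','sp','st','sv','sw','tr','ts','wh']; // consonant clusters

    var str = '';
    var last = ''; // table used for the previous piece: 1, 2 or 3
    for(var i = 0; i < n; i++){
        var type = getRandomInt(1, 10);
        //avoiding some cases
        if(last == 3) // after a cluster, force a vowel
            type = 1;
        if(last == 2) // after a consonant, force a vowel
            type = 1;
        if(last == 1 && getRandomInt(1, 2) == 1)
            type = 2; // 2 is still < 4, so half the time a vowel is followed by another vowel
        //generate
        if(type < 4){ // type 1-3: vowel (3 of the 10 raw draws)
            str += data1[getRandomInt(0, data1.length-1)];
            last = 1;
            }
        else if(type < 9){ // type 4-8: single consonant (5 of the 10 raw draws)
            str += data2[getRandomInt(0, data2.length-1)];
            last = 2;
            }
        else{ // type 9-10: consonant cluster (2 of the 10 raw draws)
            str += data3[getRandomInt(0, data3.length-1)];
            last = 3;
            }
        }
    // capitalise the first letter
    str = str.charAt(0).toUpperCase() + str.slice(1);
    return str;
    }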
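A variant of the rule-based approach above that draws every piece uniformly from the Web Crypto CSPRNG, so the strength of the result can be computed instead of guessed. This is an added example, not code from the original post or the linked fiddle; the syllable rule (one consonant or cluster followed by one vowel), the function names and the 2048-word list size used in the comments are assumptions made for illustration.

```javascript
// Added example: the answer's letter tables with uniform, CSPRNG-backed draws.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// Uniform integer in [0, n) by rejection sampling (avoids modulo bias).
function randomBelow(n) {
  const buf = new Uint32Array(1), limit = 2 ** 32 - (2 ** 32 % n);
  do rng.getRandomValues(buf); while (buf[0] >= limit);
  return buf[0] % n;
}

const VOWELS = [...'aeiou'];
// Single consonants plus the two-letter clusters from the answer's data3.
const ONSETS = [...'bcdfghjklmnpqrstvwxyz',
  'bl', 'br', 'cl', 'cr', 'dr', 'dw', 'fl', 'fr', 'gl', 'gr', 'gw',
  'kn', 'kr', 'kw', 'mr', 'ph', 'pl', 'pn', 'pr', 'ps', 'sc', 'sh',
  'sk', 'sl', 'sm', 'sn', 'sp', 'st', 'sv', 'sw', 'tr', 'ts', 'wh'];

// One syllable = onset + vowel. A string splits back into syllables in only
// one way (after each vowel), so distinct draws never collide.
const SYLLABLE_CHOICES = ONSETS.length * VOWELS.length;

function syllable() {
  return ONSETS[randomBelow(ONSETS.length)] + VOWELS[randomBelow(VOWELS.length)];
}

// Capitalisation and the separator are fixed, so they add no entropy.
function generatePassword(parts, syllablesPerPart, separator = '-') {
  const words = [];
  for (let p = 0; p < parts; p++) {
    let w = '';
    for (let s = 0; s < syllablesPerPart; s++) w += syllable();
    words.push(w[0].toUpperCase() + w.slice(1));
  }
  return words.join(separator);
}

// Entropy in bits of `units` independent uniform draws from `choices` options.
// Holds even when the tables are public: the secret is the draws, not the list.
function entropyBits(choices, units) {
  return units * Math.log2(choices);
}

// Smallest number of units reaching targetBits, e.g. syllables from this
// scheme or words from a list of an assumed size such as 2048.
function unitsNeeded(choices, targetBits) {
  return Math.ceil(targetBits / Math.log2(choices));
}
```

The same two functions answer the question's worry about a finite word list: a known list of N words costs an attacker N to the power of the word count guesses, which is large as long as the words are chosen uniformly at random.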
