Sunday, August 15, 2021

Code: Easy-to-Type Password Generator





----

People who care about security use hard-to-crack passwords, generally produced by a password generator as a random mix of uppercase letters, lowercase letters, numbers, and symbols. Those four character classes are often required for website passwords, along with a minimum length and other rules. However, a password like 3gK*&>5%bZY)sH:D can be hard to type, especially on certain devices. For example, typing passwords on a video game console is a huge annoyance: you generally have to hunt and peck across a software keyboard with a cursor driven by the game controller. That is much slower than a hardware keyboard or a capacitive touch (mobile) keyboard, both of which you control directly with your fingers and on which you can enter several characters in rapid succession.

The on-screen keyboard on a PlayStation 4. You must press a button to access capital letters or the symbol keyboard. I don't know why there are two f's on this keyboard.

It would be easier to type such passwords with a better keyboard. But since we can't use our phones to enter passwords on our game consoles, and we don't want to pay for expensive console keyboards, it's simpler to just generate a password that's easy to type. What makes a password easy to type? Grouping characters of the same type together. Uppercase letters go in one continuous section, lowercase letters in another, digits in a third, and symbols in a fourth. That way you aren't switching keyboard modes for every character you enter, only at each section boundary.

What about security? You can keep good security by making the password long and using a cryptographically secure pseudorandom generator, not only to select each character (drawn uniformly from its class, so no character is favored) but also to choose the order of the sections. If you like, you can add extra sections, again picked randomly. A password like 3045krkfEYTB{+:_ is still hard to crack: an attacker doesn't know the order of the sections, nor which characters were selected within each section.

Meanwhile, you switch keyboard modes (from default to numbers* to lowercase to uppercase to symbols) at most four times. That's far fewer than the 13 switches needed to type 3gK*&>5%bZY)sH:D, a password of equal length. The conventional password is more secure than the easy-to-type one, but the easy-to-type password is already strong enough: at a billion guesses per second, exhausting its space would take hundreds of thousands of years (the exact figure depends on how the site hashes passwords and on the attacker's hardware).

If you want to see exactly how secure the algorithm would be, let's compare:

Assuming 27 symbols, there are 27+10+26+26=89 characters to choose from for a regular password. A password of length 16 then has 89^16 ≈ 1.5e+31, or 15 nonillion, possibilities. A high number for sure.

With an easy-to-type password of four sections (the minimum) and four characters per section (the default), first count the possible orderings of the sections: P(4,4) = 4! = 24. Then each section has 4 characters, allowing repeats. For digits that's 10^4 = 10,000. Each set of letters is 26^4 = 456,976. Symbols is 27^4 = 531,441. Multiplying those together gives about 2.7e+22, or 27 sextillion, possibilities. The easy-to-type password trails a regular 16-character password by roughly 9 orders of magnitude (a factor of about 6e+8), but it's still quite tough to brute force. And that is assuming the attacker already knows you're using this generator with the default settings; without that knowledge they face the full 89^16 space.

Compare it with the far more common 8-character password, which has only about 3.0e+15, or 3 quadrillion, possibilities (the exact number depends on how many symbols are allowed; with the same 89-character alphabet it's 89^8 ≈ 3.9e+15). The easy-to-type password is stronger by roughly 7 orders of magnitude, and you can increase the number and length of the sections to make it stronger still. Keep in mind that you still have to switch keyboard modes many times when typing a conventional 8-character password, even if fewer times than with a 16-character one.

Because I was interested in this idea, I coded it up in JavaScript, and because I like getting to the point, I posted my implementation above. I set the minimum section length to 1 in case users want to generate a regular-style password, but if you use a section length below 4, I strongly suggest using 8 or more sections. Passwords are generated entirely client side; I don't save or send the results anywhere.

You can also find the code at: https://github.com/omaric/easytypepass

* I suppose most on-screen keyboards don't have a numbers-only mode. Still, I think numbers deserve their own section in this password generator.