Re: Split passwords
From: Jean-Luc Cooke (jlcooke_at_engsoc.org)
Date: 06/29/05
- Next message: clem: "Re: Safe to transmit (symmetric) key encrypted with itself?"
- Previous message: aruck: "Split passwords"
- In reply to: aruck: "Split passwords"
- Next in thread: Ingbert Grimpe: "Re: Split passwords"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 29 Jun 2005 16:31:40 GMT
Good try. But there is next to no difference between using this and
using a password-passkey system.
Generate a passkey (100 bytes, let's say) and save it to a file.
Key for a login comes from hash(password + passkey).
This is sometimes called two-factor authentication. But it requires
that you not lose the passkey. If you do, you'll lose *all* your
passwords.
JLC
aruck <are@stable.form> wrote:
> An idea that I've been batting around...
> User enters a password. It can be long or short, weak or strong,
> whatever the user wants. As the user types, random numbers are
> collected. The program then combines the random numbers with the
> password, hashes that, and displays the hash values as base 36 numbers
> (so it looks like one long string of letters and numbers). The user can
> then cut-n-paste the string into the "password" field of another
> program.
> The program would obviously need to save the random numbers to a file
> that the user must secure in a safe or something (since the same random
> numbers would be needed to regenerate the same string).
> The end result is a long, random "password" based partly on what the
> user entered and partly on a string of random bytes.
> PROS
> (a) The string will be random and possibly quite long. A SHA256 result
> would yield a string of around 50 characters. A long, random password
> is very strong.
> (b) The user can choose a short, weak password and it won't adversely
> affect security in a measurably significant way.
> (c) If the user's password is leaked, then the user's data will remain
> secure as long as the file of random data remains secure. This guards
> against users who write down their passwords, and affords some
> protection against being forced to reveal a password.
> CONS
> (a) User has to run a little program to get the string. Clearly, the
> user cannot use this method for a login password.
> (b) User must protect the random data. This means keeping it on a
> floppy or USB drive, stored in a safe place. It also means wiping (not
> just deleting) extra copies.
> (c) User must remember which data file is associated with which
> password.
> (d) The string must be displayed on screen, where others may see it.
> (e) The string exists in RAM until the program ends and the user clears
> the screen. The OS might swap out that part of RAM and inadvertently
> record the string on disk. An OS with bad security might permit another
> process to read the program's memory space.
> (f) User will probably have to cut-n-paste the string, since it may be
> too long and complex to type accurately. Some programs may not permit a
> user to paste a string into a password field.
--
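The password-passkey construction JLC describes (hash(password + passkey), with aruck's base-36 output), as an added example that is not code from either poster; function names and the fixed-width base-36 padding are my own choices, the 100-byte passkey size follows the thread.

```python
import hashlib
import os
import secrets

BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def base36_width(nbytes: int) -> int:
    """Smallest digit count w with 36**w >= 256**nbytes, so any value of that size fits."""
    width, limit = 0, 1
    while limit < 256 ** nbytes:
        limit *= 36
        width += 1
    return width


def to_base36(data: bytes) -> str:
    """Encode bytes as a fixed-width, zero-padded base-36 string (50 chars for SHA-256)."""
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, r = divmod(n, 36)
        digits.append(BASE36[r])
    return "".join(reversed(digits)).rjust(base36_width(len(data)), "0")


def generate_passkey(path: str, nbytes: int = 100) -> bytes:
    """Write a fresh random passkey to `path`; this file is the second factor."""
    passkey = secrets.token_bytes(nbytes)
    with open(path, "wb") as f:
        f.write(passkey)
    os.chmod(path, 0o600)  # owner-only: this file leaking or being lost is the whole risk
    return passkey


def load_passkey(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()


def derive_password(password: str, passkey: bytes) -> str:
    """hash(password + passkey), rendered as base-36 for pasting into a password field.

    The passkey's entropy is what makes the output strong; the typed password
    only selects among outputs, so a short one costs little as long as the
    passkey file stays secret and is backed up (lose it and every derived
    password is gone, as JLC notes).
    """
    digest = hashlib.sha256(password.encode("utf-8") + passkey).digest()
    return to_base36(digest)


if __name__ == "__main__":
    import tempfile
    path = os.path.join(tempfile.mkdtemp(), "passkey.bin")  # constructed sample location
    generate_passkey(path)
    print(derive_password("weak", load_passkey(path)))  # prints a 50-character base-36 string
```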