Security: A New Password Future

Passwords are the necessary evil of modern-day computing. Just try to think how many passwords you have: Hotmail, Facebook, Amazon, BlackBerry PIN, ATM PIN… the list goes on and on.

Our online worlds would cease to function if Firefox or Keychain or whatever Windows uses forgot all our passwords. That's why so many people use the same password for everything! And the online bad guys know this: once they've hoodwinked you into handing over your Hotmail password they can get into your Amazon and your Facebook, gathering mothers' maiden names, pet names, towns and cities of birth. All the info they need to steal your identity.

Luckily the banks are hip to this and don't let you choose your own password; a series of codes, tests and randomly generated numbers is required to log in. But all of this is rendered useless if the thief walks into your local branch armed with a copy of your birth certificate and 3 months of utility bills.

What's wrong with my password, you ask? Well, as my Mum recently discovered after using a dictionary word for her Hotmail account, it was just a matter of time. And a random string of letters isn't much good either, with networks and processors getting fast enough to make brute-force attacks feasible.

Let's do some maths! Take your normal 8-letter password, all lower case and no numbers. With n symbols and r positions that gives n^r possibilities:

n^r = 26^8 = 208,827,064,576

Now if we add in upper case:

52^8 = 53,459,728,531,456

And now the gold standard, numbers and punctuation (, . – _ ( ) [ ] \ / ? < > ! @ $ % ^ & *), an extra 20 possible characters:

(52 + 10 + 20)^8 = 82^8 = 2,044,140,858,654,980

Now this is getting close; even Roadrunner would have trouble cracking this, but it's still not enough. It won't be long before we have this type of processing power on our desks and on our laps and eventually in our pockets, so we had better come up with a solution.

The Dynamic Password: a cypher with an algorithmic portion.

The user would pick the normal password (mixed case, numbers etc.) but also a function. These functions would take values such as the time, date or weekday and produce an output that would be appended or prepended to the password. This would make each password valid for only a few hours or days at most, and vastly decrease the odds of a brute-force attack.

Examples

<Cypher><Yesterday's date * your birthday>

<Tomorrow's date><Cypher><The hour * today's date + 1>

These 'new' passwords have the advantage of automatically changing every day, week, hour or even minute. This means that if a hacker does crack your password, it's no good 60 seconds later. Or, if it only changes every day, he'd have to have a computer fast enough to check all the possibilities in 24 hours, otherwise start again.
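As an added illustration (my code, not the author's), here is the first example above as a working generator and verifier. The post does not say how the dates are encoded, so it assumes each date becomes the integer DDMM and the product is appended as decimal digits; the verifier's tolerance window is also my addition.

```python
import hmac
from datetime import date, timedelta

# Added example of the scheme <Cypher><Yesterday's date * your birthday>.
# Assumptions (not stated in the post): dates are encoded as the integer DDMM
# (5 March -> 503) and the product is appended to the fixed part as digits.

def ddmm(d: date) -> int:
    """Encode a date as the integer DDMM, e.g. 5 March -> 503."""
    return d.day * 100 + d.month

def dynamic_password(cypher: str, today: str, birthday: str) -> str:
    """Password valid on `today` (ISO date string):
    fixed part + (yesterday's DDMM * birthday's DDMM)."""
    yesterday = date.fromisoformat(today) - timedelta(days=1)
    return cypher + str(ddmm(yesterday) * ddmm(date.fromisoformat(birthday)))

def verify(candidate: str, cypher: str, birthday: str, today: str,
           window_days: int = 1) -> bool:
    """Server side: accept the password for today or up to `window_days`
    earlier, so a login that straddles midnight (or a slow client clock) still
    works. The window is exactly how long a captured password stays usable."""
    now = date.fromisoformat(today)
    for back in range(window_days + 1):
        expected = dynamic_password(cypher, (now - timedelta(days=back)).isoformat(), birthday)
        # constant-time comparison so timing does not leak how much matched
        if hmac.compare_digest(candidate, expected):
            return True
    return False

if __name__ == "__main__":
    # constructed sample values: fixed part "Fx7#pLq2", birthday 21 July 1980
    print(dynamic_password("Fx7#pLq2", "2010-03-05", "1980-07-21"))
```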

Don’t forget to express yourself in the comments.

4 Responses to “Security: A New Password Future”

  1. blah says:

    Have you heard of the RSA tokens?

    Pretty much that's what they do, but they change every minute and have 6 digits. Additionally, they have reasonably strong encryption and facilitate 2-factor authentication.

    Your approach is nice, but also remember that there is a limit to what people will put up with…

  2. Dave says:

    Actually, RSA tokens do functionally more than this kind of scheme.

    Having a password that changes on a regular basis based on a simple algorithm does shorten the attack window if the attacker doesn't know the algorithm, but it makes no difference at all if the attacker knows the algorithm.

    The point of the RSA tokens (and other brands' equivalents) is that you CAN'T know the algorithm. (Or rather, you can't know the seed value for the algorithm.) This means that you must be in possession of the device. This counts as two-factor authentication as it is "something you know" and "something you have".

    Including the date in your password is still only “something you know”. It might be two separate things you know but it still doesn’t count as two-factor authentication.

    This technique improves security but not by any significant factor. Essentially, it should be just as easy for an attacker to find out your password as to find out the algorithm you use to modify your password.
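An added example, not Dave's code, of the seed-based token he describes. It follows the published HOTP/TOTP construction (RFC 4226 / RFC 6238) rather than RSA's own: the algorithm is entirely public, and the only secret is the seed shared between the token and the server (here the RFC test seed).

```python
import hashlib
import hmac
import struct
import time

# Added example: one-time codes from a shared secret seed. Knowing the
# algorithm is useless without the seed, which is the point the comment makes.

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then RFC 4226 dynamic
    truncation: the low nibble of the last byte picks a 4-byte window."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant: the counter is the number of `step`-second periods
    elapsed, so token and server agree as long as their clocks roughly do."""
    return hotp(seed, unix_time // step, digits)

def verify_totp(seed: bytes, candidate: str, unix_time: int,
                step: int = 30, skew_steps: int = 1) -> bool:
    """Server side: accept the current period and +/- `skew_steps` periods to
    tolerate clock drift. A wider window lengthens the replay window."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(seed, counter + d), candidate)
               for d in range(-skew_steps, skew_steps + 1))

if __name__ == "__main__":
    # RFC 6238 test seed; a real token's seed is provisioned once and never displayed
    seed = b"12345678901234567890"
    print(totp(seed, int(time.time())))
```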

  3. There is a simple way for web sites to REDUCE the risk of dictionary attacks: add an increasing delay between attempts to log on.

    So after each attempt to log on, delay the response by a set time and double the delay each time; this soon makes it unfeasible to run the attack:
    2sec
    4sec
    8sec
    16sec
    32sec
    64sec etc…

    see the King’s Chessboard

    pb…
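An added example, not the commenter's code, of the doubling delay kept per account on the server. The 2-second base and the doubling are the comment's; the cap is my addition, since without one an attacker can lock a legitimate user out simply by failing their login on purpose.

```python
# Added example: per-account exponential login backoff (the King's Chessboard).
BASE_DELAY = 2.0      # seconds after the first failure, as in the comment
MAX_DELAY = 300.0     # cap (assumption): uncapped doubling is a denial-of-service lever

def delay_after_failures(failures: int, base: float = BASE_DELAY,
                         cap: float = MAX_DELAY) -> float:
    """Delay imposed after `failures` consecutive failures: base * 2^(failures-1), capped."""
    if failures <= 0:
        return 0.0
    return min(base * 2 ** (failures - 1), cap)

def total_wait(attempts: int, base: float = BASE_DELAY, cap: float = MAX_DELAY) -> float:
    """Seconds an attacker spends waiting across `attempts` wrong guesses (the chessboard sum)."""
    return sum(delay_after_failures(n, base, cap) for n in range(1, attempts + 1))

class LoginThrottle:
    """Tracks consecutive failures per account and when the next attempt may be answered."""

    def __init__(self, base: float = BASE_DELAY, cap: float = MAX_DELAY):
        self.base, self.cap = base, cap
        self.failures = {}      # account -> consecutive failures
        self.not_before = {}    # account -> earliest time an attempt is processed

    def check(self, account: str, now: float) -> float:
        """Seconds the caller must still wait before this attempt is evaluated (0 = go)."""
        return max(0.0, self.not_before.get(account, 0.0) - now)

    def record(self, account: str, success: bool, now: float) -> float:
        """Update state after an attempt; returns the delay imposed on the next one."""
        if success:
            self.failures.pop(account, None)
            self.not_before.pop(account, None)
            return 0.0
        self.failures[account] = self.failures.get(account, 0) + 1
        delay = delay_after_failures(self.failures[account], self.base, self.cap)
        self.not_before[account] = now + delay
        return delay
```

A per-account delay does nothing against one common password tried across many different accounts, so it needs a per-source or global limit alongside it.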

  4. Luke O'Byrne says:

    Ignoring the fact that future security will be biometric/hardware based and not software/password based, what is wrong with the old sentence?

    IWalkedThroughTheForest

    Significantly more powerful than an arbitrary 8-character password that is difficult to remember and has to include your standard upper case, lower case, punctuation and number, and much easier to remember.