IWalkedThroughTheForest

Significantly more powerful that an arbatrary 8 character password that is difficult to remember and has to include your standard upper case, lower case, punctuation and number and much easier to remember.

So after each attempt to logon delay the response by a set time and double the delay each time this soon makes it unfeasible to run the attack
2sec
4sec
8sec
16sec
32sec
64sec etc…

see the King’s Chessboard

pb…

–

Having a password that changes on a regular basis based on a simple algorithm does shorten the attack window if the attacker doesn’t know the algorithm but it makes no difference at all of the attacker knows the algorithm.

The point of the RSA tokens (and other brands’ equivalents) is that you CAN’T know the algorithm. (Or rather, you can’t know the seed value for the algorithm.) This means that must be in possession of the device. This counts as two-factor authentication as it is “something you know” and “something you have”.

Including the date in your password is still only “something you know”. It might be two separate things you know but it still doesn’t count as two-factor authentication.

This technique improves security but not by any significant factor. Essentially, it should be just as easy for an attacker to find out your password as to find out the algorithm you use to modify your password.

Pretty much thats what they do, but they change every minute and have 6 digits. Additionally, they have reasonable strong encryption and facilitate 2 factor authentication.

Your approach is nice, but also remember that there is a limit to what people will put up with…