
Dynamic password

An idea for improving the security of accounts and of logins to sites that require registration occurred to me a long time ago.
At the time I read Habr without an account, so naturally I did not write anything.

I do not program at that level myself and I have nothing to do with sites that manage user accounts, so I cannot implement and test the idea; I decided to share it with a knowledgeable person instead.

Who would need this? Probably Google, I thought... With some difficulty I found the address of one employee and wrote a letter.

Summary (I is me, C is the employee):
I. I have an idea for logging in to an account; it would make the process both more secret and more reliable.
C. Send it, I will find someone to forward it to.
I send it (the description is below the dialogue).
C. I have to disappoint you, but this already exists (and gives me a link to two-step authentication).
I. That is not it at all! What is proposed there is a two-step authentication method. It needs a phone (not a very good or reliable binding), to which the code for the second authentication stage is sent. Moreover, the code can be changed only once every 30 days...
C. ... (silence).
I send a reminder.
C. The idea is bad, do not waste your time, I will not forward it to anyone.
If the idea is bad, so be it; I dropped the matter.

Today I read Habr as a registered user.
My attention was caught by the article "Sesame, open up!" about logging in to a Google account with a QR code.

So people do think about how to protect their users, I thought, and I remembered my idea. Maybe someone will still find it useful?

Now the idea in more detail.
When I was corresponding about it I found nothing similar on the Internet; quite possibly I searched badly. And that employee, as it turns out, did not find anything either!

Maybe someone will implement the idea after all? It does not seem especially difficult to me. Discuss it; I myself cannot help much, this is not my field.

Passwords for mailboxes, personal pages, forums and so on are fixed strings.
They are changed manually, by the users themselves, and rarely.
The longer a password stays unchanged, the less secret it is.

I propose a password that changes automatically (a dynamic password).
Such a password can consist of a classic, unchanging part and a dynamically changing part.
If the variable part changes often enough, the password will change while an attacker is still guessing it with a password generator, which makes guessing harder.
Likewise, a password that someone peeked at will be different ten minutes later.

In short, the essence is that the user's password is not fixed but dynamic: it changes according to rules and conditions that the user describes at registration (or when changing the password).
When the user logs in to the account, the mail server checks that the entered password matches the current values of all the changing parameters.

A very primitive example:
Password option (the whole password, in this case) - the current time, accurate to within a couple of minutes.
The user types it, the system checks it within the tolerance (plus or minus a couple of minutes, since the user's clock has some inaccuracy) and lets the user in.

The simplest examples of parameters the dynamic part can be bound to:
- The current hour in one of the time zones.
- The current quarter of the hour - 1, 2, 3, 4.
- The current ten-minute interval - 0, 1, 2, 3, 4, 5.
- The current minute - 0 ... 59.
- The ordinal number of the day in the year (or how many days are left until the New Year) - 0 ... 365.
- The current month (ordinal number) - 1, 2, 3, ..., 12.
- The current month (the first letter of its name) - J, F, M, ..., D.
- Letters of the name or surname of the country's president - A ... Z.
- The season - winter, spring, summer, autumn - win, spr, sum, aut.
- The latest exchange rate of a chosen currency - ?
- The number of years since the birth of a chosen person - 0 ... 2011.
- How many years are left until a certain event - 0 ... ?
- The air temperature in a particular city according to the forecast on a chosen site.
- Any of the above translated into binary or another code.

Sample password: 415Med125
4 - the current ten-minute interval.
15 - the current hour in one of the time zones.
Med - the first letters of the current president's surname.
125 - the ordinal day of the year.

To memorize the rule, one can invent a mnemonic.
For this particular example: "The president's time is the day".
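As an added example (not code from the original post or from anyone quoted in it), here is a toy verifier in Python for the scheme described above. The server stores the layout of the password (which positions are static, which are dynamic tokens and of what width), the user's time zone, and a salted hash of the static characters only; at login it splits the entered string according to the layout, derives every set of dynamic values that is valid within the tolerance window and compares. The token names and fixed widths, the per-rule time zone, the two-minute tolerance, PBKDF2 for the static part, and the decision to treat the president's name as the static part (it cannot be computed from the clock) are all my own assumptions; the post only describes the idea in prose.

```python
# Added example, not from the original post: a toy "dynamic password" verifier.
# Assumptions (mine, not the post's): fixed-width tokens, one time zone per rule,
# a +/-2 minute tolerance, PBKDF2 over the static part, "Med" treated as static.
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Dynamic tokens from the post, computed from the user's local time.
# Each is zero-padded to a fixed width so the entered string can be split.
TOKENS = {
    "ten_minutes":  (1, lambda t: f"{t.minute // 10}"),
    "quarter":      (1, lambda t: f"{t.minute // 15 + 1}"),
    "minute":       (2, lambda t: f"{t.minute:02d}"),
    "hour":         (2, lambda t: f"{t.hour:02d}"),
    "day_of_year":  (3, lambda t: f"{t.timetuple().tm_yday:03d}"),
    "month_letter": (1, lambda t: "JFMAMJJASOND"[t.month - 1]),
}

def register(layout, static_text, tz_hours, salt=None):
    """layout: list of ("static", length) or ("dynamic", token_name).
    Returns the record the server keeps; the static text itself is not stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", static_text.encode(), salt, 100_000)
    return {"layout": layout, "tz_hours": tz_hours, "salt": salt, "digest": digest}

def split(layout, entered):
    """Cut the entered string into its static and dynamic pieces by the layout.
    Returns None when the length does not fit the layout."""
    static, dynamic, pos = [], [], 0
    for kind, val in layout:
        width = val if kind == "static" else TOKENS[val][0]
        piece = entered[pos:pos + width]
        if len(piece) != width:
            return None
        (static if kind == "static" else dynamic).append(piece)
        pos += width
    if pos != len(entered):
        return None
    return "".join(static), tuple(dynamic)

def dynamic_candidates(record, now_utc, tolerance_minutes):
    """All tuples of dynamic values valid within +/-tolerance of now.
    Each tuple comes from a single instant, so a mixed value such as
    "the hour rolled over but the ten-minute digit did not" is never accepted."""
    names = [val for kind, val in record["layout"] if kind == "dynamic"]
    out = set()
    for offset in range(-tolerance_minutes, tolerance_minutes + 1):
        local = now_utc + timedelta(minutes=offset, hours=record["tz_hours"])
        out.add(tuple(TOKENS[n][1](local) for n in names))
    return out

def verify(record, entered, now_utc, tolerance_minutes=2):
    """True only if the static part matches the stored hash AND the dynamic
    values match some instant inside the tolerance window."""
    parts = split(record["layout"], entered)
    if parts is None:
        return False
    static, dynamic = parts
    digest = hashlib.pbkdf2_hmac("sha256", static.encode(), record["salt"], 100_000)
    static_ok = hmac.compare_digest(digest, record["digest"])
    # Dynamic values are derived from public time, so plain set membership is fine.
    dynamic_ok = dynamic in dynamic_candidates(record, now_utc, tolerance_minutes)
    return static_ok and dynamic_ok

# The post's sample "415Med125": ten-minute digit, hour (UTC+3 assumed here),
# the president's name as the static part, day of the year (5 May 2011 = day 125).
# The fixed salt is only so the demo is deterministic; use os.urandom in practice.
SAMPLE_LAYOUT = [("dynamic", "ten_minutes"), ("dynamic", "hour"),
                 ("static", 3), ("dynamic", "day_of_year")]
SAMPLE_RECORD = register(SAMPLE_LAYOUT, "Med", tz_hours=3, salt=b"fixed-demo-salt!")
SAMPLE_NOW = datetime(2011, 5, 5, 12, 42, tzinfo=timezone.utc)  # 15:42 local

if __name__ == "__main__":
    print(verify(SAMPLE_RECORD, "415Med125", SAMPLE_NOW))                      # True
    print(verify(SAMPLE_RECORD, "415Med125", SAMPLE_NOW.replace(minute=53)))   # False
    # At 15:59 local the window spans 15:57..16:01, so both of these are accepted:
    print(verify(SAMPLE_RECORD, "515Med125", SAMPLE_NOW.replace(minute=59)))   # True
    print(verify(SAMPLE_RECORD, "016Med125", SAMPLE_NOW.replace(minute=59)))   # True
```

Two points the code makes visible. First, the tolerance window is what makes the scheme usable at a roll-over: a user typing at 15:59 may legitimately submit either the 15:5x or the 16:0x values, and the verifier accepts both while still rejecting a mix of the two. Second, only the static part receives the protection an ordinary salted hash gives; the layout and time zone must be stored in recoverable form, so a leaked database reveals the rule and leaves the guesser only the static part to find.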

Unlike two-step authentication, in my version the code changes automatically according to predefined rules, and it can change as often as once every 10 minutes (depending on what is used in the dynamic part).
And no phone is needed to log in.

Results.

1. Opinions are divided. In the discussion some think the idea is so-so, others found a grain of sense in it.

2. Aquahawk (January 17, 2012, 21:26, and slightly further down) gave examples 1, 2 and 3 where a similar principle is applied.
So the idea of a dynamic part does work. The dynamic part would work roughly like the RSA SecurID token in the links provided.

Here is another interesting link.
Murtazin wrote today about a very interesting bank card with a built-in display.

3. MazeFAQa (January 17, 2012, 22:10) put into words the right idea, which I could not get across at once: the password, with its static and dynamic parts, is a construction kit that the user assembles himself. He puts in what he wants, where he wants.

4. It seems the idea is so-so after all, and C from the dialogue was right...
Thanks to everyone who took part in the discussion!

5. It turns out this algorithm has already been implemented.

6. There has been a further development of the idea: Dynamic password 2.0, by djvu.

PS 2014.
The idea has been implemented for unlocking a smartphone screen: TimePIN - a stolen lock-screen password is useless a minute later.

Source: https://habr.com/ru/post/136450/

