
Fingerprint authentication


Like most social network users, I occasionally receive messages from friends asking me to support this or that initiative.
A couple of years ago, this is exactly what happened: a girl I used to work with asked me to vote for her in some photo contest. I usually don't refuse such favours, so after spending two minutes, and taking the opportunity to log in to the contest website with accounts from several social networks, I sent my friend a confirmation:




- Voted. Good luck in the competition.
- Thank you, buddy, but now you need to change all your passwords. I'm not taking part in any competition.
As you have guessed, I was a victim of phishing.

I must say this happened to me for the first time; as a rule, elementary care is enough not to fall for the bait:

  1. Avoid clicking links in strange domain zones, with addresses made of a random set of letters, or resembling the addresses of popular services or obscene words. And, of course, do not log in to such sites.
  2. Avoid links in messages written in a style uncharacteristic of the sender, with a mass of (atypical) errors or promotional offers; for some reason most crooks are unable to communicate coherently.
  3. Avoid sites whose content differs radically from what was announced, or which are oversaturated with aggressive advertising in the "Man-Eater" style. As a rule, fraudsters care about nothing but their own benefit, and cannot resist extracting at least some benefit from their actions.


However, in this case the phishers approached the matter with love and diligence: first, they somehow took over my friend's social network password; second, they sent messages on her behalf that I did not classify as suspicious (quite literate, short and believable); and third, they made the phishing site itself credible: it was done slightly carelessly, but at the level usual for such an event, and it even had real photos and a voting system that worked, at least nominally.


I used to consider myself, as they say, an experienced user, to a certain extent protected from fraud, but as it turned out, it was easy enough to deceive me. The average spammer is not capable of it, but that fact only indicates the low intellectual level of the fraudster, not my high one. So I had to go through the annoying password-changing procedure.

What is so complicated about it?
Well, first, an active user of the network may have more than a dozen main resources on which he regularly communicates and stores important information, and up to a hundred that are used occasionally but are highly important (for example, hosting control panels or electronic currency sites). At each of these sites one has to go through a long and often confusing password change procedure. The number of resources on which we register for the sake of a few visits is generally hard to count; fortunately, by and large they can be neglected. But keep in mind that each site sets its own procedure and conditions for setting a password. Many validate passwords for length, the presence of certain characters, letter cases and alphabets. In fact, even coming up once with a password that satisfies most frequently used sites is a problem. And replacing it with another similar one is generally not a trivial task.
Of course, security considerations generally call for a unique password for each individual product or resource, but in practical terms this requires either paranoia or an unlimited amount of time and memory. In fact, all the passwords one cannot remember are stored in some text file in a folder, the password for which is stored in another text file, the password for which the person finally keeps in his head. Wild difficulty!

Anyway, I understood the importance of protecting information, so I did all of the above and, apparently, successfully kept access to all key resources intact. Or rather, to all but one.
LJ requires that a password contain at least one digit. As luck would have it, there were no digits in my new password, only letters of different cases and punctuation marks. I could have replaced a letter with a visually similar digit had I not been so tired of the previous steps. We already have to keep at least two passwords in mind: the new one and the old one (in case you suddenly need to log in somewhere the password has not yet been replaced). I had not the slightest desire to add a third, a variation of the second with digits. So I just spat on security (well, who needs my LJ?) and left the password the same.

Nevertheless, all these years a slight concern never left me. A compromised password is like an unlocked window in a house. Of course, the likelihood that a clever, nimble thief will clean out my apartment through it is negligible, but it exists, and the brain does not tolerate such stimuli. Periodically, forgetting the history, I tried to change the password to a new one, ran into the validator, and put it off for another six months.

But recently a phrase from the Windows 8 release about "picture passwords" caught my eye and prompted a new thought: why do we need passwords at all? What function do they perform?

Obviously, a password is a marker, a sign of a subject who has access to certain information. As a rule, it is the creator and owner of the information, but sometimes it is simply a person who has the right of access: a close person, an employee, a proxy. In any case, the ideal password would be some unique personality trait that cannot be copied, but since we do not know how to make "casts of the aura" or isolate and scan a person's "soul" or "nature", we use a combination of characters stored in human memory.
The advantages of this recognition method include fairly high resistance to guessing (the variety of mental processes ensures a high degree of randomness of the generated value) and to theft (the material basis of individual sections of memory is extremely difficult or impossible to isolate).
The drawbacks are low capacity (traditionally it is believed that short-term memory comfortably holds no more than 7 characters at a time) and the vulnerability of the data access interface (the password can be obtained from the carrier by deception or coercion). In addition, over time the data is subject to damage and loss due to the properties of the medium itself. A possible remedy is to encode emotionally significant data: memorable dates, names, titles. However, in this case the password's resistance to guessing is reduced (recall the many films about "hackers" picking a password from a photo on the desk, for example).

The same Windows 8, or Habr, offer more interesting ways of identifying the rightful owner of information. In the first case these are gestures that must be performed on an image; in the second, a combination of an image and its name, which are shown and checked only under certain conditions. Such options are hard to fake, and because of this it is unlikely that anyone will bother; that is, by increasing the complexity of the authorization algorithm we increase its reliability to a certain extent. The complexity for the user increases too, though, so adopting such a password on a massive and mandatory basis most likely means losing a significant portion of users. That is why in Windows the picture password only complements the text one and does not replace it. And on Habr, the inconvenience of registration is compensated by real advantages (feed customization, the ability to write posts) and imaginary ones (status).

But what about a transitional option? After all, we are in the digital world, where image, sound and video can all be represented as symbols. At the same time we need not worry about emotional significance (few people can forget a photo of their girlfriend or their favourite song), nor about encoding our emotions into password characters: let the robots do it. Thus, on the one hand, we use our purely personal, genuine preferences and memories, and on the other, we keep backward compatibility with the traditional technique of granting access by a text key.

For example, I made a small service: www.cncbkn2pwd.info
It works as follows: pick an individually meaningful image (for a test, a photo of your favourite erotic star will do), upload it into the form and get a unique password of 12 digits and Latin letters. This set of characters carries absolutely no meaning; however, thanks to a simple encryption algorithm (using built-in PHP functions), it always matches your picture. That is, if you forget the password, it is enough to upload the picture again to recover it. The original image and the password are not saved and cannot be decrypted.

Stealing such a password is also almost impossible: any modern device holds hundreds of thousands of graphic files, and any one of them could be the key to the information. On the other hand, there is no need to memorize a multitude of meaningless characters: memorize meaningful pictures instead.
The disadvantage of the approach is that, like a regular alphanumeric password, it can be obtained by deception. But how easy the password replacement procedure becomes! One can part with the previous password without any regret, because the picture stays with you; only an incoherent set of characters is lost.
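The post does not show the PHP behind www.cncbkn2pwd.info, so here is an added example (my code, not the service's) of how such a "picture to 12-character password" derivation can be built so that it is one-way and reproducible. Everything beyond the post is an assumption: HMAC-SHA-256 as the one-way function, base-62 encoding to get the 12 digits and Latin letters, and an optional per-site label (the `site` parameter) so that one picture does not produce the identical password everywhere. The sample "image" is constructed inline; real use would read the file's bytes.

```python
"""Derive a fixed-length alphanumeric password from an image file's bytes.

Added example, not the code of the www.cncbkn2pwd.info service (whose PHP
implementation the post does not show). Assumes HMAC-SHA-256 as the one-way
function and an optional per-site label mixed in.
"""
import hashlib
import hmac

ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"  # 62 symbols
PASSWORD_LEN = 12  # 12 symbols, as in the post


def base62(number: int, length: int) -> str:
    """Encode a non-negative integer as exactly `length` base-62 symbols (left-padded with '0')."""
    out = []
    for _ in range(length):
        number, rem = divmod(number, len(ALPHABET))
        out.append(ALPHABET[rem])
    return "".join(reversed(out))


def image_to_password(image_bytes: bytes, site: str = "") -> str:
    """One-way and deterministic: same bytes (and same site label) -> same password.

    The image bytes act as the HMAC key and `site` as the message, so the same
    picture yields an unrelated password for every site it is used on. With the
    default empty label this collapses to the post's "one picture, one password".
    """
    digest = hmac.new(image_bytes, site.encode("utf-8"), hashlib.sha256).digest()
    # Reduce the 256-bit digest to the 62**12 password space; the bias is about 2**-184.
    return base62(int.from_bytes(digest, "big") % len(ALPHABET) ** PASSWORD_LEN, PASSWORD_LEN)


def recover_matches(image_bytes: bytes, remembered: str, site: str = "") -> bool:
    """Recovery as the post describes it: re-upload the picture and compare (constant time)."""
    return hmac.compare_digest(image_to_password(image_bytes, site), remembered)


# Constructed stand-in for an image file: a PNG signature followed by filler bytes.
# Real use would read the file: image_bytes = open("photo.jpg", "rb").read()
SAMPLE_IMAGE = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 4


def demo() -> dict:
    """Show the properties that matter: determinism, per-site separation, byte sensitivity."""
    pw = image_to_password(SAMPLE_IMAGE)
    # The "same" picture re-saved or with its metadata changed (here: one byte flipped)
    # is a different key and therefore a different password.
    re_encoded = SAMPLE_IMAGE[:-1] + bytes([SAMPLE_IMAGE[-1] ^ 0x01])
    return {
        "password": pw,
        "reproducible": recover_matches(SAMPLE_IMAGE, pw),
        "per_site_differs": image_to_password(SAMPLE_IMAGE, "habr") != pw,
        "reencode_differs": image_to_password(re_encoded) != pw,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two practical points follow from the code. First, the password is only as unpredictable as the picture is to an attacker: someone who can enumerate the candidate files on a device needs only one hash per file, so the chosen picture has to be kept as private as a password would be, and the per-site label keeps one leaked password from being the password everywhere. Second, the derivation is over the exact file bytes, so re-encoding, resizing or stripping metadata silently produces a different password; recovery works only from the original file.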

Source: https://habr.com/ru/post/171817/

