This note is a logical continuation of the article Dynamic Password, published earlier.
So, what follows is:
- conclusions from the article written earlier
- more ideas on its account
- a fundamentally different "dynamic password 2.0", free of the shortcomings of the first
- and also scandals, intrigues, investigations, and the idea of how to set a password that you yourself will not be able to type while intoxicated, that you can type in front of a friend, consisting of the characters "QQQQQ", and he still will not be able to repeat it...
First of all, I suggest not being too critical of this article; keep a bit of humor in mind, because these are first and foremost ideas thrown into the sea of cloudy IT intelligence.
Summary from Dynamic Password
The implementation method is not a rigid sequence but a dynamic password constructor, which lets you insert the templates given by the author at any place and in any quantity into your password template.
Scope of application: not public systems for the ordinary consumer. First of all, the idea can be used in closed systems and organizations that want to complicate the usual password-entry mechanism without additional hardware (phones, tokens, smart cards, etc.).
Disadvantages: the password cannot be stored on the server as a hash; part of the password template has to be left in clear text. Complexity: you have to spend some time preparing a password from a pattern known to you, and as a result it is poorly applicable "among the people".
Advantages: brute-forcing the password is futile (while the candidates are being enumerated, the target may become one that the generator has already used earlier). Protection from "peeping" at a password (the exact password typed [1-N] minutes ago may already be irrelevant).
Ideas and explanations
Like some other Habr users, I had the idea of a dynamic password a few years ago.
Back then, I formulated it for myself as follows:
There are templates: MM, YY, DD, etc. Here we list all the templates from the date formatter, those specified by the author in the parent topic, and a bunch more to your liking.
To set a password, you combine the static text of the password with the dynamic part; to do this, select framing characters that indicate where a template begins and ends. For example, you can use double brackets "[[....]]", on the principle of the backslash escape in Java "\\".
A few examples of password patterns formed this way:
- "qqq[[MM]]qqq" (the correct password is "qqq" + the 2-digit minute + "qqq")
- "[[YYYY]] thousands of monkeys in [[USER]] shoved a banana" (:-))
- "2+2=[[M]]" (the correct password is "2+2=" + the first digit of the current minute)
- "[[SS]][[SS]][[M]][[SS]][[SS]]" (a password tied to seconds will require preparing it for a specific second and minute in the future)
It is even possible to provide for a calculation inside "[[...]]", for example:
- k1s$a[[MM]][[MM+1]][[MM+9]][[MM+7]][[MM+9]] (the password is "k1s$a" + the current minute repeated 4 times with the digits of your year of birth added to it)
- [[HH%2==0]] (the password is true or false, depending on whether the minute is even or not)
- [[MM+-2]] (the password is the current minute with a tolerance of +-2 minutes)
- [[MM+-2]][[MM+-2]][[MM+-2]][[MM+-2]][[MM+-2]] (a development of the previous point: the password (for example, 1920222120) may consist of different numbers within the tolerance, and no one would guess that the base figure is the current minute, 20 in my case)
In general, the imagination is limitless; the main thing is to show the user, in constructor mode, all the necessary patterns and rules, and also to draw his attention to the fact that time or any other dynamic parameters need to be formed from, for example, the GMT timezone. Better still, display the time to be used somewhere unobtrusively on the login page.
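An added example (my own code, not from the original article) that implements this template constructor in Python: it turns a template into a matcher for a given UTC time, supporting the [[MM]], [[MM+1]], [[HH%2==0]] and [[MM+-2]] forms listed above. The function names are assumptions.

```python
import re
from datetime import datetime, timezone

# Added example, not the article's own code: evaluates the "[[...]]" dynamic
# password templates described above for a given UTC time. Function names
# are mine; the expression forms are the ones the article lists.

TOKEN = re.compile(r"\[\[(.*?)\]\]")
EXPR = re.compile(r"^(YYYY|YY|MM|M|HH|DD|SS)(?:(\+-|\+|-|%)(\d+))?(?:==(\d+))?$")

def time_vars(now):
    # Values come from UTC so that client and server agree on the clock;
    # M is the first digit of the current minute, as in "2+2=[[M]]".
    return {"YYYY": now.year, "YY": now.year % 100, "MM": now.minute,
            "M": now.minute // 10, "HH": now.hour, "DD": now.day, "SS": now.second}

def token_pattern(expr, v):
    """Regex fragment matching every string this token accepts right now."""
    m = EXPR.match(expr.replace(" ", ""))
    if not m:
        raise ValueError("unsupported template: " + expr)
    name, op, n, cmp = m.groups()
    base, width = v[name], len(name)          # MM -> 2 digits, M -> 1, YYYY -> 4
    if op == "%":                             # e.g. HH%2==0 renders "true"/"false"
        if cmp is None:
            raise ValueError("comparison needs ==N: " + expr)
        return "true" if base % int(n) == int(cmp) else "false"
    if op == "+-":                            # tolerance: any value in the range
        vals = range(base - int(n), base + int(n) + 1)
    else:
        vals = [base + int(n) if op == "+" else base - int(n) if op == "-" else base]
    return "(?:" + "|".join(str(x).zfill(width) for x in vals if x >= 0) + ")"

def template_regex(template, now):
    v, parts, pos = time_vars(now), [], 0
    for m in TOKEN.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))   # static text
        parts.append(token_pattern(m.group(1), v))         # dynamic part
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$")

def check_password(template, typed, now=None):
    """True if `typed` is a valid rendering of `template` at UTC time `now`."""
    now = now or datetime.now(timezone.utc)
    return template_regex(template, now).match(typed) is not None
```

Note that the server must keep the template itself in clear text to build the matcher, which is exactly the disadvantage listed in the summary above.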
Dynamic Password 2.0
So it is the turn to describe a fundamentally new "Dynamic Password 2.0". Turn on the humor, but leave the logic enabled.
Imagine the situation:
You see your friend type the banal password "QQQQQ" or "11111" into the password field and log in. You tell him he is a complete newbie for using such a password; he replies, logs out of the program and offers to let you enter it. You try the password 5 times and are not let in; then you remember that you once read the Dynamic Password article on Habr and assume that the password was simply regenerated and that, most likely, the clock was at the 11th minute or something else... But your friend sits down at the computer, again types "11111" in front of your eyes, and it lets him in!
What's the secret?
In the phrase "Dynamic Password 2.0" the main word is "dynamic", but not in the sense of "changeable"; rather in the sense of "dynamic, dancing" ;)
Remember how Windows reacts to 3 wrong password entries in a row? It does not let you enter anything for a couple of minutes, to rule out guessing the password, and then after a couple of minutes it again gives 3 attempts.
What if you measure the time between the entered characters and use it as another parameter when logging in to the system?
I will not chew on what you already understand, and will immediately give the password template of our "advanced" friend:
Q[[T>500]]Q[[T>500]]Q[[T>500]]Q[[T>1000]]Q
where [[T>500]] says that the time between characters, in milliseconds, must be longer than half a second, and more than a second between the last two characters.
Let's turn on the imagination and think what other rules could be devised: the minimum/maximum time for entering the whole password, more, less, a tolerance in milliseconds, dynamic timing based on the interval between entering the first and second characters of the password, and much more...
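As an added example (my own code, not the article's), here is how a server could enroll and verify such a timing template in Python: the characters are stored only as a salted PBKDF2 hash, while the [[T>ms]] / [[T<ms]] rules and an optional total-time limit stay in clear text beside it, which is the extra database field the article mentions. The function names and the (char, timestamp_ms) keystroke format sent by the client are assumptions.

```python
import hashlib, hmac, os, re

# Added example, not the article's code: enrollment and verification for a
# "dynamic password 2.0" template such as Q[[T>500]]Q[[T>500]]Q[[T>500]]Q[[T>1000]]Q.
# Characters are stored only as a salted hash; timing rules stay in clear text.

TOKEN = re.compile(r"\[\[T\s*([<>])\s*(\d+)\]\]")   # [[T>500]] or [[T<2000]]
ITERATIONS = 100_000

def parse_template(template):
    """Return (characters, rules); rules maps gap index i (the pause between
    character i and character i + 1) to (op, milliseconds)."""
    chars, rules, pos = "", {}, 0
    for m in TOKEN.finditer(template):
        chars += template[pos:m.start()]
        if not chars:
            raise ValueError("a timing rule needs a character before it")
        rules[len(chars) - 1] = (m.group(1), int(m.group(2)))
        pos = m.end()
    return chars + template[pos:], rules

def enroll(template, max_total_ms=None):
    """Stored record: salted hash of the characters plus clear-text rules."""
    chars, rules = parse_template(template)
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", chars.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "rules": rules, "max_total_ms": max_total_ms}

def verify(record, keystrokes):
    """keystrokes: list of (char, client_timestamp_ms) in typing order."""
    typed = "".join(c for c, _ in keystrokes)
    digest = hashlib.pbkdf2_hmac("sha256", typed.encode(), record["salt"], ITERATIONS)
    chars_ok = hmac.compare_digest(digest, record["hash"])
    times = [t for _, t in keystrokes]
    timing_ok = True
    for gap, (op, ms) in record["rules"].items():
        if gap + 1 >= len(times):
            timing_ok = False
            continue
        delta = times[gap + 1] - times[gap]
        if (op == ">" and delta <= ms) or (op == "<" and delta >= ms):
            timing_ok = False
    limit = record["max_total_ms"]
    if limit is not None and times and times[-1] - times[0] > limit:
        timing_ok = False
    return chars_ok and timing_ok   # both are evaluated; neither failure short-circuits
```

The client has to timestamp keystrokes itself, so the server can only trust intervals as much as it trusts the client clock; the rules dictionary also reveals the password length, which is the unencrypted field noted among the shortcomings.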
Immediately about the benefits:
- easy to set up
- the password hash can be stored on the server
- the ability, with excellent reaction and a sense of rhythm, to tap out a simple melody when entering the password
- impossible to guess by enumeration, since time is also a parameter
- wow! you can calculate the minimum time for entering the password (say, you can easily type it in 1.5 seconds), and with your consciousness altered by intoxication you will not be able to type it at the same speed, because your reaction time has suffered greatly, and the database is protected from you! ))
Now about the shortcomings:
- difficult programming: you have to precisely control the time between the entered characters, and for the implementation you need to think carefully about what to do on the client and what on the server
- possibly complicated pattern making (if the pattern is more complex than "type 3 characters, wait 3 seconds, type the remaining characters of the password")
- an additional unencrypted field in the database next to the password hash, in order to know the rules controlling the time between characters or the total typing time
Do not forget, all of these are concepts, ideas for reflection; do not rush to apply the idea to the "Classmates" site and its hamster inhabitants ;)
In general, interesting projects and good luck to all!
Update 1: the comments on the article The Third Dimension of Password Protection finally convinced me that Habr's users think the same way. Before writing my article, I had not read The Third Dimension of Password Protection or its code.