Fingerprint Authorization
Like most users of social networks, I periodically receive messages from my friends asking me to support this or that undertaking.
That is exactly what happened a couple of years ago: a girl I worked with asked me to vote for her in some photography contest. I usually don't refuse such favours, so after spending two minutes and taking the opportunity to log in to the contest website with my accounts on different social networks, I sent my friend a confirmation:
- I voted. Good luck in the contest.
- "Thanks, buddy, but now you need to change all your passwords. I'm not taking part in any contest."
As you can guess, I had fallen victim to phishing.
I must say this was the first time it had happened to me; as a rule, basic attentiveness is enough not to take the bait:
- Avoid clicking links in strange domain zones, with addresses made of a random set of letters, or which resemble the addresses of popular services or contain obscene words. And of course, do not log in to such sites.
- Avoid links in messages written in a style uncharacteristic of the sender, with many (atypical) errors or advertising offers; for some reason, most crooks are unable to write coherently.
- Stay away from sites whose content differs fundamentally from what was declared, or which are saturated with aggressive advertising in the "Horse-Eater" style. As a rule, fraudsters care about nothing but their own gain, and you cannot get even the slightest benefit from what they do.
However, in this case the phishers had approached the matter with love and care: first, they had somehow obtained my friend's password for the social network; second, they sent messages on her behalf that I did not classify as suspicious (quite literate, short and believable); and third, they made the phishing site itself credible: it was put together a little carelessly, but at the level usual for such an event, and it even had real photos and a voting system that worked at least nominally.
Previously, I considered myself, as they say, an experienced user, to a certain extent protected from fraud, but as it turned out, deceiving me is quite simple. Although this is beyond the ability of the average spammer, that fact speaks only to the low intellectual level of the fraudster, not to a high one of mine. So I had to go through the tedious password-change procedure.
What is so complicated about this?
Well, firstly, an active network user can have more than a dozen core resources on which he regularly communicates and stores important information, and up to a hundred that are used occasionally but are highly important (for example, hosting control panels or electronic-currency sites). On each of these sites you need to go through a long and often confusing password-reset procedure. The number of resources on which we register for just a few visits is generally hard to count; fortunately, they can mostly be neglected. But keep in mind that each site sets its own procedure and conditions for setting a password. Many validate passwords for length, the presence of certain characters, letter case and alphabet. In fact, even coming up once with a password that satisfies most commonly used sites is a problem.
Of course, security considerations generally require a unique password for each individual product or resource, but in practical terms this requires either paranoia or unlimited amounts of time and memory. In reality, all the passwords that are not memorised are stored in a text file in a folder, the password for which is stored in another text file, the password for which the person keeps in his head. Wild difficulties!
One way or another, I understood the importance of protecting information, so I did all of the above and, apparently, successfully kept access to all my key resources intact. Or rather, to all but one.
LJ requires that a new password contain at least one digit. As if out of spite, there were no digits in my new password, only letters of different cases and punctuation marks. I could have replaced some letter with a visually similar digit, had I not been so tired after the previous steps. Even without that you have to keep at least two passwords in mind: the new one and the old one (in case you suddenly need to log in somewhere where the password has not yet been changed). I had not the slightest desire to add a third, a variation of the second with digits. So I simply stopped caring about security (well, who needs my LJ?) and left the password unchanged.
Nevertheless, all these years a slight unease has never left me. A compromised password is like an open window in a house. Of course, the likelihood that some clever, slender thief will clean out my apartment through it is negligible, but it exists, and the brain does not tolerate such irritants. Periodically, forgetting the backstory, I would try to change the password to a new one, run into the validator and give up for another six months.
But a phrase about "graphic passwords" that recently caught my eye in a Windows 8 release note prompted a new thought: why do I need passwords at all? What function do they perform?
Obviously, a password is a marker, a mark of a subject who has access to certain information. As a rule, this is the creator and owner of the information, but sometimes it is simply a person entitled to access: a close relative, an employee, a successor. In any case, the ideal password would be some unique and non-copyable personality trait, but since we do not know how to take "casts of the aura" or isolate and scan the "soul" or "nature" of a person, traditionally it is a combination of characters stored in human memory.
The advantages of this recognition method include relatively high resistance to cracking (the variety of mental processes guarantees a high degree of randomness in the generated value) and to theft (the material basis of individual sections of memory is extremely difficult or impossible to isolate).
The cons are low capacity (traditionally it is believed that short-term memory reliably holds no more than 7 characters at a time) and the vulnerability of the data-access interface (the password can be extracted from its carrier by fraud or coercion). In addition, over time the data is subject to damage and loss due to the properties of the medium itself. A possible trick against this is encoding emotionally significant data: memorable dates, names, titles. However, in this case the password's resistance to cracking is reduced (there are plenty of films about "hackers" guessing a password from a photograph on the desk, for example).
The same Windows 8 or Habr offer more interesting options for identifying the owner of information. In the first case these are gestures that must be performed on an image; in the second, a combination of an image and its name, which are requested and checked only under certain conditions. Such options are difficult to fake, so it is unlikely that anyone will bother; that is, by complicating the authorisation algorithm we increase its reliability to a certain extent. And the complexity for the user too, by the way, so adopting such a password on a mass and mandatory basis most likely means losing a significant share of users. Therefore, in Windows a graphical password only complements a text one; it does not replace it. And on Habr, the inconvenience of registration is compensated by real (customisation of the feed,
But what about a transitional option? After all, we are in the digital world; here an image, sound and video can all be represented as symbols. At the same time, we need not worry either about emotional significance (few people can forget a photo of their girlfriend or their favourite song), or about encoding our emotions into password characters; let the robots do that. Thus, on the one hand, we use our purely personal, genuine preferences and memories, and on the other, we keep backward compatibility with traditional text-key access techniques.
For example, I made a small service: www.cncbkn2pwd.info
The algorithm works as follows: select a personally significant image (for the test, a photo of your favourite erotic star will do), upload it to the form and get a unique password of 12 digits and letters of the Latin alphabet. This character set carries no meaning at all, but thanks to the simple encryption algorithm (built-in PHP functions are used), it always matches your picture. That is, if you forget the password, it will be enough to upload the picture again to recover it. At the same time, the original image and the password are not stored and cannot be decrypted.
It is also almost impossible to steal such a password: on any modern device there are hundreds of thousands of graphic files, and any of them may be the key to the information. On the other hand, there is no need to memorise a lot of meaningless characters; remember meaningful pictures instead.
The disadvantage of this approach is that, like an ordinary alphanumeric password, it can be stolen by deception. But how easy it is to change your password! After all, you can part with the previous one without any regret, because the picture stays with you; only an incoherent set of characters is lost.
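The page does not show the service's code (it only says built-in PHP functions are used), so the following is an added Python illustration of the idea, not the code of www.cncbkn2pwd.info. It assumes SHA-256 as the one-way function, a 62-symbol alphabet of Latin letters and digits, and a `site_label` parameter that is my addition: hashing the site name together with the file bytes lets one picture yield an unrelated password for every site. The loop over a small counter keeps the result deterministic while guaranteeing that it passes the kind of "at least one digit" validator the post complains about. The sample "image" is constructed bytes, not a real picture.

```python
import hashlib
import string

# Password alphabet: Latin letters of both cases plus digits (62 symbols),
# matching the page's "12 digits and letters of the Latin alphabet".
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits

# Constructed sample "image" bytes (not a real picture): a PNG signature followed
# by filler. Any byte string works; what matters is that the bytes are exact.
SAMPLE_IMAGE = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 4
# The same picture after a hypothetical re-save that appended a metadata chunk.
RESAVED_IMAGE = SAMPLE_IMAGE + b"tEXtSoftware\x00constructed-editor"


def _to_alphabet(digest: bytes, length: int) -> str:
    """Map a hash digest onto `length` symbols of ALPHABET (base-62 digits of the digest)."""
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def satisfies_policy(password: str) -> bool:
    """Typical site rule: at least one lowercase letter, one uppercase letter and one digit."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))


def derive_password(image_bytes: bytes, site_label: str = "", length: int = 12) -> str:
    """Derive a deterministic, policy-compliant password from the exact bytes of an image.

    `site_label` is an assumption added in this example (the page's service has no
    such input); it binds the result to one site. A one-byte counter is hashed in and
    incremented until the policy holds, so the result stays a pure function of
    (label, bytes) and can be recovered by supplying the same file again.
    """
    for counter in range(256):
        h = hashlib.sha256()
        h.update(site_label.encode("utf-8"))
        h.update(b"\x00")            # separator so label and file bytes cannot run together
        h.update(bytes([counter]))
        h.update(image_bytes)
        candidate = _to_alphabet(h.digest(), length)
        if satisfies_policy(candidate):
            return candidate
    raise RuntimeError("no policy-compliant candidate in 256 attempts (practically unreachable)")


def demo() -> dict:
    """Show determinism, per-site separation and the re-save failure mode."""
    pw = derive_password(SAMPLE_IMAGE, "example.com")
    return {
        "password": pw,
        "same_bytes_same_password": pw == derive_password(SAMPLE_IMAGE, "example.com"),
        "other_site_differs": pw != derive_password(SAMPLE_IMAGE, "forum.example"),
        "resaved_file_differs": pw != derive_password(RESAVED_IMAGE, "example.com"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two properties of this construction matter in practice. Because the function is one-way, nothing can be "decrypted" back to the picture, as the post says; but anyone who holds the same file derives the same password, so the picture must be one that is not published or shared. And the `resaved_file_differs` line shows the failure mode of the "upload it again to recover" promise: any re-encoding, crop, or metadata edit changes the bytes and therefore the password, so the original file has to be kept byte-for-byte intact.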