Dynamic Password 2.0
This note is a logical continuation of the article Dynamic Password published earlier.
So what follows is:
- results of the previously written article
- more ideas about it
- I'll tell you about a fundamentally different "Dynamic Password 2.0", devoid of the shortcomings of the first
- as well as scandals, intrigues, investigations, and the idea of how to set a password:
which you yourself cannot type while intoxicated,
which you can type in front of a friend, consisting of the characters "QQQQQ", and he will not be able to repeat it ...
First of all, I propose not to be too critical of this article; keep a bit of humor in your perception, because these are primarily ideas thrown into the sea of cloud IT intelligence.
Results from the article Dynamic Password
The implementation method is not a rigid sequence but a dynamic password constructor that lets you insert the templates provided by the author anywhere and in any quantity in your password template.
The scope is not social systems for the average consumer. First of all, the idea can be used in closed systems and organizations that want to complicate the usual password entry mechanism without using additional hardware (telephones, tokens, smart cards, etc.).
Disadvantages: the password cannot be stored on the server as a hash; part of the template will have to be kept in the clear. Complexity: you need to spend a little time preparing a password according to the template you know, and as a result it has poor applicability "among the people."
Benefits: brute-forcing the password becomes futile (while the brute force is running, the candidate may turn into one the generator has already used). Protection from "snooping" on the password (the exact password typed [1-N] minutes ago may no longer be valid).
Ideas and clarifications
I, like some other Habr users, hit on the idea of a dynamic password a few years ago.
Then I formulated it for myself as follows:
There are templates: MM, YY, DD, etc. List here all the templates from the date formatter, those specified by the author in the parent topic, and a bunch more to your taste.
To set a password, you combine the static text of the password with the dynamic part; to do this, select framing characters that indicate where a template begins and ends. For example, you can use double square brackets "[[....]]", on the same principle as the backslash escape "\\" in Java.
A few examples of password patterns generated this way:
- "qqq[[MM]]qqq" (a valid password is "qqq" + the 2-digit minute + "qqq")
- "[[YYYY]] thousand monkeys put a banana in [[USER]]" (:-))
- "2+2=[[M]]" (a valid password is "2+2=" + the first digit of the current minute)
- "[[SS]][[SS]][[M]][[SS]][[SS]]" (a password tied to seconds will require preparing in advance for a particular second and minute in the future)
You can even provide a calculation inside "[[...]]", for example:
- k1s$a[[MM]][[MM+1]][[MM+9]][[MM+7]][[MM+9]] (the password is "k1s$a" + the current minute, then the minute repeated 4 times with the digits of your year of birth added to it)
- [[HH%2==0]] (the password is true or false, depending on whether the minute is even)
- [[MM+-2]] (the password is the current minute with a tolerance of ±2 minutes)
- [[MM+-2]][[MM+-2]][[MM+-2]][[MM+-2]][[MM+-2]] (a development of the previous item: the password (for example 1920222120) may consist of different numbers within the tolerance, and no one will guess that the base figure is the current minute, 20 in my case)
In general, the fantasy is unlimited; the main thing is to tell the user in design mode all the necessary patterns and rules, and to draw his attention to the fact that time or other dynamic parameters must be formed from, for example, the GMT time zone, or better still, to display the time the user needs to orient by somewhere unobtrusive on the login page.
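The template constructor described above, as an added example that is not the article's own code: a Python checker that expands every [[...]] token into the set of strings it accepts at a given UTC time and matches the typed password against the result. The token grammar ([[NAME]], [[NAME+n]], [[NAME-n]], [[NAME+-n]] for a tolerance, [[NAME%k==r]] for a boolean, and USER), the field names, and the decision not to wrap values that overflow (e.g. minute 59 + 1 becomes "60") are assumptions made for this example; the checker covers all of the template shapes listed above in one routine.

```python
import re
from datetime import datetime, timezone

# Assumed grammar for this example: a token is NAME, NAME+n, NAME-n,
# NAME+-n (tolerance) or NAME%k==r (boolean), where NAME is a date field or USER.
TOKEN_RE = re.compile(r"\[\[(.*?)\]\]")
EXPR_RE = re.compile(r"([A-Z]+)(?:\+-(\d+)|([+-]\d+)|%(\d+)==(\d+))?")


def time_fields(now):
    """Dynamic fields (value, digit width) derived from a UTC timestamp.
    M is the first digit of the minute, as in the "2+2=[[M]]" example."""
    return {
        "YYYY": (now.year, 4),
        "YY": (now.year % 100, 2),
        "DD": (now.day, 2),
        "HH": (now.hour, 2),
        "MM": (now.minute, 2),
        "SS": (now.second, 2),
        "M": (now.minute // 10, 1),
    }


def expand(expr, now, user):
    """All strings that a single [[...]] expression accepts at time `now`."""
    m = EXPR_RE.fullmatch(expr.replace(" ", ""))
    if not m:
        raise ValueError(f"unsupported template expression: {expr!r}")
    name, tol, delta, mod, rem = m.groups()
    if name == "USER":
        return [user]
    value, width = time_fields(now)[name]
    if mod is not None:  # [[HH%2==0]] -> "true" / "false"
        return ["true" if value % int(mod) == int(rem) else "false"]
    if delta is not None:  # [[MM+9]] -> minute plus a constant (no wrap-around: assumption)
        value += int(delta)
    spread = int(tol) if tol is not None else 0  # [[MM+-2]] -> any value within +-2
    return [f"{v:0{width}d}" for v in range(value - spread, value + spread + 1)]


def compile_template(template, now, user=""):
    """Turn a password template into a regex accepting every valid password at `now`.
    Static text between tokens is taken literally (hence re.escape)."""
    parts, pos = [], 0
    for tok in TOKEN_RE.finditer(template):
        parts.append(re.escape(template[pos:tok.start()]))
        choices = "|".join(map(re.escape, expand(tok.group(1), now, user)))
        parts.append(f"(?:{choices})")
        pos = tok.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts))


def check_password(template, typed, now=None, user=""):
    """True if `typed` satisfies `template` at `now`, evaluated in UTC as the article advises.
    The template itself must be stored in the clear on the server (the article's noted downside)."""
    now = now or datetime.now(timezone.utc)
    return compile_template(template, now, user).fullmatch(typed) is not None


if __name__ == "__main__":
    # Constructed sample time: 2012-05-01 14:20:33 UTC, so MM = "20", M = "2", HH even.
    sample = datetime(2012, 5, 1, 14, 20, 33, tzinfo=timezone.utc)
    print(check_password("qqq[[MM]]qqq", "qqq20qqq", sample))
    print(check_password("[[MM+-2]]" * 5, "1920222120", sample))
```

Because each token is expanded into an explicit alternation, a tolerance such as [[MM+-2]] naturally accepts a different number in each position, which is exactly what makes the "1920222120" example hard to read back as "the current minute".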
Dynamic Password 2.0
So the turn has come to describe a brand new "Dynamic Password 2.0". Turn on the humor, but leave the logic turned on.
Imagine a situation:
you see your friend typing a banal password "QQQQQ" or "11111" in the password field and logging in; you tell him he's a complete newbie if he uses a password like that, and he replies, exits the program and offers you to enter it. You try to enter the password 5 times and it doesn't let you in; then you recall that you once read an article on the dynamic password hub and assume the password was just regenerated and that, most likely, the clock was on the 11th minute or something ... But your friend sits down at the computer, again enters "11111" before your eyes, and it lets him in!
What's the secret?
In the phrase "Dynamic Password 2.0" the main word is "dynamic", but not in the sense of "changeable", rather in the sense of "dynamics, dance" ;)
Remember how Windows reacts to an incorrect password entered 3 times in a row? It does not let you enter anything for a couple of minutes, to rule out password guessing, and then after a couple of minutes it again gives 3 attempts.
What if you measure the time between the entered characters and use it as another parameter when logging in?
I will not chew over what you have already understood, and will immediately give the password template for our "advanced" friend:
Q [[T>500]] Q [[T>500]] Q [[T>500]] Q [[T>1000]] Q
where [[T>500]] indicates that the time between the characters must be greater than half a second (500 milliseconds), and between the penultimate and last characters more than a second.
Turn on the fantasy and think of what other rules you could invent: minimum/maximum time for entering the entire password; greater than, less than, or within a tolerance in milliseconds; dynamic timing based on the interval between the first and second characters of the password; and much more ...
Immediately on the benefits:
- easy to set up
- the ability to store a hash of the password itself on the server
- the ability, with excellent reaction and a sense of rhythm, to set the simplest melody when "tapping" the password
- impossibility of guessing, since time is also a parameter
- wow! you can calculate the minimum time to type the password (say you easily type it in 1.5 seconds), and in the case of altered consciousness from intoxication you won't be able to type it at the same speed, because your reaction time is badly impaired, and the database is protected by you from yourself! )))
Now about the disadvantages:
- Complex programming: you will have to precisely control the time between the input characters; for implementation you need to think carefully about what to do on the client and what on the server
- perhaps it's difficult to invent a template (if the template is more complicated than: type 3 characters, wait 3 seconds, type the rest of the password characters)
- an additional unencrypted field in the database alongside the password hash, in order to know the rules for controlling the time between characters or the total typing time
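The timing-rule template above, with the storage split that the benefits and disadvantages lists describe (the characters hashed, the timing rules kept in a clear-text field next to the hash), as an added example that is not the article's code. Enrollment parses the template; verification checks a PBKDF2 hash of the characters, every inter-keystroke gap against its rules, and an optional total-time limit (the "intoxication" check from the benefits list). The rule syntax [[T>ms]] / [[T<ms]], the keystroke format (a list of (character, millisecond) pairs as a login form might capture them), and the PBKDF2 parameters are assumptions made for this example; the timestamps come from the client, which is exactly the client/server split the disadvantages list says needs careful thought.

```python
import hashlib
import hmac
import os
import re

# Assumed rule syntax for this example: [[T>ms]] or [[T<ms]] between two characters,
# any number of rules per gap. Every other character of the template (whitespace
# included) is a password character, so write the template without spaces.
TOKEN_RE = re.compile(r"\[\[\s*T\s*([<>])\s*(\d+)\s*\]\]|(.)", re.S)
PBKDF2_ROUNDS = 50_000  # assumed work factor for the example


def parse_timing_template(template):
    """Split 'Q[[T>500]]Q...' into the plain password characters and one rule list
    per gap. A gap with no rule gets an empty list, meaning any delay is acceptable."""
    chars, rules, pending = [], [], []
    for op, ms, ch in TOKEN_RE.findall(template):
        if ch:
            if chars:  # a gap exists only between two characters
                rules.append(pending)
            elif pending:
                raise ValueError("a timing rule cannot precede the first character")
            pending = []
            chars.append(ch)
        else:
            pending.append((op, int(ms)))
    if pending or not chars:
        raise ValueError("timing rules must sit between two characters")
    return "".join(chars), rules


def enroll(template, salt=None, max_total_ms=None):
    """Store only a salted PBKDF2 hash of the characters; the timing rules and the
    optional total-time limit stay in the clear, as the disadvantages list notes."""
    chars, rules = parse_timing_template(template)
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", chars.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "rules": rules, "max_total_ms": max_total_ms}


def _gap_ok(gap_ms, gap_rules):
    """Every rule on one gap must hold; an empty rule list always holds."""
    return all(gap_ms > ms if op == ">" else gap_ms < ms for op, ms in gap_rules)


def verify(record, keystrokes):
    """keystrokes: list of (character, timestamp_ms) in typing order.
    The hash is always computed, so a wrong rhythm or wrong length does not
    answer noticeably faster than a wrong character."""
    typed = "".join(ch for ch, _ in keystrokes)
    digest = hashlib.pbkdf2_hmac("sha256", typed.encode(), record["salt"], PBKDF2_ROUNDS)
    chars_ok = hmac.compare_digest(digest, record["hash"])
    times = [t for _, t in keystrokes]
    timing_ok = len(times) == len(record["rules"]) + 1
    if timing_ok:
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        timing_ok = all(_gap_ok(g, r) for g, r in zip(gaps, record["rules"]))
        limit = record["max_total_ms"]
        if limit is not None and times[-1] - times[0] > limit:  # too slow overall
            timing_ok = False
    return chars_ok and timing_ok


if __name__ == "__main__":
    # Constructed sample: the article's "advanced friend" template, typed in rhythm and then too fast.
    rec = enroll("Q[[T>500]]Q[[T>500]]Q[[T>500]]Q[[T>1000]]Q", max_total_ms=4000)
    print(verify(rec, [("Q", 0), ("Q", 600), ("Q", 1200), ("Q", 1800), ("Q", 2900)]))
    print(verify(rec, [("Q", 0), ("Q", 100), ("Q", 200), ("Q", 300), ("Q", 400)]))
```

The record deliberately separates what can be hashed (the characters) from what cannot (the rules), which is the trade-off the two lists above describe: a database leak exposes the rhythm but not the characters, and the rhythm alone is useless without them.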
Do not forget, these are all concepts, ideas for reflection; do not immediately apply the idea to the Odnoklassniki website and its hamsters ;)
In general, interesting projects and good luck to everyone!
Update 1: Comments on the article The Third Dimension of Password Protection finally convinced me that Habr users think alike. Before writing my article, I had not read The Third Dimension of Password Protection and its comments.