
Dynamic Password 2.0

by admin

This post is a logical continuation of the earlier article Dynamic password.
So, next up:

  • a summary of the earlier article
  • more ideas about it
  • a fundamentally different "Dynamic Password 2.0", free of the disadvantages of the first one
  • and, scandals, intrigue, investigation: an idea for a password
    which you yourself cannot type while intoxicated,
    which you can type in front of a friend, and which consists of the characters "QQQQQQ",
    and he still won't be able to repeat it…

First of all, I suggest not treating this article too critically; keep a bit of humor in your perception, because these are first of all ideas thrown into the sea of cloud IT intelligence.

Summary of the Dynamic Password article

Way of realization – not a rigid sequence, but a dynamic password constructor that lets you insert the templates given by the author into your password template, in any places and in any quantities.
Scope – not public systems for the average consumer. First of all, the idea can be used in closed systems and organizations that want to complicate the mechanism of regular password input without using additional hardware (phones, tokens, smart cards, etc.).
Disadvantages – impossible to store on the server as a hash; part of the password pattern has to be kept as plain text. Complicated: you have to spend some time preparing a password from a pattern you know, and, as a consequence, usability "among the masses" is poor.
Advantages – brute-force password cracking becomes useless (while the brute-force is running, the password may already have become a different one from what the generator produced before); protection against password peeking (the exact password typed in [1-N] minutes may no longer be valid).

Ideas and explanations

I, like some other Habr users, was visited by the idea of a dynamic password a few years ago.
Back then I formulated it for myself as follows:
There are templates: MM, YY, DD, etc. List here all the templates from the date formatter, those indicated by the author in the parent topic, and a bunch more to your liking.
To combine the static text of the password with the dynamic part, choose framing characters that mark where a template starts and ends. For example, you can use double square brackets "[[….]]", the way the backslash "\\" is used as an escape in Java.
A few examples of password templates formed this way:

  • "qqq[[MM]]qqq" (the correct password is "qqq + two-digit minute + qqq")
  • "[[YYYY]] thousands of monkeys in [[USER]] slipped a banana" ( 🙂 )
  • "2+2=[[M]]" (the correct password is "2+2=the first digit of the current minute")
  • "[[SS]][[SS]][[M]][[SS]][[SS]]" (a password tied to seconds will have to be prepared in advance for a specific second and minute in the future)

You can even put a calculation inside "[[…]]", for example:

  • k1s$a[[MM]][[MM+1]][[MM+9]][[MM+7]][[MM+9]] (the password is "k1s$a" + the current minute, then the digits of the current minute four more times with your year of birth added to them)
  • [[HH%2==0]] (the password is true or false, depending on whether the minute is even or not)
  • [[MM+-2]] (the password is the current minute, accurate to within +-2 minutes)
  • [[MM+-2]][[MM+-2]][[MM+-2]][[MM+-2]][[MM+-2]] (a development of the previous point: the password (e.g. 1920222120) can consist of different digits within the margin of error, and no one will guess that the base number is the current minute, 20 in my case)

In general, imagination is limitless. The main thing here is to show the user, in constructor mode, all the available templates and rules, and to draw his attention to which time (or other dynamic parameter) the password is formed from, the GMT time zone for example; or better yet, display the time to be used somewhere unobtrusively on the login page.
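As an added example (not code from the original article), here is a small Python implementation of the template constructor described above. The grammar it accepts ([[MM]], [[MM+1]], [[MM+-2]], [[HH%2==0]], [[USER]]) and the function names are my assumptions. It expands a pattern into a regular expression that is valid for one moment only, so the +-2 tolerance and the "that password has already expired" behaviour both fall out naturally.

```python
import re
from datetime import datetime, timezone

# Assumed template grammar: [[NAME]], [[NAME+N]], [[NAME-N]], [[NAME+-N]], [[NAME%2==0]]
TOKEN = re.compile(r"\[\[\s*([A-Z]+)\s*(\+-\d+|[+\-]\d+|%2==0)?\s*\]\]")

def base_value(name, now, user):
    """Current value of a template and its zero-padded digit width (None for text)."""
    table = {
        "YYYY": (now.year, 4), "DD": (now.day, 2), "HH": (now.hour, 2),
        "MM": (now.minute, 2), "M": (now.minute // 10, 1), "SS": (now.second, 2),
    }
    if name == "USER":
        return user, None
    if name not in table:
        raise ValueError(f"unknown template {name}")
    return table[name]

def template_regex(name, op, now, user):
    """Regex fragment accepting every value the template allows right now."""
    value, width = base_value(name, now, user)
    if width is None:                       # text template such as USER
        return re.escape(value)
    if op == "%2==0":                       # parity test yields the literal true/false
        return "true" if value % 2 == 0 else "false"
    if op is None:
        values = [value]
    elif op.startswith("+-"):               # tolerance: any value in [v-N, v+N]
        tol = int(op[2:])
        values = range(value - tol, value + tol + 1)
    else:                                   # plain arithmetic, e.g. MM+9
        values = [value + int(op)]
    return "(?:" + "|".join(f"{v:0{width}d}" for v in values) + ")"

def compile_pattern(pattern, now, user="anon"):
    """Expand the pattern into a regex that is only valid at the moment `now`."""
    parts, pos = [], 0
    for m in TOKEN.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))  # static text, escaped
        parts.append(template_regex(m.group(1), m.group(2), now, user))
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("".join(parts))

def check(pattern, typed, now=None, user="anon"):
    """True if `typed` is an acceptable instance of `pattern` at time `now`
    (a datetime, an ISO string, or None for the current UTC time, as the article
    suggests fixing one zone such as GMT)."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    return compile_pattern(pattern, now, user).fullmatch(typed) is not None
```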

Dynamic Password 2.0

Now it's time to describe the brand-new "Dynamic Password 2.0". Turn on the humor, and leave the logic on.
Imagine the situation:
You see your friend type the trivial password "QQQQQQ" or "11111" into the password field and log in. You tell him he is a complete dummy for using such a password, and in response he logs out of the program and offers to let you enter it yourself. You try to enter the password 5 times and are not let in; then you remember that you once read the article Dynamic password on Habr and assume that the password has simply been regenerated and most likely it was the 11th minute or something else… But your buddy sits down at the computer, types "11111" in front of you again, and it lets him in!
What's the secret?
In the phrase "Dynamic Password 2.0" the main word is "dynamic", but not in the sense of "changeable"; in the sense of "dynamic, danceable" 😉
Remember how Windows reacts to the password being entered incorrectly 3 times in a row? It doesn't let you enter anything for a couple of minutes to prevent password guessing, and then after a couple of minutes it gives you 3 attempts again.
What if you measure the time between the characters entered and use it as another parameter when logging in?
I won't explain what you have already understood; instead I'll show you the password pattern of our "advanced" friend:
Q[[T>500]]Q[[T>500]]Q[[T>500]]Q[[T>1000]]Q
Here [[T>500]] means that more than half a second (the time is in milliseconds) must pass between characters, and [[T>1000]] that more than a second must pass between the penultimate and last characters.
Use your imagination and think about what other rules you could add: minimum/maximum time for the whole password, more than, less than, a tolerance in milliseconds, dynamic time based on the first interval between the first and second characters of the password, and much more…
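An added example, not the author's code, of how a server could enroll and verify the rhythm-based pattern above. The rule syntax [[T>N]] / [[T<N]] and the (char, millisecond) keystroke capture format that the client is assumed to submit are my assumptions. Note what the server keeps: only a salted hash of the characters, while the timing rules stay in plain text next to it.

```python
import hashlib
import hmac
import os
import re

# Assumed rule grammar: [[T>N]] or [[T<N]], N in milliseconds, constraining the
# pause between the character before the rule and the character after it.
RULE = re.compile(r"\[\[\s*T\s*([<>])\s*(\d+)\s*\]\]")

def parse_pattern(pattern):
    """Split 'Q[[T>500]]Q...' into the characters to type and, per character,
    the rule for the pause before it (None when that pause is unconstrained)."""
    pieces = RULE.split(pattern)            # text, op, ms, text, op, ms, ..., text
    chars, rules = list(pieces[0]), [None] * len(pieces[0])
    for op, ms, text in zip(pieces[1::3], pieces[2::3], pieces[3::3]):
        if not chars or not text:
            raise ValueError("a timing rule must sit between two characters")
        chars.extend(text)
        rules.extend([(op, int(ms))] + [None] * (len(text) - 1))
    return "".join(chars), rules

def enroll(pattern, salt=None):
    """Server-side record: a salted hash of the characters only, plus the timing
    rules in plain text (the extra unencrypted field the article mentions)."""
    chars, rules = parse_pattern(pattern)
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", chars.encode(), salt, 100_000)
    return {"salt": salt, "hash": digest, "rules": rules}

def verify(record, keystrokes):
    """keystrokes: list of (char, time_ms) pairs as captured by the client."""
    typed = "".join(ch for ch, _ in keystrokes)
    digest = hashlib.pbkdf2_hmac("sha256", typed.encode(), record["salt"], 100_000)
    if not hmac.compare_digest(digest, record["hash"]):
        return False                        # wrong characters
    for i, rule in enumerate(record["rules"]):  # hash match => same length as typed
        if rule is None:
            continue
        op, limit = rule
        gap = keystrokes[i][1] - keystrokes[i - 1][1]
        if (op == ">" and gap <= limit) or (op == "<" and gap >= limit):
            return False                    # right characters, wrong rhythm
    return True
```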
Now about the benefits:

  • easy to set up
  • the password hash itself can be stored on the server
  • with an excellent reaction and sense of rhythm, you can set a rudimentary melody for "tapping out" a password
  • impossible to guess by brute force, because time is also a parameter
  • wow! you can set the minimum time to type the password (say you can easily type it in 1.5 seconds), and when your mind is altered by intoxication you won't be able to type it at the same speed because your reaction time is severely affected, and the database is protected from you by you! ))

Now for the disadvantages:

  • difficult to program: you have to track the time between the characters entered, and to implement it you need to think carefully about what to do on the client and what on the server
  • possibly a complicated pattern (if the pattern is more complicated than "type 3 characters, wait 3 seconds, type the rest of the password")
  • an additional unencrypted field in the database, besides the password hash, holding the rules for controlling the time between characters or the total typing time

Don't forget, these are all concepts, ideas to think about; don't immediately apply the idea to the Odnoklassniki site and its hamster inhabitants 😉
All in all, interesting projects and good luck to all!
Update 1: The comments on the article The third dimension of password protection finally convinced me that Habr users think alike. Before writing my article, I hadn't read "The Third Dimension of Password Protection" or its comments.
