MakeWebGames

Could be worth the read


Uridium


While entertaining, I fully disagree with that article.

Security questions are meant to act as the combination to a lock, just like any key.

Putting this article into context: it's like a smooth key.

What I usually do for password recovery if there is no definite relation to the user, like a social security number which they can email a copy of, is a combination of sensitive information from a random group of users. Financial statistics companies and government organizations do it here locally.

Things could be like, in what year/month did you sign up? Giving about five other users' details along with their own in random order.

Another one is to ask for last logon ISP, again following the same strategy. There are a lot that can be used, but it's quite application specific.

One technique I have tried is using images, and comprising a password out of that.

It does work well to a certain extent, as it's an image to upload for authentication rather than text.

The problem with that is that images aren't the most secure form of authorization, unless you embed a signature that relates to a specific request in time.

A strategy for authentication I do want to do some trial tests (someday) on is prediction. It's absurd, yes, but hear me out.

With something like Google's Prediction API, you can train it to store a subnet of IP addresses, request identifiers such as the browser (when it is updated, changed, etc.) and, most importantly, login times. The password can theoretically be simplified to just a username and something else related to that account.

A possible problem with this is training the API, about 200+ valid logins with a password would be required for each user, and even then it's just marginally correct.

But if you have logs, I'm pretty sure you can mine the data accurately enough to make a well-guessed prediction on whether the user requesting authentication is really the owner of the account.

Human behavior is quite indifferent individually, and it has been studied to extreme extents. Combining that research as well into something like this, could prove to be quite a solid approach.

Link to comment
Share on other sites

I was wondering if something like this, for example, could ever be achieved:

Once you register on a site, your details for the password are not logged; however, you download a PW file, which you keep on your PC, and once asked to log in you upload the PW file to the server, which can read it and log you in to your account...

Link to comment
Share on other sites

It's the same approach as using an image, as I've mentioned.

A better way would be to use WebSockets combined with a file API to use public-key cryptography.

That part will be easy; the hard part is encrypting the actual data stream.

P.S. This is a similar technique that the SSH protocol uses.

Link to comment
Share on other sites
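
The public-key idea from the reply above, as an added example (not code from the thread): the downloaded file holds a private key, the server stores only the public key, and each login signs a fresh single-use challenge instead of uploading the file. Ed25519 through Node's `crypto` module and the function names are assumptions of this sketch; the WebSocket/File API transport is left out.

```javascript
const crypto = require("crypto");

// Server-side state: in-memory stand-ins for a users table and a nonce cache.
const publicKeys = new Map(); // username -> PEM public key
const pending = new Map();    // username -> { nonce, expires }

// Client: generate the pair locally; only the public half is sent to the server.
function createKeyFile() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  return {
    keyFile: privateKey.export({ type: "pkcs8", format: "pem" }),
    publicPem: publicKey.export({ type: "spki", format: "pem" }),
  };
}

// Server: registration stores nothing that lets a DB thief log in.
function register(username, publicPem) {
  publicKeys.set(username, publicPem);
}

// Server: random challenge, valid for 60 seconds and for one attempt.
function issueChallenge(username, now = Date.now()) {
  const nonce = crypto.randomBytes(32);
  pending.set(username, { nonce, expires: now + 60000 });
  return nonce;
}

// Both sides sign/verify the same bytes: the username bound to the nonce.
function message(username, nonce) {
  return Buffer.concat([Buffer.from(username + "\n"), nonce]);
}

// Client: prove possession of the key file without uploading it.
function signChallenge(keyFile, username, nonce) {
  return crypto.sign(null, message(username, nonce), crypto.createPrivateKey(keyFile));
}

// Server: consume the challenge first so a captured signature cannot be replayed.
function login(username, signature, now = Date.now()) {
  const entry = pending.get(username);
  pending.delete(username);
  const pem = publicKeys.get(username);
  if (!entry || !pem || now > entry.expires) return false;
  const key = crypto.createPublicKey(pem);
  return crypto.verify(null, message(username, entry.nonce), key, signature);
}
```
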

Here is a simple way to defeat hackers: don't use the internet, period, and if you happen to, don't use any of your personal information, and do not do banking online; do banking the old way, go in person, and do shopping the old way too...

As for the article, I use the method and have yet to be hacked...

When my secret security question is "What is your favorite color?" I reply with something totally unrelated to a color, for example: THEZOO#05438ANIMAL ....

I never answer them with a correct answer...

However this does not stop a hacker from hacking, eventually your password gets cracked.

And watch out for those insecure sites that do not use security on their passwords or site. I've come across a couple like that, and I refuse to do any business with them.

Link to comment
Share on other sites

My opinion on having a Password file to be uploaded to access my account is ABSURD!

What if I wanted to access the site from my iPhone? Or jump onto my friend's iPad quickly? Which in theory means if I want to have my account with me at all times, it would either need to be on an encrypted USB (which cannot be plugged into the iPhone/iPad), and would only be able to use it on a PC. Which renders mobile technology useless.

My approach (but I'm sure there are better):

Function/class that can encode & decode.

A uniqid() that would be passed thru the encode & decode function (stored in the DB encoded).

Using phpass.

So how does everything interlock?

When registering, create a uniqid() as a salt to your password along with phpass. Encode the uniqid and store that in the DB. If a hacker gets the DB, he still has to decode each uniqid before cracking the password, unless he/she grabs the entire DB and code, but it's a simple extra layer.

When logging in, decode the uniqid, add it as a salt to the input password and pass it thru phpass. The phpass CheckPassword function will check that password along with the decrypted uniqid.

What's nice about phpass is that you can specify the iteration count. And if set at 15, it takes approx. 30 seconds to check the password.

The longer it takes the system to check/generate the password = the longer the hacker takes to run thru rainbow tables.

Obviously, every approach on the internet is hackable. But it's time consuming that drives the hacker to the next target.

As I believe, make it challenging for the hacker :P

Edited by HauntedDawg
Link to comment
Share on other sites
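
An added sketch of the layering described in the post above (not HauntedDawg's code, and not phpass): a per-user random salt, a slow hash with a tunable work factor, and one extra secret that is not stored in the database. Node's built-in scrypt stands in for phpass and an HMAC pepper stands in for the encode/decode step; `PEPPER`, the record layout and the function names are assumptions of this example.

```javascript
const crypto = require("crypto");

// Extra secret kept in server config, never in the DB (constructed demo value).
const PEPPER = Buffer.from("demo-pepper-load-from-config-not-source");

// Work factor: scrypt cost N = 2^logN. Raise the default as hardware gets faster.
const DEFAULT_LOG_N = 14;
const MAX_LOG_N = 20;

function derive(password, salt, logN) {
  // HMAC with the pepper first, so a DB-only leak lacks one input to the hash.
  const peppered = crypto.createHmac("sha256", PEPPER).update(password).digest();
  const opts = { N: 2 ** logN, r: 8, p: 1, maxmem: 2048 * 1024 * 1024 };
  return crypto.scryptSync(peppered, salt, 32, opts);
}

// Returns the string stored in the user's row: logN$salt$hash (base64 fields).
function hashPassword(password, logN = DEFAULT_LOG_N) {
  const salt = crypto.randomBytes(16); // unpredictable and unique per user
  const hash = derive(password, salt, logN);
  return [logN, salt.toString("base64"), hash.toString("base64")].join("$");
}

// Recomputes the hash with the stored salt and cost, then compares in constant time.
function checkPassword(password, stored) {
  const parts = String(stored).split("$");
  const logN = Number(parts[0]);
  if (parts.length !== 3 || !Number.isInteger(logN) || logN < 1 || logN > MAX_LOG_N) {
    return false; // malformed or hostile record: reject without hashing
  }
  const expected = Buffer.from(parts[2], "base64");
  const actual = derive(password, Buffer.from(parts[1], "base64"), logN);
  return actual.length === expected.length && crypto.timingSafeEqual(actual, expected);
}

// True when a record was created with a weaker work factor than the current default,
// so it can be re-hashed at the user's next successful login.
function needsRehash(stored) {
  return Number(String(stored).split("$")[0]) < DEFAULT_LOG_N;
}
```
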

So, by the same logic, key-based SSH authentication is bad and plaintext passwords are good?

Link to comment
Share on other sites

Please show me where I said "plaintext".

Also, did I not somehow say, to be able to access my account from multiple locations?

Even if Dropbox is an unsafe solution to store an encrypted file. But if the hacker wanted to, he could decrypt it.

I see your theory, but for a game, email & anything web related (as I'm sure that is what illusions meant), just won't be user friendly having to keep a file with you at all times.

Link to comment
Share on other sites

The logic behind authentication is to be as secure as possible, not to be convenient.

And I never shoved it in anyone's face and said "use it", I just mentioned another way.

Link to comment
Share on other sites
