Passwords

I couldn’t sleep last night. Probably too much caffeine or coding. Most people count sheep to help them sleep; I thought I’d invent an authorisation system 🙂

The basic idea is that the password is replaced with a text-file key and a PIN, so a user only needs to remember a 4-digit PIN to log in to a web site rather than a username and password combination. Every time a user wishes to log in they simply find the relevant file containing the key and enter their name and PIN.

The text file contains a string of the form “HeyesKey:hashgoeshere@domaingoeshere”; the domain part is important because it addresses phishing as well. If browsers implemented a clipboard check or a form-submission check against the domain named in the key, bogus sites could be identified very easily. Even if an attacker found your HeyesKey text file and knew your first name, they would still need to guess the correct PIN in order to log in. The system borrows from how ATMs work: the key is like your debit/credit card, and if you enter your PIN incorrectly 3 times the account is disabled.
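As an added illustration, not the HeyesAuthMethod source (which is PHP) but a separate Python sketch written for this page, here are the checks the post describes: parsing the key string, refusing a key bound to another domain, and disabling the account after three wrong PINs. The server-side storage (PBKDF2 of the PIN salted with the key hash), the `enrol`/`login` names and the result strings are assumptions, not the demo’s design.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 3  # the post's ATM-style rule: three wrong PINs disables the account

def parse_key(text):
    """Split a 'HeyesKey:<hash>@<domain>' string into (hash, domain)."""
    if not text.startswith("HeyesKey:"):
        raise ValueError("not a HeyesKey string")
    key_hash, sep, domain = text[len("HeyesKey:"):].partition("@")
    if not (sep and key_hash and domain):
        raise ValueError("malformed HeyesKey string")
    return key_hash, domain.lower()

def pin_verifier(key_hash, pin):
    # Assumed server-side storage: the PIN is never kept in the clear but stretched
    # with the key hash as salt, so a leaked account table does not expose PINs.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), key_hash.encode(), 100_000).hex()

class HeyesAuth:
    def __init__(self, site_domain):
        self.site_domain = site_domain.lower()
        self.accounts = {}  # name -> {"key_hash", "verifier", "failures", "disabled"}

    def enrol(self, name, pin):
        """Issue a fresh key-file string for name; only a verifier of the PIN is stored."""
        key_hash = secrets.token_hex(16)
        self.accounts[name] = dict(key_hash=key_hash, verifier=pin_verifier(key_hash, pin),
                                   failures=0, disabled=False)
        return f"HeyesKey:{key_hash}@{self.site_domain}"

    def login(self, name, key_text, pin):
        acct = self.accounts.get(name)
        if acct is None or acct["disabled"]:
            return "denied"
        key_hash, domain = parse_key(key_text)
        if domain != self.site_domain:
            return "wrong-site"  # anti-phishing check: the key is bound to another domain
        key_ok = hmac.compare_digest(key_hash, acct["key_hash"])
        pin_ok = hmac.compare_digest(pin_verifier(key_hash, pin), acct["verifier"])
        if key_ok and pin_ok:
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["disabled"] = True  # locked out, like a swallowed bank card
            return "disabled"
        return "denied"
```

The lockout is what makes a 4-digit PIN workable at all: without it, 10,000 guesses is trivial for anyone holding the key file.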

See a demo here:-
http://www.businessinfo.co.uk/labs/HeyesAuthMethod/heyes_auth_test.php

Source code here:-
HeyesAuthMethod

Advantages:-
1. Could prevent all types of phishing.
2. 4-character PIN instead of a long password.
3. Keys are stored in plain text, so they could be encrypted and kept in a safe place.
4. Accounts can be disabled, because brute-force DoS attacks would be very difficult.

Disadvantages:-
1. Could be hard for someone to understand at first.
2. Users might not like copying and pasting from a text file to log in.

3 Responses to “Passwords”

  1. Ambush Commander writes:

    If you’re going to go as far as suggesting text keys and browser support, why not go the whole kaboodle and have browsers implement public key authentication like SSH?

  2. Ambush Commander writes:

    By the way, you should probably warn your users that JavaScript is required to use the comment forms, as well as the fact that their comment won’t show up immediately due to moderation.

  3. Gareth Heyes writes:

    @ambush commander

    Yes, of course I could have encrypted the data, but as I said in the post I did it because I couldn’t sleep, not to write a full, comprehensive solution. The idea in my head enabled the user to remember a small PIN but provide enough security that their account couldn’t easily be compromised.

    The system could also prevent phishing using browser clipboard checks; I’ve released the code/concept as GPL so anyone can improve it.

    Agreed, I will change the plugin I wrote to warn that JavaScript is required.