Entering a Password Multiple Times for Security
I was thinking about the 1983 movie WarGames and how the computer personality of “Joshua” acted like a human. The first time you asked it a question, it responded with a question or didn’t give a complete answer. However, if you asked the computer the same question a second time, you got the information you were after.
Today’s passwords will soon become obsolete, according to computer experts. They are insecure not only because people choose bad ones and write them down, but because of brute force cracking as well.
My idea is this: have the computer say all passwords are wrong, at least the first time they are entered. To gain access to the system, you must enter the correct password twice in a row.
This would instantly double the processing time required by a brute-force hacking attempt, while at the same time not making it much more difficult for the user. Assuming the user knows their password, all they need to do is enter it twice. Simple enough. A person guessing at the password, however, would need to enter every guess twice – and since the computer responds exactly the same way even if the password is correct (but only entered once), the cracker may never even know the computer is set up with this sort of system. In this case, it would be impossible for the cracker to get in with their traditional brute-force crack, no matter how much time or processing power they had.
Keep in mind that this is only an idea. I realize it might not be practical, since I’m not sure how it would help with people breaking md5sums or password hashes. Once you have access to the stored password, there’s no telling what you can do with it.
But go along with me and consider this: the user has to enter a series of passwords, perhaps two or three of them, with the computer responding in the same way (“invalid password”) after every entry. For example, my password might be “mice”, “eat”, “cheese”, entered separately but consecutively and in order.
It would be virtually impossible to break such a password using brute force.
Yet since I know the password, it only takes slightly longer – and it might even be the same, considering I could choose simpler passwords this way rather than a more complex password (with symbols and numbers) the traditional way.
If password security becomes a problem, I think this is a great idea. And remember, you read it here first.
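The scheme described in this post, sketched as an added example (not code from the original post): a login check that answers “invalid password” to every entry until the full sequence has been typed consecutively and in order. The class and function names, the PBKDF2 storage of one hash over the whole sequence, and the candidate list are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from collections import deque


class SequenceLogin:
    """Access requires the whole password sequence, entered consecutively
    and in order; every other entry is answered with REPLY."""

    REPLY = "invalid password"

    def __init__(self, sequence, iterations=100_000):
        self.salt = os.urandom(16)
        self.iterations = iterations
        # Sliding window over the most recent entries, one slot per element.
        self.recent = deque(maxlen=len(sequence))
        # One salted hash over the whole sequence, so the stored value
        # does not allow each word to be checked on its own.
        self.stored = self._hash(sequence)

    def _hash(self, entries):
        # Length-prefix each entry so ("ab", "c") and ("a", "bc") differ.
        blob = b"".join(
            len(e.encode()).to_bytes(4, "big") + e.encode() for e in entries
        )
        return hashlib.pbkdf2_hmac("sha256", blob, self.salt, self.iterations)

    def attempt(self, password):
        self.recent.append(password)
        # Always hash the current window so every refusal costs the same work.
        if hmac.compare_digest(self._hash(self.recent), self.stored):
            self.recent.clear()
            return "access granted"
        return self.REPLY


def entries_until_granted(login, entries):
    """Feed entries in order; return how many were typed when access was
    granted, or None if every entry was answered with REPLY."""
    for count, entry in enumerate(entries, start=1):
        if login.attempt(entry) != SequenceLogin.REPLY:
            return count
    return None


# Constructed sample data: a short candidate list containing the password.
CANDIDATES = ["cat", "dog", "mice", "bird"]
```

With the double-entry password ("mice", "mice"), a pass that enters each candidate once is refused throughout, while entering each candidate twice is granted on the sixth entry.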
Wow… that is one of the best ideas for security that I’ve heard in a long time. The only problem I see with it is that many people will get annoyed with the 3 password thing. I would use it. I’m sure many companies would use it. But I’m sure the basic idea has been thought of before. Imagine if someone could actually crack all 3 passwords. I mean, unless someone is a big enough tool to use the same one 2 or 3 times, it would be virtually impossible to crack three, six character long, alphanumeric passwords. There are infinite combinations (not really, but I’m too lazy to find the real number).
But anyways, the idea is great… try telling someone about it, you could be rich (or not, someone might just steal the idea :P)
That’s a great idea for people who are used to technology. My problem with it is that it doesn’t work for others who don’t use computers as much. I can’t imagine telling my parents that they’re entering the right password when the computer is telling them “Invalid Password”. Of course, if someone is going to use an automated script to break the password, we can simply replace the phrase “Invalid Password” with something like “Please re-enter your password.”
I have a password hacked, so please give me my password. I have a need for it. I hope you give me this ID password.
Interesting concept, but the reason brute force is working nowadays is because of computing power. This concept is already applied in a lot of software but the other way around. You have only a limited number of attempts before being locked out; this renders brute force obsolete… for now I think the best option is to create a secure password.
HP warns over OpenView flaw
John Leyden, The Register 2005-08-31
Enterprise users are being urged to apply workarounds following the discovery of a potentially troublesome vulnerability involving a component of HP’s widely used network management suite, HP OpenView. A security bug in Network Node Manager opens the door to possible hacker attack, according to work by security researchers at Portcullis Computer Security and NGS Software.
Network Node Manager (NNM) allows network managers to monitor and control the operation of network devices. The flaw creates a means for hackers to execute potentially malicious shell commands by exploiting inadequate input checks involving scripts (e.g. cgi-bin/connectedNodes.ovpl) used by various versions of NNM. The vulnerability affects versions 6.2, 6.4, 7.01, and 7.50 of OpenView NNM running on HP-UX, Solaris, Windows NT, Windows 2000, Windows XP and Linux systems.