Computer: Security: Authentication
Less crackable password system   (-7)  [vote for, against]
Less crackable

(not my idea, It was explained to me by a friend)

The basic idea here is a password for a computer that seems like an ordinary password, but when an incorrect password is entered, the current password for the computer is changed to the incorrect password that was just entered. This effectively guards against brute force attacks, because the actual password will always be one step behind the brute forcing program. It will also alert the user that someone has tried to hack their system, when they first enter the correct password, it will register as wrong, and they will have to enter it again to gain access to their computer.
-- erenjay, Jun 25 2012

Hang on a tick.

First of all, this means I can hack into your computer by entering any (wrong) password twice.

It also means that, if I try to hack in once with a wrong password, you won't know the new password to your own computer.

Apart from those two flaws, it's faultless.
-- MaxwellBuchanan, Jun 25 2012


As with most such, this is security through obscurity. As long as the system isn't known, it might work, as soon as it's public knowledge, it's easily breakable.
-- MechE, Jun 25 2012


1) That would fall at the first post to anyone using the time-travelling computer or would that be the second post?

2)Alternatively, how about a system with ten billion hard to guess passwords that users can get by making a memorable sentence...sounds strangely familiar...
-- not_morrison_rm, Jun 25 2012


I was about to bone this, but then I thought - what if the password reset (a) were temporary and (b) kicked in only when a brute force attack seemed to be in progress and (c) kicked out again when it detected an attempt to game it?

So, if you manually type "rubbish" twice into my laptop, then my password remains as it was and you haven't cracked it.

However, if you (or a script) hit my laptop more than [some semi-random threshold] times during a period of, say, one minute, then my password gets reset to a random recently-attempted password (which may or may not be my original password) for the next [semi random period of time not exceeding, say, five minutes].

Furthermore, if this second-guessing algorithm detects someone attempting the *same* wrong password more than [some semi-random threshold] times, it reverts the password to my original one.

Then we could add some fretwork and a cuckoo clock.
-- pertinax, Jun 25 2012


If the system can detect that a brute force attack is ongoing, it can be set not to accept the password even if it comes up.
-- MechE, Jun 25 2012


Heck, if it can be set to do that, then it could be set to say something like 'the password is the current user's credit card account number' or some kind of offense as defense strategy. Or, have it accessible into a fake 'honeypot' system, in which keystrokes and clicks are then recorded. That's be kinda fun.
-- RayfordSteele, Jun 25 2012


A well-implemented password system using non-public salted hashes is pretty tough to crack as-is. If non-salted hashes are used and the hash table is public or leaked, a brute-force attack basically runs a rainbow-table lookup against the hash table and returns a list of passwords which match hashes in the table. A delay as posted by [bigsleep] works against someone repeatedly trying to gain access through the normal login process, but fails entirely when the password can be cracked before it is entered.

More appropriate may be to track the IP of everyone logging in, and throw up an IP block if several accounts are accessed from the same IP in a very short time. This won't catch attacks targeted to an individual, but it should stop attacks targeted to a service.
-- Freefall, Jun 27 2012


//A well-implemented password system using non-public salted hashes is pretty tough to crack as-is.//

The salts are generally considered to be as public as the password hashes.

That is, if you can store the salts securely, then why don't you just store the passwords securely?
-- Loris, Jun 27 2012


If we're going to all this trouble to have the computer change a password after every hit when it detects a brute force attack, why not just have it go into lockdown until the attack is over? I mean, these things don't typically last very long, do they? Just make it so there is no password and no access and nobody can get in until the assault is over.
-- Alterother, Jun 27 2012


doing that requires the ability to tell when a brute force attack is happening, and when it has stopped. My idea, however, just requires that nobody know about it to be secure.
-- erenjay, Jun 27 2012


For a networking situation and system to look for brute force attempts and shuts down services in response, especially to legit users (people who have working u/p) is making itself an easy target for DOS attacks. All you need to deny all users access is to launch a brute force password attempt which takes almost nothing on the part of the hacker.
-- WcW, Jun 27 2012


Okay, I understand it a bit better now.
-- Alterother, Jun 27 2012


[Loris], a system which makes its hash table publicly available is not one that I'd call well-implemented. That said, even if the salt is leaked along with the hash, there is still the issue of building a custom rainbow table for the given salt. Further, a system which uses a salt particular to each account (let's say the salt is the raw hash of the account name), the rainbow table must be built up for each account. While none of these methods make the crack process any more -difficult-, they make it much more computationally expensive.
-- Freefall, Jun 28 2012


Essentially speaking, any situation where a password is not derived by an entirely random process will be more vulnerable than a system where there is any sort of pattern. Any password system where repetition of a random password, at any point in the process, be it on the first attempt or an attempt after the first attempt will be far more vulnerable than a system where the password is fixed on a random, long, and uncommon string of characters.
-- WcW, Jun 28 2012


[WcW] // any situation where a password is not derived by an entirely random process will be more vulnerable than a system where there is any sort of pattern// Actually this isn't true unless the pattern is known. (The following is distilled from Steve Gibson's "Security Now" podcast) If my password is 26 "a"s in a row, it is not random, but if you don't know that it isn't random, then you can start guessing, usually starting with a dictionary attack, then maybe dictionary with standard substitutions, (a > @, O > 0, etc), but if those and similar attempts fail, you will have to guess randomly. At that point, as long as you avoid the common traps, only the length of the password matters and "aaaaaaaaaaaaaaaaaaaaaaaaaa" will take a long time to break if attacked randomly and way longer than what seems like a good password like "3Y2b^l" which has a lot more randomness.
-- MisterQED, Jun 28 2012


Would it not be simpler if everyone in the whole world agreed to use the same usernames and the same password, for everything?

That way, the hackers would not be able to hack selectively into your PayPal account and steal your millions, because 99,999 times out of 100,000 they'd wind up in the account of some loser with no money.

Foolproof.
-- MaxwellBuchanan, Jun 28 2012


Good idea [MaxB]. What username and password do you use? We will all change over to the same ones once you tell us.
-- AusCan531, Jun 28 2012


billygatesgruff, thunderbox404. Just whatever you do, don't keep it secret.
-- MaxwellBuchanan, Jun 28 2012



random, halfbakery