Concept of "Password Mode"
-
Let me prefix this with having no background in the world of security whatsoever, but I did have an idea that I believe could have some merit and I thought I'd see what others thought. It occurred to me that an OS with a "private key" of my choosing, several algorithmic options to use in conjunction with that key and some specification (length/charset) of the desired output, could have a mode designed to "alter" my input based on those data points. No actual password would be stored, but my password of "password1" could be turned into 180 characters for me by the OS while in what I call "password mode". Unless someone is using my private key, my selected algorithm, and my character set criteria, nobody could reproduce the same output as me by typing password1. In my mind, this private key works similar to a cypher (yes I am that far out of my depth) and could be my dog's name or an entire paragraph from my favorite book. The algorithms would need to do all of this in such a way where each subsequent character is an entirely new (but repeatable) character footprint. So, even if you type 11111 for your password, each new instance of 1 has an entirely different burst of (20-ish) characters representing the next instance of the 1 key. This probably wouldn't change how we would log into an OS, but I do believe everyone using garbled 120+ character passwords overnight would go a long way towards securing ourselves on individual websites. I also believe it would be extremely helpful to keep my password and change my private key when I find out a website I use has been compromised.
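The scheme described in the post, as an added example that is not code from the thread or from any project mentioned in it: a deterministic "password mode" that stretches a short typed password plus a user-chosen master secret (the post's "private key") and a site label into a long output drawn from a chosen charset. The concrete algorithm choices (PBKDF2-HMAC-SHA256 for stretching, HMAC counter-mode expansion, rejection sampling into the charset, 180 characters, the 90-character default charset) are assumptions standing in for the post's "several algorithmic options"; the master secret, site names and typed passwords below are constructed.

```python
"""Deterministic 'password mode' derivation (added example, not from the thread).

master secret + site label + typed password  ->  long site-specific password
Nothing is stored; the same inputs always reproduce the same output, and
changing the master secret alone changes every site's output.
"""
import hashlib
import hmac

# Constructed default charset: letters, digits and a fixed set of symbols (90 chars).
DEFAULT_CHARSET = (
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    "!#$%&()*+,-./:;<=>?@[]^_{|}~"
)


def _bytes_to_chars(raw: bytes, charset: str) -> str:
    """Map bytes onto the charset without modulo bias: discard any byte at or
    above the largest multiple of len(charset) that fits in 256."""
    limit = 256 - (256 % len(charset))
    return "".join(charset[b % len(charset)] for b in raw if b < limit)


def derive_site_password(master_key: str, site: str, typed: str,
                         length: int = 180, charset: str = DEFAULT_CHARSET,
                         iterations: int = 200_000) -> str:
    if not 2 <= len(charset) <= 256:
        raise ValueError("charset must have between 2 and 256 characters")
    if len(set(charset)) != len(charset):
        raise ValueError("charset must not repeat characters")
    # Slow step: stretch master secret plus typed password. The site label is
    # the salt, so one master secret yields unrelated outputs on every site.
    secret = master_key.encode("utf-8") + b"\x00" + typed.encode("utf-8")
    seed = hashlib.pbkdf2_hmac("sha256", secret, b"site:" + site.encode("utf-8"),
                               iterations, dklen=32)
    # Fast step: expand the 32-byte seed with HMAC in counter mode until the
    # charset mapping has produced enough characters. Every output position
    # depends on the whole input, so typing "11111" does not give five
    # repeated chunks.
    chars = []
    counter = 0
    while len(chars) < length:
        block = hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        chars.extend(_bytes_to_chars(block, charset))
        counter += 1
    return "".join(chars[:length])


def rotate_after_breach(old_key: str, new_key: str, site: str, typed: str) -> tuple:
    """The post's recovery idea: keep typing the same password, change only the
    master secret. Returns (old_site_password, new_site_password)."""
    return (derive_site_password(old_key, site, typed),
            derive_site_password(new_key, site, typed))


if __name__ == "__main__":
    pw = derive_site_password("my dog Biscuit", "example.com", "password1")
    print(len(pw), pw)
    old, new = rotate_after_breach("my dog Biscuit", "a paragraph from my favourite book",
                                   "example.com", "password1")
    print("rotation changed the site password:", old != new)
```

The weak link in such a scheme is the master secret: the typed "password1" adds almost nothing, so the output is only as hard to reproduce as the master secret is to guess, and the stretching step (the iteration count) is what slows an attacker who has captured one site's derived password and tries to recover the secret behind it. Rotating the master secret, as in `rotate_after_breach`, changes the output for every site at once, which is why real password managers rotate per-site rather than per-master-secret.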
-
Wow. You essentially invented password hashes, salt and pepper. Again.
I have lived with several Zen masters - all of them were cats. His last invention was an evil Lasagna. It didn't kill anyone, and it actually tasted pretty good.
-
Bogatitus wrote:
having no background in the world of security whatsoever
So, the good news is that with no background whatsoever, you've basically described how most password systems work. You did munge it a little with asymmetric cryptography (a private key infers a public key), but that's okay. Maybe you should look into crypto systems; it's a very rich field of study that you apparently have an interest in.
"Never attribute to malice that which can be explained by stupidity." - Hanlon's Razor
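The server-side mechanism the replies are comparing the proposal to, as an added example that is not code from the thread: a salted, peppered, stretched hash is stored instead of the password. The salt is random per account and stored beside the digest; the pepper is a secret kept outside the database. PBKDF2-HMAC-SHA256, the iteration count and the sample pepper are assumptions.

```python
"""Salted and peppered password storage (added example, not from the thread)."""
import hashlib
import hmac
import os
from typing import NamedTuple, Optional

PBKDF2_ITERATIONS = 200_000  # assumed work factor


class StoredCredential(NamedTuple):
    salt: bytes    # random per account, stored with the record
    digest: bytes  # the stretched hash; the password itself is never stored


def hash_password(password: str, pepper: bytes,
                  salt: Optional[bytes] = None) -> StoredCredential:
    if salt is None:
        salt = os.urandom(16)
    # The pepper is keyed in via HMAC before stretching. A leaked table of
    # salts and digests cannot be attacked offline without it.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, PBKDF2_ITERATIONS, dklen=32)
    return StoredCredential(salt, digest)


def verify_password(candidate: str, stored: StoredCredential, pepper: bytes) -> bool:
    recomputed = hash_password(candidate, pepper, salt=stored.salt)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(recomputed.digest, stored.digest)


def same_password_two_users(password: str, pepper: bytes) -> bool:
    """Two accounts with the same password get different digests because of the salt."""
    a = hash_password(password, pepper)
    b = hash_password(password, pepper)
    return a.digest != b.digest and a.salt != b.salt


if __name__ == "__main__":
    pepper = b"constructed-pepper-kept-out-of-the-database"
    record = hash_password("password1", pepper)
    print("salt:", record.salt.hex(), "digest:", record.digest.hex())
    print("login ok:", verify_password("password1", record, pepper))
    print("wrong password rejected:", not verify_password("password2", record, pepper))
```

The salt plays the role of the post's per-site variation (identical passwords hash differently), the pepper plays the role of the "private key" that never leaves the owner's control, and the iteration count is the work factor that makes guessing slow. The difference from the post's idea is where the secret lives: here on the server, there with the user.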
-
There are a million things I'd love to dig into if I wasn't already spending 75 hours a week as a 3D modeler for a construction company + 30 more doing industry specific hobbyist programming. Based on your comment though, I guess I am proposing they reinvent the wheel, but encapsulated around the users. Not quite the level of isolation I want, but it does seem like even a Chrome plugin could mostly do this for me as long as it existed for iOS, Android and Windows. Still, it would be nice for OS level integration on mobiles so all the various standalone apps could receive the altered input. Maybe I am just too ignorant on this topic to understand and I can accept that... Online or in the real world if someone wants to steal something they are going to steal it, all we can do is make it more trouble than it's worth. With that said, wouldn't doubling down even on our current protection methods (as proposed) cause some kind of useful disruption?
-
Bogatitus wrote:
Online or in the real world if someone wants to steal something they are going to steal it, all we can do is make it more trouble than its worth.
There is no 100% security, you just need to make it more difficult to steal from you than from your neighbor ;) ;P :laugh:
M.D.V. ;) If something has a solution... Why do we have to worry about it? If it has no solution... For what reason do we have to worry about it? Help me to understand what I'm saying, and I'll explain it better to you. Rating helpful answers is nice, but saying thanks can be even nicer.
-
Just saw this -- too bad I didn't see it when you first posted. Anyways, the idea you propose sounds like what I've done in my app which allows you to draw a geometric shape and then generates a long (SHA-256 hash-based) password for you. You can read all about it and get the code here at CP: Users Hate Passwords (We're All Users): Never Memorize a Password Again. I've written the app as an iPhone, Android, WinForm and web app. You can try the web app at the official site (it's all client-side JavaScript, nothing is saved): C'YaPass : Never type a password again