
A couple of years ago, when I was in Paris, I had to use computers in internet cafes. The possibility that my banking credentials would be intercepted by a keylogger was always on my mind. I came up with one possible solution for the problem of using secure credentials on an insecure terminal:

Summary: A secure website to change passwords for you.

My idea is this:

Make a website that can change passwords on your favorite websites (Gmail, your bank, and so on). Give this website a list of passwords and corresponding "change codes" to use. Keep this same list of passwords and "change codes" on your person. When you have used a password on an insecure terminal, go to this website and click on the "Change my password" button. To verify that it really is you requesting the change (and not some random internet user), you would be prompted for your "change code". After verifying your change code, the website would change the password to the next password on your list.


Comments

[info]threephaseboy wrote:
Oct. 24th, 2006 11:02 pm (UTC)
If the website required a dongle (like SecureID or whatever), getting the temporary code wouldn't let an attacker gain access. Some European banks use this already.
For low security stuff, I had an idea for an authentication mechanism similar to what Ham Radio BBSs use: basically you create an NxN table of random chars, print it out, carry it on a card or whatever, and when you log in the server asks you for some random chars from it, like {(2,3),(8,1),(9,9)} etc. Not terribly secure (listen long enough and you can recreate the table) but possibly "good enough" for low security applications.
I wrote a quick and dirty perl implementation of this once.
Your idea would probably be more secure.
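The grid-card scheme from the comment above, as an added example that is not part of the original post or of the commenter's Perl script: the server keeps the N x N table, asks for k cells per login, and checks the answer; the last two functions quantify the "listen long enough" weakness by measuring how much of the card an eavesdropper has seen after a given number of logins. Cell coordinates are 0-indexed here, and the card contents are generated, not real credentials.

```python
import hmac
import random
import string

ALPHABET = string.ascii_uppercase + string.digits


def make_grid(n, rng=None):
    """The printed card: an N x N grid of random characters (constructed)."""
    rng = rng or random.SystemRandom()
    return [[rng.choice(ALPHABET) for _ in range(n)] for _ in range(n)]


def make_challenge(n, k, rng=None):
    """Server side of one login: k distinct (row, col) cells to ask for."""
    rng = rng or random.SystemRandom()
    cells = [(r, c) for r in range(n) for c in range(n)]
    return rng.sample(cells, k)


def answer(grid, challenge):
    """Client side: read the requested cells off the card, in challenge order."""
    return "".join(grid[r][c] for r, c in challenge)


def verify(grid, challenge, response):
    """Server side: constant-time comparison of the typed response with the card."""
    return hmac.compare_digest(answer(grid, challenge).encode(), response.encode())


def observed_fraction(n, k, logins, rng=None):
    """Simulate an eavesdropper watching `logins` sessions: the fraction of
    cells whose value has been sent in the clear. At 1.0 the card is known."""
    rng = rng or random.SystemRandom()
    seen = set()
    for _ in range(logins):
        seen.update(make_challenge(n, k, rng))
    return len(seen) / (n * n)


def expected_fraction(n, k, logins):
    """Closed form of the same quantity: each login reveals any given cell with
    probability k / n^2, so the expected exposed fraction is 1 - (1 - k/n^2)^logins."""
    return 1 - (1 - k / (n * n)) ** logins


if __name__ == "__main__":
    # A 10x10 card asked for 3 cells per login: roughly 78% exposed after 50 logins.
    for logins in (1, 10, 50, 100):
        print(logins, round(expected_fraction(10, 3, logins), 3))
```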
[info]joel wrote:
Oct. 25th, 2006 03:44 pm (UTC)
I like the authentication mechanism that Ham Radio BBSs use. I guess you could set up a secure website which would proxy sites for you: log in using the NxN table and it would log you in to your banking site via proxy.
[info]threephaseboy wrote:
Oct. 25th, 2006 05:32 pm (UTC)
It's not exactly what they use; the one I have has a passphrase, and when you log in it asks for certain chars from it, so not as secure as using an NxN table (recovery would probably be on the order of 5-10 logins).
[info]joel wrote:
Oct. 25th, 2006 05:48 pm (UTC)
Why not use RSA challenge-response?
[info]threephaseboy wrote:
Oct. 25th, 2006 09:09 pm (UTC)
FCC regulations prohibit the use of any codes or ciphers on amateur bands.