ITT: Gold Rambles About Passwords
Posted by Gold Prognosticus Jan 05 2015 23:04 GMT in Gold Prognosticus

The problem with passwords is that they are often easy to steal or guess, and that either you need to re-use simple passwords across multiple sites in order to be able to remember them all or use a password manager to store them, in which case spyware needs only copy the encrypted data file and keylog the master password in order to steal all of them.

I propose a solution in which a user would have a small USB device that contains an inaccessible storage microchip containing a unique identifier and private encryption key for each login, as well as a public section with the required software/drivers. When the user wants to log into a website or application, the server then uses the respective public key stored for that logon to encrypt a random string as an authentication challenge. The client then sends the challenge string and a master password to the USB device, which then decrypts and returns the challenge string based on the respective private key. This response is returned to the server, thus authenticating the user and triggering the server to commence the user's session.

If spyware should steal the master key to the tool it is useless as the private keys are permanently stored on the USB device and are never visible to either the client or the server. If someone were to steal the USB device it would be impossible to use as they would not know the master key (and even if they were to disassemble the device to get at the closed storage it would be a simple matter to encrypt it based on the master password). The odds of someone simultaneously stealing both the digital and physical elements of the system are very slim, thus greatly increasing security while reducing the number of passwords a user needs to remember to one.

Thoughts? (Assuming anybody has a clue what I'm talking about :P)
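
The challenge-response scheme proposed above, sketched as an added example that is not part of the original post. It assumes RSA-OAEP from Node's built-in `crypto` module, an enrollment step in which the device generates the key pair and exports only the public half, and in-memory classes standing in for the USB device and the server; `Device`, `Server`, `demo` and all sample values are hypothetical.

```javascript
// Added illustration; Device, Server and demo are hypothetical names.
const crypto = require('node:crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Stands in for the USB device: private keys never leave this object.
class Device {
  #keys = new Map(); // login id -> private key, encrypted under the master password
  register(login, masterPassword) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
      modulusLength: 2048,
      publicKeyEncoding: { type: 'spki', format: 'pem' },
      privateKeyEncoding: { type: 'pkcs8', format: 'pem',
        cipher: 'aes-256-cbc', passphrase: masterPassword },
    });
    this.#keys.set(login, privateKey);
    return publicKey; // only the public half is handed to the client/server
  }
  respond(login, masterPassword, encryptedChallenge) {
    const key = this.#keys.get(login);
    if (!key) throw new Error('unknown login');
    // A wrong master password cannot unlock the stored key, so this throws.
    return crypto.privateDecrypt({ key, passphrase: masterPassword, ...OAEP }, encryptedChallenge);
  }
}

class Server {
  #publicKeys = new Map(); #pending = new Map();
  enroll(user, publicKeyPem) { this.#publicKeys.set(user, publicKeyPem); }
  issueChallenge(user) {
    const nonce = crypto.randomBytes(32);
    this.#pending.set(user, nonce);
    return crypto.publicEncrypt({ key: this.#publicKeys.get(user), ...OAEP }, nonce);
  }
  verify(user, response) {
    const nonce = this.#pending.get(user);
    this.#pending.delete(user); // single use, so a replayed response fails
    return nonce !== undefined && Buffer.isBuffer(response) &&
      response.length === nonce.length && crypto.timingSafeEqual(response, nonce);
  }
}

function demo() {
  const device = new Device(), server = new Server();
  server.enroll('gold', device.register('example.test', 'master pw')); // constructed values
  const response = device.respond('example.test', 'master pw', server.issueChallenge('gold'));
  const login = server.verify('gold', response);
  const replay = server.verify('gold', response); // nonce already consumed
  let stolenDevice = true;
  try { device.respond('example.test', 'wrong guess', server.issueChallenge('gold')); }
  catch { stolenDevice = false; } // thief without the master password gets nothing
  return { login, replay, stolenDevice };
}
```

The server side holds only public keys and short-lived nonces, so a copy of its stored data contains nothing that can answer a challenge.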


Replies:

market it
Reply by Ignorant Jan 05 2015 23:22 GMT

well isn't the server logging, at some point in the process, both the master and the private keys? so wouldn't it be possible for someone to say, dupe the system given the proper information (which is readily available inside the server handling all this). Not that this isn't waaaay more secure than a simple password but it's still not really bulletproof...

Reply by Super-Claus Jan 05 2015 23:26 GMT

Presumably the first time the client accesses the server the device would generate a private/public key pair, storing the private key internally and forwarding the public key to the client to give to the server to use for future authentication. It might be possible for someone to steal the public key from the server but that wouldn't give the hacker access to that account, only potentially allow them to imitate the server side of the authentication process (assuming there is no other signing/secure communication in use at the lower levels of the connection).
Reply by Gold Prognosticus Jan 05 2015 23:39 GMT

as bad as passwords are they're a million miles better than shit like phone number authentication and whatever unholy crap they're going to come up with in the next 5 years
simply put if generally you're not a *crag*ing idiot you have nothing to worry about
Reply by lain Jan 08 2015 09:10 GMT

two-factor auth isn't so bad
Reply by Francis Jan 08 2015 22:24 GMT