Tuesday, June 03, 2008

Paranoid about your passwords?

I came across this today. It's pretty handy if you are sick of trying to think of (and remember) complex passwords.

For those familiar with authentication schemes, it essentially blends the concept of challenge/response questions with passwords. The way I like to think of it is with the following example...

The challenge (called "phrase" on the site) could be something like "what is my password for site x", and the response (called "password" on the site) is just a secret word that acts as your master key, so to speak. The site combines the two and spits out an actual password, which you then use as your real password on whatever site you generated it for. Keep the same master key and vary the phrase per site, and every site ends up with its own generated password while you only have to remember the phrase pattern and the one key.

Metaphorically, it's like going to a locker (perhaps at an airport or a train station) to get your house keys so you can go home. Thankfully, you only have to go to a website instead of navigating through traffic or the public transport system to get your house keys.

Apparently there's no "magic" behind how it generates your password for you. Read about it here.

It's not foolproof, but it's certainly better than using a weak, simple password. I wouldn't go as far as calling it a 2 factor authentication mechanism, though: under the traditional definition the authenticating site has to handle the authentication factors directly, and the factors have to be two out of the following three: something you know (e.g. password), something you have (e.g. smartcard), something you are (e.g. fingerprint).

But if you think about it, handling your password this way requires that you know something (which challenge/response combination to use) and also produces a "token" of sorts (normally a token comes from something you have; here you could argue that the website plays that role). I know it's the same token each time, so strictly it is still a single factor: the generated password is a deterministic function of two things you know, and the site you log in to sees nothing but an ordinary password. What you gain is a long, site-unique password that you never have to memorise and that isn't easy to guess, as long as the master key behind it isn't. One could view it as a "pseudo token" generated from knowledge you have. Call it 1.5 factor authentication if you like, or maybe "obscured/indirect authentication". Can anyone think of a better name? In any case, I'm really stretching the multi-factor definition here, but hopefully you know what I'm getting at. The practical caveats are the ones the locker metaphor suggests: the website doing the generating sees both your phrase and your master key, so you are trusting it and the connection to it, and because the derivation isn't secret, anyone who gets hold of one generated password and can guess the phrase can test master-key guesses against it offline. In short, it's better.
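To make the mechanism concrete, here is an added example, written for this page and not the code of the site the post links to (whose exact algorithm the post does not give). It derives a site password from the phrase and master key described above using HMAC-SHA256 as an assumed stand-in for whatever the site actually does, and it also illustrates the guessability point: with one generated password in hand, an attacker can test master-key guesses offline, so the scheme is only as strong as the master key. The phrase, master key, password length and the candidate list are all constructed for the example.

```python
import base64
import hashlib
import hmac

# Added example, not the linked site's code. HMAC-SHA256 is an assumed
# stand-in for the site's own (unspecified) derivation function.


def derive_password(phrase: str, master: str, length: int = 16) -> str:
    """Return a printable password derived from a site phrase and a master key.

    The master key is the HMAC key and the phrase is the message, so the same
    (phrase, master) pair always yields the same password, and changing either
    one yields an unrelated password. Nothing is stored anywhere: the "locker"
    is recomputed from the two inputs every time.
    """
    # One SHA-256 digest is 32 bytes, which base64 encodes to 43 characters
    # after padding is stripped; longer passwords would need more digest output.
    if not 1 <= length <= 43:
        raise ValueError("length must be between 1 and 43 for a single SHA-256 digest")
    digest = hmac.new(master.encode("utf-8"), phrase.encode("utf-8"), hashlib.sha256).digest()
    # URL-safe base64 keeps the result typeable (A-Z, a-z, 0-9, '-', '_').
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")[:length]


def recover_master(phrase: str, leaked: str, candidates, length: int = 16):
    """Offline guessing attack on the master key given one leaked derived password.

    Because the derivation is deterministic and not secret, anyone holding a
    generated password and a correct guess at the phrase can test master-key
    guesses without ever talking to the generating site or the target site.
    Returns the first candidate that reproduces the leaked password, or None.
    """
    for guess in candidates:
        if hmac.compare_digest(derive_password(phrase, guess, length), leaked):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    phrase_x = "what is my password for site x"
    phrase_y = "what is my password for site y"
    master = "hunter2"  # deliberately weak, to show the offline-guess problem

    pw_x = derive_password(phrase_x, master)
    pw_y = derive_password(phrase_y, master)
    print("site x:", pw_x)
    print("site y:", pw_y)
    print("same inputs, same output:", pw_x == derive_password(phrase_x, master))
    print("different phrase, different output:", pw_x != pw_y)

    # An attacker who obtained pw_x (say, from a breach of site x) and knows the
    # phrase pattern can try a wordlist against it offline.
    wordlist = ["password", "letmein", "qwerty", "hunter2", "correcthorse"]
    found = recover_master(phrase_x, pw_x, wordlist)
    print("master key recovered from leak:", found)
    # With the master key, every other site's password falls too.
    print("site y password recomputed by attacker:", derive_password(phrase_y, found) == pw_y)
```

The derivation side is the whole "no magic" idea: no database, just a keyed hash of the phrase. The recovery side is why the master key, not the phrase, has to carry the entropy: the phrase is predictable by design, so the only thing standing between a leaked generated password and all your other generated passwords is how hard the master key is to guess.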

It's a very simple concept (now we can all say "crap why didn't I think of that") and a good one I think if you want to add that extra little bit of security to your everyday passwords.

1 comment:

Anonymous said...

I think the web site should register 3 additional images it selects and presents them each time for you to choose yours. The set would have to be fixed at time of registration or re-registration.