17 February 2012

User Challenge Password

These were my ideas as posted in the comp.infosystems.www.servers.unix group,
Sept 22, 2005.
http://groups.google.com/group/comp.infosystems.www.servers.unix/browse_thread/thread/265a81b96e1af49e/d927f7fdc6217910?hl=en


I don't know your case, but I have been thinking of this approach for
some time, though I don't know whether it applies to you or not:
I am using the bank PIN system, but with a little bit of a twist.
Suppose I (as a user) already know my PIN number, 123456.
I will also be assigned a "challenge phrase" (I can choose from a
countless number of possibilities -- I will explain soon), and I (and
the bank) will be the only ones who know this phrase.
For example, the "challenge phrase" that I use would be:
"Add my first PIN digit to the fourth number of the 'challenge list'"
...........
When I try to log into the system or ATM,
I will type in my login ID and press enter (or for an ATM, insert my ATM card).
The system will give me a few sets of numbers, e.g.: 3452 5643 3443 5645
This is the "challenge list".
Since my challenge phrase is to add my first PIN digit (which is 1) to the
4th number of the challenge list (which is 2), I will end up with the
number 3.
I will enter the "answer", 323456, as the "challenged PIN".
There are vast possibilities for the "challenge phrase"; it would need
our mind to calculate it (or we can put a calculator on the web page to
assist the calculation).
At the next login, the system will give a new "challenge list (CL)",
but our original PIN and "challenge phrase (CP)" would stay the same
unless we change them after login. The challenged PIN (CPIN) will
also differ each time we log in. This way, even a keyboard reader
cannot know the actual PIN.
Another example: if my CP is to multiply the 1st PIN digit by the 8th number of
the CL, and subtract the 11th number of the CL from the 4th digit of the PIN,
then my CPIN will be 323056.
The possibilities are endless...
No PIN is transferred through the net. If the CP is very good, the CL
and CPIN can even be transferred in clear text, and still nobody can
guess...

Additional possibilities for the CP can also be: "use the 4th number of
the CL as your 1st CPIN digit, use the 3rd number of the CL as your 2nd CPIN
digit, use the 16th number of the CL as your 3rd CPIN digit, and so on...."
Then there will be no calculation needed....
This method can also be used as your second authentication, after the
usual username-password combination.
I hope somebody could calculate the "statistical probability" that
someone can crack the CPIN.
I think it is the same as trying the PINs one by one by brute force.


Rosdan
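The exchange described in the post, as an added worked example (it is not the author's code, and the post gives no implementation). It models a challenge phrase as a list of rules, each overwriting one CPIN position with a digit computed from one PIN digit and one digit of the concatenated challenge list, with 1-based positions as the post counts them. The rule tuple format, the `OPS` table, the `take` operation for the "no calculation" variant, and reducing results mod 10 (the post never produces a result outside 0-9) are assumptions made for this example; the PIN, challenge list and expected CPINs 323456 and 323056 are the post's own.

```python
import operator
import secrets
from typing import Callable, List, Sequence, Tuple

# Hypothetical model of the post's scheme (added example, not the author's code).
# A "challenge phrase" (CP) is a list of rules. Each rule overwrites one CPIN
# position with a digit derived from one PIN digit and one digit of the
# "challenge list" (CL). Positions are 1-based, and CL positions count across
# the concatenated groups, exactly as in the post's worked examples.
#   (target_cpin_pos, pin_pos, op, cl_pos)
Rule = Tuple[int, int, Callable[[int, int], int], int]

OPS = {
    "add": operator.add,
    "sub": operator.sub,
    "mul": operator.mul,
    "take": lambda _pin_digit, cl_digit: cl_digit,  # the "no calculation" variant
}


def cl_digits(challenge_list: str) -> List[int]:
    """Flatten '3452 5643 3443 5645' into a list of 16 digits."""
    return [int(c) for c in challenge_list if c.isdigit()]


def apply_cp(pin: str, challenge_list: str, rules: Sequence[Rule]) -> str:
    """Derive the challenged PIN (CPIN) from the PIN, the CL and the CP rules."""
    pin_d = [int(c) for c in pin]
    cl = cl_digits(challenge_list)
    out = pin_d[:]  # positions no rule touches are copied from the PIN unchanged
    for target, pin_pos, op, cl_pos in rules:
        value = op(pin_d[pin_pos - 1], cl[cl_pos - 1])
        # Assumption: the post never gets a result outside 0-9 and says nothing
        # about that case; reducing mod 10 keeps one digit per CPIN position.
        out[target - 1] = value % 10
    return "".join(str(d) for d in out)


def new_challenge_list(groups: int = 4, width: int = 4) -> str:
    """Server side: a fresh, unpredictable CL for every login attempt."""
    return " ".join(
        "".join(str(secrets.randbelow(10)) for _ in range(width))
        for _ in range(groups)
    )


def verify_cpin(stored_pin: str, stored_rules: Sequence[Rule],
                challenge_list: str, submitted_cpin: str) -> bool:
    """Server side: recompute the expected CPIN and compare in constant time."""
    expected = apply_cp(stored_pin, challenge_list, stored_rules)
    return secrets.compare_digest(expected, submitted_cpin)


# The post's three challenge phrases, encoded as rules.
CP_ADD = [(1, 1, OPS["add"], 4)]            # 1st CPIN = 1st PIN + 4th CL
CP_MUL_SUB = [(1, 1, OPS["mul"], 8),        # 1st CPIN = 1st PIN * 8th CL
              (4, 4, OPS["sub"], 11)]       # 4th CPIN = 4th PIN - 11th CL
CP_TAKE = [(1, 1, OPS["take"], 4),          # 1st CPIN = 4th CL
           (2, 1, OPS["take"], 3),          # 2nd CPIN = 3rd CL
           (3, 1, OPS["take"], 16)]         # 3rd CPIN = 16th CL

POST_PIN = "123456"                # the PIN from the post
POST_CL = "3452 5643 3443 5645"    # the challenge list from the post


def login_round(pin: str, rules: Sequence[Rule]) -> bool:
    """One full exchange: server issues a CL, user answers, server verifies."""
    cl = new_challenge_list()                   # server -> user
    answer = apply_cp(pin, cl, rules)           # user (or the page's calculator)
    return verify_cpin(pin, rules, cl, answer)  # server check


if __name__ == "__main__":
    print(apply_cp(POST_PIN, POST_CL, CP_ADD))      # 323456, as in the post
    print(apply_cp(POST_PIN, POST_CL, CP_MUL_SUB))  # 323056, as in the post
    print(apply_cp(POST_PIN, POST_CL, CP_TAKE))     # 255456
    print(login_round(POST_PIN, CP_MUL_SUB))        # True
```

The verifier recomputes the CPIN from the stored PIN and rule set, so the server must hold the PIN in a recoverable form rather than as a one-way hash; that is a design cost of any challenge scheme of this shape. The post's own first example also shows why a rule set should touch every position: in 323456, five of the six digits are the PIN digits copied through unchanged, and the CPIN is sent in clear text.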