Monday, 19 May 2008

Yet Another Method to secure your password without encryption

Someone has devised a fairly sophisticated method to defeat the brute-force approach to breaking into computer accounts; that method could also defeat the infamous key-logging approach. Both attacks rely on the systematic nature of the password-entering process, so if that process is not systematic and well organized, the computational cost of accessing the account without knowing the password certainly increases. What remains to be seen is how such a method is implemented, and what computational constraints it faces.

My method here is never intended as a competitor, because it is too simple and straightforward. To reduce the security risk associated with key-logging programs and the brute-force method, we only need to increase the level of 'disorder' in the information they collect. That approach takes advantage of the fact that the cracker has no idea what the targeted password consists of. The method I describe here uses the same idea, but in a slightly different way.

My ideas are:
A. Instead of asking for the password in its original sequence, the program asks for the password in an arbitrary order formed at that moment (which is displayed as a picture). Now if the password contains 5 digits, there are altogether 120 possible orderings even if the cracker knows all the digits; and if the password has 10 digits, there are altogether 10! orderings to guess. If we program the machine so that any three invalid guesses require a 15-minute break before the next input, the former case takes 10 hours to crack, and the latter case takes 30 years.

B. To make the cases harder still, the program adds random characters to the password at entry. The user is required to enter the characters generated on the spot as well, which confuses the key-logging program. Moreover, this adds to the time the brute-force method needs: excluding symbols, adding one digit increases the attacker's average time to succeed by about 40 times. Bear in mind that neither the key-logging software nor the brute-force program is able to know those generated-on-the-spot characters.

C. In the same vein as A and B, the program sometimes does NOT ask for the whole password. Instead it may ask only for the digits in the random sequence it has just created, for instance in the order 3456, 253, 421. Taken as a whole, every digit of the password is eventually asked for. However, this adds to the confusion of brute-force and key-logging software, since they have no information about the order of the sequence (nobody, including the programmer of the program, would know it). They have information, but it is not very useful to them.

*D. Now, to make this method unbreakable, the password would be updated according to a formula that is either given before the operation or generated on the spot at random intervals. It may be that next time the fifth digit is increased by 1, or the fourth character is 'decreased' by 3, etc. The information is again useless to the cracker, since s/he doesn't know the original password.
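The following is an added example, not code from the original post: a small Python verifier for ideas A to C. Each login presents the character positions of the secret in a fresh random order (A), mixes in freshly generated filler characters that must be typed too (B), may cover only a subset of positions (C), and applies the post's rule of a 15-minute lockout after three wrong answers. It also computes the post's figures for the number of orderings and the worst-case time to try them all. The class, function and token names are my own; the sample secret is constructed for the demonstration.

```python
"""Verifier for the permuted-order login scheme (added example, not the
post's own code).  Challenge tokens are ("pos", i) meaning "type character
i of your password" and ("show", ch) meaning "type the displayed filler
character ch".  The secret is kept in memory as a plain string because
per-character checks cannot be performed on a password hash."""
import hmac
import math
import secrets
import string

LOCKOUT_AFTER = 3            # wrong answers before a lockout (from the post)
LOCKOUT_SECONDS = 15 * 60    # lockout length in seconds (from the post)
FILLER_ALPHABET = string.ascii_letters + string.digits


def compose_answer(secret, challenge):
    """What someone who knows `secret` types for `challenge`."""
    return "".join(secret[v] if kind == "pos" else v for kind, v in challenge)


def render_prompt(challenge):
    """Human-readable prompt; the post suggests showing this as a picture."""
    parts = [f"char #{v + 1}" if kind == "pos" else f"type '{v}'"
             for kind, v in challenge]
    return ", then ".join(parts)


class PermutedPasswordVerifier:
    def __init__(self, secret, rng=None):
        self._secret = secret
        self._rng = rng or secrets.SystemRandom()   # CSPRNG for challenges
        self.failures = 0
        self.locked_until = 0.0

    def new_challenge(self, n_positions=None, n_fillers=1):
        """Random ordering of `n_positions` secret positions (all by default)
        with `n_fillers` fresh filler characters inserted at random places."""
        n = len(self._secret)
        k = n if n_positions is None else n_positions
        tokens = [("pos", i) for i in self._rng.sample(range(n), k)]
        for _ in range(n_fillers):
            ch = self._rng.choice(FILLER_ALPHABET)
            tokens.insert(self._rng.randint(0, len(tokens)), ("show", ch))
        return tokens

    def submit(self, challenge, answer, now):
        """Check `answer` for `challenge` at time `now` (seconds).
        Returns "locked", "wrong" or "ok"; three wrong answers lock the
        account for LOCKOUT_SECONDS."""
        if now < self.locked_until:
            return "locked"
        expected = compose_answer(self._secret, challenge)
        if hmac.compare_digest(expected.encode(), answer.encode()):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= LOCKOUT_AFTER:
            self.failures = 0
            self.locked_until = now + LOCKOUT_SECONDS
        return "wrong"


def orderings(n_chars):
    """Orderings an attacker who already knows every character of an
    n-character secret must try: n! (the post's 120 for n = 5)."""
    return math.factorial(n_chars)


def brute_force_hours(n_chars):
    """Worst-case hours to try every ordering when each block of
    LOCKOUT_AFTER guesses costs a LOCKOUT_SECONDS wait; guess entry itself
    is counted as instantaneous.  Gives the post's 10 h for n = 5."""
    lockouts = orderings(n_chars) // LOCKOUT_AFTER
    return lockouts * LOCKOUT_SECONDS / 3600


if __name__ == "__main__":
    v = PermutedPasswordVerifier("hunter2")          # constructed sample secret
    ch = v.new_challenge(n_positions=4, n_fillers=2)
    print("Prompt:", render_prompt(ch))
    print("A user who knows the secret types:", compose_answer("hunter2", ch))
    print(f"5 chars: {orderings(5)} orderings, about {brute_force_hours(5):.0f} h")
    print(f"10 chars: {orderings(10)} orderings, "
          f"about {brute_force_hours(10) / 8760:.1f} years")
```

Two design points are worth noting. The verifier must rebuild the expected answer from the stored secret, so the secret has to be stored in a form that exposes individual characters; that is a consequence of any per-character challenge and is why the example holds it as a plain string rather than a hash. The lockout arithmetic also shows that the post's time estimates come almost entirely from the 15-minute delay, not from the permutation itself: without the lockout, 120 orderings are tried in seconds.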

Presumably, a cracker could break this method by taking a snapshot of the screen on which the password is entered. However, in some cases that is impossible; and in other cases it would require an artificial-intelligence program to identify the digits in the picture and then analyze the data entered. That would increase the cracker's difficulty by at least a thousand-fold compared to existing methods.

Who would like to write such a program?
