另一種不用加密也可保護你密碼的方法

之前有人提出了一個令黑客就算完全知道你密碼也無法進入你戶口/帳戶的方法,就算黑客用暴力破解法,因為每次系統要求的資料不同,所以此破解法也會失效。其實,發明者忽略了保護密碼在之前還有一個步驟,就是輸入密碼,只要黑客不是親身在場去抄低你的密碼,我就有辦令這些專記錄使用者所有鍵入的資料的木馬程式失效。
我的思路是針對此類記錄程式最大的弱點,它把所有鍵入的資料以順序來儲存, 好像是假設使用者只會同時使用一個程序,然後依順序先輸入戶口名稱及密碼,用者只要打破這個最方便使用者的腦神經運作的輸入名稱及密碼順序,由於此類記錄程式不能知道使用者是在什麼樣的情況下輸入它所記錄的資料,只能假設使用者的使用模式再從資料中反推出名稱和密碼,例如從name[enter]password[enter]中的name得知它為戶口的登入名稱,之後輸入的就一定是它的密碼。假如使用者不依此規則來輸入戶口名稱和密碼,如n[Tab]pa[mouse click]a[Tab]ss[mouse click]m[Tab]wo[mouse click]e[Tab]rd[return],由於黑客無法事先知道使用者是以悔花間竹式輸入戶口名稱及密碼,所以得到了鍵入的資料也無法重新組合出戶口名稱及密碼,甚至不能得知使用者輸入資料用來做什麼,破解戶口名稱及密碼無從談起(除非使用者長期都是用同一組模式來輸入戶口名稱及密碼,這時黑客會留意到有一些不斷重複出現的資料模式)。
我現在只是用了最簡單的方式去實現我此一針對記錄程式的弱點,實際上可以用不只用此一方法,例如不一定要依上列順序先戶口名稱再密碼不斷重複,使用者大可以隨自己喜歡的順序來把戶口名稱及密碼拆來輸入,同時亦沒有規定每次輸入戶口名稱一定要每次1字,然後夾2字密碼,因此,使用者大可以用n[Tab]p[mouse click]a[Tab]as[mouse click]m[Tab]swo[mouse click]e[Tab]rd[return],一共有38種組合(假設一定是把戶口名稱及密碼各拆成4組),而此類軟件不能讀使用者的心,所以變成有資料也無法破解戶口名稱及密碼。聰明的讀者還可以想到因為有[Backspace]一鍵,使用者甚至可以故意加入戶口名稱及密碼中不存在的字元來混淆黑客,只要此類記錄程式無法得知使用者用[Backspace]一鍵消去了什麼多餘的字元時,黑客同樣是得物無所用;我還沒有提及當使用者在同時登入數個戶口時,故意把各戶口名稱搭上不是該戶口的密碼的組合呢!

Yet Another Method to secure your password without encrpytion

Some has devised a pretty sophisticated method to defeat the Brute Force method in breaking in computer accounts, that method could also defeat the infamous key-logging method. Because both methods relies on systematic nature of the password-entering process, if it is not systematic and well-organized, that certainly increase the computational cost of accessing the account without knowing the password. What then we see is to how that method is implemented, and what computational constraint we have in that method.

My method here is never intended as a competition because is too simple and straight-forward. To break the security risk associated with key-logging program and brute force method, we only need to increase the level of ‘disorder’ of the information collected by them. That method is taking advantage of the cracker that has no idea of what consist of the targeted password. Now the method I provide here also use that idea but in a slightly different way.

My ideas are:
A. Instead of asking for the password in its original sequence, the program would ask for the password in an arbitrary order formed at the moment (which is displayed as a picture). Now if the password contain 5 digits, there are altogether 120 combinations even if the crack know all the digits; and if the password has 10 digits, there are altogether 10! of combination to guess. If we program the machine so that any three invalid guess require a break of 15 minutes between next input. Former cases require 10 hours to crack, and the later case require 30 years to crack.

B. To further increase the difficult of the cases, the program would add random character to the password for entrance. The user is required to enter also the generated-on-site character, that is to confuse the key-logging program. Moreover, that added into the time required for brute-force method to work, excluding symbols, adding one digit would increase their average succeed time by about 40 times. Bear in mind that both key-logging software and brute-force program is unable to know those generated-on-site characters.

C. In the same vein of B and A, sometimes the program would NOT ask for the whole password. Instead it may just ask for the digits in the random sequence it just created, for instance, in the order of 3456, 253, 421. As a whole, every digits of the password is asked. However, that added to the confusion of brute-force and key-logging software since they don’t have any information of the order of the sequence (Nobody including the programmer of the program would know). They have information but it is not very useful to them.

*D. Now to make this method unbreakable, the password would be updated according to a formula that is either given before the operation or a formula that is generated on-site in random interval. It maybe that in next time, the fifth digit is increased by 1, or the fourth character is ‘decreased’ by 3… etc. The information is again useless to the cracker since s/he doesn’t know the original password.

Presumably, cracker could break this method by taking snapshot of the screen which the password is entered. However, in some case it is impossible to do so; and in other cases it would require Artificial Intelligence program to identify the digits in the picture, then analysis the data inputed. That would increase the difficulties of cracker by at least thousand-fold compare to existing method.

Who would like to write such a program?