[Cryptography] Say 'unguessable' not random

Kent Borg kentborg at borg.org
Sat Aug 27 10:49:41 EDT 2016


On 08/26/2016 10:12 AM, Patrick Chkoreff wrote:
> I wonder if something like a banking site should generate unguessable 
> passwords for new users. It could display the password to the user and 
> instruct him to write it down. Then when he pushes the "Continue" 
> button, it would require him to enter the password.

That reminds me of how one of my bank accounts does it: I have an 
8-character alphanumeric password that they chose for me.

This might seem like a too-short password to some, so let me continue, 
and annoy some of you further...

When I log in they only ask for a few of the characters.

I am guessing they couple this with a significant tracking of my 
behavior: my IP address, my client versions, time of day and week, 
whether I have logged in recently, what my transactions were while 
logged in, whether I have the cookie they gave me last time, number of 
failed logins and the details surrounding those attempts, etc. Okay, they 
probably don't track all of those but I bet they have thought about all 
of those and they are on the list of security features they might add.

The "username" is not my standard (and very guessable) "kentborg"*; it 
is an account number, but not the bank account number: the number on my 
ATM card. My old ATM card (the one I lost, that I left in a machine and 
walked away from one stupid day).

     * I use "kentborg" mostly everywhere, so it is well known,
       and that was a problem for my brokerage account: someone
       was trying to break in. My password was high-quality, so I
       wasn't very worried, but the brokers were and kept making me
       change my password--too many failed attempts. So I changed
       the username, too, it is now also a high-quality "password".
       Problem seems solved. Good, I want to retire some day, rather
       not have that money stolen.

And they are watching other stuff. One day my account locked me out and 
when I phoned I was told I had some specific MS Windows malware and I 
needed to have an expert clean my computer before they would turn my 
online account on again.

This was odd, because I am on Linux. But I think I know what happened: 
they don't allow pasting into the account field but I got around that 
with the center-click paste feature in X windows. Their security 
monitoring detected that and IDed it as some specific malware. The 
human I talked to on the phone was insistent that I needed to have an 
expert fix my MS Windows machine, but when I said it didn't apply to me, 
I was easily escalated to someone more knowledgeable who understood what 
I was talking about and turned on my account again.

But back to the overall password approach they use, I bet there will be 
disagreement, but I think it is excellent. It has a lot of really cool 
features. It forces the customer to write down the password (which is a 
good thing even though there is plenty of obsolete religious dogma that 
screams in opposition). It is very resistant to spyware. It has 
escalation options that don't rely on "security questions"**: I have not 
recorded the pattern, but they can know when they have asked for each 
password character and can keep one in reserve. It has very few drive-by 
login attempts to worry about because the account number is pretty dang 
secret. It is non-standard enough (single character fields, one for 
every character of the password, but most are dummy, fill in the 1st, 
5th, and 6th...or something like that) that automated password entry 
from some buggy password utility probably won't work so they avoid being 
attacked at that integration--the html might also be rather scrambled so 
the entry fields are hard to automatically ID and the instructions might 
be just graphics (raising hell with screen reader software).

     ** I get asked a security question *every* time I log in because
        I always log in from a fresh browser context which doesn't
        have their cookie.

I have had this account for a few years and they did change my password 
once, the old one was only 6-characters. I am guessing 6 was plenty big 
for their basic design, but it didn't have the safety margin of being 
able to withhold some character for emergencies, and let some other 
character age out far enough to assume spyware probably doesn't know it.

-kb, the Kent who hopes he hasn't posted this description before and 
would be boring people.
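The partial-password scheme described in the post (ask for a few positions of an 8-character password at each login, never ask for one reserved position, and use the position that has gone longest unasked for escalation) sketched as server-side logic. This is an added illustration, not the bank's code or the poster's; the Account fields, the 0-based positions, and the sample password are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

PASSWORD_LEN = 8   # the post describes an 8-character alphanumeric password
ASK_PER_LOGIN = 3  # only a few positions are requested per login


@dataclass
class Account:
    password: str                 # hypothetical: the issued password, held server-side
    reserve: int                  # 0-based position never asked at normal logins
    last_asked: dict = field(default_factory=dict)  # position -> login number when last revealed
    logins: int = 0


def login_challenge(acct: Account, rng=secrets.SystemRandom()) -> list:
    """Pick ASK_PER_LOGIN distinct positions at random, never the reserve."""
    candidates = [p for p in range(PASSWORD_LEN) if p != acct.reserve]
    return sorted(rng.sample(candidates, ASK_PER_LOGIN))


def escalation_challenge(acct: Account) -> list:
    """Reserve position plus the position that has gone longest without being asked.

    A character not revealed for a long time is the one spyware on the client is
    least likely to have captured, which is the safety margin the post describes.
    """
    others = [p for p in range(PASSWORD_LEN) if p != acct.reserve]
    stalest = min(others, key=lambda p: acct.last_asked.get(p, -1))
    return sorted([acct.reserve, stalest])


def verify(acct: Account, positions: list, answers: str) -> bool:
    """Check the characters supplied for the requested positions in constant time.

    On success, record that these positions have now been revealed; once the reserve
    has been used in an escalation a real system would pick a new reserve or reissue
    the password, which this example leaves to the caller.
    """
    if len(answers) != len(positions):
        return False
    expected = "".join(acct.password[p] for p in positions)
    ok = hmac.compare_digest(expected.encode(), answers.encode())
    acct.logins += 1
    if ok:
        for p in positions:
            acct.last_asked[p] = acct.logins
    return ok
```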