A Passhint is not a Password

image

We have used a combination of characters as secret passwords since the beginning of computers.. It might had been adapted from centuries of usage of a similar system of verification, which probably worked without computers & only needed a secret code to access the information.

The present system builds a user account based on a username (e mail address or character combo), a password (an arbitrary string of  n number of characters) & usually a hint question (an easy to remember question, in order to verify the user, in case of forgotten passwords) to create a new account. To access the data in the account, the system usually verifies the user name & password associated with it. A one step verification (username to match with the provided password) for providing access.

The current system has its flaws & its easier to break the system with a simple permutation combination program by any kid who can write such a program. Let us not call them hackers! Hence we had been innovating different systems to create secure accounts. Encryption, Biometrics, device feedback systems, etc. to create secure accounts, the latter, which have virtually eliminated the need for a password.

But would passwords be a thing of the past as newer technology outdates existing systems of authentication? It is difficult to predict at this point of time, as newer technologies are restricted by usage & the popular username password combination fits well for certain systems of transactions, eg, ATM.

So, the question I had been trying to answer is – what can be done to our existing systems to make accounts more secure and also give hackers a difficult time in order to open a knot, which keeps changing its shape & form every time, it is used. What if, we allow ourselves to type a different password every time to access our account & how is it possible?

Let us take our single step verification system with its username, password & hint question again. But this time, the sequence of arrangement is USERNAME-PASSHINT-PASSWORD. Everthing is similar to the earlier system, but in the passhint field, the user is prompted to set a range for the password, eg, some mathematical series, a favourite book or chapter, your favourite lyrics, etc. so that a user defines the range for a possible password to the system. The user then sets an arbitrary password, which is a character or a series of characters previously set on the passhint field and creates an account. All set, user is verified through email & we are good to use our new account. To log in, we type our username & a variable password from the range previously set while creating our account.

Good enough! But what if a hacker hacks our passhint & somehow access the range we set for our password? He would be able to access our account by typing gibberish from the Passhint range we set earlier.. That I guess would be more difficult since the passhint is not provided on login screens for our regular logins & in order to do that, the server has to be compromised, which is a bit difficult compared to brute force hacking of passwords from public computers using free software. But in a scenario where 8 to 20 fixed password characters can be hacked in matter of minutes with todays technology an arbitrary character password could hold longer, or to an extent would be impossible to crack, on condition that the passhint remains secured.

Still doubtful?? Please feel free to comment & mention whats troubling you!

Advertisements