Very good point.
Another idea:
Generate a random "keyboard layout convertor" image and corresponding "program" to convert keystrokes correspondingly.
Maybe even change this image after each keystroke.
e.g. at first keystroke q is converted to #, w → l, e -> ., r …, t …, y … etc
at second keystroke q is converted to d, w -> 7, etc
Not very quick, but if you don't have to type your password often, it could be a workable solution.
Hi @Tom_Carlson
I visited this subject some time ago; the first post is followed by a second post that refines and corrects some initial ideas. The crux of the problem is finding a puzzle that is trivially solvable by the human brain, but near impossible to reverse engineer.
Maybe you can find some inspiration from this previous brainstorm:
How would this work??
x number of rows of letters/numbers… They are placed in alphabetical order but at different random starting positions and are moving at varying random speeds. Each row is moving in alternating directions.
You start at the top. As the letters go by, the user can press a particular "hot key" when their desired letter or number is in the target, then the second, then the third, then the fourth etc… Optionally, they may also type anything else, so that any keylogger just intercepts gibberish… The letters would not stop moving when the hotkey was pressed, so a camera wouldn't work too well.
The program would discern the password, but a keylogger would need to log the rhythm of the hotkey presses and somehow synchronize it with the random starting positions of the letters and the random velocities… If this wasn't complicated enough, the user could also specify which row they start at… So somebody with a camera wouldn't know if their responses were to row 1, row 5 or row 10…
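To make the timing idea concrete, here is an added simulation (my own code, not from the post above or the SAFE project). It assumes 36-symbol rows (a-z, 0-9), whole-symbol speeds per tick, a single hot key, and a few random decoy keys typed between hot keys; the speeds are chosen coprime with 36 so every row eventually shows every symbol. The entry program, which knows the row geometry and the chosen start row, recovers the password from the hot-key ticks; the keylogger view contains only keys.

```python
import random
import string

# Added simulation of the scrolling-rows entry scheme (constructed example).
# Assumptions (not from the post): 36-symbol rows, integer speeds in symbols
# per tick, one hot key, decoy keystrokes typed at random between hot keys.

ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols, alphabetical order
SPEEDS = [1, 5, 7, 11]   # coprime with 36, so every row eventually shows every symbol
HOTKEY = "<space>"


def make_rows(n_rows, rng):
    """Each row: random start offset, random speed, alternating direction."""
    return [{"offset": rng.randrange(len(ALPHABET)),
             "speed": rng.choice(SPEEDS),
             "direction": 1 if i % 2 == 0 else -1}
            for i in range(n_rows)]


def char_in_target(row, tick):
    """Symbol sitting in the target column of `row` at a given tick."""
    n = len(ALPHABET)
    pos = (row["offset"] + row["direction"] * row["speed"] * tick) % n
    return ALPHABET[pos]


def next_tick_showing(row, ch, start):
    """First tick >= start at which `ch` is in the target column."""
    tick = start
    while char_in_target(row, tick) != ch:   # terminates: speed is coprime with 36
        tick += 1
    return tick


def simulate_user(rows, password, start_row, rng):
    """Keystroke stream a keylogger captures: (tick, key) pairs, hot keys plus gibberish decoys."""
    events = []
    tick = 0
    for k, ch in enumerate(password):
        row = rows[(start_row + k) % len(rows)]       # next character uses the next row
        tick = next_tick_showing(row, ch, tick + 1)
        for _ in range(rng.randrange(3)):            # optional decoy keys, ignored by the program
            events.append((tick, rng.choice(ALPHABET)))
        events.append((tick, HOTKEY))
    return events


def decode(rows, start_row, events):
    """What the entry program recovers: it knows the row parameters and the start row."""
    chars = []
    k = 0
    for tick, key in events:
        if key != HOTKEY:
            continue                                  # decoys carry no information
        chars.append(char_in_target(rows[(start_row + k) % len(rows)], tick))
        k += 1
    return "".join(chars)


def keylogger_view(events):
    """What a keylogger sees: only keys, no row geometry and no start row."""
    return " ".join(key for _, key in events)


def demo(password="s4fe", n_rows=10, start_row=4, seed=1):
    rng = random.Random(seed)
    rows = make_rows(n_rows, rng)
    events = simulate_user(rows, password, start_row, rng)
    return decode(rows, start_row, events), keylogger_view(events)


if __name__ == "__main__":
    recovered, logged = demo()
    print("program recovered:", recovered)
    print("keylogger saw    :", logged)
```

The decoder's only inputs are the hot-key ticks, so the secret that protects the password is the row state (offsets, speeds, start row) that lives on the screen and in the program, never in the keystroke stream.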
Tom, there are ways of increasing the entropy, though I'm not suggesting this as a solution. I'm showing how data stored on SAFE could be used to create a set of credentials. Other systems could be created using this principle. You've pointed out the obvious flaw in my example, so… can we improve it?!
Why not use an account and an application in the SAFEnet to avoid keyloggers and other threats?
Might work as follows:
1 / We enter an account with the SAFE App Launcher that only has a single App inside. (We could call this App SAFEBridge.)
2 / This application, for example, could have a system of one-time passwords as two-factor authentication, a proprietary token such as RSA SecurID, or a paper hardcopy with transaction authentication numbers.
3 / This application, once we authenticate, opens our true account, which will be secured. Now we can close the first account.
In this way an attacker with a keylogger could access the first account but not the second one.
Of course, if we are in a secure environment, we can enter to the second account on a regular basis.
What do you mean by [quote="Tom_Carlson, post:3, topic:2934"]
Prior to login, there is just no information at all that's available.
[/quote]
?
When you log in to a standard web form, your credentials are submitted, validated, then you're logged in. It's not like all your account info is accessible at the login page.
I've heard @dirvine say in a couple of videos that biometric login will eventually be available, but it wasn't clear if that might replace the passcode field (different to the password field).
There is another option. Token Controlled Access is being developed by Cryptonaut420 on Github (cryptonaut420 · GitHub) collaboratively with Adam B Levine, creator of Let's Talk Bitcoin. Token controlled access could be a way to securely access one's maidsafe data without worrying whether or not a computer has been compromised by key logging software. The token is as secure as the private key of a bitcoin address. Proof of ownership is what allows access. This is an idea worth looking at.
Since many will be using maidsafe as a way to monetize their content, there will be a need for shared accounts, but shared in a way where access can be removed by the primary party; this could also be done with tokens. This endeavor is called Tokenly and is quite powerful in the scope of possible applications in the online and physical world.
What about using BitID with Trezor or similar to log in?
It's secure because the seed is offline and you can use it even on a compromised PC.
Am I the only one who doesn't like biometric devices to log in?
You are not the only one. I do not like them one bit. All the movies where people are dismembered in order to access a biometric lock reinforce this dislike.
The password should not be replaced by any one thing, but instead should be supplemented by additional layers of security. The goal should be the holy trinity of security.
Something you know.
Something you have.
Something you are.
That's not true. That information is available, it's just not available to you. It is, however, available to the webserver. The webserver has the ability to access the database prior to your successful login. That's how it's able to check your password. It's also how it does two-factor authentication.
In maidsafe's case, there is no server and there is no data that's accessible by the maidsafe client, until you decrypt that 1st blob with your passcode. [EDIT: public data is accessible without logging in]. That makes us need to think a little differently, when it comes to what is possible prior to successful login.
Exactly, the data is still on the server though, and even if you could hack and query a secure webform, the server would still have to "send" the data to the client/browser to load the website files locally. As you may know, that's where caching comes in, to make websites faster. That's why I was asking for clarification.
Another improvement: sound commands.
Then not only do the keystrokes have to be logged and the screen captured, but also sound recorded…
Sound commands like "type random character next", "type next character of password" or "type next character of password, using keyboard conversion 3 on screen" etc…
I've been thinking: when combining keyboard, screen and sound interfaces is a realistic way to give a password, circumventing keyloggers and screen capturing without sound recording, then it can be easier than described in my previous response, of course:
There are 95 ASCII characters to choose from when typing a password.
Imagine a system password input app, showing a new keyboard convert layout image after each keystroke with a unique, random number between 0 and 99 assigned and displayed on this image for each of these 95 characters.
When the computer says (literally: a sound and not a screen interface) a random number between 0 and 99, add it to the number assigned to the next character of the password, as shown on the keyboard convert layout image on the screen, and do modulo(100), meaning of course if result > 100, don't type the first 1 of the result on the keyboard.
If the computer says e.g. "random 23", type 23.
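Here is an added demonstration of this scheme (my own code, not from any post in the thread), which also covers the earlier "keyboard layout convertor" idea of a fresh substitution image after every keystroke: with `spoken=False` the block reduces to that plain per-keystroke substitution. It assumes two-digit answers, that each image assigns a unique number 0-99 to each of the 95 printable ASCII characters, and that the spoken challenge is either "add N" (combine with the on-screen number) or the decoy "random N" (type N, which the app discards); names such as `new_layout` and `run_session` are my own.

```python
import random
import string

# Added demonstration of the "layout image + spoken number" entry scheme
# (constructed example). Assumptions, not from the posts: two-digit answers,
# a spoken challenge of the form ('add', s) or the decoy ('random', s), and a
# unique number per character on every image.

CHARSET = string.ascii_letters + string.digits + string.punctuation + " "   # 95 characters


def new_layout(rng):
    """One keyboard-convert layout image: a unique random number 0..99 per character."""
    return dict(zip(CHARSET, rng.sample(range(100), len(CHARSET))))


def spoken_challenge(rng, decoy_rate=0.3):
    """What the computer says (audio only): ('add', s) or the decoy ('random', s)."""
    s = rng.randrange(100)
    return ("random" if rng.random() < decoy_rate else "add", s)


def user_response(layout, challenge, next_char):
    """What the user types: the spoken number itself for a decoy, else (assigned + spoken) mod 100."""
    kind, s = challenge
    if kind == "random":
        return f"{s:02d}"
    return f"{(layout[next_char] + s) % 100:02d}"


def app_decode(layout, challenge, typed):
    """Invert the user's response; None for a decoy or an unassigned number."""
    kind, s = challenge
    if kind == "random":
        return None
    number = (int(typed) - s) % 100
    inverse = {v: c for c, v in layout.items()}   # unique numbers make this unambiguous
    return inverse.get(number)


def run_session(password, seed=7, spoken=True):
    """Return (what the app recovers, what a keylogger records).

    spoken=False reduces the scheme to the plain per-keystroke layout
    convertor: offset 0 and no decoys, the image alone does the masking.
    """
    rng = random.Random(seed)
    recovered, keylog = [], []
    i = 0
    while i < len(password):
        layout = new_layout(rng)                                  # fresh image after every keystroke
        challenge = spoken_challenge(rng) if spoken else ("add", 0)
        typed = user_response(layout, challenge, password[i])
        keylog.append(typed)
        ch = app_decode(layout, challenge, typed)
        if ch is not None:
            recovered.append(ch)
            i += 1
    return "".join(recovered), "".join(keylog)


if __name__ == "__main__":
    got, logged = run_session("P@ss w0rd!")
    print("app recovered :", got)
    print("keylogger saw :", logged)
```

The keylog is a string of digits; recovering a character requires both the image (screen) and the spoken offset (audio) for that exact step, and the decoy "random N" steps contribute digits that the app simply drops. The uniqueness of the numbers on each image is what lets `app_decode` invert the response without ambiguity.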
I didn't know this one existed yet.
Keystroke Recognition from Wi-Fi Distortion
https://www.schneier.com/blog/archives/2016/08/using_wi-fi_sig.html