Why not memorise an additional number which is a hash of the password that you can display on the login form to prove you got the password typed right before you waste an attempt
Lotus notes did this
Annotation:
Someone looking over your shoulder may be unsure exactly what password you've just typed in. However, if they've got a few of the letters from watching you type, and they know the hash (because it's displayed on screen), then it's a much simpler task to 'brute-force' guess the remaining letters until the hash is correct.

If you lock yourself out of your Google account, it's gone for good, there's no customer support.

There must be an amendment that solves hippo's mentioned problem with this scheme.

Good security advice is that you have a different password for every account that you own. This means that you should memorise a different secure password for every service.

Banks, email, pension, shops, employer passwords and so on.

If you lose your phone and use a password manager and you have 2FA enabled, you have 3 attempts.

//Someone looking over your shoulder may be unsure exactly what password you've just typed in. However, if they've got a few of the letters from watching you type, and they know the hash (because it's displayed on screen), then it's a much simpler task to 'brute-force' guess the remaining letters until the hash is correct.//

Actually, that's not /necessarily/ the case. Not to any significant degree, anyway.
I mean, the 'user memorised hash' doesn't have to be a big complicated cryptographically secure hash, because if I understood the idea correctly, its purpose is just for client-side user confirmation.
It could be more like the 'check digit' of a credit-card number. I'd go for something like two alphanumeric characters, that is, 1296 values. Or maybe actually just a subset of that - 1024 values (or even 256), to make the calculation straightforward. It doesn't have to be stored server-side. It would be something shown as they type, so they could confirm that the value they've entered has a good chance of being correct. With long passwords that you can't check on the screen, or short passwords with numbers and symbols, it would be very handy.

When the user enters a password, they would be shown the short hash of what they typed. Obviously on a correct password a shoulder-surfer could learn this information, which marginally improves their chance of cracking it. But they can do better - if the hacker is already watching them type, the doors are kind of already blown clean off any security.

A hash is a dish consisting of chopped meat, potatoes, and fried onions. If you substitute the potato element of this dish with alphabet pasta (known as alphabetti spaghetti in the UK), you could make a genuine password hash.

I would reduce the hash to 4 icons. If I've typed it correctly I'll see duck, stapler, peanut, walrus.
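An added example, not code from the Halfbakery post or any of its annotators: a client-side check in JavaScript that maps the typed password to a small number of buckets (1296, the two-alphanumeric-character count from the earlier annotation) and renders the bucket as four icons from a palette of six, as this annotation suggests (6^4 is also 1296). It also quantifies the cost hippo raised: how many bits an onlooker learns from the displayed value, and by what factor that narrows a candidate list. The FNV-1a hash, the icon palette, the bucket count and the function names are all assumptions; nothing here is stored or sent server-side.

```javascript
// Added example (not from the Halfbakery post): a short client-side "check value"
// for a typed password, shown as icons so the typist can confirm the entry
// before spending a login attempt.

// Hash choice is an assumption: a non-cryptographic FNV-1a is enough here,
// because the value never leaves the browser and only needs to tell typos apart.
function fnv1a32(str) {
  let h = 0x811c9dc5; // FNV offset basis
  for (const b of new TextEncoder().encode(str)) { // hash the UTF-8 bytes
    h ^= b;
    h = Math.imul(h, 0x01000193) >>> 0; // FNV prime, kept as unsigned 32-bit
  }
  return h >>> 0;
}

// Reduce the hash to one of `buckets` values. 1296 = 36^2 matches the
// "two alphanumeric characters" suggestion; 1024 or 256 work the same way.
function checkValue(password, buckets = 1296) {
  return fnv1a32(password) % buckets;
}

// Constructed palette (assumption): six icons in four positions give
// 6^4 = 1296 buckets, the same count as two alphanumeric characters.
const PALETTE = ["duck", "stapler", "peanut", "walrus", "teapot", "anchor"];

// Render the check value as `count` icons, most significant position first,
// by writing the bucket number in base palette.length.
function checkIcons(password, palette = PALETTE, count = 4) {
  const buckets = palette.length ** count;
  let v = checkValue(password, buckets);
  const icons = [];
  for (let i = 0; i < count; i++) {
    icons.unshift(palette[v % palette.length]);
    v = Math.floor(v / palette.length);
  }
  return icons;
}

// The defender's cost of the display: an observer who sees the icons learns
// log2(buckets) bits about the password, so a list of `candidates` guesses
// shrinks to about candidates / buckets that are still consistent with the
// display. With 1296 buckets that is roughly 10.3 bits; the typist gets a
// typo check, the onlooker gets a 1296-fold smaller search.
function leakedBits(buckets) {
  return Math.log2(buckets);
}
function consistentCandidates(candidates, buckets) {
  return candidates / buckets;
}

// Stand-alone demo: a correct entry and a one-character typo normally show
// different icons, which is the whole point of the display.
const typed = "correct horse battery staple"; // constructed sample input
const typo = "correct horse batery staple";
console.log("entered :", checkIcons(typed).join(", "));
console.log("typo    :", checkIcons(typo).join(", "));
console.log("bits shown to an onlooker:", leakedBits(PALETTE.length ** 4).toFixed(2));
```

Two design choices worth noting from the defender's side: the bucket count is the only knob, and it trades typo detection (a 1-in-1296 chance that a typo shows the same icons) against leakage (about 10 bits); and because the value is computed in the browser from the keystrokes, the server never learns it, so a breached database gains nothing from the scheme.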