Disposable Passwords (+22, -1)
Use unsafe computers without fear

Sites that require a username and password to open your account (banking, email, etc.) should have the option of allowing the user to create a temporary "disposable" password that can only be used once. Any subsequent attempt to use the same disposable password will fail. This will avoid "replay" type attacks that can occur from having your keystrokes logged on a compromised computer.

For example, say you're going traveling and you think you may need to access your bank. Before you go, you log in from a safe computer (home) and create a disposable password. If you need to access your bank, you can log in from any PC without fear of it logging your keystrokes and people obtaining your password, since it's invalid immediately after you use it. Worst case scenario, they know your username (or bank card number), but not your password.

Options could include creating multiple disposable passwords (that need to be used sequentially...?) for multiple occasions, or creating time windows in which they are allowed to be used for enhanced security.
-- darren-b, May 24 2008
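
The scheme proposed in the post above, sketched as server-side logic (an added example, not part of the original post or any bank's system): single-use passwords with the optional sequential order and time window. The class and function names, the PBKDF2 parameters and the timestamps are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

class DisposablePasswords:
    """Hypothetical per-account store of single-use passwords; keeps salted hashes only."""

    def __init__(self, sequential=False):
        self.sequential = sequential   # True: passwords must be used in issue order
        self.entries = []

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def issue(self, count, not_before, not_after):
        """Return `count` new passwords, each valid once inside the time window."""
        issued = []
        for _ in range(count):
            password = secrets.token_urlsafe(9)   # 72 random bits, 12 characters
            salt = secrets.token_bytes(16)
            self.entries.append({"salt": salt, "digest": self._digest(salt, password),
                                 "not_before": not_before, "not_after": not_after,
                                 "used": False})
            issued.append(password)
        return issued

    def verify(self, password, now=None):
        """True only for an unused password inside its window; any match is burned."""
        now = time.time() if now is None else now
        unused = [e for e in self.entries if not e["used"]]
        candidates = unused[:1] if self.sequential else unused
        for entry in candidates:
            if hmac.compare_digest(entry["digest"], self._digest(entry["salt"], password)):
                # Burn on any match: the password has been typed somewhere, so treat
                # it as exposed even when the attempt is outside the window and refused.
                entry["used"] = True
                return entry["not_before"] <= now <= entry["not_after"]
        return False

def demo():
    """Constructed scenario: two passwords issued at home for a one-week trip."""
    start = 1_000_000.0                 # constructed timestamp, not a real date
    store = DisposablePasswords(sequential=True)
    first, second = store.issue(2, not_before=start, not_after=start + 7 * 86400)
    return {
        "out_of_order": store.verify(second, now=start + 60),          # wrong order
        "first_use": store.verify(first, now=start + 60),              # accepted once
        "replay": store.verify(first, now=start + 120),                # keylogger replay
        "after_window": store.verify(second, now=start + 8 * 86400),   # expired
        "burned_anyway": store.verify(second, now=start + 3600),       # already exposed
    }
```
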

One-time passwords http://en.wikipedia...i/One-time_password
Also known as S/KEY. [jubilex, May 26 2008]

I sense a bake sale in your future. Lots of hot tasty buns. +

Why not take it a step further and try disposable phone numbers. See a girl at the bar, but afraid she might be touched in the head. Give her the disposable phone number you set up with your carrier before you left the house. If she turns out to be nuts after your first follow-up date, then there's no worries.

Plenty of applications.
-- (mans)laughter, May 24 2008


This is partially (very partially) baked, or was, in Germany with the bank DB24. I don't know if this is a German-exclusive thing or not, but any time you wanted to pay a bill or transfer money you used a disposable number (not reusable) on a sheet of numbers given to you in the mail.
-- mylodon, May 24 2008


I know of at least 3 banks that have a "one time PIN" system. You still use your normal username/password, but once you get in, unless you punch in the key from a token you can't actually transact. Natwest in the UK, Citibank Singapore and Commonwealth Bank in Australia.

[+] for having a once-off password so they never even find out your normal password.

Edit: 4x banks. The lovely folks at DBS Singapore just sent me yet another token.
-- sprogga, May 24 2008


My bank sends me a text message to my phone every time I want to complete a transaction. You can do nothing if you have my account number, my login name and my passwords if you don't also have my phone.

This is in reaction to the above annos.

Idea is good though. + for the time window.
-- zeno, May 25 2008


This reminds me of the "virtual credit card numbers" offered for online payments. I think this innovation is far more useful, though. [+]
-- imagine002, May 25 2008


Just a comment, in retrospect: This is best suited for low-cost applications. Things like banking and corporate email are best served with SecurID (or similar). So, for example, this would be good to protect your web email or HalfBakery account. : )
-- darren-b, May 26 2008


I believe a similar system is used for communication between U.S. nuclear submarines and Washington. (At least it was in a movie... can't remember which one. Hunt for Red October?)
-- kevinthenerd, Jul 19 2013


