So here is my first blog post at this site. I never really wrote a blog before, just a series of random posts and news articles on my own site.
Security is obviously important to prioritize when you write code, but many people first code something with only "looks and functionality" in mind. Indeed, sometimes it is best to leave security to those who do nothing but eat, drink, and hardly sleep over nothing but security and how someone might break a system. I am no expert, but I do enjoy thinking of new ways to make things as secure as possible without making the entry barrier too scary. The best way to really test a scheme is to have someone else test it. It is easy to anticipate what lies within your own realm of expectation, but another user may be more crafty. The thing is, security comes in many different flavors; some are more effective than others, and much of it only stops "script-kiddies" and the like from breaking stuff.
One of the latest things I've worked on is a way to replace passwords in the long term, or at least to introduce something that can be a much stronger additional layer of security at the very least. Security is always an interesting subject to think about. You have to think outside the box and not within the limits of your own realm and your own software. You also have to expect that some of your users will be morons. They will give away their information either willingly or unknowingly through everyday browsing or by posting on other sites. You can control your users' security only as far as you give them rope, and if you give them too little, a site's range of possibilities and its appeal close in on themselves (do not assume less is more!).
No one likes remembering a password, or at least most ordinary people don't. What if you could simply have some file on your computer and it would be your key to entry? The best example, and the easiest to make complex, is an image. Now I know what many security-aware readers are thinking: Mr. Fox is going to use some common image as his password and all hell will break loose for him! This is where this password system gets fun. Also, from now on I'd like to call my system "Scrypass".
Now you have this image, right? Even if you picked something like your ref sheet (a bad idea, perhaps), you MERELY need to change one pixel to change the combination that, in technical terms, is this password. You can simply change the hue or even the transparency and your scrypass would be totally different! You might even use the same image on every site that supports this technology, and lo and behold, by changing one pixel or even just its hue you change the password, and we're talking about a per-character strength of 16,777,216 versus 94ish (if I recall). This means that guessing which pixel changed is going to be quite difficult, and building a "rainbow image" program will be completely out of the question if we use brute-force protection and hash the image correctly with something like SHA-2/3 or BLAKE2, salted per user and uniquely for that site. I mention BLAKE2 because its hashing seems to work well with large files. I would of course like to run more experiments before I can deem the collision rate of the system near zero or zero.
Amazing, something like this would indeed make security much more convenient for user accounts. I don't know whether something like this already exists, but whether it does or doesn't, I shall aim to make it more popular. Now here is where we can strengthen that security even further! PINs are usually easy enough to remember. Think of an "additional layer" for the scrypass system that "crops" this image, with part of that crop also hashed into your user account. What we then have is an image that can be as unique as a family photo, 1k to 5k by 1/5k in width and height, that is also used for this "pin". That means that without the pin the image is useless (protection against someone who stole your scrypass), but without the image the pin is also useless. And no typing would be needed, so keylogging is pointless, and only someone literally watching you point to the coordinates on your image would be able to repeat what you've done (there are still problems with the system, as it isn't flawless).
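To make the two-layer idea above concrete, here is an added example (not code from the post) of how the image and the PIN-selected crop could be hashed with BLAKE2 and a per-site salt. The 8x8 raster, the PIN-to-crop mapping and the salt values are all assumptions constructed for the demo; a real implementation would decode a PNG/JPEG into the same row-of-(r, g, b) form.

```python
import hashlib
import hmac

# Constructed sample "image": an 8x8 RGB gradient as rows of (r, g, b) tuples.
WIDTH, HEIGHT = 8, 8
SAMPLE_IMAGE = [[(x * 32 % 256, y * 32 % 256, (x + y) * 16 % 256)
                 for x in range(WIDTH)] for y in range(HEIGHT)]


def raw_pixels(pixels):
    """Serialise rows of (r, g, b) tuples to raw bytes in row-major order."""
    return bytes(c for row in pixels for px in row for c in px)


def crop(pixels, x, y, w, h):
    """The w x h sub-image at (x, y); this is the region the PIN selects."""
    return [row[x:x + w] for row in pixels[y:y + h]]


def pin_to_region(pin, width, height, size=2):
    """Assumed mapping from a numeric PIN to crop coordinates (not from the post)."""
    n = int(pin)
    cols, rows = width - size + 1, height - size + 1
    return n % cols, (n // cols) % rows, size, size


def scrypass_digest(pixels, pin, site_salt, user_id):
    """Hash the whole image and the PIN-selected crop, bound to this site and user."""
    if len(site_salt) > 16 or len(user_id) > 16:
        raise ValueError("blake2b salt and person are limited to 16 bytes")

    def h(data):
        # salt= binds the digest to the site, person= to the user account, so the
        # same image yields unrelated digests on every site it is used with.
        return hashlib.blake2b(data, salt=site_salt, person=user_id).digest()

    x, y, w, hgt = pin_to_region(pin, len(pixels[0]), len(pixels))
    full = h(raw_pixels(pixels))                     # layer 1: the file itself
    part = h(raw_pixels(crop(pixels, x, y, w, hgt)))  # layer 2: the PIN crop
    return h(full + part)


def change_pixel(pixels, x, y, rgb):
    """Copy of the image with one pixel replaced (what a single hue tweak does)."""
    out = [list(row) for row in pixels]
    out[y][x] = rgb
    return out


def verify(stored, pixels, pin, site_salt, user_id):
    """Constant-time comparison of a login attempt against the stored digest."""
    return hmac.compare_digest(stored, scrypass_digest(pixels, pin, site_salt, user_id))
```

Only the 64-byte digest is stored server-side; the image and PIN stay with the user, and a stolen digest from one site is useless on another because of the differing salt.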
Now I am not saying something like this will take the world by storm anytime soon. Hell, users like what they are used to and fear change (that's why some people stay on a site even though it's changed so much, like YouTube). But I am saying that it is definitely something that needs to be polished up and experimented with, to see what the next generation of passwords will be. This isn't an end to all passwords, but at least it will be another option. One problem is that users will need to carry a thumb drive with their password if they are on the go a lot. Plus, uses outside of site login can be troublesome, and there are some other concerns as well.
I probably scared half of you away within the first two paragraphs. It is okay. I promise the next ones won't be so scary!
The quick and easy version is: I wish to make an improved password system using files you can keep on your computer, without anyone thinking twice about their relevance to your account. You also won't have to worry about long passwords, as the more common images are 500x500 and up: this means each pixel we add gives 16,777,216 new possible combinations! I hope this blog entry has been amusing for some.