Advertisement

Hardware alternatives to username password combos

Started by January 26, 2011 08:42 PM
1 comment, last by Hodgman 13 years, 9 months ago
I was thinking about a huge flaw I discovered in username password systems that are prevalanet on the net, in particular when I wrote a website game that allowed users to make free accounts, it appeared the majority of users were using their standard username and password, and although I didn't try it I think if I tried those usernames and passwords from my webgame db in popular online services, I'd get some matches.

One solution I thought of was using a program to generate usernames and passwords that lives in the taskbar (my personal computer taskbar) and is accessed with my "primary" username and password combo. When I want to join a website, this program would generate a random complex unique username password combo, save it to my program, then hopefully automatically fill in the fields or at least let me copy & paste the web site login info.

This program could be implemented as some sort of cloud service to, to ensure non-password lossyness, and would prevent this attack. A hardware solution might also work, where you put that program inside a usb dongle or whatever, then use that 'key' to login to web sites, with a copy of the data in the cloud and on your pc as well. (both optional) Be nice if it integrated with popular web browsers.

Something like the MAC address could be used to rapidly authenticate games also, such as allowing users to log in quickly from known mac address, although slightly different hardware might be required due to spoofing and openness of MACs, although other secret hardware numbers could be used as well, including hashes of components, plus other forms of verification in the event of hardware replacement or other, like phone # verification and whatnot. The username password is very popular, but I think it's a little weak and good alternatives should be found if at all possible, especially ones that are more user convenient and secure at the same time.
*-----------------------sig------------Visit my web site (Free source code and games!) @ http://SpaceRacer2025.blogspot.com--------------------------------------*
One solution I thought of was using a program to generate usernames and passwords that lives in the taskbar (my personal computer taskbar) and is accessed with my "primary" username and password combo.
Keepass.

I don't like the idea of relying on hardware remaining constant to allow access to my passwords, that seems like inviting problems.
Advertisement

I was thinking about a huge flaw I discovered in username password systems that are prevalanet on the net, in particular when I wrote a website game that allowed users to make free accounts, it appeared the majority of users were using their standard username and password, and although I didn't try it I think if I tried those usernames and passwords from my webgame db in popular online services, I'd get some matches.
1) It's a widely known security flaw. Most corporate IT policies will have a paragraph devoted to warning people of this danger.

2) Why are you storing your users passwords? If your database is compromised, then as you've illustrated, their emails/facebooks/paypals may now be compromised because of you. It's standard practice to store a salted version of user's passwords to avoid this.

This topic is closed to new replies.

Advertisement