PHP Classes

View Points

Recommend this page to a friend!

      PHP Paranoid Passcode  >  PHP Paranoid Passcode package blog  >  Improving the Securit...  >  All threads  >  View Points  >  (Un) Subscribe thread alerts  
Subject:View Points
Summary:View Points about Ultra-Paranoid Comouting
Author:Felix Ivan Romero Rodríguez
Date:2015-11-04 21:20:09

  1. View Points   Reply   Report abuse  
Picture of Felix Ivan Romero Rodríguez Felix Ivan Romero Rodríguez - 2015-11-04 21:20:09
Excellents viewpoints from this article, and how security is seen. Also I like to add muscle training could be diffcult for some users to remember and specific cadence taking count of paused time between keystrokes. A solution to this narrowed solution is work with fuzzy rhythm. In this way cadence will flow with several rhythms from the same user. Best Regards

  2. Re: View Points   Reply   Report abuse  
Picture of Dave Smith Dave Smith - 2015-11-04 21:45:44 - In reply to message 1 from Felix Ivan Romero Rodríguez
Interesting thought. I had to sit down and consider whether applying fuzzy logic to an authentication system is a truly a good thing or not.

While there certainly needs to be some level of tolerance, since nobody could hit the rhythm exact, the more tolerance there is, the less secure. Add in fuzzy logic and it would seem you are saying the system should also help the user get it right.

I am not so sure that is a good thing. Imagine if we applied fuzzy logic to our current authentication systems. I supply a username/password pair that is close to authentic and the system says... Hey Dave, that was pretty darn close, come on in :)


  3. Re: View Points   Reply   Report abuse  
Picture of PHP-4-Business PHP-4-Business - 2015-11-05 15:02:35 - In reply to message 2 from Dave Smith
Yes I agree it's a fine line between necessary tolerance and too much help. One server I log into has a passphrase that's over 30 chars long. What I've found is that I do tend to maintain the same rhythm when typing the passphrase but what often happens is that there are hiccups in my typing; brief pauses where I have to stop for a second and think what comes next, before resuming the pattern at it's usual rhythm. Perhaps that's just old age! :-)

I also think you need to consider the 'keyboard effect'; viz. I'm fine on my usual keyboard but if I swap to the lappie then the rhythm is slower (and error rate is much greater!). You wouldn't want to prevent a genuine person logging in just because they weren't using their regular keyboard (otherwise you might as well use machine-dependent tokens or similar for auth, if only allowing log-in from one specific 'puter).

Perhaps the answer is some sort of relative rhythm rather than absolute, i.e. what's important is not the absolute tempo but the relationship between the gaps?


  4. Re: View Points   Reply   Report abuse  
Picture of Dave Smith Dave Smith - 2015-11-05 15:28:19 - In reply to message 3 from PHP-4-Business

It would be like the trainer is teaching you and at the same time you are teaching the trainer who you are. Eventually you reach a consensus and your authentication identity is born.

I like it.


  5. Re: View Points   Reply   Report abuse  
Picture of PHP-4-Business PHP-4-Business - 2015-11-05 15:54:04 - In reply to message 4 from Dave Smith
Yes that would be good, and would certainly help people who only use 6 fingers or less, or else some rhythms might be unattainable.

Without going fuzzy I think it also needs to allow for a different overall tempo as well. In my experience I type with approx. the same relative gaps between characters on the lappie vs. the desktop but the overall time to type the same passphrase is slightly longer (maybe a second overall?) due to a different keyboard size and layout.