On Friday, November 21, 2003, at 10:44 AM, FileMatrix wrote:


...
Here are my suggestions: ...


Sidd:

George makes some intriguing suggestions here.

But just to focus on one small point for a moment, George mentioned that he would like the ability to copy and paste his PIKs into an encrypted file. This never occurred to me because I printed out my PIKs and read them off a piece of paper whenever I log in.

But the way Pecunix displays the PIKs makes it difficult if not impossible to copy and paste them. So maybe Pecunix could also display each PIK in pure text in a form somewhat like George suggests:

1-a 2-4 3-T 4-u 5-X 6-b 7-Q 8-N 9-e 10-j 11-Y 12-u 13-A 14-m 15-9 16-h

That would let the user copy and paste the PIKs with NO other changes to the login system.

Later you might want to consider the merits of George's suggestion to reduce the combo boxes to just the digits 0 - 9, but this is an entirely separate and optional issue.

T0-M1-B2-C3-R4-V5-Z6-G7-J8-P9-D0-H1-N2-L3-F4-S5

By the way, George, although this approach would simplify choosing from the combo boxes, you are definitely cutting the probability sample space if you do this. But whether that matters or not is another question.

Right now a Pecunix PIK uses the digits 2-9 and the upper and lower case alphabet except for India, Lima, Oscar. That's 8+23+23 = 54 characters. Now, ignoring for a moment the fact that a PIK does not contain repeated characters, that's roughly O(54^16) possible PIKs, or about O(10^27). Your scheme would have exactly 10^16 possible PIKs because you would obviously have to allow repeated digits.

Now cutting the number of PIKs by a factor of 10^11 may not be a serious concern because you need both a PIK and a secret login name to log into a Pecunix account. So 10^16 may be quite enough PIKs, especially if it simplifies the user interface (considerably!) and poses no real threat to security.

By the way, I have not yet shown my wife how to log into my Pecunix account, though I've been meaning to do so. (Hmm, maybe I better just give her read-only access for now so she doesn't run out and buy drapes with it. :-) I'll let everyone know how she reacts to the process.


George wrote:


"At the end of the registration process, display all user information in an
edit-box and put a button to copy the text to the clipboard, so that the
user could save it into a file:
-----------------------
* User name = ...
* User address = ...
* Account name = ...
* Password = ...
* Full access PIK = ...
* Limited access PIK = ...
* Read-only access PIK = ...
* Secret information = ...
* Log-in URL = ...
* PGP signature check URL =
-----------------------"



VERY nice suggestion, George. Again Sidd, all of this could be done with NO other fundamental changes to the system.


But George, I honestly think that most "ordinary" users will just PRINT OUT their PIKs, exactly as I did because I was trying to be as "ordinary" as possible and then assess how secure I felt with that. Your method of pasting into a file, encrypted or not, is probably something only a sophisticated user would do. Most users will just want to press "Print" and then keep the sheets in their briefcase or something.

However, cutting down the combo boxes to just the digits 0-9 could very well make the system feel a lot easier to use. But if you did this, you might want to list the letter "prompts" in alphabetical order to make it easier for users to search for the associated digit:

B2-C3-D0-F4-G7-H1-J8-L3-M1-N2-P9-R4-S5-T0-V5-Z6

I note here that it seems that George has cleverly not used vowels, perhaps to avoid accidentally spelling out an offensive word in the login prompt sequence? :-)

Anyway, a random login prompt sequence chosen from the PIK above might be:

H:  (combo 0-9)
N:  (combo 0-9)
Z:  (combo 0-9)
D:  (combo 0-9)

That might be nice.

-- Patrick
http://fexl.com
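The keyspace comparison Patrick works through above (54 characters with no repeats versus George's digits-only scheme) and the four-prompt login he sketches can be checked with a few lines of code. The block below is an added illustration, not code from Patrick, George or Pecunix; the 54-character alphabet (digits 2-9 plus letters minus I, L, O), the two PIK text forms, the four prompts per login and the function names are all assumptions taken from the mail, not a Pecunix specification.

```python
import hmac
import math
import secrets

# Assumed current Pecunix PIK alphabet as the mail describes it: digits 2-9 and
# the upper- and lower-case alphabet without I, L, O (assumption, 54 symbols).
_LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
ALPHABET_CURRENT = ("23456789"
                    + "".join(c for c in _LETTERS if c not in "ILO")
                    + "".join(c for c in _LETTERS.lower() if c not in "ilo"))
ALPHABET_DIGITS = "0123456789"   # George's proposal: one digit per position
PIK_LENGTH = 16
PROMPTS_PER_LOGIN = 4            # the four prompts shown in the mail (assumption)


def keyspace_with_repeats(alphabet_size, length):
    """Number of PIKs if every position is drawn independently: n**k."""
    return alphabet_size ** length


def keyspace_no_repeats(alphabet_size, length):
    """Number of PIKs when no character may repeat: n!/(n-k)! (ordered selection)."""
    return math.perm(alphabet_size, length)


def entropy_bits(count):
    """Size of a keyspace expressed in bits."""
    return math.log2(count)


def compare_schemes():
    """Current scheme (with and without repeats) against the digits-only scheme."""
    n_cur, n_dig = len(ALPHABET_CURRENT), len(ALPHABET_DIGITS)
    current_no_repeats = keyspace_no_repeats(n_cur, PIK_LENGTH)
    digits_only = keyspace_with_repeats(n_dig, PIK_LENGTH)
    return {
        "current_with_repeats": keyspace_with_repeats(n_cur, PIK_LENGTH),
        "current_no_repeats": current_no_repeats,
        "digits_only": digits_only,
        "reduction_factor": current_no_repeats / digits_only,
        "bits_current_no_repeats": entropy_bits(current_no_repeats),
        "bits_digits_only": entropy_bits(digits_only),
    }


def parse_indexed_pik(text):
    """Parse the copy-and-paste form '1-a 2-4 3-T ...' into {position: char}."""
    pik = {}
    for token in text.split():
        pos, char = token.split("-", 1)
        pik[int(pos)] = char
    return pik


def parse_labelled_pik(text):
    """Parse George's 'T0-M1-B2-...' form into {label_letter: digit}."""
    pik = {}
    for token in text.split("-"):
        label, digit = token[0], token[1:]
        if label in pik or not digit.isdigit():
            raise ValueError(f"bad PIK token {token!r}")
        pik[label] = digit
    return pik


def login_challenge(pik, prompts=PROMPTS_PER_LOGIN):
    """Pick distinct labels to prompt for; a CSPRNG keeps the prompt set unpredictable."""
    labels = list(pik)
    chosen = []
    while len(chosen) < prompts:
        label = secrets.choice(labels)
        if label not in chosen:
            chosen.append(label)
    return chosen


def verify_response(pik, challenge, answers):
    """Compare the user's digits with the stored PIK in constant time."""
    if len(answers) != len(challenge):
        return False
    expected = "".join(pik[label] for label in challenge)
    return hmac.compare_digest(expected.encode(), "".join(answers).encode())


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value:.4g}" if isinstance(value, float) else f"{name}: {value}")
    # George's example PIK from the mail, constructed login as shown there (H, N, Z, D)
    pik = parse_labelled_pik("T0-M1-B2-C3-R4-V5-Z6-G7-J8-P9-D0-H1-N2-L3-F4-S5")
    print(login_challenge(pik), verify_response(pik, ["H", "N", "Z", "D"], list("1260")))
```

Run as a script it prints the keyspace sizes, the ratio between the schemes (a little under the 10^11 Patrick estimates, because the no-repeat rule already trims the current scheme to about 88.5 bits), and one random four-prompt challenge against George's example PIK. The no-repeat count is the one that matters for the current scheme, and `hmac.compare_digest` is used in the verifier so response checking does not leak which prompt was answered wrongly through timing.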

