>
> > > Some examples of easy to remember possibilities:
> > > turing number:  abcdef                123456
> > > reverse:  fedcba                         654321
> >
> > But how do you communicate the 'reverse / offset 3 right' etc.
> > instructions? They are simple algorithms that can be programmed by a
> > cracker and I think really lower usability.
>
> Here's an idea. Set the algorithm for deciphering the Turing Code, in the
> account. That way, a cracker would not know how to respond to the turing
> question. Of course, this makes logging-in very complicated.


Yes, of course that's what I meant.

If the turing number is  "abcdef", a simple setting in the account would tell the
server how you respond to the turing number.

For example "fedcba" would tell the server that the turing number will be returned
in reverse order.
"abc2ef" returns the turing number with a fixed "2" in the 4th position.
There are a lot of very simple possibilities, easy to remember, so it is not as if
you have to remember a second passphrase.

(Default setting would be "abcdef" , return the turing number as is, for those who
don't want this extra security.)


Craig remarks:

> I think you guys have lost track of the whole purpose of the Turing
> number.  It is to prevent automated trials by ensuring that a human
> being is there.  What you are proposing amounts to an additional or
> longer passphrase and in no way excludes automated trials any more
> than the simple number now being used.


Well, I think somebody already demonstrated that recognising the turing number can
be automated as well..
Of course, a hacker could do an automated attack on my turing scramble code
setting, but there is the catch.
Each time a login attempt is made with the correct passphrase but a wrong turing
return, an automated email (pgp encrypted) could be sent to the owner to alert
that the passphrase was broken. If 3 login attempts are made with correct
passphrase and wrong turing return, the account should lock for 24 hours (one
could leave all this to be set by the user of course)

With this system, even if my passphrase is stolen, my account is still safe. That
is not the case with the simple turing number system that is currently used.
My turing scramble code setting can be very easy to remember, yet there are
enough different possibilities to make it difficult to crack it in only 3 (or
less) attempts before the account locks.

For example if my turing return code setting is like this: ab"m"def (a fixed character "m" in position 3)

Turing code                 Return code
123456                            12m456
547882                            54m882
233561                            23m561

As you can see, very easy to remember, not really more complicated to login than
it is now, yet much more difficult to crack. If we use upper and lower case
characters we have over 52*6  =  300 possibilities to alter the turing
number in this very easy to remember way (replacing only one digit with a fixed
character).
Include non alphabet characters and there are thousands of very easy ways to alter
the turing code.
The chance you can crack it in 3 attempts is small.

Some other possibilities:

cabcdef  (returns seven digits, more tricky..)
def";"abac
...
The user can make it as complicated as he wants to.



So, suppose the hacker cracks or steals my passphrase. Even if he can intercept
(and decrypt) the email that is sent when he got the passphrase correct, that is
not going to be much of a help to crack the turing return code in only 3
attempts..


When something like this is implemented I will feel really safe to keep more
money in my e-gold account.
Right now, I don't even know how many attempts are made to crack my passphrase.


Danny

http://two-cents-worth.com/?102468&EG.
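An added example, not code from Danny's post or from e-gold, that implements the scheme described above: a template over the letters a..f (with quoted or bare literal characters) that the server applies to the turing number, plus the login check that records an alert when the passphrase is correct but the return code is wrong and locks the account after three such failures. The names (parse_template, apply_template, Account, attempt_login) and the bare SHA-256 passphrase hash are assumptions made for the demo.

```python
import hashlib
import hmac
TURING_LEN = 6  # the turing number is six digits, as in the post

def parse_template(template):
    """Tokens for a scramble template: letters a..f name positions 1..6 of the
    turing number; quoted characters ("m", ";") and anything else (the 2 in
    abc2ef) are literals copied into the return code."""
    tokens, i = [], 0
    while i < len(template):
        ch = template[i]
        if ch == '"':                                  # quoted literal run
            end = template.find('"', i + 1)
            if end < 0:
                raise ValueError("unterminated quote in template")
            tokens.extend(("lit", c) for c in template[i + 1:end])
            i = end + 1
        else:
            tokens.append(("pos", ord(ch) - ord("a")) if ch in "abcdef" else ("lit", ch))
            i += 1
    return tokens

def apply_template(template, turing_number):
    # the return code the server expects for this turing number
    if len(turing_number) != TURING_LEN or not turing_number.isdigit():
        raise ValueError("turing number must be %d digits" % TURING_LEN)
    return "".join(turing_number[v] if k == "pos" else v for k, v in parse_template(template))

class Account:
    def __init__(self, passphrase, template="abcdef", max_failures=3, lock_seconds=24 * 3600):
        # constructed demo: a real service would use a slow password hash, not bare SHA-256
        self.pass_hash = hashlib.sha256(passphrase.encode()).digest()
        self.template, self.max_failures, self.lock_seconds = template, max_failures, lock_seconds
        self.failures, self.locked_until, self.alerts = 0, 0.0, []

def attempt_login(acct, passphrase, turing_number, turing_return, now):
    """Return 'ok', 'bad passphrase', 'bad turing return' or 'locked'."""
    if now < acct.locked_until:
        return "locked"
    if not hmac.compare_digest(hashlib.sha256(passphrase.encode()).digest(), acct.pass_hash):
        return "bad passphrase"                        # ordinary wrong password, no alert
    if hmac.compare_digest(apply_template(acct.template, turing_number), turing_return):
        acct.failures = 0
        return "ok"
    # correct passphrase but wrong return code: the passphrase itself is probably compromised
    acct.failures += 1
    acct.alerts.append("passphrase correct, turing return wrong at t=%s" % now)  # stands in for the PGP mail
    if acct.failures >= acct.max_failures:             # 3 strikes: lock for 24 hours
        acct.failures, acct.locked_until = 0, now + acct.lock_seconds
        return "locked"
    return "bad turing return"
```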

---
You are currently subscribed to e-gold-list as: archive@jab.org
To unsubscribe send a blank email to [EMAIL PROTECTED]