> Danny!  I hate to tell you but your scheme is wrong!
>
> Note that WITH JAY'S TURING NUMBER SYSTEM, YOU CAN ONLY TRY ONE
> PASSWORD PER JAY-TURING-IMAGE.
>
> Jay has completely defeated automatic attacks, and any such extra
> scheme as you propose, is, in fact, unnecessary!


Hi,


Sorry, but I don't see how this stops the possibility of automatic attacks. At the
most it can slow them down.

The problem is that you 'CAN' try one password per each jay-turing-image. That's
the weakness.

This turing image does not defeat the automatic attack. All I need is a screen
capture of the turing image combined with some OCR software, quite simple. If my
eye can read it then a computer can scan it and recognize it too...
Don't need a super computer for that.

With this (weak) 2nd hurdle tackled, I can again do my automated attack on the
passphrase just like before.
My attack program would now bet on the passphrase AND return the right turing
number based on OCR. It is as if the turing number is not there. Of course my
automatic attack will be slower because of the extra work the computer has to do.



>
> A good idea, but it would be superfluous, security-wise.


Well, my idea also solves the problem of the stolen passphrase, which is probably
a bigger threat than the automated attack.
It shocks me a little to hear that this is considered unnecessary security.
Sounds like: "you should take care of your passphrase, and if it gets stolen we
don't care..."

A 2 hurdle system with email alerts and account lock when the 1st hurdle is broken
has such obvious advantages, besides the safer feeling a user will get if he knows
he will be notified when his passphrase was breached...
It really surprises me to see that this idea, which is quite easy to implement,
gets so much resistance.




Danny

http://two-cents-worth.com/?102468&EG
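As an added illustration of the two-hurdle scheme argued for in the message above (example code written for this page, not anything from e-gold or the list), assuming a PIN as the second hurdle and a plain list standing in for the email alert:

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class Account:
    passphrase: str
    second_secret: str      # the 2nd hurdle; a PIN here (assumed, the thread does not specify)
    locked: bool = False
    alerts: list = field(default_factory=list)   # stands in for the email alerts


class TwoHurdleLogin:
    """Two-hurdle login as proposed: a passphrase, then a second secret.
    A correct passphrase with a wrong second hurdle means someone other than
    the owner holds the passphrase, so the owner is alerted and the account
    is locked.  The reply to the caller is identical for every failure, so a
    client cannot tell which hurdle stopped it."""

    def __init__(self, accounts):
        self.accounts = accounts   # constructed in-memory store: user -> Account

    def attempt(self, user, passphrase, second):
        acct = self.accounts.get(user)
        if acct is None or acct.locked:
            return "denied"
        if not hmac.compare_digest(passphrase, acct.passphrase):
            return "denied"        # first hurdle intact: ordinary failed login
        if not hmac.compare_digest(second, acct.second_secret):
            # First hurdle broken, second held: the signal of a stolen passphrase.
            acct.alerts.append(f"{user}: correct passphrase used with wrong second hurdle")
            acct.locked = True
            return "denied"        # same reply as any other failure
        return "ok"


if __name__ == "__main__":
    # Constructed sample account and attempts.
    store = {"danny": Account("correct horse", "4711")}
    svc = TwoHurdleLogin(store)
    print(svc.attempt("danny", "wrong", "4711"))          # denied, no alert
    print(svc.attempt("danny", "correct horse", "0000"))  # denied, alert + lock
    print(store["danny"].locked, store["danny"].alerts)
```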


