> What you are suggesting may be a good idea. It just does not serve
> the same purpose that the Turing number was aimed at.
>
> > That's basically the big advantage of the "2 hurdle" concept
>
> The 2 hurdle concept and its equivalence to a longer passphrase have
> been discussed at length on this list before.
Hi Craig, all,

I was not here when the equivalence of 2 passphrases to a longer passphrase was discussed, but clearly it has not been discussed properly. A 2 passphrase (2 hurdle) system is vastly superior to a single longer passphrase and I will try to show you why with a simple example. As long as this is not understood, you will also not understand why my system really eliminates the usefulness of automated attacks.

Allow me to compare the 2 systems. I will use small numbers to demonstrate my point.

System 1: A single passphrase of 6 digits (eg: 235678), this makes for 1000000 possibilities.

System 2: 2 shorter passphrases of 3 digits each (eg: 214 and 567), this also makes for 1000000 possibilities.

According to you these accounts are equally safe. Well, this is not the case. In my system the account is automatically locked whenever a successful attempt is made on the first passphrase, but it fails on the second one. And it is this that makes this system so much better.

Now, if a hacker does an automatic attack at 100 attempts per second, the first account will be cracked in 83 minutes on average. But, for the second account he will need 1000 days, or more than 3 years on average! The hacker will also run through the 1000000 possible combinations in the same amount of time (166 minutes), but the 1st time passphrase 1 is guessed correctly he has only one chance in 1000 to guess the 2nd passphrase too. 999 out of 1000 the 2nd passphrase is wrong and the account locks for 24 hours; the hacker will see only "failed login" messages over the entire range of 1000000 possible passphrase combinations. I get an email alert and can change my password if I want to, so the next day the hacker is at square 1 again.

As you can see easily, the 2 passphrase system is not at all equal to a 1 passphrase system. If you have a reasonably secure 2nd hurdle, it will quickly take eons to crack an account, no matter how fast computers get in the future.
That's why it will be totally futile to try automated attacks on system 2. It does not really matter what system you use for the 2nd hurdle, a Turing return code, a second passphrase, whatever, I am not arguing about that. As long as you use 2 hurdles with a lock after 1 or 2 breaches of the 1st passphrase, you have all the advantages of this system. A single long-passphrase system cannot have these properties.

I favor the Turing return code approach because it has certain advantages. It can be reasonably easy to remember (compared to a 2nd passphrase), you can watch me type and still not know what algorithm I am using, it cannot get saved into people's .pwl file, ...

And further you cannot deny that this 2 hurdle system reduces the danger of a stolen passphrase, which is a really big plus if you ask me.

You can say that the Turing number was not made to address these problems. OK, but does that mean that we should not use this?

Danny

---
You are currently subscribed to e-gold-list as: [email protected]
To unsubscribe send a blank email to [EMAIL PROTECTED]
Use e-gold's Secure Randomized Keyboard (SRK) when accessing your e-gold account(s) via the web and shopping cart interfaces to help thwart keystroke loggers and common viruses.
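The comparison Danny makes above, as an added worked model (example code, not from the list or from e-gold): it uses his figures (100 guesses per second, a 24 hour lock when the first hurdle is right but the second is wrong, and "failed login" as the only response) and assumes the attacker repeats full random-order sweeps of all pairs, waiting out the lock between sweeps.

```python
"""Model of the one-passphrase system versus the two-hurdle-with-lock system."""
import random

RATE = 100                 # attacker guesses per second (figure from the post)
LOCK_SECONDS = 24 * 3600   # lock after a first-hurdle hit with a wrong second hurdle


def avg_crack_seconds_single(space, rate=RATE):
    """System 1 (one passphrase, no lock): half the keyspace on average."""
    return space / 2 / rate


def expected_sweeps_two_hurdle(space2):
    """System 2: a random-order sweep succeeds only if the first guess that hits
    passphrase 1 also hits passphrase 2 (probability 1/space2); any other hit
    locks the account for the rest of the sweep. Sweeps needed is geometric with
    mean space2, i.e. about space2 lock periods (1000 days for a 3-digit hurdle)."""
    return space2


def login_two_hurdle(state, g1, g2):
    """Server side of system 2. True only on full success; the client cannot
    tell 'wrong first hurdle' from 'locked' from 'wrong second hurdle'."""
    state["now"] += 1 / RATE
    if state["now"] < state["locked_until"] or g1 != state["p1"]:
        return False
    if g2 != state["p2"]:
        state["locked_until"] = state["now"] + LOCK_SECONDS  # lock, say nothing
        return False
    return True


def crack_two_hurdle(space1, space2, seed=0, max_sweeps=10**6):
    """Attacker model: repeated full random-order sweeps of all space1*space2
    pairs, waiting out the lock between sweeps. Returns (sweeps, elapsed_s)."""
    rng = random.Random(seed)
    state = {"p1": rng.randrange(space1), "p2": rng.randrange(space2),
             "locked_until": 0.0, "now": 0.0}
    combos = [(a, b) for a in range(space1) for b in range(space2)]
    for sweep in range(1, max_sweeps + 1):
        rng.shuffle(combos)
        if any(login_two_hurdle(state, g1, g2) for g1, g2 in combos):
            return sweep, state["now"]
        state["now"] = max(state["now"], state["locked_until"])  # wait out lock
    raise RuntimeError("gave up after max_sweeps")


def mean_sweeps(space1, space2, trials, seed=0):
    """Monte Carlo average of crack_two_hurdle over several random secrets."""
    return sum(crack_two_hurdle(space1, space2, seed + t)[0]
               for t in range(trials)) / trials
```

With two 3-digit hurdles the simulation is slow, so the Monte Carlo helper is best run with small spaces (two 1-digit hurdles give a mean near 10 sweeps) and the closed form used for the post's numbers.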
