PHP Classes
elePHPant
Icontem

Improving the Security of Your User Passwords in PHP with Ultra Paranoid Computing - PHP Paranoid Passcode package blog

Recommend this page to a friend!
Stumble It! Stumble It! Bookmark in del.icio.us Bookmark in del.icio.us
  All package blogs All package blogs   PHP Paranoid Passcode PHP Paranoid Passcode   Blog PHP Paranoid Passcode package blog   RSS 1.0 feed RSS 2.0 feed   Blog Improving the Securit...  
  Post a comment Post a comment   See comments See comments (14)   Trackbacks (0)  

Author: Dave Smith

Posted on:

Package: PHP Paranoid Passcode

Usernames are distributed, passwords are weak and can be broken, personal information can be stolen and bio-metrics can be faked. What devices can you trust to keep you secure? Ultra-Paranoid Computing says none.

Read this article to learn what is Ultra-Paranoid Computing and how can you implement it in PHP to make your users use more secure password entry method.




Contents

Introduction

What is Ultra-Paranoid Computing

Rubber Hose Resistant Passwords

What You Don't Know

The Paranoid Passcode Package

Conclusion

Paranoid Computing

Introduction

I first ran across the concept of Ultra-Paranoid Computing in a short segment on Nova's program Rise of the Hackers, featuring Dr. Patrick Lincoln. The most memorable part was researchers sitting around in their lab all day playing guitar hero, how can I get that gig? As I contemplated the work behind the playtime, I found it to be quite interesting.

What is Ultra-Paranoid Computing

As I understand it, Ultra-Paranoid Computing is security research based on the idea that every device can and will be compromised. This leaves a big question to be answered, exactly how does any system know just who is on the other end of the line?

We currently use authentication factors to determine how secure an authentication system is, ranging from what you know, to what you have, and finally ending up with what you are. If you are not familiar with these factors, you can read more in this other article.

Rubber Hose Resistant Passwords

No matter how secure a system may seem, there is always one weak link, and that is the human factor.

Complex passwords are too hard to remember, so they are written down, support services meant to help users wind up helping imposters breach security, and of course, to the ultra paranoid, there is always the possibility that you may be beaten with a rubber hose until you give up your secret access code.

How do you get around the human factor? You use an authentication system that is even more secure than bio-metrics, I will call it the what you don't know factor.

What You Don't Know

Consider the saying that practice makes perfect. No matter what we are doing, if we practice enough we will improve and eventually it will be second nature to us.

The project researchers used, learning to play a song on the guitar as their example. Playing the song is a progression of rhythmic notes that you must practice over and over until you can play it without even thinking about it

This is training your muscle memory and once you reach the point that you do not need to think about it anymore, you are using this muscle memory to perform the song, not conscious thought.

Some will argue that this is what you know, you just know it really well. I say that an authentication code consisting of a long set of different key presses in a set rhythm that a user can perform without even thinking about it is much more than what you know.

The user can't write it down for someone to find, third parties can't reveal it and if you break my fingers to get me to talk, you are still going to have to take the time to learn it yourself.

The Paranoid Passcode Package

This PHP Paranoid Passcode package will generate a passcode using a secret key and mapping it to the number pad keycodes on a standard keyboard.

It will also generate the rhythm, the time paused between key presses, which combined with the passcode will make a very secure authentication system. It comes with the trainer to help you practice the passcode until it becomes part of your muscle memory.

Here is quick example to instantiate the package and generate the passcode/rhythm pair.

include('parapass.class.php');

$para = new paraPass();

//passcode length
$passLength = 30;
$passcode = $para->generatePasscode($passLength);
$rhythmString = $para->generateRhythm($passLength);

This example uses the generatePasscode method to return a random passcode of the specified link and the generateRhythm method returns a random rhythm. It is important to note that we are using the passcode length when generating a rhythm, the returned rhythm will be the passcode length minus one, since there are one less beats that keystrokes.

Conclusion

Keep in mind that Ultra-Paranoid Computing is in the experimental stages. Realistically, how many users will take the time necessary to train their muscle memory with a passcode?

Right now our users expect everything with as little hassle as possible. As more and more private information becomes public and users become more security savvy and paranoid, what they don't know may become the next official authentication factor.

If you liked this article or you have a question regarding implementing Ultra-Paranoid Computing in PHP, post a comment here.


You need to be a registered user or login to post a comment

Login Immediately with your account on:

FacebookGmail
HotmailStackOverflow
GitHubYahoo


Comments:

5. View Points - Felix Ivan Romero Rodríguez (2015-11-04 21:20)
View Points about Ultra-Paranoid Comouting... - 4 replies
Read the whole comment and replies

4. Great for Bitcoin and other crytocurrency sites! - Robert Lefebure (2015-11-04 19:18)
I'm finding any site dealing with Bitcoin is a hackers honeypot... - 2 replies
Read the whole comment and replies

3. Started putting in FIDO - David (2015-11-04 11:19)
FIDO (Yubico) Key... - 1 reply
Read the whole comment and replies

1. But is it really useful? - Stephan (2015-11-04 08:03)
But is it really useful?... - 2 replies
Read the whole comment and replies




  Post a comment Post a comment   See comments See comments (14)   Trackbacks (0)  
  All package blogs All package blogs   PHP Paranoid Passcode PHP Paranoid Passcode   Blog PHP Paranoid Passcode package blog   RSS 1.0 feed RSS 2.0 feed   Blog Improving the Securit...