When I wrote this package I was hesitating about the name I would choose,
so, in a complete lack of inspiration, I first simply called it CTC, for
Click To Connect. After writing it I forgot it somewhere and said to
myself: soon I will publish it. But one day, while browsing the PHPCLASSES PACKAGES
BLOG section, I found an article by Dave Smith that talked about SECRET PATH. So I finally
decided to call my package PHP MNEMONIC SECRET PATH LOGIN: "secret path" for what it means, and "mnemonic"
for the help the package gives users in keeping their password in their head and memory...
Finally, I think it will be called whatever you (the developers who download it) name it.
This package uses a secret-path approach: users click on the cells of a
table whose background is a picture of their own choosing, as many times as they want, to build their
own secret path, which is salted and hashed before being saved in the database as the login password.
With this mnemonic they can log in to their account securely without having to know a difficult
password. The package lets each user upload several pictures; choose both a keyboard password and a CTC picture password,
or just one of the two methods; and, once the user has uploaded at least two pictures with a secret path,
choose a random login picture to connect with. One can even raise the mnemonic level by showing a grid so that the
user knows exactly where he clicks, even if this is less beautiful.
The package has a constant called complexity that makes the password more secure when increased
and less secure when decreased.
For example a complexity of 10 draws a 10x10 grid, i.e. 100 compartments to click on;
add the detail that the user can click 1, 2, 3 ... or as many times as he wants, and that gives
a secret path seriously hard to find, even for a computer trying to
find it with a brute-force algorithm. By default I use a complexity of 50, which gives 50*50 = 2500 compartments to click on.
Suppose for a second that the complexity is 50 and you click 3 times: the number of possible paths is 2500^3 = 15 625 000 000.
Now suppose the user is completely lunatic and wants to click 30 times to make a stronger secret path: this raises the number
of possibilities to 2500^30, about 8.6736173798840354720596224069595e+101, since he can click on the same compartment again or change ...
The mathematical notion behind this is the following:
let n be the number of times the user chooses to click
and p the number of compartments. The order of the clicks counts, and the user can also click on the same compartment more than once, so a result is an
n-tuple of compartments chosen from a set of p compartments. The number of possible results is pow(p, n)...
The maximum complexity suggested is 100, so as not to break the design.
The minimum complexity suggested is 2.
The main difficulty for a brute-force algorithm is that nobody knows how many times the user clicked, nor in what order,
and on top of that the generated password is salted before hashing.
This way the secret path will be very difficult to guess.
Note that the salt only defeats precomputed tables; against a brute-force search the strength comes from the length and randomness of the path itself (an attacker who does not know n just tries every length up to the user's click count, and the last term pow(p, n) dominates that sum), so users should be discouraged from paths of only two or three clicks.
Another contribution is that the package strengthens the human factor, which is no longer the weak link because there is no more need to write a password
down somewhere. This brings more security to the PHP authentication system.
Of course programmers need to combine it with TLS to be sure there is no password sniffing and the like. In addition, one could also
use the precious package PHP Form Encryption by Francisco del Aguila <faguila@alboran.net>, which can be found in the
PHP CLASSES REPOSITORY, to make the form submission more secure. Maybe the next release will include it directly...
Sorry for the design too; maybe this will also be changed in the next release.
The package doesn't have specific documentation; the only way to know more about the code is to look at the implementation.
But the main functionality of the package comes from the file src/ctc.php, which contains a class of the same name,
and from the file src/clicktoconnect.php. The two files are really easy to understand.
Using it is simple: copy the folder to where you want to use it, import the database and all is done. Of course
you need to change your database details and the other settings in the config.php file.
For issues and anything else, use the forum or contact me at leizmo@gmail.com
PS: the default password is admin for the user with mail leizmo@gmail.com, pseudo zinsou and the fake
phone number 069659655. Change or delete this default account before putting the package in production.
The package doesn't handle registration and the design is really minimalist.
It is just a system to show how to help users remember their password with a mnemonic secret path.
Also keep in mind that for development I used jQuery and jQuery UI files which were stored locally,
but the uploaded package loads jQuery from http://code.jquery.com, so if the package doesn't work as expected,
open your developer tools to make sure jQuery has really been loaded.
I know you know, but never forget that your salt must be chosen once and for all before you start registering users
with this in production, or else you must have a salt-change policy; otherwise, if you change the salt, neither you nor your users will be able to log in.
This is because I don't use the password_hash function on each password (password_hash would avoid the problem, since it generates and stores a random salt per user).
An example of a policy for when you change your salt:
add a field in the users table that keeps track of which salt was used (e.g. set('oldsalt','newsalt'));
if the user has not yet changed his password under the new salt, keep using the old one for him,
and once he has, use the new one.
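The following is an added example, not code from the PHP MNEMONIC SECRET PATH LOGIN package, that models the scheme described above in Python: a complexity x complexity grid, a click path of n clicks giving pow(p, n) possibilities (and the sum an attacker who does not know n must cover), a salted hash of the encoded path, and the old-salt/new-salt policy just described. The path encoding (compartment indices joined with '-'), the PBKDF2 hash, the salt names and values and the `register`/`login` helpers are all assumptions made for the example; the package's own encoding and hash may differ. One twist beyond the text: `login` migrates a record still on the old salt to the current one as soon as the user logs in successfully, because that is the moment the path is known.

```python
# Added example, not code from the PHP MNEMONIC SECRET PATH LOGIN package.
# All names, salt values and the path encoding below are hypothetical.
import hashlib
import hmac
from typing import Dict, List, Tuple

Click = Tuple[int, int]      # (row, col), 0-based, on a square grid
User = Dict[str, str]        # {"hash": hex digest, "salt": name of salt used}

MIN_COMPLEXITY, MAX_COMPLEXITY = 2, 100   # bounds suggested in the text
PBKDF2_ROUNDS = 100_000

# Hypothetical application-wide salts: "oldsalt" was used before a
# rotation, "newsalt" is the one in force now.
SALTS = {"oldsalt": "c0ffee-old-salt", "newsalt": "b4dc0de-new-salt"}


def compartments(complexity: int) -> int:
    """A complexity of c draws a c x c grid, so p = c*c compartments."""
    if not MIN_COMPLEXITY <= complexity <= MAX_COMPLEXITY:
        raise ValueError("complexity must be between 2 and 100")
    return complexity * complexity


def keyspace(complexity: int, clicks: int) -> int:
    """Distinct paths of exactly `clicks` clicks: pow(p, n), because the
    order matters and a compartment may be clicked more than once."""
    return compartments(complexity) ** clicks


def keyspace_up_to(complexity: int, max_clicks: int) -> int:
    """What a brute-force attacker who does not know n must cover: the sum
    of pow(p, n) for n = 1..max_clicks. The last term dominates, so the
    click count itself, not the uncertainty about it, gives the strength."""
    p = compartments(complexity)
    return sum(p ** n for n in range(1, max_clicks + 1))


def encode_path(complexity: int, path: List[Click]) -> str:
    """Serialise the clicks into the string that gets hashed. Each click
    becomes its compartment index row*c + col; indices are joined with '-'
    so that index 1 followed by 23 cannot collide with 12 followed by 3."""
    c = complexity
    if not path:
        raise ValueError("a secret path needs at least one click")
    indices = []
    for row, col in path:
        if not (0 <= row < c and 0 <= col < c):
            raise ValueError(f"click {(row, col)} is outside the {c}x{c} grid")
        indices.append(row * c + col)
    return "-".join(str(i) for i in indices)


def hash_path(encoded: str, salt: str) -> str:
    """Salted, deliberately slow hash of the encoded path (PBKDF2-SHA256
    here; the package uses its own salted hash, not password_hash)."""
    return hashlib.pbkdf2_hmac("sha256", encoded.encode(), salt.encode(),
                               PBKDF2_ROUNDS).hex()


def register(users: Dict[str, User], email: str, complexity: int,
             path: List[Click], salt_name: str = "newsalt") -> None:
    """Store the hash together with the name of the salt it was made with."""
    users[email] = {"hash": hash_path(encode_path(complexity, path),
                                      SALTS[salt_name]),
                    "salt": salt_name}


def login(users: Dict[str, User], email: str, complexity: int,
          path: List[Click], current_salt: str = "newsalt") -> bool:
    """Verify with whichever salt the stored record names; on success, move
    a record still on the old salt to the current one."""
    record = users.get(email)
    if record is None:
        return False
    encoded = encode_path(complexity, path)
    candidate = hash_path(encoded, SALTS[record["salt"]])
    if not hmac.compare_digest(candidate, record["hash"]):
        return False
    if record["salt"] != current_salt:          # transparent salt migration
        record["hash"] = hash_path(encoded, SALTS[current_salt])
        record["salt"] = current_salt
    return True


if __name__ == "__main__":
    print(compartments(50), keyspace(50, 3))           # 2500 15625000000
    print(f"{keyspace(50, 30):.3e}")                    # 8.674e+101
    db: Dict[str, User] = {}
    secret = [(3, 7), (3, 7), (40, 12)]                 # constructed 3-click path
    register(db, "user@example.com", 50, secret, "oldsalt")
    print(login(db, "user@example.com", 50, secret))    # True, record now on newsalt
    print(login(db, "user@example.com", 50, [(0, 0)]))  # False
```

The `salt` field per user is the set('oldsalt','newsalt') column from the policy above; because `login` re-hashes on the first successful login after a rotation, the old salt can be retired once no record names it anymore.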