An idea to make one-time passwords even more secure


David Whiting

Nov 5, 2009, 7:36:45 AM
to Clipperz
In a recent discussion someone expressed concern that one-time
passwords (OTPs) could be a risk if printed out, especially if you are
absent-minded (and people who are absent-minded really need Clipperz
for passwords). The concern was that if you are using a public machine
and someone is running a key-logger they could get your user id. If
you then drop or forget the bit of paper (or phone or wherever you use
to record the OTPs) then someone could get both your id and OTPs and
log in.

My online bank gets me to enter a randomly selected subset of
characters from my password. E.g. if my password is "inE3dclipperz"
when I log in I might be asked for the 2nd, 4th and last-but-one
letter (i.e. "n3r"). The next time I log in I am asked for a different
subset, e.g. the first, 6th and last (i.e. "icz"). If this feature were
added to the use of OTPs it would make them much more secure. When
using a public machine, if someone used a key-logger to get my ID and
then got hold of my list of OTPs they could still not log in because
they would still need to know my usual password (or the correct subset
of it).

David

Adam McMaster

Nov 5, 2009, 10:51:23 AM
to david.r...@gmail.com, Clipperz
Not sure if it's been mentioned before, but I've always thought that
one-time user names would be a useful addition, so a keylogger would
get no useful information whatsoever. Though how you would implement
that without the user having to store the OTP and OTU together, I
don't know :)

Josh Borke

Nov 5, 2009, 11:06:12 AM
to Clipperz


On Nov 5, 10:51 am, Adam McMaster <a...@blamethebull.com> wrote:
> Not sure if it's been mentioned before, but I've always thought that
> one-time user names would be a useful addition, so a keylogger would
> get no useful information whatsoever. Though how you would implement
> that without the user having to store the OTP and OTU together, I
> don't know :)
> <snip>

Why not just append one of the OTP fields to the username? That way,
if you lose your slip of paper the malicious entity has to figure out
which OTP field to append to the username in addition to knowing your
OTPs. Also, if you lose your paper, shouldn't you get rid of your
OTPs and start fresh at the first opportunity?

-josh

Giulio Cesare Solaroli

Nov 5, 2009, 3:00:10 PM
to Clipperz
Hello all,

it is very nice to follow a discussion carried on only by our users! :)

@David: no security system can be perfectly secure -> http://xkcd.com/538/ :)

@Adam: we have opted for requiring also the username, in order to
avoid that a lost paper with OTPs on could lead to a successful access
to a Clipperz account, as Josh has rightly suggested.

We also added an extra feature that greatly enhances security: as soon
as an OTP is used, it is immediately disabled, even when matched with
the wrong username.
In this way, whoever finds the paper with OTPs written on it has just
one option for each valid value printed on it: to try to guess the
matching username.

Cheers,

Giulio Cesare

David Whiting

Nov 5, 2009, 3:54:26 PM
to Clipperz
Giulio,

I agree. I guess the most secure way to do this would be to have
one-time accounts, where the account is deleted after each use :)

Here's another idea: I could sort my printed list of OTPs so that the
letters and numbers of my normal password are found at least once in
each row in the order they appear in the normal password. I could then
replace these letters or numbers with an exclamation mark. E.g. if my
normal password is "inE3dclipperz" I would create and sort OTPs like
this:

4fai wey5 - w5gn skt36 - ...
93fg lnpp - n3t7 gho9 - ...
0s5g he3k - 99ff d2k7 - ...

and so on, and then replace the letters found in my usual password
with ! like this (i, n, e, ...):

4fa! wey5 - w5gn skt36 - ...
93fg l!pp - !3t7 gho9 - ...
0s5g h!3k - 99ff d2k7 - ...

Someone who has logged my user id and then got hold of my list of OTPs
would then first need to realise that I have done this (Doh! I should
have kept this idea quiet!), and then guess for each OTP what letter
or number had been replaced. Or they would need a $5 wrench. The OTPs
only seem to use numbers and lowercase letters, so I would ignore case
and skip the other characters. Using my current Clipperz password that
would still allow me to print out a list of 24 OTPs that would be
rather difficult to use. It probably would be simple to create a
little script to do this so I would not have to do it manually each
time I lose my slip of paper. I'll mull on this idea a little more ...

David
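The "little script" David sketches above, written here as an added example (not code from the thread or from Clipperz). Rather than sorting Clipperz-generated OTPs into rows, it generates each printed row with the password's letters and digits embedded in order (a simplifying assumption), masks those characters with "!", and restores the row at login time; ALPHABET, make_row, mask_row and unmask_row are names chosen for this example.

```python
import secrets
import string

# OTPs in the thread appear to use only digits and lowercase letters.
ALPHABET = string.ascii_lowercase + string.digits


def password_key(password: str) -> str:
    """Keep only letters and digits, lowercased: the characters David proposes to hide."""
    return "".join(c.lower() for c in password if c.isalnum())


def make_row(password: str, length: int, rng=secrets.SystemRandom()) -> str:
    """Build a random OTP row in which the password key appears, in order, as a
    subsequence, so the row can always be masked. (Assumption: rows are generated
    with the key embedded instead of sorting pre-existing OTPs.)"""
    key = password_key(password)
    if length < len(key):
        raise ValueError("row too short to embed the password")
    positions = sorted(rng.sample(range(length), len(key)))  # where key chars will sit
    chars = [rng.choice(ALPHABET) for _ in range(length)]
    for pos, c in zip(positions, key):
        chars[pos] = c
    return "".join(chars)


def mask_row(row: str, password: str) -> str:
    """Replace the first in-order occurrence of each password character with '!'.
    Spaces, dashes and other separators pass through untouched."""
    key = password_key(password)
    out, k = list(row), 0
    for i, c in enumerate(row):
        if k < len(key) and c == key[k]:
            out[i] = "!"
            k += 1
    if k != len(key):
        raise ValueError("password is not a subsequence of this row; re-sort or regenerate it")
    return "".join(out)


def unmask_row(masked: str, password: str) -> str:
    """Reverse mask_row: the n-th '!' on the slip is the n-th password character."""
    key = iter(password_key(password))
    return "".join(next(key) if c == "!" else c for c in masked)
```

Someone holding only the masked slip sees a row of "!" placeholders and must still recover the password's characters in order; the legitimate user reconstructs each OTP from memory with unmask_row.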

laboo

Nov 14, 2009, 3:00:09 PM
to Clipperz
I have to disagree on the points you make here Giulio.

Yes, OTPs are a good thing, but they don't sufficiently address the
problem of key loggers.

Clipperz has a single point of failure. Loss of my username/password,
which I must enter frequently, is a master key to everything I've
stored on Clipperz. If your vision is for me to store my credit card
numbers and bank account information, you've simply got to protect my
username and password from key loggers. And not just when I'm on the
road using OTPs.

I find it hard to believe you do not understand the real and present
danger of key loggers. My understanding is that this is fast becoming
the way in which most people have their online banking information
stolen.

I don't pretend to know what the best answer is, but letting me enter
my password using a (scrambled) mouse-driven virtual keyboard would be
a step in the right direction.

That being said, I love just about everything else about Clipperz. I
just can't recommend it to PC users until you address key loggers.

Thanks for Clipperz and thanks for listening.

laboo


nyd

Dec 8, 2009, 3:14:32 AM
to Clipperz
Dear Giulio,

Disabling an OTP even when it is matched with the wrong user name would be a
nice way to enable denial-of-service for the user.

Assume that a malicious user gets hold of a list of 5 OTPs. He
tries them all. Everything is now disabled.

Now the hapless user has to give his user name + original
master password to login. This is the ideal situation for the key
logger. Dream come true perhaps.

On the user's side they should assume that an OTP is like currency.
Put your list of OTPs on separate papers. User ID on a separate
paper. Or hopefully memorized.

Anyway, the key logger has one (hopefully used) OTP which cannot be
used again.

Maybe the ideal thing would be to see if the same IP is trying
a list of passwords again and again. Unfortunately, this can also
happen with the real user who has mistyped some letter in his OTP.

I've got no solution for this other than to be careful.

To repeat, disabling an OTP with the wrong user name is dangerous.

- Nyd


Giulio Cesare Solaroli

Dec 8, 2009, 12:54:41 PM
to mlib...@gmail.com, Clipperz
Hello Laboo,

sorry for the long delay in answering.

Are you aware that there are already keyloggers able to take snapshots
of the screen around where the mouse clicked, also with some delays in
order to circumvent virtual keyboards hiding the key on mouse clicks?

If you have a "keylogger" installed and you use your passphrase you
are (potentially) screwed; this regardless of how you enter your
passphrase.

I understand that always using an OTP is much less convenient, but
this is as far as you can get on an untrusted/insecure computer.

Regards,

Giulio Cesare

Giulio Cesare Solaroli

Dec 8, 2009, 12:56:58 PM
to nyd...@gmail.com, Clipperz
Hello Nyd,

if we don't disable OTP when used with a wrong username, we would
allow brute-force attacks to anyone finding a list of OTPs, as they
could keep on trying different usernames at will.

And guessing a username is usually much easier than guessing a passphrase.

This was the idea behind the choice we made.

Regards,

Giulio Cesare
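The two policies Nyd and Giulio argue over above, as an added example that is not Clipperz code: a single-use OTP table keyed by the OTP itself (so the server can spend it whatever username was typed), a switch for whether a mismatched username also spends it, and a simulation of someone holding a found slip trying usernames against it. OtpStore, simulate, the hashing of stored values and the sample usernames are all constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def _h(value: str) -> bytes:
    # Store hashes rather than raw OTPs/usernames (a defensive habit, not something the thread states)
    return hashlib.sha256(value.encode("utf-8")).digest()


@dataclass
class OtpStore:
    """Single-use OTP table keyed by the OTP itself, so the server can find and
    spend an OTP no matter which username was typed alongside it."""
    burn_on_mismatch: bool                        # True = Clipperz's choice as Giulio describes it
    _records: dict = field(default_factory=dict)  # H(otp) -> H(owner username)

    def issue(self, username: str, otp: str) -> None:
        self._records[_h(otp)] = _h(username)

    def login(self, username: str, otp: str) -> bool:
        key = _h(otp)
        owner = self._records.get(key)
        if owner is None:
            return False                          # unknown, or already spent
        ok = hmac.compare_digest(owner, _h(username))
        if ok or self.burn_on_mismatch:
            del self._records[key]                # spent on success; optionally on any attempt
        return ok

    def live_count(self) -> int:
        return len(self._records)


def simulate(burn_on_mismatch: bool, otps, owner: str, candidate_usernames):
    """Slip holder tries each candidate username against each OTP; returns (logins, OTPs left)."""
    store = OtpStore(burn_on_mismatch)
    for otp in otps:
        store.issue(owner, otp)
    wins = 0
    for otp in otps:
        for guess in candidate_usernames:
            if store.login(guess, otp):
                wins += 1
                break
    return wins, store.live_count()


# Constructed sample data: three OTPs from a lost slip; the owner's username is guessed last.
SLIP = ["4faiwey5", "93fglnpp", "0s5ghe3k"]
GUESSES = ["alice", "bob", "carol", "david"]
```

With burn_on_mismatch=False the slip holder eventually logs in with every OTP once the username is guessed (Giulio's concern); with True no login succeeds, but the legitimate owner is left with zero usable OTPs after the first wrong guess per OTP (Nyd's denial-of-service).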

Giulio Cesare Solaroli

Dec 8, 2009, 1:02:33 PM
to david.r...@gmail.com, Clipperz
Hello David,

we went for a completely random creation of OTPs, as this allowed us
to greatly simplify the user interface to handle them (creation /
duplicate check / security enforcement / etc.)

While your idea makes some sense, I think it would be quite difficult
to create such an OTP, and also it would be quite easy to forget the
criteria to rebuild it when you actually need it.

I still believe that the current arrangement provides the best
tradeoff between convenience and security. Keep in mind that this is
not a perfect solution (whatever this means); it is just a tradeoff.

Regards,

Giulio Cesare