Wednesday, 25 February 2015

Is "password knocking" a good idea?



With port knocking, you have to "knock" on specific ports in a defined order to expose a port on which a service is running.


How about password knocking? For example, you have three passwords: A, B and C. None of them is correct by itself, but entered one by one in this order they will grant you access.


Some scenarios to make this idea clearer:


Scenario 1.

  • You: Password A.
    • Server: Invalid password.
  • You: Password B.
    • Server: Invalid password.
  • You: Password C.
    • Server: Password accepted.

Scenario 2.

  • You: Password A.
    • Server: Invalid password.
  • You: Password C.
    • Server: Invalid password.
  • You: Password B.
    • Server: Invalid password.

Scenario 3.

  • You: Password A.
    • Server: Invalid password.
  • You: Password B.
    • Server: Invalid password.
  • You: Password B.
    • Server: Invalid password.
  • You: Password C.
    • Server: Invalid password.

Scenario 4.

  • You: Password A.
    • Server: Invalid password.
  • You: Password A.
    • Server: Invalid password.
  • You: Password B.
    • Server: Invalid password.
  • You: Password C.
    • Server: Password accepted.




I can't think of any drawbacks of this method over a regular single-password login. Moreover, it makes dictionary attacks exponentially harder with each added password.


I realize it's security by obscurity and doesn't abolish the need for strong passwords. The password sequence itself is as strong as the concatenation of the passwords used. The added security in this method comes from the unexpectedly complex procedure.


Is it a good idea? Is it a better idea than a classic password?
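The verifier below is an added example (not code from the post) showing the server side that makes the "as strong as the concatenation" claim hold: it keeps only the last three attempts of a session, hashes them as one length-prefixed string (so "ab"+"c" and "a"+"bc" cannot collide) and stores a single salted PBKDF2 digest, never the individual passwords. It reproduces the four scenarios above; the sequence length of three comes from the post, while the PBKDF2 parameters and the function names are assumptions.

```python
import hashlib
import hmac
import os
from collections import deque

SEQUENCE_LENGTH = 3          # the three-password example from the post
PBKDF2_ROUNDS = 100_000      # assumed parameter, not from the post


def encode_sequence(attempts):
    """Length-prefix each element so the concatenation is unambiguous."""
    out = b""
    for p in attempts:
        raw = p.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def derive(attempts, salt):
    """Salted PBKDF2 over the whole sequence: one secret, one digest."""
    return hashlib.pbkdf2_hmac("sha256", encode_sequence(attempts), salt, PBKDF2_ROUNDS)


def enroll(sequence):
    """Store only (salt, digest); the server never sees A, B or C separately."""
    salt = os.urandom(16)
    return salt, derive(sequence, salt)


class KnockSession:
    """Sliding window over the last N attempts of one login session."""

    def __init__(self, salt, digest, n=SEQUENCE_LENGTH):
        self.salt, self.digest = salt, digest
        self.window = deque(maxlen=n)

    def submit(self, password):
        # Every attempt gets the same "Invalid password" answer until the
        # last N attempts, in order, match the enrolled sequence.
        self.window.append(password)
        if len(self.window) < self.window.maxlen:
            return False
        return hmac.compare_digest(derive(list(self.window), self.salt), self.digest)


def run_scenario(salt, digest, attempts):
    """Return the server's accept/reject decision after each attempt."""
    session = KnockSession(salt, digest)
    return [session.submit(p) for p in attempts]
```

Note that the window only matches trailing attempts, so a repeated or out-of-order password simply pushes the earlier ones out, which is exactly the behaviour scenarios 3 and 4 describe.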




