Password security - Another idea

Dennis L. Mumaugh dlm at cuuxb.ATT.COM
Tue Jan 10 10:36:19 AEST 1989


In article <900 at eta.unix.ETA.COM> bstrand at woods.unix.eta.com (Brad Strand) writes:
>The recent discussions regarding Unix password security (and the lack
>thereof) got me wondering about other authentification schemes.  One
>such scheme that I haven't seen mentioned here, is replacing the password
>with a 'pass-function'.  By that I mean that instead of having a
>password such as "xyzzy", each user would have his/her own personal
>function F, perhaps like
>
>    F(C) = 4C + 3
>
>The idea would be for the system to replace the "password:" prompt
>with a prompt more like, "How about C?", where C is some reasonably
>small (maybe 16-bit) random "Challenge" number generated by the system.
>The user must then apply his/her pass-function to this particular C,
>and enter the resulting F(C).  

Your idea is good except that most of the users will be mathematically
illiterate.   Hence their choice of function will be rather limited.

A better idea I heard of a long time ago was that of
challenge/response using a sequence of words pre-established by
the user:

	Computer: mumble
	You: zark

Then:
	Computer: hurkle
	You: twongly

After exhausting the challenges:
	Computer: mumble
	You: quark

The major problem is that the list of challenge/response groups must be
kept, and the computer has to remember each response for the last
challenge, and, for a given challenge, which of the many responses
the correct one should be.  Of course, human factors being what
they are, most people won't remember which of the responses the
challenge wants next, so we have to accept any of the valid ones, but
a monitor or person watching your typing may figure out what's going
on soon enough.

Thus the /etc/shadow might be:

dlm:mumble;zark,quark,feeble/hurkle;twongly,ungly/snark;agony,fit:

Of course one should still encrypt and hide the file.

-- 
=Dennis L. Mumaugh
 Lisle, IL       ...!{att,lll-crg}!cuuxb!dlm  OR cuuxb!dlm at arpa.att.com
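The word-list scheme above, as an added worked example that is not part of the original post and not Dennis Mumaugh's code. It parses the exact record layout he proposes for /etc/shadow (user:challenge;response,response,.../challenge;...:), walks the challenges in order and wraps around when they are exhausted, and remembers the last response accepted for each challenge so the stricter "use a different word next time" rule can be enforced or relaxed, as the post discusses. Instead of keeping the words in the clear, it stores a salted SHA-256 digest of each response (my substitution for "encrypt and hide the file"); the class and function names, and the digest construction, are my own assumptions.

```python
import hashlib
import hmac

# Constructed sample record in the layout the post proposes for /etc/shadow:
#   user:challenge;response,response,.../challenge;response,...:
SAMPLE_RECORD = "dlm:mumble;zark,quark,feeble/hurkle;twongly,ungly/snark;agony,fit:"


def parse_record(line):
    """Split one record into (user, [(challenge, [responses...]), ...])."""
    user, body, _trailer = line.strip().split(":", 2)
    groups = []
    for group in body.split("/"):
        challenge, responses = group.split(";")
        groups.append((challenge, responses.split(",")))
    return user, groups


def hash_response(user, challenge, response):
    """Digest a response so the stored file holds no plaintext words.

    Salting with user and challenge keeps an identical word from producing
    the same digest in two different entries.  (Assumed construction; the
    post only says the file should be encrypted and hidden.)
    """
    data = f"{user}\0{challenge}\0{response}".encode()
    return hashlib.sha256(data).hexdigest()


class WordChallengeAuth:
    """Server side of the scheme for one user.

    The challenges are issued in the order they appear in the record and wrap
    around once exhausted.  Any of the valid responses is accepted (the
    relaxation the post settles on); with allow_repeat=False the response
    must differ from the one last accepted for that challenge.
    """

    def __init__(self, record_line):
        self.user, groups = parse_record(record_line)
        # Keep only digests in memory; the plaintext word lists are dropped.
        self.groups = [
            (chal, {hash_response(self.user, chal, r) for r in resps})
            for chal, resps in groups
        ]
        self.position = 0          # index of the challenge currently issued
        self.last_response = {}    # challenge -> digest of last accepted word

    def next_challenge(self):
        """Return the word the computer prompts with this time."""
        challenge, _ = self.groups[self.position % len(self.groups)]
        return challenge

    def verify(self, response, allow_repeat=True):
        """Check a typed response against the current challenge.

        Returns True and advances to the next challenge on success; a failed
        attempt leaves the same challenge pending.
        """
        challenge, valid = self.groups[self.position % len(self.groups)]
        digest = hash_response(self.user, challenge, response)
        # Constant-time comparison against every stored digest; no early exit
        # on a match so timing does not reveal which word was used.
        matched = False
        for stored in valid:
            if hmac.compare_digest(digest, stored):
                matched = True
        if matched and not allow_repeat:
            previous = self.last_response.get(challenge)
            if previous is not None and hmac.compare_digest(digest, previous):
                matched = False
        if matched:
            self.last_response[challenge] = digest
            self.position += 1
        return matched


if __name__ == "__main__":
    auth = WordChallengeAuth(SAMPLE_RECORD)
    # Replays the exchange from the post: mumble/zark, hurkle/twongly, then wrap.
    for typed in ("zark", "twongly", "fit"):
        print("Computer:", auth.next_challenge(), " You:", typed, "->", auth.verify(typed))
    print("Computer:", auth.next_challenge(), " You: zark ->", auth.verify("zark", allow_repeat=False))
    print("Computer:", auth.next_challenge(), " You: quark ->", auth.verify("quark", allow_repeat=False))
```

Hashing the responses protects the file at rest but not the exchange itself: each login still reveals one challenge/response pair to anyone watching the terminal, which is the weakness the post points out, so the number of distinct responses per challenge bounds how many observed logins the scheme survives.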