  1. #1
    SitePoint Addict

    page with two passwords

    Here's an out-of-the-box thought. What if I require more than one password on my sign-in page? Would that confound the phishing bots? (If so, then I could even allow the client to enter relatively easily remembered passwords).

    grNadpa

  2. #2
    spikeZ
    Isn't 2 passwords really just the same as username + password combination or do you mean that users have to remember 3 things?!
    Mike Swiffin - Community Team Advisor
    Only a woman can read between the lines of a one word answer.....

  3. #3
    SitePoint Addict
    Quote Originally Posted by spikeZ View Post
    Isn't 2 passwords really just the same as username + password combination or do you mean that users have to remember 3 things?!
    My point is that the malicious software phishing bots expect just one password in addition to the username. Hence the bizarre requirements for developing passwords (e.g. 8 characters, uppercase, lower case, number, special characters) as protection.

    Adding a second password (or as you put it "remember 3 things") I'm thinking would defeat these bots because, even if it guesses one of the passwords, it's not expecting a second one -- and therefore will fail to break into the site.

    As such, the passwords need not be so complex.

    grNadpa

  4. #4
    logic_earth
    Afraid it would just make things more complicated for your users. Your users alone are responsible for creating strong passwords and managing them. It's not yours. The only thing you have to do is store them in a secure manner. And those bots could easily adapt to the change anyways.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  5. #5
    paul_wilkins
    Quote Originally Posted by Grnadpa View Post
    Adding a second password (or as you put it "remember 3 things") I'm thinking would defeat these bots because, even if it guesses one of the passwords, it's not expecting a second one -- and therefore will fail to break into the site.

    As such, the passwords need not be so complex.
    Sadly, exactly the opposite thing will happen. Your strange and odd security measures will attract the attention of all sorts, resulting in special attention being paid to your site from groups who attempt to automate their way around such things.

    Your best bet to avoid notice is to apply the same best practice techniques that others use. Those are the most reliably known ways to remain secure without annoying your users too much.
    Programming Group Advisor
    Reference: JavaScript, Quirksmode Validate: HTML Validation, JSLint
    Car is to Carpet as Java is to JavaScript

  6. #6
    Non-Member
    Nothing is impossible for malicious software trying to detect a password. Even if you put something new, you would rather attract the attention of programmers as you are the founder of this innovation. They would go to far ends just to crack this challenge! In regards to the security, if you use md5 encryption, and if you instruct your users to create a difficult password with a combination of symbols, letters and numbers, with NO word from the English dictionary and no numbers in a proper sequence, there is no way a malware can decrypt it. This is because the encrypted code of every password keeps changing and only your server will be aware of the combination. Not even you!

  7. #7
    webcosmo
    Too complicated, some people wouldn't bother remembering those passwords. Just use a good captcha along with the password, like skrill.com does and you should be fine. But no way 2 passwords.

  8. #8
    SitePoint Addict
    Thanks to all for your responses. I'll defer to your judgement.

    Nevertheless,
    Quote Originally Posted by logic_earth View Post
    Your users alone are responsible for creating strong passwords and managing them. Its not yours.
    No argument if we are looking for who (whom?) to blame. But, as the LinkedIn hack demonstrated, users are not particularly diligent in devising strong, esoteric passwords (among the top 30 passwords: link [941] 1234 [435] work[294] god[219] job[205] from mashable dot com slash 2012 slash 0608 slash linkedin-stolen-passwords-list)

    Quote Originally Posted by paul_wilkins View Post
    Your strange and odd security measures will attract the attention of all sorts, resulting in special attention being paid to your site from groups who attempt to automate their way around such things
    Okay, why would it attract attention? Some feedback mechanism the 'bot sends back?

    Finally, I find I am not alone in finding captchas (or would that be captchi?) particularly annoying. See www dot socialreflections dot com slash unreadable-captchas-can-destroy-your-business

    Again, I will defer to your comments. And thank you for your feedback.

  9. #9
    logic_earth
    Quote Originally Posted by Grnadpa View Post
    No argument if we are looking for who (whom?) to blame. But, as the LinkedIn hack demonstrated, users are not particularly diligent in devising strong, esoteric passwords (among the top 30 passwords: link [941] 1234 [435] work[294] god[219] job[205] from mashable dot com slash 2012 slash 0608 slash linkedin-stolen-passwords-list)
    But it is still not your responsibility. You can try and educate the user on using secure passwords, however it is better that you do not enforce any strict rules. You are only responsible for making the backend secure, storing those passwords in a secure way.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  10. #10
    paul_wilkins
    Quote Originally Posted by Grnadpa View Post
    Okay, why would it attract attention? Some feedback mechanism the 'bot sends back?
    Not quite. It's because anything strange and new attracts attention, as this thread well demonstrates too.
    When users of your site start to use a login process that to them is strange, some of them are liable to talk to others about it. Word gets out.
    Programming Group Advisor
    Reference: JavaScript, Quirksmode Validate: HTML Validation, JSLint
    Car is to Carpet as Java is to JavaScript

  11. #11
    felgall
    Quote Originally Posted by webcosmo View Post
    Too complicated, some people wouldn't bother remembering those passwords. Just use a good captcha along with the password, like skrill.com does and you should be fine. But no way 2 passwords.
    You don't need to include a CAPTCHA with a password because the password process can be set up as an even better CAPTCHA all by itself.

    Simply record the time when an invalid access attempt is made and lock the account completely for a period of time - any further attempts even with the right password during the lock time simply reset the lock start time so as to extend the lock period.

    To make it more user friendly and more secure at the same time you can also record the number of unsuccessful attempts since the last successful one and use say a two second lock time for the first two wrong attempts and thirty seconds or even a minute if the wrong guesses continue after that.

    No bot is going to wait more than a minute between guesses and even if it did it would then take way too long to get to the right password.

    The best CAPTCHA to use on any site where you need your visitors to log into their account anyway is to require a password. That way your CAPTCHA is far less obtrusive than ones that require your visitor to read scrambled text in an image or perform some sort of calculation. Also the CAPTCHA not only identifies that it is a real person and not a bot - it also identifies which real person it is as only one real person knows the password.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">
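The escalating lockout felgall describes above, written out as an added Python example that is not code from the thread or from any poster. The single-account user store, its fixed salt, the two-failure threshold and the one-minute upper lock time are constructed assumptions, and the clock is passed in as a parameter so the timing can be exercised offline.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed user store: one account, password stored as salted PBKDF2.
# A real store would use a random per-user salt; the fixed salt is a demo assumption.
SALT = b"constructed-demo-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)}

def check_password(user: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; unknown users simply fail."""
    stored = USERS.get(user)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    return hmac.compare_digest(stored, candidate)

def lock_duration(failures_since_success: int) -> float:
    """Two seconds for the first two failures, a full minute once they continue."""
    return 2.0 if failures_since_success <= 2 else 60.0

@dataclass
class AccountState:
    failures_since_success: int = 0
    lock_started_at: Optional[float] = None  # time of the attempt that started or extended the lock

class LoginThrottle:
    def __init__(self, verify=check_password):
        self.verify = verify
        self.state: dict[str, AccountState] = {}

    def attempt(self, user: str, password: str, now: float) -> str:
        """Returns 'ok', 'wrong' or 'locked'; `now` is injected rather than read from time.time()."""
        st = self.state.setdefault(user, AccountState())
        if st.lock_started_at is not None:
            if now < st.lock_started_at + lock_duration(st.failures_since_success):
                # Any attempt during the lock, even with the right password, restarts the lock.
                st.lock_started_at = now
                return "locked"
            st.lock_started_at = None  # lock has expired
        if self.verify(user, password):
            st.failures_since_success = 0
            return "ok"
        st.failures_since_success += 1
        st.lock_started_at = now  # every wrong guess starts a fresh lock
        return "wrong"

def run_scenario(events):
    """events: list of (time, user, password) tuples; returns the outcome of each attempt in order."""
    throttle = LoginThrottle()
    return [throttle.attempt(user, pw, t) for t, user, pw in events]
```

Note that a correct password submitted while the lock is active is rejected and extends the lock, which is what makes a guessing bot's own pace work against it; the cost is that a legitimate user who types quickly after a typo also waits a moment.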

