Password Eliminator

Disclaimer

Please do not email me about this project without reading the disclaimer above.

• look over your shoulder.
• monitor the EMF (Electro-Magnetic Fields) radiation of your monitor or keyboard.
• software beacon planted in your machine.
• guessing, hm, love earth whale god Fluffy
• brute force, e. g. try all words in the dictionary, plus female and male baby names

  Book referral for 20,001 Names For Baby

  	recommend book⇒20,001 Names For Baby
  	by	Carol McD. Wallace	978-0-380-78047-1	paperback
  	publisher	Harper
  	published	1995-05-01
  Online bookstores carrying 20,001 Names For Baby abe books anz abe books.ca abe books.de amazon.ca amazon.de Chapters Indigo amazon.es Chapters Indigo eBooks iberlibro.com abe books.com abe books.fr amazon.com amazon.fr Barnes & Noble abe books.it Nook at Barnes & Noble amazon.it Kobo junglee.com Google play abe books.co.uk O’Reilly Safari amazon.co.uk Powells other stores
  Greyed out stores probably do not have the item in stock. Try looking for it with a bookfinder.

• looking at somebody’s paper or computer list of passwords in their desk drawer.
• If you are an expert, just ask a novice their password. They will always comply.
• intercepting net traffic. Passwords are transmitted usually in plain text.

Every site has its own rules for composing a password.

• minimum/maximum length
• required numerics
• case sensitivity
• random gibberish they give you.

This does not work! Why?

• I can’t for the life of me type anything if you turn off the visual feedback. I just go all thumbs at the sight of a row of **s. It totally destroys my automatic typing reflexes.
• I need a giant list of passwords for all the places I frequent. This is inconvenient to look up.
• I need a giant list of passwords. This list is very easy for someone to compromise. Ideally I would keep a master password in my head where no one could see.
• I am tempted to reuse passwords for different sites. If I do that, vendors can surf the Internet pretending to be me at other sites I used the same password.
• On some sites, I have spent 5 or more tries before I find an account ID and password it was happy with. They don’t tell you the rules ahead of time. They let you propose something, then complain about it telling you of yet a new rule it violates. They complain about passwords being too short or too long, having punctuation or not having punctuation.

There are several ways it could work. In the simplest, I convince my password manager that I am me and it deals with convincing the rest of the world I am me.

The catch is passwords are currently designed solely for humans. Browsers make a brave stab at noticing and remembering passwords for you but they don’t do that good a job. Further, they don’t back up the list, or capture passwords on first use. You still need a paper list somewhere. Cookies are another half-assed attempt. Cookies are fragile and easily lost.

We need to properly automate:

• logging on to any site and proving who you are. The process would be totally transparent. On your first visit you would click OK to agree to logon and reveal certain information. From then on you would do nothing.
• giving subsets of your demographic information to the site.
• keeping the site up to date of the demographic information you have already given it.

Handling that problem with conventional passwords, with a standard password login interface would just be a minor extension of the password protector student project. The real problem is political, persuading sites and browsers to start using it.

The proper way to do this is with digital ids that have an RSA public and private key. Digital ids have the following advantages:

• They are for all practical purposes unforgeable.
• They are fully automatic.
• They still allow for various degrees of anonymity.

1. first class

   full id: proves you really are a real person at a real address and phone number. These require considerable fuss to verify identification before issuing, much like getting a passport.

2. second class

   email id: proves you at least in the last 3 months had given email address. These can be generated by a mailbot at the certificate company, usually free.

3. third class

   anonymous: proves nothing other than you are the person who came before with this same id/password. passwords are replaced by public/private key pairs. Your effective password, the private key, is never actually transmitted over the net. You might use a fresh id for every site, or every visit, depending on how serious you were about being anonymous. These can be generated on the fly freely as needed.

Your code has to run both as a servlet on a server to manage logins and as a browser plug-into do the login handshake and reveal the agreed information. To persuade sites to use it, it needs to be free or almost free. You might consider an ad-supported version so you get paid to use it.

Thawte and Verisign could increase sales by many orders of magnitude if this caught on. Perhaps they are the ones to prod to implement it.

These digital ids could have many other uses, e.g. electronically signing email to help filter spam,

Eventually the scheme might be broadened to download your private/public key into a smart card. That becomes an unforgeable electronic id to use for all manner of things such as credit card purchases etc. That gets more complex because you can lose the card or someone can steal it. You would thus want a digital photo, retinal scan and fingerprint in there and a way of electronically revoking the card.

The basic authentication mechanism very roughly is for the site to send out a random challenge phrase for the client to digitally sign and return (i.e. encrypt with the private key) along with the corresponding public key digitally signed by a certicate authority. Using only a root certificate containing the certificate authority’s public key, the site can verify the client’s public key and with the public key can decrypt the returned challenge phase. Only the holder of the corresponding client private key could have successfully encrypted the challenge phase that way. The site never gets to peek at the client’s private key (his password so to speak). The client’s public key is, well, public. It does not matter who sees it.

The neat thing about this process is it can happen very quickly, fully automated without you having to remember or look up anything. Never do your keys get sent out over the net or displayed on your screen.

The other way to get rid of passwords at ATMs (Automated Teller Machines), entry locks etc, is to scan a fingerprint or retina and see if they match the image on file.

There have been many solutions to this problem and the related Password Protector problem such as such as Microsoft account (aka .NET Passport, Microsoft Passport Network, Windows Live ID), Apple Keychain, Kerberos and PGP. Why have these schemes failed to catch on. I think there are three reasons:

1. The schemes are perceived as too proprietary, to tied to one-platform.
2. The instructions are too geekish. Encryption folk tend to be more interested in impressing you with their brilliance and explaining how it all works inside, than helping you get your job done.
3. The user interfaces are still too geekish and clumsy. They need to be duck simple, requiring zero understanding of encryption theory. Encryption is usually an afterthought. It needs to be seamlessly built-in and transparent.

standard footer

	This page is posted on the web at:	http://mindprod.com/project/passwordeliminator.html
	Optional Replicator mirror of mindprod.com on local hard disk J:	J:\mindprod\project\passwordeliminator.html
	Please read the feedback from other visitors, or send your own feedback about the site. Contact Roedy. Please feel free to link to this page without explicit permission.
	Canadian Mind Products IP:[65.110.21.43] Your face IP:[3.147.103.8]
Feedback	You are visitor number