A new concept for passwords

Code Sharing
21

@SkyTheCoder: “Again, just a concept. Feedback or opinions are greatly appreciated!”

Evidently not.

@Ignatz took the time and provided you with some very constructive critical feedback as requested. Ok, so you might not agree with it, but in my opinion the points he raised are valid and worthy of consideration borne out of many years of experience (which you don’t yet have).

IMHO your “New concept for passwords” is very similar to other concepts already out there. I think it’s fantastic that you are thinking in this way, and coming up with these new ideas - just because others have thought of it before you doesn’t diminish it - it just means that they have had more time to think through the potential pitfalls. Now you could take this idea forward and develop it more, and you would likely encounter the same issues, or you could do as @Ignatz is suggesting and take this wealth of material that already exists, read it, digest it and push it on further. As Isaac Newton said “If I have seen further it is by standing on the shoulders of giants.”

Another example of people looking at gesture recognition is for securing mobile devices is https://www.msu.edu/~shahzadm/publications/mobicom2013.pdf - although they don’t use circles this is a related take on the problem you are proposing to solve.

22

@West - exactly, the intention is not to criticise @SkyTheCoder for having ideas, but just to warn him that thousands of very smart people have been working on this stuff for many decades, and it is extremely unlikely that amateurs like us will come up with something that hasn’t been thoroughly explored.

It is still fun to play with ideas like this - and I’ve certainly played with logins and encryption in the past - but security cracking skills are so advanced that any amateur scheme can be destroyed very easily.

I saw another great quote by Phil Zimmernam, creator of PGP, the famous open source public key encryption software. This guy is a top security expert.

From Introduction to Cryptography (Page 54):
*"When I was in college in the early 70s, I devised what I believed was a brilliant encryption scheme. A simple pseudorandom number stream was added to the plaintext stream to create ciphertext. This would seemingly thwart any frequency analysis of the ciphertext, and would be uncrackable even to the most resourceful government intelligence agencies. I felt so smug about my achievement.

Years later, I discovered this same scheme in several introductory cryptography texts and tutorial papers. How nice. Other cryptographers had thought of the same scheme. Unfortunately, the scheme was presented as a simple homework assignment on how to use elementary cryptanalytic techniques to trivially crack it. So much for my brilliant scheme.

From this humbling experience I learned how easy it is to fall into a false sense of security when devising an encryption algorithm. Most people don’t realize how fiendishly difficult it is to devise an encryption algorithm that can withstand a prolonged and determined attack by a resourceful opponent."*

Anyway, even if we are just rank amateurs, we can still have a lot of fun with this stuff, and I suggest you keep doing that, @SkyTheCoder.

23

What about subliminally(?) learning a sequence of notes Since music is easier to remember than numbers(not my idea)

24

@Coder - they still end up as numbers in a computer - and most people would choose popular tunes, making them easy to crack

25

@West I am open to feedback and opinions, just not when it’s about something I can’t control. It appeared that I was being criticized on the authentication and saving, instead of the GUI and the concept.

@Ignatz This was only supposed to be a step up from PINS, where you can only have 4 characters, it was not supposed to be some super-secure kind of password that you can use for everything important, and that no one could crack.

If you want to see my progress on encryption, try to decode this:

o10v44C35J42Q36X40e31k29r27y61F36M40T43Z45g46n43u34B40I28O31V48c39j11q36x43D49K33R40Y17f44m39t28z43G18N47U42b48i63o36v40C11J41Q30X30d31k27r30y17F30M39S11Z40g43n45u30B48I34O41V27c42j41q40x43D45K40R42Y29f62m27s37z44G42N39U48b43h37o29v44C34J39Q30X40d19k30r41y29F42M63S40Z48g40n61u48B40H47O12V31c43j35q43w41D44K48R39Y41f44m47s45z35G42N39U36b12h11o39v12C39J12Q46W31d53k62r11y56F40L18S49Z40g42n38u30B37H41O12V42c39j36q30w40D30K36R39Y37f43l40s31z12G35N32U40a54h63o30v26C39J39Q44W28d48k35r61y42F40L44S55Z43g34n17u30A49H13O48V29c43j39p41w63D46K46R11Y36f18l45s40z46G11N31U44a36h31o27v39C38J30P28W31d40k61r47y40E12L47S30Z53g61n30u29A41H43O55V39c42j12p41w19D44K35R35Y44e43l45s40z18G43N39T27a44h53o62v11C48J57P41W4d62k29r26y40E13L63S48Z42g39n30t35A63H35O43V39c42i44p47w44D35K39R29Y39e41l36s43z28G34N43T26a44h39o42v42C35I30P49W40d30k38r40x37E45L47S62Z28g47n12t49A44H40O36V42c46i30p49w40D43K26R27X43e41l18s30z45G45M62T37a41h42o43v45C44I36P44W40d43k61r40x22E63L10S30Z11g48m40t40A63H46O45V11b40i30p13w35D29K11R48X62e36l57s40z13G55M18T44a29h48o42v61B35I41P28W30d38k47q40x45E19L18S11Z42g18m12t49A40H18O61V29b30i43p12w48D11K47Q40X40e45l39s39z28F35M45T31a42h43o38v48B33I41P27W62d38k48q40x31E40L40S17Z61f46m30t13A40H52O61U30b40i45p22w22D29K18Q30X13e40l42s42z26F43M36T63a39h47o39u36B45I47P46W30d47j40q12x40E30L36S39Z30f42m41t44A27H47O39U46b13i32p44w34D61J36Q57

No, really. Try to decrypt it, I want to know how hard it is to crack. It’s lorem ipsum. And use a program to procedurally decrypt it, not just by hand.

26

@SkyTheCoder i agree that more abstract passwords (pictures,music,movements) are easier to remember and (maybe not) harder to crack. And the encrypted text, does for example a always stands for b or does it change each time or is that part of the challenge :-/

27

@Coder That’s part of the challenge, but I’m testing out a new “progressive seed” option where a character in one spot could be different from a different character in another spot, i.e. 47 could mean “h” in one spot and “i” in another.

28

@SkyTheCoder, this is encrypted with AlphaCoSi, right?

29

@SkyTheCoder - I’m not going to try to decrypt your text, because “Lorem ipsum” is far too small a text to work with, and also, I’m not a cryptananalyst.

If you are really interested in security and cryptography, I strongly suggest you look at one of the several MOOC courses on it, or that you read a lot (and I mean a lot) about it, including all the math. Then learn how to crack security systems so you know what to avoid in your own.

The following quotes from experts support this view. I’m including them not to beat you over the head, but because I find all of this very interesting and worth sharing. I’ve been where you are.

Schneier: When someone hands you a security system and says, “I believe this is secure,” the first thing you have to ask is, “Who the hell are you?” Show me what you’ve broken to demonstrate that your assertion of the system’s security means something.

…and from experts on crypto.stackexchange.com - comments in response to someone’s “new” system


All amateur encryption schemes are insecure. Professional schemes may, or may not, be insecure but the amateur ones always fail. The fact that you are asking this question indicates that you are an amateur.

To answer your question “After implementing a novel encryption algorithm, how would one go about analyzing its security”, well, the easy answer is “no, it’s not secure”. The reason I can confidently give that answer is that you’re a newbee, and newbee ciphers are never secure (unless they are massively overcomplicated; it doesn’t sound like that’s the case). A newbee is about as likely to create a secure cipher as a blind man would be to paint a good piece of art; neither has any reference as to what works and what doesn’t.

If you want to learn how to be an expert in cryptography, the way to learn is not to design cryptoalgorithms; instead, the way to learn is to break cryptoalgorithms. If you want to get professional review of an algorithm, well, the most reliable way would be to pay for it; however, it’s unlikely you’d learn much from it (at least, you won’t learn nearly as much as you would if you broke it yourself)

I recommend taking a read through Applied Cryptography by Bruce Schneier. Cryptography Engineering coauthored by Bruce Schneier is a more modern read and you will probably get more useful information out of it.

To know whether a given encryption system is secure, cryptographers use the following recipe:

They publish the system: complete algorithm description and sample implementation with test vectors (the code is not the description; the description should make no assumption on the involved programming language, and yet be sufficient to reimplement it perfectly in any language).
They lure other cryptographers into gnawing at it and try to break it. The “luring” is about making the algorithm interesting, either through a some kind of mathematical novelty in the structure (e.g. a reduction proof with regards to a well-known hard problem) or impressive performance (see below).
After enough time and work, if the cryptographers found nothing bad to say about the algorithm, we can begin to say that it may be worthwhile to consider in future protocol designs.

Let me stress that “enough time” means “at least five years and one hundred cryptographers”.

Is your algorithm secure against Linear Cryptanalysis? Is your algorithm secure against Differential Cryptanalysis? Both of those you can check yourself by running Linear or Differential attacks. Alternatively, publish your algorithm in a public forum devoted to cryptography, for example, sci.crypt on Usenet. Expect it to get torn to shreds by experts. Post the algorithm. Don’t post cyphertext only; if you do it will just confirm that you don’t understand Kerckhoffs’s principle

“I remember a conversation with Brian Snow, a highly placed senior cryptographer with the NSA. He said he would never trust an encryption algorithm designed by someone who had not earned their bones by first spending a lot of time cracking codes.”

So security is really, really, really, really hard. Have fun, but don’t fool yourself you’re inventing the next big thing.