Bill Cheswick: Johnny Can Obfuscate (Discussion)
July 14, 2006 by Ping

Bill suggested that logins could be strengthened against eavesdropping attackers by using a challenge-response login simple enough to compute in your head. Your secret might be an algorithm like “count the number of vowels in the challenge, add the third digit that appears in the challenge, and use the sum modulo 10 as the second digit in your answer”. Your answer might contain lots of other chaff, like “bb73jnsxi9ehl;3”, so that it is hard for an attacker to figure out your algorithm. Your answer might also use some of the conventions from baseball signaling (characters that mean “ignore the next character”, “the next character is the answer”, or “cancel everything so far”).
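The following is an added example, not code from the post or from Bill's talk: a verifier for the secret rule described above, including the baseball-style signaling conventions. The control characters `!`, `@` and `#` are assumptions (the post names the conventions but not the characters), as is treating a missing third digit in the challenge as 0 and reading "second digit" as the second digit that appears in the response.

```python
VOWELS = set("aeiou")

# Assumed control characters for the signaling conventions in the post.
IGNORE_NEXT = "!"   # "ignore the next character"
ANSWER_NEXT = "@"   # "the next character is the answer"
CANCEL_ALL = "#"    # "cancel everything so far"


def expected_digit(challenge: str) -> int:
    """The secret rule: (#vowels + third digit of the challenge) mod 10."""
    vowels = sum(1 for c in challenge.lower() if c in VOWELS)
    digits = [int(c) for c in challenge if c.isdigit()]
    third = digits[2] if len(digits) >= 3 else 0  # assumption: missing digit counts as 0
    return (vowels + third) % 10


def extract_answer(response: str):
    """Apply the signaling conventions to the response and return the answer digit.

    An explicitly marked answer (ANSWER_NEXT) wins; otherwise the answer is the
    second digit among the characters that survive the filtering. Returns None
    when no answer can be found, so the caller rejects the login.
    """
    kept, marked, i = [], None, 0
    while i < len(response):
        c = response[i]
        if c == CANCEL_ALL:
            kept, marked = [], None        # discard everything seen so far
        elif c == IGNORE_NEXT:
            i += 1                         # skip the following character
        elif c == ANSWER_NEXT:
            i += 1
            if i < len(response) and response[i].isdigit():
                marked = int(response[i])
        else:
            kept.append(c)
        i += 1
    if marked is not None:
        return marked
    digits = [int(c) for c in kept if c.isdigit()]
    return digits[1] if len(digits) >= 2 else None


def verify(challenge: str, response: str) -> bool:
    """Server-side check: the answer hidden in the response must match the rule."""
    return extract_answer(response) == expected_digit(challenge)


if __name__ == "__main__":
    # Constructed challenge chosen so that the post's sample response is valid.
    print(verify("rt1235", "bb73jnsxi9ehl;3"))  # True: digits 7,3,9,3 -> second is 3
    print(verify("Q7a4k9e2", "b7x3#q5w1"))      # True: '#' cancels, then 5,1 -> 1
```

Note that the chaff only hides the algorithm from an eavesdropper; the verifier accepts any response whose effective digit matches, so a single guessed digit passes one time in ten, which is the kind of risk the support-cost and bank-adoption discussion below has to weigh.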
Given this list of challenges and responses, can you figure out the secret?
We discussed how realistic something like this would be: what kinds of users would be able to use it or would want to use it, whether banks would go for it, how support costs would be affected, and so on.