Reply to post: Files as passwords

'Password rules are bullsh*t!' Stackoverflow Jeff's rage overflows

Saul Dobney

Files as passwords

We're going in this direction, but basically make the password equivalent to uploading a file. It could be a proper security certificate, but for ease of use it could also be an image file which would be easier to recall for the user, and easier than continually setting up certs. That would make cracking hashes from a stolen database file practically impossible.

Users could then store the key files/images in an encrypted folder locally which means attackers would have to have the folder plus the encryption password for each user.

For additional security a small bit of client-side code could hash the URL (offer unique URLs for login) with the key file and only send the hash - that way the receiving server never sees the actual key-file after the account set up, so spoof sites phishing can't sit and harvest password attempts to use later to compromise accounts.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019