> > > > I think you guys have lost track of the whole purpose of the
> > > > Turing number. It is to prevent automated trials by ensuring that
> > > > a human being is there. What you are proposing amounts to an
> > > > additional or longer passphrase and in no way excludes automated
> > > > trials any more than the simple number now being used.
> > >
> > As Mr. Van den Berghe demonstrated, it's much more difficult to crack
> > than a longer passphrase.
>
> I won't argue the security/passphrase issues. They have been hashed
> over on this list ad infinitum. My point remains: the purpose of the
> Turing number is not security per se but to eliminate automated
> trials. How well the Turing number actually does this is
> irrelevant. This proposal does not serve to advance that purpose.
Hi Craig, all,

My proposal eliminates automated trials very well because it makes them totally useless. That's basically the big advantage of the "2 hurdle" concept I am proposing. I am not going to discuss passphrase issues, cryptocards, etc., which have probably been discussed ad nauseam already. But I want to point out the big advantage of a 2 hurdle system.

Automated trials need only one thing to work: if you can make sufficiently many attempts to crack a passphrase, you are bound to succeed after trying long enough (which may be very long of course, depending on the speed of your system). With my proposal you cannot crack my account even if you have an infinitely fast computer and as much time as you want. Why? The 1st hurdle to take is the original passphrase. If you get that one right (after numerous attempts), you still have to take out the 2nd hurdle: my Turing return algorithm. On this second hurdle we can limit the number of attempts (e.g. 2); that's what makes this concept vastly superior to a 1 hurdle system with a longer passphrase.

Let's look at a few different possibilities from the hacker's point of view. Facing the 2 hurdles, the hacker has to do automated bets on both the passphrase and the Turing return code (we assume here that the hacker has found a way to read the Turing number automatically, which is not very difficult to achieve).

Scenario 1: passphrase wrong, Turing return wrong -> the hacker gets a "failed login" message.

Scenario 2: passphrase wrong, Turing return correct -> the hacker gets a "failed login" message. He has no way to know that he got the Turing return code right. The hacker can get the Turing return code right many times; he doesn't know it.

Scenario 3: passphrase correct, Turing return wrong -> the hacker gets a "failed login" message. He has no idea that he guessed the passphrase correctly, so he goes on trying with other passphrases and Turing return codes. Optionally the user of the account receives an automated email that his passphrase has been broken once; this allows him to change it.

Scenario 4: the hacker gets the passphrase correct for a 2nd time (after many more attempts), but very likely the Turing return will be wrong again -> the hacker gets a "failed login" message. Again he has no idea that the passphrase has been guessed correctly. Optionally the user of the account gets a second warning email, and again optionally the account can be locked for 24 hours.

Scenario 5: once the account is locked for 24 hours, the hacker always receives a "failed login" message even if he gives the passphrase and Turing return code correctly. So, again, he does not realise that the account is locked because he successfully cracked the passphrase before.

As we can see, the hacker is always in the dark about eventual partial success. That's how this system makes automated trials totally useless. It is very unlikely that the automatic trial guesses the Turing return code correctly on the first 2 successes it gets on the passphrase. Eventually, after enough trials, it will get both the passphrase and the Turing return correct, but it is almost certain that the account is locked already when that happens. We can effectively make a foolproof system with this 2 hurdle concept. An added bonus is that this system also offers protection when your passphrase is stolen.

It does not really matter what is used as the 2nd hurdle; it can be a Turing return algorithm, a "what is the name of your pet animal?" kind of question, or any other intermediate-security, easy-to-remember thing (we don't need very high security on the 2nd hurdle because we have effectively limited the number of successful bets you can make here to 2). I prefer the Turing return algorithm, because it gives extra protection. You may be looking over my shoulder when I key in the Turing response; you probably still cannot guess my algorithm.
As you can see: many advantages, without the need for a more complicated login or remembering a 2nd passphrase. You don't need any cryptocard or whatever. The cryptocard can be lost. The Turing return algorithm can be kept quite simple, so no need to write it down. This means that, unless you can scan my brain (you could try with hypnosis...), you cannot crack my account, even if you know my passphrase and have a quantum computer.

Danny
http://two-cents-worth.com/?102468&EG
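The 2 hurdle login check from Danny's post, written up as an added Python example (not code from the post or from e-gold): it returns the same "failed login" message in every non-success case, counts correct-passphrase/wrong-return hits, warns the user, and locks the account for 24 hours on the 2nd hit. It assumes a SHA-256 passphrase hash, a caller-supplied `turing_fn` standing in for the user's secret Turing return algorithm, and a `warnings` list standing in for the warning emails.

```python
import hashlib
import hmac

# Added example of the "2 hurdle" login check; not code from the post or e-gold.
# Limits are the post's optional suggestions (2 hits, 24-hour lock).
MAX_PASSPHRASE_HITS = 2        # lock on the 2nd correct passphrase with wrong return
LOCK_SECONDS = 24 * 3600       # optional 24-hour lock
FAILED = "failed login"        # the one message every non-success case returns


class Account:
    def __init__(self, passphrase, turing_fn):
        # turing_fn is the user's secret Turing return algorithm (assumption: any callable)
        self.pass_hash = hashlib.sha256(passphrase.encode()).hexdigest()
        self.turing_fn = turing_fn
        self.passphrase_hits = 0       # correct passphrase but wrong Turing return
        self.locked_until = 0.0        # epoch seconds; 0 means not locked
        self.warnings = []             # stands in for the warning emails to the user


def login(acct, passphrase, turing_number, turing_return, now):
    """Check both hurdles; only a fully correct, unlocked attempt returns 'success'."""
    pass_ok = hmac.compare_digest(
        acct.pass_hash, hashlib.sha256(passphrase.encode()).hexdigest())
    ret_ok = hmac.compare_digest(str(acct.turing_fn(turing_number)), str(turing_return))
    if now < acct.locked_until:
        return FAILED              # scenario 5: locked, so even a correct pair fails silently
    if pass_ok and not ret_ok:
        # scenarios 3 and 4: count the hit, warn the user, lock on the 2nd hit
        acct.passphrase_hits += 1
        acct.warnings.append(f"passphrase guessed {acct.passphrase_hits}x at t={now}")
        if acct.passphrase_hits >= MAX_PASSPHRASE_HITS:
            acct.locked_until = now + LOCK_SECONDS
        return FAILED
    if pass_ok and ret_ok:
        acct.passphrase_hits = 0   # the real user got in; reset the counter
        return "success"
    return FAILED                  # scenarios 1 and 2: passphrase wrong, return irrelevant


def demo():
    """Walk the post's five scenarios on a constructed account; returns the messages."""
    acct = Account("correct horse", lambda n: (2 * n + 1) % 1000)  # constructed secret rule
    out = [login(acct, "wrong", 123, 999, 0),                     # 1: both wrong
           login(acct, "wrong", 123, 247, 0),                     # 2: return right, passphrase wrong
           login(acct, "correct horse", 123, 0, 0),               # 3: passphrase right, return wrong
           login(acct, "correct horse", 456, 0, 1),               # 4: 2nd hit -> 24-hour lock
           login(acct, "correct horse", 789, 579, 2),             # 5: fully correct but locked
           login(acct, "correct horse", 789, 579, LOCK_SECONDS + 2)]  # lock expired
    return out, acct
```

Note that the attacker-facing return value is identical for scenarios 1 through 5; only the server-side `warnings` and `locked_until` change, which is exactly the information the post says the guesser never sees.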