Is "password knocking" a good idea?

  • With port knocking, you have to "knock" on specific ports in defined order to expose a port on which service is running.

    How about password knocking? For example you have three passwords: A, B and C. None of them is correct by itself, but entered one-by-one in this order they will grant you access.

    Some scenarios to make this idea clearer:

    Scenario 1.

    • You: Password A.
      • Server: Invalid password.
    • You: Password B.
      • Server: Invalid password.
    • You: Password C.
      • Server: Password accepted.

    Scenario 2.

    • You: Password A.
      • Server: Invalid password.
    • You: Password C.
      • Server: Invalid password.
    • You: Password B.
      • Server: Invalid password.

    Scenario 3.

    • You: Password A.
      • Server: Invalid password.
    • You: Password B.
      • Server: Invalid password.
    • You: Password B.
      • Server: Invalid password.
    • You: Password C.
      • Server: Invalid password.

    Scenario 4.

    • You: Password A.
      • Server: Invalid password.
    • You: Password A.
      • Server: Invalid password.
    • You: Password B.
      • Server: Invalid password.
    • You: Password C.
      • Server: Password accepted.

    I can't think of any drawbacks of this method over regular single password login. Moreover, it makes dictionary attacks exponentially harder with each added password.

    I realize it's security by obscurity and doesn't abolish the need for strong passwords. Password sequence itself is as strong as a concatenation of passwords used. Added security in this method comes from unexpectedly complex procedure.

    Is it a good idea? Is it a better idea than classic password?

    From a user's perspective it is very frustrating if, say, you misspell one of the passwords. It will get difficult to know which one went wrong: A, B or C.

    What does this method obscure that traditional passwords don't, and why do you think it's more secure? It seems to me that it's no more secure than if you just had a single password that was the concatenation of `A`, `B`, and `C`. At the same time, I don't see why it would be any less secure.

    @Justin unless the attacker knows that I'm using this kind of additional protection he will try each password only once and will most likely never find correct password sequence.

    comments are not for extended communication.

    @RoryAlsop I'm a regular user on StackOverflow, but new to this site. I'm confused by your response, and wondering whether it's applicable to all SE sites or just this one. From what I can see, your comment followed exactly 3 comments that appear (to me) to be on-topic and contributing to the discussion. That seems different than is expected on SO. Am I missing something? (Note: not a sarcastic question at all.)

    @mbm29414 I'm confused as well, and a normal user of SA. The best I can figure is that some comments were deleted, and Rory Alsop left a comment saying as to why. As to whether or not this is a good idea over a classic password, it would probably depend on your "knocking" system. Is it accumulative until pass, or does it reset each time? Basically, it won't let you in until you have A,B, and C in that order, and A, B, B, C should not work. I'm not sure how you would implement that, but if you're going to do it, that seems the most secure route.

    @gronostaj one should not rely on security through obscurity

    If your aim is to prevent dictionary attacks, what's wrong with a password policy? http://security.stackexchange.com/questions/3248/recommended-policy-on-password-complexity Also, if you already *have* a proper password policy that's resistant to dictionary attacks (that's the whole point of the policy), then why the need to add this extra obscure "password knocking" procedure?

    As @tar observed, you should not rely on security through obscurity. And by the way, it wouldn't be very much obscured; how are your users going to know to keep inserting passwords? Because you tell them. Now this does not seem a very difficult piece of information to obtain after all! :)

    A regular password is just 'character knocking'. You have to put some characters in the right order...

    mbm - many, many comments were deleted.

    If you're looking for enhanced security, it would be better to use a two-step authentication method, e.g. send an authorization code to a user's mobile device or email address.

  • Mark (correct answer, 6 years ago)

    The system outlined in the question is actually weaker than simply requiring a single password of length A+B+C, because it permits a class of attacks that can't be used against single passwords:

    Say your three-password combination is E F G. An attacker can send the passwords A B C D E F G, making five attacks (A B C, B C D, C D E, D E F, and E F G) for the price of two. The general term for this is a de Bruijn sequence, and it lets you attack any state-based system (such as a digital lock) using far fewer tries than there are possible combinations.

    +1, none of the other answers emphasize that this scheme is weaker than a normal password of the same (total) length.

    The OP's scheme doesn't have a security hole by definition since they didn't mention implementation, although I bet most people would overlook this. +1 for noting this. However, if you implement it to reset the variables for the last three passwords every three passwords (so password1, password2, password3, evaluate, clear, repeat), it could be more secure (from an obscurity perspective).

    The post mentions that `A A B C` works, meaning it's got a rolling window of "last three passwords" rather than resetting after a group of three. This is sufficient to make it vulnerable to sequence-based guessing.

    I disagree that the scheme is weaker. A de Bruijn sequence gives a 3x speedup, however adding two splits into the password gives us a `(|A+B+C| over 2)` slowdown. (Which is 28 for a password of 6 characters)
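    Worked example, added here and not code from the question, Mark's answer or any commenter: it models the server implied by the four scenarios as a rolling window over the last three submitted passwords (so A A B C is accepted, A B B C is not), adds the reset-every-three variant raised in the comments, and then runs the de Bruijn-sequence attack Mark describes against both. The ten-word dictionary, the secret sequence and the `KnockVerifier` / `attack_sequence` names are constructed for illustration and are not from the page.

```python
"""Rolling-window 'password knocking' verifier and a de Bruijn-sequence attack.

Added example (not the original poster's code). The dictionary, the secret
sequence and all names below are constructed for illustration.
"""
from collections import deque
from itertools import product


class KnockVerifier:
    """Accepts when the last len(secret) submitted passwords equal secret.

    rolling=True  -> the window slides one entry per attempt, which is the
                     behaviour the question's Scenario 4 (A A B C accepted) implies.
    rolling=False -> the buffer is evaluated and cleared every k attempts,
                     the variant suggested in the comments.
    """

    def __init__(self, secret, rolling=True):
        self.secret = tuple(secret)
        self.k = len(self.secret)
        self.rolling = rolling
        self.buffer = deque(maxlen=self.k)   # keeps only the last k entries
        self.attempts = 0

    def submit(self, password):
        """Return True if this submission completes the secret sequence."""
        self.attempts += 1
        self.buffer.append(password)
        if self.rolling:
            return tuple(self.buffer) == self.secret
        if len(self.buffer) < self.k:        # reset variant: wait for a full group
            return False
        ok = tuple(self.buffer) == self.secret
        self.buffer.clear()                  # evaluate, then start a fresh group
        return ok


def run_scenario(secret, submissions, rolling=True):
    """Server replies (True = 'Password accepted') for each submission in turn."""
    v = KnockVerifier(secret, rolling)
    return [v.submit(p) for p in submissions]


def de_bruijn(alphabet_size, window):
    """Cyclic de Bruijn sequence B(alphabet_size, window), as symbol indices.

    Every one of alphabet_size**window possible windows appears exactly once
    when the sequence is read cyclically (standard recursive construction).
    """
    a = [0] * (alphabet_size * window)
    sequence = []

    def db(t, p):
        if t > window:
            if window % p == 0:
                sequence.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, alphabet_size):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return sequence


def attack_sequence(dictionary, window):
    """Linear guess list of length n**k + k - 1 containing every k-tuple over the dictionary.

    Appending the first k-1 symbols of the cyclic sequence makes the wrap-around
    windows appear in the linear version too.
    """
    idx = de_bruijn(len(dictionary), window)
    idx = idx + idx[:window - 1]
    return [dictionary[i] for i in idx]


def windows_covered(seq, window):
    """Set of distinct length-`window` windows in a linear sequence."""
    return {tuple(seq[i:i + window]) for i in range(len(seq) - window + 1)}


def attack_rolling(dictionary, secret):
    """Feed the de Bruijn guess list to a rolling-window server; attempts until accepted."""
    v = KnockVerifier(secret, rolling=True)
    for guess in attack_sequence(dictionary, len(secret)):
        if v.submit(guess):
            return v.attempts
    return None   # cannot happen if secret is drawn from the dictionary


def attack_reset(dictionary, secret):
    """Against the reset variant every k-tuple costs k submissions: up to k * n**k."""
    v = KnockVerifier(secret, rolling=False)
    for combo in product(dictionary, repeat=len(secret)):
        for guess in combo:
            if v.submit(guess):
                return v.attempts
    return None


if __name__ == "__main__":
    words = ["pw%d" % i for i in range(10)]            # constructed 10-word dictionary
    secret = ("pw7", "pw3", "pw9")                     # constructed secret sequence
    print("rolling window, de Bruijn attack:", attack_rolling(words, secret), "submissions")
    print("reset variant, exhaustive attack: ", attack_reset(words, secret), "submissions")
```

    With a ten-word dictionary and three-password sequences, the linear de Bruijn guess list is 10^3 + 2 = 1002 submissions long and contains every ordered triple, so the rolling-window server accepts within 1002 submissions; against the reset variant each triple costs three submissions, 3000 in the worst case, while a single password formed by concatenating three dictionary words costs at most 1000 guesses.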

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM