CIYAM (OP)
Legendary
Offline
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
|
|
December 31, 2012, 06:07:00 AM Last edit: December 31, 2012, 08:20:54 AM by CIYAM Pty. Ltd. |
|
After some brainstorming about this whole difficult passphrase and keeping it safe I have come up with the following: http://ciyam.org/memory_key.htmlPlease note that the form doesn't actually post anything to my or any other website and of course it can be run offline. R21L03A251E16Y72D03E13O122X21R19F31Z34
|
|
|
|
CIYAM (OP)
Legendary
Offline
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
|
|
December 31, 2012, 06:12:30 AM |
|
|
|
|
|
John (John K.)
Global Troll-buster and
Legendary
Offline
Activity: 1288
Merit: 1227
Away on an extended break
|
|
December 31, 2012, 06:53:33 AM |
|
OMG Malaysia's actually listed! I noticed that a single change in the options does not change the entire code generated - i.e. 'avalanche effect'. Maybe V2 will impose elements like this? It's easy to identify the code as being generated by your website currently, and a bruteforce might be possible.
|
|
|
|
CIYAM (OP)
Legendary
Offline
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
|
|
December 31, 2012, 07:00:32 AM |
|
OMG Malaysia's actually listed! Yup - I have been there (at this stage it is a very personalised implementation although I have put some things in that are not from my real life). I noticed that a single change in the options does not change the entire code generated - i.e. 'avalanche effect'. Maybe V2 will impose elements like this? It's easy to identify the code as being generated by your website currently, and a bruteforce might be possible.
Yup - the script could be improved (this was just a sneak peek really to get some feedback) and of course the key could always be hashed. In regards to the brute forcing please check out just how many options there already are (the # of combinations possible is already huge and of course those options with less than 100 entries could be expanded so that it ends being equivalent to a traditional 12 character password) - also note that I plan to use this in combination with a small traditional password (or PIN) and to perform key hardening using an algorithm such a scrypt (and likely will be holding another competition to give it a real world *test*).
|
|
|
|
John (John K.)
Global Troll-buster and
Legendary
Offline
Activity: 1288
Merit: 1227
Away on an extended break
|
|
December 31, 2012, 07:16:57 AM |
|
... In regards to the brute forcing please check out just how many options there already are (the # of combinations possible is already huge and of course those options with less than 100 entries could be expanded so that it ends being equivalent to a traditional 12 character password) - also note that I plan to use this in combination with a small traditional password (or PIN) and to perform key hardening using an algorithm such a scrypt (and likely will be holding another competition to give it a real world *test*).
I know the combinations make it hard to bruteforce, but someone close to the target might have most of information handy - the region and event for example. Just another part of security I would say. Another feature I would suggest is the use of icons/photos as question choices to help facilitate memory retention. Seems easier for older people where their memory is like a sieve.
|
|
|
|
CIYAM (OP)
Legendary
Offline
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
|
|
December 31, 2012, 07:26:52 AM Last edit: December 31, 2012, 07:41:14 AM by CIYAM Pty. Ltd. |
|
I know the combinations make it hard to bruteforce, but someone close to the target might have most of information handy - the region and event for example. Just another part of security I would say. Of course a big part of the strength of a "memory key" must be that it is derived from an event that is very personal (i.e. don't pick "where was I on 9/11?" as the "hint" you would keep written down to reconstruct your key but instead pick something like "what was the color of that crazy dog that I threw a rock at?"). Even better use an event that *only* you know about (could even be one that happened in a dream or nightmare). Another feature I would suggest is the use of icons/photos as question choices to help facilitate memory retention. Seems easier for older people where their memory is like a sieve.
Yup - indeed I was thinking along the same lines (in another thread) - I think if others are interested in working on this then I might create a project for it on CIYAM Open and help fund it. Even elderly people with early dementia typically can remember childhood and adolescent memories quite well (so generally it would be a good idea for the more senior end users to tap into their older more stable memories).
|
|
|
|
mc_lovin
Legendary
Offline
Activity: 1190
Merit: 1000
www.bitcointrading.com
|
|
December 31, 2012, 08:29:46 AM |
|
I like it, you should allow the user to throw in an extra blob of text to input though to make it more secure. P.S.: I don't see Canada in there!
|
|
|
|
CIYAM (OP)
Legendary
Offline
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
|
|
December 31, 2012, 08:42:50 AM |
|
I like it, you should allow the user to throw in an extra blob of text to input though to make it more secure.
Thanks - suggestion noted (and also I think that the last select could have quite a lot more added to it). Other ideas I've also had were to include things like ISBN #'s for books or product codes (for DVDs, etc.) which would be included in some sort of bundled DB (as it needs to be used "offline") to try and make having to add anything "manually" hopefully unnecessary. P.S.: I don't see Canada in there! Sorry - haven't been there (yet) - but if we do end up starting up a project for this that will be right up there on the list!
|
|
|
|
CIYAM (OP)
Legendary
Offline
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
|
|
December 31, 2012, 09:42:02 AM Last edit: December 31, 2012, 10:05:02 AM by CIYAM Pty. Ltd. |
|
Just worked out a great way for being able to narrow your time down to a quarter hour (rather than just picking morning or afternoon)- find a photo from one of your holidays where something you remember clearly happened either just before or afterwards (but was not documented in any way) and use the time that the photo was taken. The hint would then be a clue to help you find the photo (so you can be sure to get be able to get the time and month exact) - even if someone worked out the photo the photo itself won't really give away anything other than the time (without having "been there").
|
|
|
|
CIYAM (OP)
Legendary
Offline
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
|
|
December 31, 2012, 12:50:58 PM |
|
A happy new years to all fellow Aussie Bitcoiners! Let's hope that 2013 will bring us a local exchange for AUD that can be relied upon and has *volume*.
|
|
|
|
greyhawk
|
|
December 31, 2012, 04:58:18 PM |
|
Huh, this works pretty well
|
|
|
|
Phinnaeus Gage
Legendary
Offline
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
|
|
December 31, 2012, 05:06:01 PM |
|
Another example, with the results after the equal sign (=) and in bold would be mine.
GENDER = M NUMBER of Children and their sex = 3G2B (2 by marriage, 3 via Oops!) ADDRESS (# + 1st Letter) = 406W SS1 or SS1R (R=reversed) (the first 3 digits of a US SS #) SS2 or SS2R (R=reversed) (the middle 2 digits of a US SS #) SS2R = 27 SS3 or SS3R (R=reversed) (the last 4 digits of a US SS #) Birthday (using the first letter of the month and no 0's with exception of the year available in various formats for other countries) = M41960 BIBLE Verse = J11 (John 1:1) YOUR Initials = BKJ (J = Jr.)
Thus, mine would be M3G2B406W27M41960J11BKJ
|
|
|
|
Gavin Andresen
Legendary
Offline
Activity: 1652
Merit: 2222
Chief Scientist
|
|
December 31, 2012, 07:38:16 PM |
|
How will you know if people tend to pick the same types of events, and, therefore, create big non-random clusters of choices that might be easily brute-forced? Taking an idea from https://gist.github.com/3840286... .... you could store a small number of bitcoin at private key = SHA256(memory_key), store the bulk of bitcoin at scrypt(Name+PIN+memory_key), and tell users to choose a new memory key if the SHA256(memory_key) coins are either ever spent or if that key ever gets funds from somebody else. Because that means somebody else chose the same memory key.
|
How often do you get the chance to work on a potentially world-changing project?
|
|
|
jago25_98
|
|
January 01, 2013, 12:33:44 AM |
|
Great to see.
For added bonus, make it for an event you would like to happen. You're basically creating a sigal, something from magick. Perhaps it will come true?! ;-)
|
Bitcoiner since the early days. Crypto YouTube Channel: Trading Nomads | Analyst | News Reporter | Bitcoin Hodler | Support Freedom of Speech!
|
|
|
CIYAM (OP)
Legendary
Offline
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
|
|
January 01, 2013, 01:19:33 AM |
|
How will you know if people tend to pick the same types of events, and, therefore, create big non-random clusters of choices that might be easily brute-forced?
Of course that is probably the biggest weakness of this type of system (and despite warnings some people will just go ahead and use "where was I on 9/11") although I think perhaps a small amount of training would possibly help a lot. .... you could store a small number of bitcoin at private key = SHA256(memory_key), store the bulk of bitcoin at scrypt(Name+PIN+memory_key), and tell users to choose a new memory key if the SHA256(memory_key) coins are either ever spent or if that key ever gets funds from somebody else.
Because that means somebody else chose the same memory key.
Good suggestion.
|
|
|
|
BkkCoins
|
|
January 01, 2013, 07:44:33 AM |
|
If you made this web page so you could seed it eg. when you access it (or when saved somehow) each choice is randomized then you could use this as a two-factor authentication. You would need the saved web page plus the knowledge to gain access since every other person should have a different randomized version of the page.
|
|
|
|
K1773R
Legendary
Offline
Activity: 1792
Merit: 1008
/dev/null
|
|
January 01, 2013, 07:46:16 AM |
|
How will you know if people tend to pick the same types of events, and, therefore, create big non-random clusters of choices that might be easily brute-forced? Taking an idea from https://gist.github.com/3840286... .... you could store a small number of bitcoin at private key = SHA256(memory_key), store the bulk of bitcoin at scrypt(Name+PIN+memory_key), and tell users to choose a new memory key if the SHA256(memory_key) coins are either ever spent or if that key ever gets funds from somebody else. Because that means somebody else chose the same memory key. nice one
|
[GPG Public Key]BTC/DVC/TRC/FRC: 1 K1773RbXRZVRQSSXe9N6N2MUFERvrdu6y ANC/XPM A K1773RTmRKtvbKBCrUu95UQg5iegrqyeA NMC: N K1773Rzv8b4ugmCgX789PbjewA9fL9Dy1 LTC: L Ki773RBuPepQH8E6Zb1ponoCvgbU7hHmd EMC: E K1773RxUes1HX1YAGMZ1xVYBBRUCqfDoF BQC: b K1773R1APJz4yTgRkmdKQhjhiMyQpJgfN
|
|
|
|