Skybuck Flying
2009-05-17 00:19:47 UTC
Hello,

A member of the Dutch government had an interesting idea:
"He wants to create a universal login", meaning: "People can log in at different companies, government sites, services/whatever, so that they don't have to remember all kinds of different logins/passwords". Furthermore he says it's becoming a problem... it's like the digital equivalent of having a "big bundle of keys".

I was wondering how such a system could be implemented without actually revealing my password. Me having a littttle bit of experience with encryption, one idea which somebody else once told me... I think it was Tom... said to do the following:

Simply add some extra information to the key and then hash it. I think this could be a good idea... it might make the key a little bit less strong.. but so far it's the best I can quickly think of.

So this basic idea can be further expanded into the following idea:

Each company/government/service/whatever adds its own text to the key. This would need to be done at the user side. The user then supplies his key... adds the necessary text... and hashes it... this hash is given to the government/company/service... each time they need it...

So from the user perspective the idea looks as follows:

User Side = Government/Company/Service Side:
Hash( "User password" + "Company Name" ) = Stored Hash.

Now for a real world example:
(I would prefer the Tiger hash but ok, maybe there are stronger hashes out there ;))

User Side = Government/Company/Service Side:
SomeHash ( "MyGreatPassword" + "DutchGoverment" ) = 46546465khgkwhertgkwherk
SomeHash ( "MyGreatPassword" + "GreatCompany" ) = hfhertyertyer45678901234
SomeHash ( "MyGreatPassword" + "GreatService" ) = dhh465herh4747herht47546

This way only I know the real password... the government/companies and services only know the hashes that come out of it...
So they can compare that against what I supply... if it matches they know it's me/the real thing!

Seems like a pretty good idea to me...
What do you encryption and/or hashing experts think of it? ;) :)

This idea could also be expanded to websites and e-mail and simply everything... but then I would become a little bit worried about what happens if somebody gets hold of all/many of the hashes... then maybe it could become a little bit easier to reverse the hash and discover the password + text?!?

So far I already like this idea better than just providing a real password to a website... since that might leak information about my kind of passwords... and maybe even other information... ;)

Also let me/us (:)) know if you have any other much better ideas for a universal login! ;)
Bye,
Skybuck.
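The scheme in the post, written out as an added Python example (this is not Skybuck's code, nor anything from the Dutch government proposal). `simple_site_hash` is the literal idea: the client hashes password + service name and only the digest ever leaves the user's machine; SHA-256 stands in for the post's "SomeHash"/Tiger because Python's hashlib has no Tiger. `kdf_site_hash` is my generalisation of the same idea, using PBKDF2-HMAC with the service name as the salt, which addresses the worry at the end of the post: if many digests leak, every guess at the master password then costs the full iteration count per service instead of one fast hash. `ServiceAccountStore` is the service side, which stores and compares digests and never sees the password. The usernames, service names and password strings are constructed sample values.

```python
import hashlib
import hmac

# Literal version of the post's idea: the client computes
# Hash("User password" + "Company Name") and sends only the digest.
# SHA-256 stands in for the post's "SomeHash"/Tiger (assumption).
def simple_site_hash(password: str, service_name: str) -> str:
    data = (password + service_name).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


# Generalised version (mine, not from the post): a deliberately slow
# key-derivation function with the service name as the salt. The salt
# separates the per-service digests just like the appended text does,
# and the iteration count makes each password guess expensive.
DEFAULT_ITERATIONS = 100_000

def kdf_site_hash(password: str, service_name: str,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    derived = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        service_name.encode("utf-8"),   # per-service salt
        iterations,
    )
    return derived.hex()


# Service side: keeps the digest handed over at enrolment and compares
# it in constant time at login. The master password is never stored,
# transmitted to, or known by the service.
class ServiceAccountStore:
    def __init__(self, service_name: str):
        self.service_name = service_name
        self._stored: dict[str, str] = {}

    def enrol(self, username: str, site_hash: str) -> None:
        self._stored[username] = site_hash

    def verify(self, username: str, site_hash: str) -> bool:
        expected = self._stored.get(username)
        if expected is None:
            return False
        # hmac.compare_digest avoids leaking the match length via timing.
        return hmac.compare_digest(expected, site_hash)


def demo(iterations: int = 20_000) -> dict:
    """Walk the post's three services through enrolment and login.

    Returns a dict of observations so the outcome can be checked
    programmatically. The iteration count is lowered for the demo.
    """
    master_password = "MyGreatPassword"          # constructed sample
    services = ["DutchGoverment", "GreatCompany", "GreatService"]
    username = "skybuck"                          # constructed sample

    # Client side: one digest per service, derived from the one password.
    digests = {s: kdf_site_hash(master_password, s, iterations) for s in services}

    # Each service enrols only the digest meant for it.
    stores = {s: ServiceAccountStore(s) for s in services}
    for s in services:
        stores[s].enrol(username, digests[s])

    # Login at one service with the correct password, then with a wrong one.
    login_ok = stores["GreatCompany"].verify(
        username, kdf_site_hash(master_password, "GreatCompany", iterations))
    wrong_password_ok = stores["GreatCompany"].verify(
        username, kdf_site_hash("NotMyPassword", "GreatCompany", iterations))

    # A digest stolen from one service does not log in at another,
    # because the service name is part of the derivation.
    cross_service_ok = stores["GreatService"].verify(username, digests["GreatCompany"])

    return {
        "all_distinct": len(set(digests.values())) == len(services),
        "login_ok": login_ok,
        "wrong_password_ok": wrong_password_ok,
        "cross_service_ok": cross_service_ok,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

One detail worth keeping in mind with the literal concatenation form: `"abc" + "def"` and `"ab" + "cdef"` hash to the same digest, so a service name that happens to be a prefix or suffix of another can collide with a different password/name pair. Feeding the service name in as a separate salt argument, as the PBKDF2 variant does, removes that ambiguity.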