My brother just finished all the projects for his first CS course. He seems to have enjoyed it, which is definitely good. As he finished early, he stated that he didn’t know what he would work on. Although there is a possibility that this statement was purely rhetorical, I proceeded to try to get him to think about what he could do.
The first program I built outside of class that could be used for anything was essentially a quiz/game-show program. It was extremely basic, but that’s all I could muster. (Come to think of it, I also built programs that would generate sequences of numbers or act as scripts, as I knew nothing of spreadsheets and had only passing experience with batch files. I really didn’t know much back then.)
In the middle of expressing that, my brother interrupted me, asking if I remembered the password protection program I built for my calculator in high school. I must admit that when he mentioned it I had no idea of what he was talking about. I dredged up a memory of the program. What initially came to mind was the fact that it didn’t really work. I did it in TI-86 Basic, so it only worked if the calculator turned off its display automatically as opposed to someone actually turning it off.
The part my brother remembered was much more interesting. I have no idea why I chose the specific algorithm. Perhaps I didn’t want to junk up my calculator with extra variables. Maybe the thought just struck me, and I had to try it. I don’t know.
Although the situation inferred that a valid password had to be entered, instead of entering a valid password, the user was required to enter the same string 3 times into the password prompt. Anyone that didn’t know the trick could try to guess or brute-force it, but why would anyone be willing to try the same sequence 3 times?
Come to think of it, this is pretty similar to a captcha. Pose a question that will not be answered correctly unless the person that attempts it has extra information about the problem to be solved.
I suppose that as long as no one has the key, it is as valid as any other approach to security. In a sense, this type of approach is just as effective as a password. Consider this; instead of entering a password, an algorithm is entered, defining a transformation that should occur to any input. The computer runs several test cases, assuring that the solution appears correct.
There are as many possible algorithmic transformations as there are possible passwords. The two approaches should theoretically provide the same level of security. On the other hand, the effective generation of these algorithmic passwords could be much more difficult for the average user. However, both methods could be combined to increase security.
As a matter of fact, something that seems equivalent exists; currently ssh can be configured to require both a password and a key. Although the key is not considered an algorithm per se, such security measures are very similar in expressive power to the algorithmic approach, albeit much more easy to set up.
One difference exists between the algorithmic/key/password approach and the program I built.
Requiring a user to enter 3 passwords correctly, while giving no positive confirmation would significantly increase protection from run of the mill password checkers. Of course, is such an approach actually more secure than having a password 3 times as long? Technically no, but practically, yes.
Security through obscurity. Although only a madman would rely entirely on it, if combined with a theoretically sound approach it can be extremely effective.