Typing your password into a website is increasingly risky, especially when logging in from a wireless device or an Internet terminal. The primary risk is interception of your login name and password by an eavesdropper, or by keystroke-capture spyware installed on the machine you are using without your knowledge. Fortunately there is a way to defend against this issue, and to protect your passwords from hackers in general. The concept is a “one-time password” and is based on the concept of a one-time pad that is used in cryptography.
A one-time password can only work once. After it is used once it expires. However, a sequence of one-time passwords may be defined in a manner such that it is easy for users to figure out what the next one-time password in the sequence is, without giving away private information.
For example, each one-time password in the numeric sequence could be determined as the result of dividing a secret number by n+1, where n is the previous divisor you used for the previous one-time password. So to generate the next one-time password all you need to know is your secret number and the last value you used for n. Then on paper or with a calculator (or in your head) — but NOT on the computer or device you are using — do the division to generate the next one-time password.
For example, let’s say your secret number is 555555.
You generate onetime passwords by dividing 555555 by n = 2, 3, … infinity.
So your first onetime password is 555555/2 = 277778 (rounding up the .5). Your second onetime password is 185185, and so on.
Each time you use a onetime password it expires and can never be used again.
In order to keep track of this, you would need to write down the last value of n you used, or record it somehow, so that you can remember it for the next time you need to generate a onetime password.
Online services and websites could either implement such systems on their own — or much better, they could integrate with a single onetime password management web service (so that you could have a single onetime password system for all your passwords). This central service could be called onetimepassword.com and would have an API that would enable any website to check whether the onetime password you entered at their site was valid. So let’s say you log in to your webmail somewhere, and enter your next onetime password as your password. Your ISP queries onetimepassword.com with your registered onetimepassword.com username (on file in your ISP account) and your onetime password for this session. Onetimepassword.com checks to see if the number is valid according to your secret number and current value for n, and returns either a “yes” or a “no” to your ISP.
This system works very well, but has one vulnerability: if a hacker were to intercept a long enough series of onetime passwords for a single user, they might be able to use brute force or other approaches to find a number series that fits the pattern, and thus infer what your secret number must be. There are several ways to protect against this:
– Use long secret numbers
– Change secret numbers frequently
– Generate values of n using a more sophisticated function. Instead of the next value of n being computed as the previous n plus 1, use a more complex equation for n values. For example, let n = a random number. The random number can be generated by simply visiting onetimepassword.com and asking for a random number. Next, either add, subtract, multiply or divide your secret number with this random number to generate your onetime password. Onetimepassword.com remembers all random numbers it has shown to all users in the last 60 minutes. It checks your new onetime password by adding, subtracting, multiplying and dividing your secret number by all random numbers it has shown in the last hour. If your new onetime password is a member of the set of results of those operations, it is considered valid. This method would make it impossible for a spy to apply a number-series attack to derive your secret number, because they would have no way of predicting n values for you; and even if they were able to eavesdrop on you and get a series of your n values, they would have no way of predicting your next n value, as long as you keep your secret number secret.
– For even more security, you could get your random number by making a phone call to an automated onetimepassword.com random number generator. Alternatively, you could use a portable random number generator that was time-synched with a random number generator at onetimepassword.com. This could fit on a credit card, for example. You could look at it to get your current random number, then simply divide your secret number by that number and type the resulting number in as your
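As an added example, not code from the original post, here is what the two checks described above look like in working form: the client-side division with the post's round-half-up rule, a server-side verifier that accepts only the password for the next n and then advances n so a captured password cannot be replayed, and the random-n variant checked against the numbers handed out in the last hour. The function and class names are my own.

```python
from dataclasses import dataclass
import hmac


def onetime_password(secret: int, n: int) -> int:
    """Client-side step: secret / n rounded half up, in exact integer
    arithmetic (555555 / 2 = 277777.5 -> 277778, as in the post)."""
    return (2 * secret + n) // (2 * n)


@dataclass
class SequentialVerifier:
    """Server side of the counter scheme: stores the user's secret and the
    last divisor n that was accepted, so each password is valid exactly once."""
    secret: int
    last_n: int = 1  # the first password uses n = 2

    def check(self, candidate: int) -> bool:
        expected = onetime_password(self.secret, self.last_n + 1)
        # compare as fixed strings so timing does not leak how close the guess was
        if hmac.compare_digest(str(expected), str(candidate)):
            self.last_n += 1  # advance: the same password is never accepted again
            return True
        return False


def random_variant_valid(secret: int, candidate: int, recent_randoms) -> bool:
    """Server side of the random-n variant: the password must equal the secret
    combined (+, -, *, or rounded /) with some random number issued recently."""
    for r in recent_randoms:
        if r == 0:
            continue  # a zero would make the division undefined; never issue it
        results = (secret + r, secret - r, secret * r, onetime_password(secret, r))
        if candidate in results:
            return True
    return False


if __name__ == "__main__":
    v = SequentialVerifier(secret=555555)
    print(v.check(277778), v.check(277778), v.check(185185))  # True False True
```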