Plans with Passwords

Document Introduction

This Series & Dataroom - Anti-Hack Jobs

This document belongs to the dataroom of, Anti-Hack Jobs, of which in turn, belongs to Australian based KangaBytes as the owner and author of all content within this document.

The Anti-Hack Jobs advisory, is to advise in respect to, how best to protect the data of your customers, from hacking events.

The use of these tips, requires a license. Please visit the online dataroom at www.kangabytes.tips/pass.html for this information.

This Document - Plans with Passwords

This document focuses on, Passwords of the account user/ower. That is, what the every day, account user must operate, in order for that person to gain access to, their own account within the respective website service of which that person is seeking the access to.

In this respect, the focus is on, systems of passwords, of which will help to remove various types of hacking risks.

For the purpose and scope of Anti-Hack Jobs and this dataroom, a Password is an authentic access tool, of which the True-holder of that account needs to use, for that true-holder to gain access into their own account area.

QUINCYCLE - How it works

Opening Summary

How it works
• A person sets up a series of five passwords.
• Four of these passwords in a QuinCycle list, must be used across consecutive log in events.
• Once the account holder reaches the last password in this cycle-list, the next password after that, shall be the second password in the list, a following log in after that, the third password in the list gets used.
• Naturally, this cycle gets repeated, again and again for as many times as it happens.
• One of these passwords, is to be known as the wild-start password. {See the following List}

The Wild-Start password....
• This password, is the first of the five in a QuinCycle system, and, functions as the one in the list, of which the true-holder shall always make use of, whenever the true-holder has forgotten where they are within the QuinCycle.
• Should at any time, the true-holder, forget where they are within the cycle, the true-holder has this wild-start password to make use of.
• During the conversion of an older password system, such as from any pre-existing mono-password system, the existing mono-password used within that system is to become the Wild-Start password, after conversion to a QuinCycle system.

QuinCycle - Marketing & Pitching

Who will like this one

This will be very popular with everybody of who, both cares about their secuirty, and, know they can handle the memory of five passwords and so on.

QuinCycle - Wordings & Meanings

Lower case vs Upper case letters, does NOT in any way alter the meaning of the word.

QuinCycle

Means, the password system, of which is in turn, my advisory tip, focused on, a system of five passwords as described within this section of this document.

Stage Cycle & Cycle Stage & Cycle Tracker

To do with, the registration of, which QuinCycle is the current and valid QuinCycle to be used.

Stage Cycle means the system, or the whole cycle itself.

Cycle Stage means, or is used in respect to, a specific step in the cycle.

Cycle Tracker is, the system or memory feature, of which registers and tracks, as to which Cycle Stage, the user/account is currently located at.

Cycle Limit & Cycle Length means, the maximum quantity of passwords in a cycle. With, QuinCycle the Cycle Limit is Five.

WildStart & Wild-Start

Means a particular one of the five passwords, of which a True Holder will use, whenever that True Holder has forgotten as to which Cycle Stage they are currently at.

WildStart & Wild-Start are idetical in meaning to each other.

mono-password

A password system, of where, there is only one password, and for that one single password to be used, for each and every log in event.

QuinCycle - The Customer/User

When a new customer comes and opens up an account with that website, that customer shall only set one password, to get the account up and going with. This one password shall be the Wild-Start password.

All of the other QuinCycle passwords are to be set by the True-holder, later time.

The True-Holder setup

The True-Holder, goes to a page within their account area, and within that page, will set/update each one of their respective QuinCycle passwords, as the True-Holder currently does with their one password. Except that, now with QuinCycle being in place, there are now four extras of these password fields to be set.

Then during log in

The True-Holder then, simply enters the correct one of these four passwords into their password filed of the log in form.

During the log in process. The True-holder needs to remember as to which one of these four QuinCycle passwords, of which had been used during their previous log-in event, and, to remember as to which of their QuinCycle passwords follows that in respective sequence, and, to know, that following QuinCycle is the password to be used for this log-in event.

Should the True-holder be confused as to where they are within this cycle at any time, the True-holder will always use the wild-start password to log in with.

When the Wild-Start password gets used at any time, the True-holder will simply start from the start of the QuinCycle list.

To ensure easy access, for people with limited abilities, the Wild-Start password, shall never have any limit at all in how often it gets used.

QuinCycle - What you need

In the Account area
• An expanded password field, containing four additional {input type=password} tags.
• Where you are converting from a Mono-password system, you may as well use that Mono-Password, as the Wild-Start password for your QuinCycle list.

HTML Log in form
• Nothing needs to happen to the HTML form itself.
• You only need one single {input type=password} tag, just like you do today with any existing Mono Password system of which we currently use.

Log in Authenticator Script
• Frist off you need to check the password entry against the wild-start password. If yes, then reset the Cycle Tracker to zero, and authenticate the user.
• Next to do is, you need then, to check, the current location in the cycle, and then see if the password entry is a match with that particular QuinCycle password.
• If the previous point is a yes, then, Authenticate the user, then adjust the Cycle Tracker to one, not Zero, as the rules require.

Additional Database Table Columns You Need include:
• Extra colums to hold each of these extra passwords in. In MySQL four extra columns of either {TINYTEXT} or {CHAR(?)} should do.
• One column, to hold the cycle tracker, of which keeps track as to where in the cycle of which the True-holder is currently at. In MySQL, you need something like {DECIMAL(1,0)}, or {ENUM('0','1','2','3','4')}.

QuinCycle - Alturnate Options & Ways

Custom Cycle-length

One option you may have, to the QuinCycle plan is, to give the True-holder the ability to choose as to how long the cycle is going to be for them.

For example, where a customer is only confident with say, two passwords of which they alturnate between, then, that should be their right to do as thus. At least this is still better than, that customer staying with the WildStart password only.

Changes you will need include,
• An extra input field, located within the password setting page, this will enable the user to select as to what length of cycle they want.
• An extra database column, to record this choice. In MySQL, you need something like {DECIMAL(1,0)}, or {ENUM('0','1','2','3','4')}.
• The Log-In processor script needs to consider this setting, to know when the cycle is at the cycle-limit for that customer, and as a result, to know when to reset the Cycle Tracker.

Greater Cycle-Length

Some customers may have enough confidence in a longer cycle of passwords, say, seven, or ten.

Changes you will need include,
• Extra password fields within the password setting page. Each one of these, are for each of the respective additional passwords you want the customer to have..
• Where a database column like {ENUM('0','1','2','3','4')} is used, you need to expand the options contained within, to be as thus {ENUM('0','1','2','3','4','5','6','7','8','9')}.
• Where you seek to combine this add-on, with the other add-on above for Custom Cycle-Lengths, then the previous point with ENUM columns, is done twice. Once to mark where the cycle is at, and the other is to register the customer settings.
• The Log-In processor script needs to consider this setting, to know when the cycle is at the cycle-limit for that customer.

QuinCycle - The Hacker

How this feature works with the Hacker,
• Should the hacker somehow, find out the most recently used password of a True-holder, say the hacker has placed a spyware on the device of the True-holder.
• The hacker then tries to make use of this password to log in, for the purposes of stealing the data with.
• As the valid password has changed to the next password in the list, the hacker is blocked.

How this hampers the hacker
• The fustration and confusion as to why this is not working.
• To be blocked from accessing the account, no matter what, and not know why?

Types to foil.
• Doxing : Will become worthless because, noboby can be certain of, the viability of that password.
• Phishing Attack : Again, that phished password, may no longer be valid.
• Man-in-the-Middle : This will only work, if, the MitM activity was able to read all passwords.
• SQL Injection : Where important staff, are required to use QuinCycle system, will most likely prevent this from happening too.

QuinCycle - Some Risks of Note

Risk #1:
• Always a risk that, the hacker may bombard the account with that password, with the expectation that, this password will cycle back into being the correct password again.
• Mitigation; you may set a trap, of which will be triggered upon a quantity of times that a particular password gets used in a row.

Please Note: This list of risks may NOT be complete. You are advised by us, to seek your own, independent advice in respect to this.

TIMECYCLE - How it Works

Opening Summary

This is a series of passwords, of which can only be used, during a particular period of time. Such as, on a particular day of the week.

Each respective TimeCycle password can only be used on that particular day of the week.

At the same time, that particular TimeCycle password, can be used, an unlimited quantity of times on that day of the week.

TimeCycle - Marketing Pitch

Advantage Example

One of the best uses is, with a pensioner, who will only ever need to access their online bank account, just once every two weeks, when their pension gets deposited into their bank account.

The other 13 days in a fortnight, that pensioner has no real purpose to be in their account at all.

Where the pensioner has a Thursdays only password, and should the hacker find out this password, during this time, the hacker shall be blocked on, 6 out of 7 days in every week.

Should that pensioner need to use their account on another day, for a last minute thing, that True Holder may use, say the QuinCycle WildStart password.

TimeCycle - Alturnate Options & Ways

Other TimeCycle patterns

You do not need to have, respective TimeCycle passwords to operate on respective days of a week. You may choose other patterns instead, such as, hours in a day, month in the year and so on.

You may let your customer choose, to have one password to function only, for a two hour period, on one particular day of the week.

These other patterns may be fixed to, where the customer has no other choice, OR, you may give the customer the ability to choose which cycle pattern they want. This will further confuse anybody with a stolen list of passwords.

Some ideas to inspire you include;
• specific day of the month
• specific time of day, on one of those days
• specific time of day, on any/all days

Yet another option

A pensioner may choose a specific TimeCycle password to work only over a two hour period of a Thursday. That same Pensioner, may choose another TimeCycle for use during all other hours of a Thursday.

TimeCycle - The Customer/User

A new Customer

A new customer should be required to set only the Wild-Start password of the QuinCycle system, and then, the customer will then set their TimeCycle passwords when they are doing their QuinCycle passwords too.

Should your system NOT include the QuinCycle system too, then, the one password of which does get chosen during the application stage, will be set for all passwords throughout your TimeCycle scope/list. Your customer will then, edit the other six TimeCycle passwords from inside their account area.

How the Customer Sets them

There will be a password setting page, just like there is today. Only that, this password setting page shall contain seven input tags, one for each of the seven passwords.

To Log in

The log-in page MUST show the time of day, and day of week, in a large/dominat font size, near the top of the page, and/or near where the password is to be inserted by the True-holder as they log in.

This is to remove the risk that comes with multiple time zones, and with international users.

The True-Holder will simply insert the correct password, based on what day of the week it is.

TimeCycle - What you need

In the Account area
• An expanded password field, containing six additional {input type=password} tags, (seven of these in total).
• Next to each of these input tags, there MUST be, a {label} text, containing a day of the week. This will indicate as to which day of the week, is associated with which respective password field.

HTML Log in form
• You shall need to, clearly show the day of week, and the time, based on whatever timezone your server is in.
• You only need one single {input type=password} tag, just like you do today with any existing Mono Password system of which we currently use.

Log in Authenticator Script
• The script needs to check as to what the current day of the week is, and to then check the entered password against their password setting for the current day.
• There needs to be, a small overlap of two respective days, at and around midnight, to cover lags and delays in the system, and with the user.
• One example is, an overlap between 23:55 and 00:30 each night.
• In other words, a particular TimeCycle will work from 23:55 the previous day, work for the whome 24 hours of that day, and continu to work until 00:30 on the following day. That works out to 24 hours and 35 minutes during which each TimeCycle will be operative within.

Additional Database Table Columns You Need include:
• Extra colums to hold each of these extra passwords in. In MySQL seven columns of either {TINYTEXT} or {CHAR(?)} should do.
• Unlike as with QuinCycle, you DO NOT need anything to track the cycle for each user.

TimeCycle - Handy Tip

There is no reason as to why, each customer needs to have seven unique TimeCycle passwords at any one time.

A True Holder should be able to, say, set one password for each of their Monday to Friday passwords, and, another password for both their Saturday and Sunday passwords.

Therefore DO NOT require your customer to set, seven unique passwords for each day of the week.

TimeCycle - The Hacker

The Hacker

How this feature functions with the Hacker,
• Should the hacker somehow, find out the most recently used password of a True-holder, say the hacker has placed a spyware on the device of the True-holder.
• The hacker then tries to make use of this password to log in, on the following day, or days afterward.
• As the valid password has changed to another password, for that other day of the week, the hacker is blocked, unless that hacker trys to hack in, on the very same day of the week. This gives the hacker, six chances out of seven, to be blocked.

How this hampers the hacker
• Can only work for the hacker, if, the hacker works on the correct day of the week. All other days in the cycle, the hacker will be blocked from gaining access to the account.
• Do the maths for the previous point, the hacker shall be successful for once, to six failures. Thus, the hacker is six times more likely to be blocked, than to be let in.

TimeCycle - Some Risks of Note

The Hacker, only needs to know as to, on what day of the week, of which this password was detected on, and wait until say seven days until the next occurance of that particular day of the week and give it a go then.

Please Note: This list of risks may NOT be complete. You are advised by us, to seek your own, independent advice in respect to this.

LIMITUSE - How it Works

Opening Summary

This is a series of passwords, of which can only be used, a limited quantity of times in a row, and then, all use of that password is thereon blocked.

LimitUse - Cross Notes

Compared with the QuinCycle password system, with this LimitUse password system, the same password is repeated over consecutive log ins.

Compared with the TimeCycle password system, with this LimitUse password system, you do not need to use up the UseageLimit with a LimitUse, all on the same day, at the same time, the UseageLimit of multiple/different LimitUse passwords, can be used up on the same day.

LimitUse - Handy Tip(s)

The True-Holder setup

As always, I urge you to only require one password to be set, during any application stage.

Where QuinCycle is available within your system as well as LimitUse system too, then, the True-Holder will simply set their list of LimitUse password(s) after they log into their account later in time.

Otherwise, the first LimitUse password, will be set to, whatever password is set during the application form stage. Other LimitUse passwords, will be set by the True-Holder during a future log-in session.

Multiple LimitUse passwords

It is vital that, you give each True Holder access to multiple LimitUse passwords, and there are many reasons for that idea.

Points I need to say include;
• You will need to have more than one of these LimitUse passwords. Say, a minimum of two, to say five.
• The True-Holder will also need access to an emergency fall-back password, just like the Wild-Start password in the QuinCycle system.

Where your customer has access to both the LimitUse system, and the QuinCycle system too, then, the WildStart password of the QuinCycle system, will provide that vital backup for your customer.

Furthermore

In addition to, having a Counter Reset button, why not have a Password Cancel button too. This button simply needs to set the UsageCounter value, to equal the UseageLimit, and that password can no longer be used.

Near where you have the log off button, why not have a button, of which does the Password cancel, on all LimitUse passwords of which are not zero. Do not touch those UsageCounter who are zero, as their LimitUse password has not yet been used, meaning these passwords should still be safe for use in the near future.

LimitUse - The Customer/User

Setup and operation

The True Holder will simply set their list of LimitUse passwords, along with the UseageLimit, from a page located within their account area.

Should there be the abiliy to reset the UseageLimit value, then, this page also needs to have some means to set as to what will cause this reset. Including the existence of a Reset button, should be in this page too.

UsageCounter indication

You need to determine, as to what the security risk level is for your website, to determine, what level of indication you wish to give to the True Holder. Options to consider are as below.

Options to consider, include,
• Two figure values. One, is the current UsageCounter value, and the other is the UseageLimit value.
• A word hint, like, to use the following list, New/Low/Medium/High/Almost Gone/Expired.

Then during log in

The True-Holder simply enters one of these passwords during their log in process.

LimitUse - Marketing and Pitching

Ideal User

The most ideal user is, somebody of who, is travelling, and especially where, the customer is likely to encounter risky wifi on that trip.

The same customer may, make use of the time while at home before their holiday, to set these passwords, and, to then keep on using their QuinCycle and/or TimeCycle passwords while at home until they head off on this holiday.

That customer will be able to travel safely, knowing that, whatever LimitUse passwords they set, can only be used a few times each, and will just expire before any hacker can make use of this same password.

The True Holder gets to choose, as to which password system they need, for the operating environment of which they are currently in.

LimitUse - Wordings and Meanings

Meaning of UsageCounter

Means the quantity of times of which, that particular LimitUse password has been used.

Meaning of UseageLimit

Means, the maximum quantity of times, of which that specific LimitUse password can be used, before that LimitUse can no longer be used, until the UsageCounter for that LimitUse password is reset.

LimitUse - Alturnate Options & Ways

Options may include;
• The quantity of LimitUse passwords of which the customer can have, will be up to the website owner.

UsageCounter value reset may happen with any of the following,
• The website may give the customer the right to choose what a reset trigger is. perhaps clocking over at midnight, or, the use of another LimitUse word, use of a password in another password system, or a reset button within their account area.
• The use of the WildStart password of the QuinCycle password system.
• To require, that particular LimitUse password to be changed.

Not have automatic resets

One option could be, is, once the True-Holder reaches their UseageLimit for the use of that password, you may prevent any reset of that UsageCounter, unless that password gets changed.

LimitUse - What you need

In the Account area
• An expanded password filed, containing one additional {input type=password} tag for each LimitUse password you permit your customer to have.
• Right next to each of these LimitUse password tags, you also need to have one {input type=number} too. This is used to set the UseageLimit for that LimitUse password.

HTML Log in form
• Nothing needs to happen to the HTML form itself.
• You only need one single {input type=password} tag, as you do with any existing Mono Password system of which we currently use.

Log in Authenticator Script
• The Authenticator needs to go through each of the LimitUse passwords, until you find a match.
• Where a match has been found, the Authenticator then needs to check the UseageLimit and UseageCounter for that LimitUse password. Finally, where UseageCounter value is less than the UseageLimit value, the next step is to increase the UseageCounter value by one, and, the log in request is then approved.
• Otherwise, where the response is negative to any of the previous two points, the authentication test is deemed as a fail, and, access is blocked.

Additional Database Table Columns You Need include:
• A {TINYTEXT} or {CHAR(?)} column, for each LimitUse password of which you permit your customer to have.
• And then, two {TINYINT} or {DECIMAL(?,)} columns, for each LimitUse password of which you permit your customer to have. One of these two is for your, UseageCounter while the other of this pair is for your UseageLimit value.
• You also need some means, to register, approved reset causes, where this option is available to your customer. This can be done with a list of valid reset triggers contained within a {SET} Column.

LimitUse - The Hacker

The Hacker

How this hampers the hacker
• The fustration and confusion as to why this is not working.
• The hacker may presume that, the True-holder has changed their password, and, not try this password again.

Best of the lot is, with those of who, set up fake wifi connections, via where the hacker can read whatever the users are doing. Such a hacker shall NOT get to use that password with any success.

There is no point whatsoever in trying to find out what the password is, as, that password is never going to work again anyway.

LimitUse - Some Risks of Note

Please Note: This list of risks may NOT be complete. You are advised by us, to seek your own, independent advice in respect to this.

Risks from Hackers

There is always a risk that, the hacker may strike before the UseageLimit has been reached. There is no possible way to mitigate this risk, other than, to ensure a low UseageLimit value.

Customer Risks

There is always the risk that, the True-Holder will need to make use of, the last UseageCounter of a password, at a time of when, the True-Holder will NOT have the chance or ability to change what the LimitUse password is. And, there are many valid reasons for why such an ability will not be there at such a time. Hence, you MUST have an alturnate/backup means of access, such as a second LimitUse password, or, the Wild-Start password too.

Caution & Warning

MUST NOT be mandatory

There will be many of your customers of who, will see this complex system to have that customer feeling like they are "In their Element", and will in turn, result in a significant boost to the security of accounts on your system.

DO BE WARNED, that many of your customers will NOT be able to cope with such complexity. The right to choose must always be up to your customer.

Just having the option there

It can be said that, it does not matter if, all of your customers refuse the complexity of these systems, and just use their Wild-Start password each of the time. Regardless of this, your system may be saved, when hackers do know that your website has any of the advised systems as part of your website.