A Proposal for the Elimination of Passwords

by G. A. Jennings

This article is about eliminating text-based web logins, the single most exploited entry point into websites such as WordPress.

Before getting into the details, let's criticize WordPress.  First, WordPress uses the same login page for administrators and ordinary users alike.  Second, WordPress always uses the same HTML form for all logins.  Third, WordPress does nothing to stop repeated failed login attempts.  (My guess is that most, if not all, CMS-like web applications are the same.)

I think all hackers understand the ramifications of that kind of web design.  (I once put up a fake wp-login.php page that simply logged all POSTs to it.  The log file was huge in just a few days.)

I am proposing a way to eliminate HTML and the entering of text to login to a website.  But first, a parable.

"An illiterate mullah ran the village maktab (religious school) teaching the children how to memorize and recite the holy Koran.  Since the villagers were illiterate, their collective nescience made life comfortable for the mullah.

As fate would have it, one day an educated young man came to live in the village.  His arrival suddenly threatened the power and the livelihood of the mullah.  To discredit his rival, the mullah came up with a clever scheme.  He called on the villagers to gather around and asked the young man to write on the board the word 'snake.'  The young man complied.

He then drew a picture of a snake next to his words and turned toward the villagers, asking them: 'Which of these writings spells snake?'  They all pointed to the mullah's snake drawing."

All writing before the alphabet was images, from Mayan to Egyptian to Asian.  Many cultures started with images at nearly the same stage of human development because it was natural and intuitive.

This is a proposal to replace a string of text with an array of images.  Before getting to the technical part, here are some visuals that all will easily comprehend.  Imagine a grid of 20:

Emojis
Mahjong
Dominoes

Then imagine, when signing up for a website, the user will be presented with an array of images from a set of images of one of the categories mentioned above.  From that set, a user will create their "password" as described in more detail later.

The username will remain text (as it is often an email address, which is always unique).  After that, the set of images described above will be displayed.

The user picks which "set" they like best, say a set of 32 or so emojis.  The user then picks some 6-10 emojis that they like and think they will remember - and probably will be able to.

The emojis they select will then be their "password" or, more properly, their "login image set."  (Verification can be either through email or even a phone number.)  At this point the user has "an account."

When coming back to the website, the user, after entering their username, is presented with another set of emojis, in a different order each time.  The user then just selects their emojis in their proper order to login.

No automated code - it seems to me - would be able to crack such an interface as easily as a text-based HTML form.

Designing such an image-based input is the easy part.  The harder part is, "What data representing the image order selections will be sent to the server?"  This kind of login will be no better than a text form if the data can be easily simulated.

Other questions can be, "How should it be encrypted?  Or just obfuscated?  Or with some randomly placed random data?  Will that be enough to stop an automated attack?"

I leave that as an exercise for 2600 readers.
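One way a reader might take up the exercise, as an added example that is not part of the original article or of any WordPress code: the server stores only a salted, slow hash of the chosen image ids (their positions in the canonical set, not in the shuffled grid); each login issues a fresh random grid order together with a single-use nonce; the browser sends back only the grid positions it tapped, bound to that nonce; and the server maps the positions through its own copy of the shuffle before comparing hashes. The 32-emoji alphabet, the six-image sample choice, the PBKDF2 round count and all function names are constructed for this example. A helper also computes how many ordered selections the proposed 32-image, 6-10 pick scheme allows, which is the number an attacker guessing blindly would face.

```python
"""Image-sequence login: challenge/response sketch (added example, not from the article)."""
import hashlib
import hmac
import math
import os
import secrets

# Constructed 32-image alphabet; any 32 distinct images (mahjong tiles, dominoes) work the same way.
EMOJI_SET = ("🍎 🍌 🍒 🍇 🍋 🍓 🍉 🥝 🍍 🥑 🌽 🥕 🍄 🌶 🥐 🍕 "
             "🚗 🚲 ✈ 🚀 ⛵ 🚂 🐶 🐱 🐸 🐢 🦊 🐼 🐧 🦋 🌻 🌵").split()
assert len(EMOJI_SET) == 32

PBKDF2_ROUNDS = 100_000  # assumption: tune for the server's hardware

# Constructed sample "login image set": six emoji in the order the user picked them.
SAMPLE_CHOICE = ["🚀", "🐸", "🍕", "🌵", "🍇", "🦊"]


def search_space(n_images: int, length: int) -> int:
    """Ordered selections without repeats of `length` images out of `n_images`."""
    return math.perm(n_images, length)


def enroll(chosen_sequence, emoji_set=EMOJI_SET) -> dict:
    """Sign-up: store a salted, slow hash of the ordered image ids, never the images.

    Ids are positions in the canonical set, so the stored secret does not depend
    on how the grid happened to be shuffled when the user enrolled."""
    ids = bytes(emoji_set.index(e) for e in chosen_sequence)
    salt = os.urandom(16)
    return {
        "salt": salt,
        "hash": hashlib.pbkdf2_hmac("sha256", ids, salt, PBKDF2_ROUNDS),
        "length": len(ids),
    }


def issue_challenge(emoji_set=EMOJI_SET) -> dict:
    """Login step 1: a fresh random grid order plus a single-use nonce.

    The server keeps nonce -> order; the client only ever sees the shuffled grid."""
    order = list(range(len(emoji_set)))
    secrets.SystemRandom().shuffle(order)
    return {"nonce": secrets.token_bytes(16), "order": order}


def client_response(challenge, chosen_sequence, emoji_set=EMOJI_SET) -> dict:
    """Login step 2 (browser side): the grid positions tapped, in order, bound to the nonce.

    Positions mean nothing without the server's copy of `order`, so a captured
    response does not by itself reveal which images were chosen."""
    positions = [challenge["order"].index(emoji_set.index(e)) for e in chosen_sequence]
    return {"nonce": challenge["nonce"], "positions": positions}


def verify(record, challenge, response, used_nonces: set) -> bool:
    """Login step 3 (server side): map positions back to image ids and compare hashes."""
    nonce = response.get("nonce")
    if nonce != challenge["nonce"] or nonce in used_nonces:
        return False            # stale, forged or replayed submission
    used_nonces.add(nonce)      # burn the nonce even on a wrong answer
    positions = response.get("positions", [])
    if len(positions) != record["length"]:
        return False
    n = len(challenge["order"])
    if any(not isinstance(p, int) or not 0 <= p < n for p in positions):
        return False            # off-grid index: malformed client data
    ids = bytes(challenge["order"][p] for p in positions)
    digest = hashlib.pbkdf2_hmac("sha256", ids, record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    record = enroll(SAMPLE_CHOICE)
    used = set()
    challenge = issue_challenge()
    good = client_response(challenge, SAMPLE_CHOICE)
    print("correct sequence:", verify(record, challenge, good, used))
    print("same response replayed:", verify(record, challenge, good, used))
    for k in (6, 10):
        print(f"32 images, {k} picks: {search_space(32, k):,} orderings, "
              f"~{math.log2(search_space(32, k)):.1f} bits")
```

Two points worth noticing from the sketch.  The per-login shuffle and nonce mean a recorded submission is useless against the next login, which answers the "easily simulated" worry for replay.  They do not, however, let the server tell a human tap from a scripted POST, so the lockout after repeated failures that the article faults WordPress for omitting still has to be there; and the arithmetic shows why: six ordered picks from 32 images give about 652 million orderings (roughly 29 bits), ten picks about 2.3 x 10^14 (roughly 48 bits), so the image grid changes the input channel more than it changes the size of the guess space.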
