Is "password knocking" a good idea?

Question

With port knocking, you have to "knock" on specific ports in defined order to expose a port on which service is running.

How about password knocking? For example you have three passwords: A, B and C. None of them is correct by itself, but entered one-by-one in this order they will grant you access.

Some scenarios to make this idea clearer:

Scenario 1.

• You: Password A.
  • Server: Invalid password.
• You: Password B.
  • Server: Invalid password.
• You: Password C.
  • Server: Password accepted.

Scenario 2.

• You: Password A.
  • Server: Invalid password.
• You: Password C.
  • Server: Invalid password.
• You: Password B.
  • Server: Invalid password.

Scenario 3.

• You: Password A.
  • Server: Invalid password.
• You: Password B.
  • Server: Invalid password.
• You: Password B.
  • Server: Invalid password.
• You: Password C.
  • Server: Invalid password.

Scenario 4.

• You: Password A.
  • Server: Invalid password.
• You: Password A.
  • Server: Invalid password.
• You: Password B.
  • Server: Invalid password.
• You: Password C.
  • Server: Password accepted.

I can't think of any drawbacks of this method over regular single password login. Moreover, it makes dictionary attacks exponentially harder with each added password.

I realize it's security by obscurity and doesn't abolish the need for strong passwords. Password sequence itself is as strong as a concatenation of passwords used. Added security in this method comes from unexpectedly complex procedure.

Is it a good idea? Is it a better idea than classic password?

Answer 1

The system outlined in the question is actually weaker than simply requiring a single password of length A+B+C, because it permits a class of attacks that can't be used against single passwords:

Say your three-password combination is E F G. An attacker can send the passwords A B C D E F G, making five attacks (A B C, B C D, C D E, D E F, and E F G) for the price of two. The general term for this is a de Bruijn sequence, and it lets you attack any state-based system (such as a digital lock) using far fewer tries than there are possible combinations.

Answer 2

From a raw security perspective, your password is simply "A B C", and the relative strength of the password is calculated accordingly.

From a user perspective, this is arguably too difficult to be usable. The server isn't giving any indication as to the current state (is it looking for the second password yet?) and therefore the user can't tell which password to provide.

From an defense perspective, there's a small amount of value here. Password attacks become a bit more complicated to carry out and existing attack tooling will have to be re-written to accommodate this weird scheme. That may be enough to convince an attacker to move on, but if you're an important target, then it won't help at all.

Answer 3

I'm going to address a few points here.

First off, assuming that the attacker doesn't know the password scheme is a bad assumption, and you're correct that it's security through obscurity. If every user can learn this login scheme, then the attacker can too. Because of that, the knock is no better than if there was just a single password ABC.

You might think, "Doesn't having more passwords increase the number of brute force guesses exponentially?" The answer is no. Consider an alphabet of length z, and three passwords of length a, b, and c. The number of possible passwords for each is, respectively, z^a, z^b, and z^c. If you're to try all possible values for each password in every possible order, you'll need z^a * z^b * z^c guesses, which is equal to z^{(a + b + c)}. It just so happens that the length of the single password ABC is a + b + c, so the number of guesses required is also z^{(a + b + c)}.

There's also the design concern that users will be confused and/or frustrated by this system, especially if they're having trouble remembering their passwords. People have enough trouble remembering one password for each site they visit (and that's why many people reuse passwords). Three passwords would be even harder to remember, and I wouldn't be surprised if some of your users used the same string for all three.

Requiring three form submissions to log in will certainly slow down a brute force attack, but you could just as easily achieve that by adding a delay in the server-side password verification.

Answer 4

It's security through obscurity -- if widely adopted, attackers will just try three times. At which point you might as well just have a single password but set a longer minimum password length to ensure it's as long as three separate passwords concatenated.

Answer 5

This is indistinguishable from your password simply being A || B || C.

Answer 6

Two-factor auth is more user-friendly yet more secure.

Without, one password is still hardly less secure than password knocking.

An attacker who can find your password is likely to find out about your knocking scheme as well.

Choosing to knock is like choosing an algorithm. Consider it public.

Though passwords are security by obscurity, they can be replaced by completely different ones very easily.

That said, there are schemes that are somewhat similar to your "knocking" but a bit more useful:

• Randomly requesting one out of multiple secrets (passwords, phrases, iTANs...).
  This is much quicker than entering all of the secrets, and is more secure because the attacker only gets to know one secret at a time (which can be invalidated after use).
  The chances of the attacker being able to authenticate correlates with the relative number of secrets they know. Still, it requires the user to know all secrets and their order.

• Input Timing, i.e. analyzing the times between and for all password characters while the user is typing.
  This is harder to find out about and to fake than knocking and has been researched a couple times IIRC. Drawbacks:

  • Timing varies slightly each time a user enters the password, though it may still be enough to distinguish users
  • Timing may even change entirely when the user chooses to enter it differently, e.g. during the initial phase after choosing the password (the user is still learning to enter the password), or when they cannot enter it the way they usually do (injuries, holding a sandwich in one hand...)

Security by obscurity is good when you can quickly modify your obscurity scheme, i.e. "change the maze" with little effort, rather than the concrete its walls are made of (make sure the maze cannot be bypassed).

Answer 7

The concept of port knocking does not really apply directly to logging into websites. At least not in the sense that you have suggested. With port knocking, you connect to different ports in a certain order to open the desired port. In your example, you are putting all the passwords into one site. As others have pointed out, this isn't really any different from putting all the passwords together. Unless all the passwords you use are very long, you might as well just concatenate them and use one password. The obscurity of this method is also not so helpful, because someone will have to build it and someone will have to know how to use it, which is enough for an attacker to find out how it works. Also, you just explained it to the world.

Instead, maybe you could use different websites to represent different ports. Let's say you are trying to log into website D. When you connect to website D, it won't even display a page unless it can see that you have logged into websites A, B, and C, correctly and in that order. This way the attacker would not only have to crack the different passwords, but they would have to be done on 3 different sites, and used in the right order to even access site D, where another password would be required.

This is still relying on a certain amount of obscurity, but it is more distinguishable from simply splitting up a password on one site.

Answer 8

Positive

• It would fool standard brute-force attacks. Automated attacks from botnets or simple tools would not work out of the box.
• It might be possible to fool a keylogger this way. In the logs it would look like the user remembered the password on the third try. If the attacker uses this password it would not work. But only if he does not know or guess what's going on. But he does own you anyway in this case.
• The user is forced to use multiple words => longer password.

Negative

• Too complicated for a normal user.
• Like port knocking, it is partly security through obscurity. If the attacker knows he can adapt the attack.

Total

Like port knocking it does add only a small advantage against simple attacks. The main benefit would be longer password and that can be enforced more easily be password rules.

Anyway, if your users do not mind it is something you can do. In the end, every security feature counts. But I would not advice to do it.

Answer 9

Just a note: this methodology is already used in password-recovery schemes in some parts of the industry. If you forget your password, you can use your e-mail address to initiate a sequence of personal questions to recover your password (though many times it is just one question). It is made more palatable to the user, by usually limiting the context to a sequence of well-chosen questions that provide the user with an opportunity to use (hopefully) secret but well known answers.

Also, some of the better banks provide an additional set of security questions if they do not recognize the computer you are logging in from (in the same vein as the aforementioned password recovery scheme).

For example:

Enter your password:  *****

Your computer is not recognized, please answer the following additional questions:

What city did your mother grow up in?  *********
What is your favorite movie? *************

This can enable savvy users to provide fairly obscure answers to a range of questions which they choose, while still allowing for an easy-to-remember sequence of 'passwords'. Of course, typical users might still use easy-to-guess answers for the "unrecognized computer" questions, but the onus has always been on the user to provide good passwords, anyway.

Answer 10

PROS: This system does share some benefits with two-factor authentication.

1) Most browsers and password saving systems do not support it, so will remember only one of the passwords at most. So it at least won't be stored in plaintext somewhere.

2) People who use the same password everywhere will have to use at least two passwords which are not shared with other sites.

CONS: The system, however, is overall flawed, and I'd argue it is worse than single-password authentication.

1) Because their preferred, password-protected password storage system that they use for the more important passwords cannot be used, odds are they'll use something less good for this one password. Post-it, text file, whatever.

2) Others have claimed that this is as strong as the password "ABC". It is not. I would say that in the worst case, it is only as strong as the password "A".

This is because I (and the typical user) would use the passwords "password1", "password2", "password3" This password generation system gives me the benefit that I can ctrl-c, ctrl-v the password and then just type the number.

If I cannot use similar passwords, then you have reduced the scope of possible passwords that I can have: rather than as secure as ABC, you now only have the same security as ABD where A!=B!=C: you've made the cracker's job easier by reducing their search domain.

And I'd still choose whatever predictable sequence that the password entry script permitted: "Jan", "Feb", "Mar" perhaps.

And since I'd be using a natural sequence, this is likely to be the order that a password cracker would have in the dictionary, so a password-cracking machine will naturally try those passwords in the correct order and walk right in. Any cracker knowing your system absolutely would order their dictionary in this manner.

3) The other factor that reduces security is that to change the password, you now need to change three different fields. This would discourage many from changing their passwords.

4) This is terrible, terrible user experience, as others have noted. Unless you have a captive audience (employees, students, etc), you will lose custom through this user-hostile approach.

Answer 11

As others have stated, this is equivalent to just having a password that's equivalent to A\nB\nC or the like. However, there is one advantage I can think of to this scheme: it helps to reduce phishing-type things; if a system accepts the first password in lieu of accepting the others, then you know that the system is compromised and simply logging your username and password.

However, in that case it's better to just attempt login with a random password before attempting login with your actual password; otherwise you've just compromised a good chunk of your password since now the first third (roughly) has been logged by the compromised system.

Answer 12

I don't think it's even security through obscurity as some have said—the three password login is presented publicly, no? Sure it will take some work tweaking a few tools, but nothing too difficult.

As for the brute-force complexity. The number of possibilities are the same as having one single password with length A + B + C. So for this reason the only defensive you get with this scheme is frustrating the attacker a little at first. Furthermore, if the scheme became common, then standard tools would quickly adapt.

Answer 13

"The fewer the moving parts, the less there is to go wrong."

In addition to not providing any notable benefit, this idea is more complex to implement than a single password. As such, there are more points of potential failure. For instance...

Depending how it was implemented, it might allow a denial attack wherein Malcolm sends password X at regular intervals. If he times it right such that he interrupts a legitimate attempt, the system receives A X B C and denies you entry. Similarly, if he times sending password C right after you've sent A B then the system lets him in and not you.

A response-timing attack might be able to figure out that A was the correct first password in A B C where it would not notice that D was the prefix of single-password DEF.

Answer 14

As many have mentioned, for dedicated attack purposes, it is no stronger and no easier/harder to remember than a concatenation of passwords. However, there is some operations security (OPSEC) value to be had which is independent of password strength. Not much value, mind you, but as someone who spends a lot of time on the Worldbuilding Stack Exchange site, my imagination ran wild.

Consider if you want a service to not only be restricted to authorized users, but you want to prevent someone from accidentally stumbling on its existence. This is no longer a simple entropy problem, but rather a spy-vs-spy information theory problem. Your job is now to minimize the signal-to-noise ratio (SNR) of anyone glancing across your password input. This is now unrelated to password strength.

One approach would be to set up a dummy behavior. Make it look like it is a log in for a different system. Only accounts with the correct privileges are redirected to the meaningful content. You could even let others sign up for your dummy project to let people poke around and satisfy their curiosity.

However, we're talking spy-vs-spy now. Someone's going to realize that James Bond really isn't all that interested in a forum discussing the latest trends in rubber duckies, and start prying. James Bond is good at not revealing information, but at some point, with a gun held to his [latest] girlfriend's head, it's going to be suspicious if he doesn't reveal his rubber-ducky-forum password to Dr. NoGood. Dr. NoGood's no fool; he'll figure it out.

So we set up James with two passwords. One lets him into his normal rubber ducky forum, the other into the top secret nuclear missile simulator. We can't ignore real-life password security here. His nuclear missile simulator password is going to have to be long: as long as the concatenation of your three passwords. His ducky password is probably shorter. Good thing too, because someone has watched him log into his ducky account before. They know how many characters to start brute-forcing. We don't want them to accidentally find the secure password before we find the ducky one.

So, given that it's still secret that the missile simulator exists, returning "invalid password" part way through will hopefully discourage brute-forcers from continuing. Plus you can do a huge climactic reveal when James "types his password wrong twice," before the wall next to him suddenly creeks open to reveal the vault beyond.

Answer 15

To add to all the other great answers, this type of password protection scheme would not provide any protection against keyloggers or man in the middle attacks. Since you would still be putting your password in within a sequence, the keylogger can replay your actions and still gain authorization. 2-factor authentication as suggested by @Archimedix would be the most effective way to mitigate this.

Answer 16

As others have mentioned, functionally, this is the same as one long password. To make the implementation less confusing, it could be implemented by asking all three passwords in the same screen.

Something along these lines is done by my online broker where it asks for the member password and trading password during the login. We have to get both the passwords right in order to login. Besides, I have to change my member password every 10 days or so and there are rules about not repeating the previous three passwords, etc.

My bank (ICICI Bank) previously implemented two passwords, one for viewing to be entered to login and get access to information, and another for transacting to be entered anytime an action which would result in a financial transaction was performed. My Visa debit card is also secured by a system they call 3-D Secure where, irrespective of the payment gateway, they take me to their own site to enter a password to complete the transaction. I know that this is the genuine Visa site, because they let me customise the message to display.

So the idea is not unprecedented, though not implemented in exactly the same manner as you say. Adding multiple passwords is something that at least the bankers and stock brokers seem convinced about.

Answer 17

Stop useless technical complexity

According to a previously correct answer,

A\nB\nC

is approximately the same as

A B C

(or maybe lighter, regarding @Mark's answer, about Bruijn sequence).

From there, if you really need to keep your secret:

1. Use standard tools strongly tested for a while. (If you're not sure, prefer to share and ask around, instead of using any kind of obscurity.)

2. Keep them up to date.

3. Teach your users about passphrases (see xkcd: Password Strength and discuss on IS)

4. Keep in mind that social engineering (on Wikipedia) is the first way of security flaws. (Another famous xkcd: Security).

5. Monitor your system, and check your logs.