
So one of the problems with passwords is that users reuse them or use a weak one. For the latter, even enforcing a pattern does not work, as users will simply go for something like P@ssw0rd1 that is easy to guess.

So instead of a username or email and password login, why not a PIN and password? The PIN will be generated during sign-up (it can be as complex as the webmaster makes it, and not necessarily a 6-digit PIN like your bank card's).

This way, even if the user decides to make a simple password, the account will always be protected by a secure and unique passphrase, whether the user likes it or not.

schroeder
  • While this does protect against specific attacks, PIN and password are both "something you know". Adding other factors, such as "something you have" or "something you are", makes the authentication more robust. That's why companies are moving towards [MFA](https://en.wikipedia.org/wiki/Multi-factor_authentication) instead. – Fire Quacker Feb 27 '20 at 06:38
  • Here are a few related questions: [Does Username + Password + Pin improve login security?](/q/20978/129883) and [Why does the user pick the password?](/q/85934/129883) and [Is it a good idea to give users an additional password that they do not control?](/q/52311/129883) – Fire Quacker Feb 27 '20 at 06:45
  • Using the PIN to determine a number of SHA2 rounds before feeding the KDF _would_ make it more complex to reverse with off-the-shelf solutions like john and cat... – dandavis Feb 27 '20 at 19:05
  • @dandavis Security by obscurity silliness. If you're writing professional software and have passwords that protect anything of significant value, then you should just assume that a hacker is at least a little professional and so knows enough to (easily) adapt to that change... Or that they can learn. Or pay someone else to do it. Even if you're hacked by a total script kiddie, they *could* post a data dump publicly or sell the same information to someone who can tweak a few lines of code. – Future Security Feb 28 '20 at 00:38
  • @FutureSecurity: Sure, there will always be someone better, but obscurity isn't the point; adding work is. If you have both a PIN and a password, the suggested concatenation of the two makes for a much more precise/targeted match rule (just digits at the end) for rippers. While the SHA rounds themselves aren't very expensive, appending that to the password instead of a few PIN digits produces more work to be done. – dandavis Feb 28 '20 at 01:35
  • @dandavis It's not more work, though. It's more homebrew-algorithm work and less strong-KDF work. You have a limited amount of time you can dedicate to password hashing. Time should not be wasted. Ideally 100% of your computing time should go to something like Argon2. There's more I can say, but I don't want to take over the comments section. A few of my answers I've written, though, go into better detail explaining how various "alternative" password hashing ideas like that, hybrid schemes, and sometimes even PBKDF2, are weaker than boring Argon2/scrypt. – Future Security Feb 28 '20 at 02:19
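The comment thread above contrasts a PIN-dependent number of SHA-2 rounds with simply feeding the combined secret to a strong KDF. The following is an added example, not code from the question or from any commenter: it generates a server-chosen PIN from a CSPRNG, reports the entropy that PIN guarantees regardless of the password, and stores one scrypt hash of PIN and password together. The 8-digit PIN length, the length-prefixed join format and the scrypt parameters (n=2**14, r=8, p=1) are assumptions chosen for the example.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Assumptions (not from the question or comments): the server picks an 8-digit
# PIN at sign-up and stores a single scrypt hash of PIN and password together.
PIN_ALPHABET = string.digits
PIN_LENGTH = 8


def generate_pin(length=PIN_LENGTH, alphabet=PIN_ALPHABET):
    """Server-generated PIN from a CSPRNG; the user never chooses it."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def pin_entropy_bits(length=PIN_LENGTH, alphabet=PIN_ALPHABET):
    """Entropy the random PIN adds, independent of how weak the password is."""
    return length * math.log2(len(alphabet))


def combine(pin, password):
    """Join PIN and password into one secret. The length prefix keeps
    ("1234", "5pass") and ("12345", "pass") from producing the same bytes."""
    return f"{len(pin)}:{pin}:{password}".encode("utf-8")


def hash_secret(pin, password, salt=None):
    """Derive the stored verifier with scrypt (a memory-hard KDF) rather than
    with a home-grown, PIN-dependent number of SHA-2 rounds."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt
    key = hashlib.scrypt(combine(pin, password), salt=salt,
                         n=2 ** 14, r=8, p=1, dklen=32)
    return salt, key


def verify(pin, password, salt, expected_key):
    """Recompute the verifier and compare it in constant time."""
    _, key = hash_secret(pin, password, salt)
    return hmac.compare_digest(key, expected_key)


if __name__ == "__main__":
    pin = generate_pin()
    salt, stored = hash_secret(pin, "P@ssw0rd1")
    print(f"PIN {pin} adds {pin_entropy_bits():.1f} bits of entropy")
    print("verify with correct pair:", verify(pin, "P@ssw0rd1", salt, stored))
    print("verify with wrong PIN:   ", verify("00000000", "P@ssw0rd1", salt, stored))
```

All of the hashing budget goes into the KDF's own cost parameters, so raising `n` strengthens every account uniformly; the PIN contributes its entropy to the input rather than to an obscure transformation an attacker would only need to read once.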

1 Answer

Some banks actually do this. The issue is the same as with just generating a random password for the user and not allowing them to input one: they will inevitably write it down. Also, using a PIN as the username frustrates targeted attacks, but for short PINs and large sites, attackers can pick a random PIN and chances are it will belong to some user. You would need to make it longer to be effective.

Finally, if the PIN is ever leaked, it can be difficult to change if it acts as the username.

At the end of the day, PIN and password are the same type of authentication: using something the user knows. Therefore anything you can do with a PIN, you can also do with a password; just append the two for a longer password. Using it as the username unnecessarily complicates things.

Peter Harmann
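The answer's point that a random PIN will "belong to some user" on a large site can be sized exactly. The following is an added example, not code from the answer: it models PIN-as-username, where each account occupies one distinct value in the PIN space, so a uniformly random value is a real account with probability users / space. The function names, the one-million-user figure and the alphabet sizes are assumptions for the example; the arithmetic is exact (integers and fractions).

```python
from fractions import Fraction

# Model (added here, not from the answer): when the PIN doubles as the username,
# PINs must be unique, so every account occupies exactly one value in the PIN
# space and a random guess belongs to some user with probability users / space.


def pin_space(alphabet_size, length):
    """Number of distinct PINs of the given length."""
    return alphabet_size ** length


def random_pin_hit_probability(num_users, alphabet_size, length):
    """Probability that one uniformly random PIN is a real account's username."""
    space = pin_space(alphabet_size, length)
    return Fraction(min(num_users, space), space)


def min_pin_length(num_users, alphabet_size, one_in):
    """Smallest PIN length for which a random PIN is a real account at most
    once in `one_in` tries; integer arithmetic, so no rounding surprises."""
    if num_users < 1 or alphabet_size < 2 or one_in < 1:
        raise ValueError("need >= 1 user, an alphabet of >= 2 symbols, one_in >= 1")
    length = 1
    while alphabet_size ** length < num_users * one_in:
        length += 1
    return length


def sizing_table(num_users, alphabet_size, lengths):
    """Hit probability for each candidate PIN length."""
    return {n: random_pin_hit_probability(num_users, alphabet_size, n)
            for n in lengths}


if __name__ == "__main__":
    users = 1_000_000  # constructed figure for a "large site"
    for n, p in sizing_table(users, 10, (6, 8, 10, 12)).items():
        print(f"{n:2d}-digit PIN, {users:,} users: hit probability {float(p):.2e}")
    print("digits needed for a 1-in-a-million hit rate:",
          min_pin_length(users, 10, 1_000_000))
    print("alphanumeric (36-symbol) characters needed:",
          min_pin_length(users, 36, 1_000_000))
```

With one million users, a 6-digit PIN space is fully occupied (every guess is someone's username), and reaching a one-in-a-million hit rate takes 12 digits or 8 alphanumeric characters, which is the "make it longer" the answer refers to and also why the PIN ends up as long as a password anyway.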