
I'm looking to use a single passcode string, rather than the email/pass combo that most sites are using to authenticate users. I know if they lose their passcode (unless there are forget questions) that the account will become inactive, but I want the site to be completely anonymous and I don't want to store any data in the db that can link back to an actual person.

That said, can you share any methods (or point to current examples) on how to randomly generate English words with numbers to create a passcode (similar to say: taco_eat3R, nacho_P0tatoes, etc...)?

Jeffrey
  • **This is a bad idea.** Without an account name, one could conceivably brute force the passcodes with common words and log in as _many users_. And it would not be the users' fault, it would be yours, since their passcode was assigned to them from you. You are better off sticking to email/password and hashing the email address in a secure one way hash function (like bcrypt) and storing that with the password (which should be hashed as well). – Afforess Oct 26 '14 at 04:49
  • I can always add code to prevent brute force attacks. Email is traceable to an actual person so it's out of the question. Username/password combo isn't trackable, but I want a single input rather than two. – Jeffrey Oct 26 '14 at 05:17
  • An email address that has been hashed by a secure one-way hash function like bcrypt can not be reverse engineered back into the email address. – Afforess Oct 26 '14 at 05:25
  • related: [Best way to store password in database](http://stackoverflow.com/q/1054022/4279). Just follow the same recommendations for (email, password) pair. – jfs Oct 26 '14 at 05:32
  • Yes, even the passcode I generate will be stored by bcrypt. This is just to generate a passcode for someone in case they don't want to create one themselves. Please reread my question, I'm looking to use a passcode string instead of email/pass combo. Yes I know what the current standard is! Just re-thinking it, and asking if you all have any suggestions that can make it work. – Jeffrey Oct 26 '14 at 05:52

2 Answers


If you insist on using a dictionary, then you will need long passphrases (not passwords) to defeat brute force. Diceware uses six or more words from a 7776 word dictionary, not all of which are English words.

ETA: the Diceware 8k wordlist is better suited for computer generated passphrases.

Also be sure to use a cryptographic standard RNG to pick the words from the dictionary.

rossum
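
As an added illustration (not code from this answer or from the Diceware project), the following Python picks words with the `secrets` CSPRNG rather than `random`, and reports the entropy of the result so the two-word scheme from the question can be compared with the six-word Diceware recommendation. The wordlist is a small constructed stand-in, so the entropy figures for a real list are computed from its size (7776 for the dice list, 8192 for the 8k list) rather than from the sample.

```python
import math
import secrets

# Constructed stand-in for a wordlist; a real Diceware list has 7776 entries
# (one per five-dice roll, 6**5) and the 8k variant has 8192 (2**13).
SAMPLE_WORDS = ["taco", "nacho", "potato", "river", "cloud", "lamp", "stone", "vivid"]
DICEWARE_SIZE = 6 ** 5
DICEWARE_8K_SIZE = 2 ** 13


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words drawn uniformly (with replacement) from list_size words.

    Each word contributes log2(list_size) bits; the choices are independent.
    """
    if list_size < 2 or n_words < 1:
        raise ValueError("need a list of at least two words and at least one draw")
    return n_words * math.log2(list_size)


def generate_passphrase(wordlist, n_words: int = 6, sep: str = "_") -> str:
    """Pick n_words from wordlist using secrets.choice (CSPRNG-backed).

    random.choice would be seeded from predictable state and is not suitable
    for credentials; secrets draws from the OS entropy source.
    """
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    return sep.join(words)


def meets_bar(list_size: int, n_words: int, min_bits: float = 77.0) -> bool:
    """True if the list size / word count reaches roughly six Diceware words' worth."""
    return entropy_bits(list_size, n_words) >= min_bits


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    for n in (2, 6):
        print(n, "Diceware words:", round(entropy_bits(DICEWARE_SIZE, n), 1), "bits")
```

Two words from the 7776-entry list give under 26 bits, which an offline attacker exhausts quickly even against bcrypt, while six words give about 77.5 bits.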

Generation:

  1. Store a table of English words
  2. Randomly combo two of the words together (use regex to add numerals)
  3. Cross-reference it with existing users (to avoid duplication)
Jeffrey
  • This can be easily brute-forced with a dictionary attack. – Afforess Oct 26 '14 at 05:26
  • But you can limit the number of attempts based on ip. Say 5 attempts per minute per ip address. Then if an ip is continually attempting the system it can be locked out for a longer period of time. – Jeffrey Oct 26 '14 at 05:36
  • Don't try to close a thread because you disagree with it? Is that how you try to talk with people in person, by changing the subject instead of having an intellectual conversation? If you really think your way is the ONLY way, then you should leave it open so that other people see your comments and perhaps learn from them. I appreciate your perspective, it's pretty much the current standard (like I said in the description). I'm looking to re-ask the question, it needs to be done (every so often)... this is how new methodologies come about. (I can't believe I actually have to say it!) – Jeffrey Oct 26 '14 at 05:45
  • I'm sorry you took the downvote personally, but this is a bad solution to a bad idea. I don't want future users to stumble across this question and think this is the right way to do anything. If you feel I have wronged you, you can always have this addressed on the [meta stack exchange](http://meta.stackexchange.com/). – Afforess Oct 26 '14 at 05:51
  • Don't worry, I didn't take it personally. I'm just looking for creative thinkers! – Jeffrey Oct 26 '14 at 05:55