JavaRanch » Java Forums » Engineering » Security

Offline password generator

Andres Delrotti
Ranch Hand

Joined: Aug 11, 2005
Posts: 137
Hello,

This is the setup. You have a regular web application. To do a certain transaction in that application, you would need an extra password. This password can either be sent through email, or the application's mobile app version can generate it for you, the latter meaning it can generate the password even if it is offline. Is it possible to do this? The only thing I can think of is having a predefined hard-coded set of passwords in both the mobile app version and the web app, but this kind of thing is very vulnerable and has a high security risk.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42262
    
  64
Hardcoded passwords seem like a bad idea. Why does this need to work if the device is offline?

Read up on how the Google Authenticator app works; it sounds like that is similar to what you're asking. (I'm not actually sure if Authenticator needs to be online, but its documentation is sure to talk about that.) Maybe your web app can even leverage Authenticator.


Ping & DNS - my free Android networking tools app
Jayesh A Lalwani
Bartender

Joined: Jan 17, 2008
Posts: 2393
    
  28

Is it a password, or a token that will be used one time and then discarded? What are you really trying to do here? You want to authenticate the user? Why can't you use standard basic authentication over HTTPS?
Jeanne Boyarsky
author & internet detective
Marshal

Joined: May 26, 2003
Posts: 30749
    
156

Ulf Dittmer wrote: Read up on how the Google Authenticator app works; it sounds like that is similar to what you're asking. (I'm not actually sure if Authenticator needs to be online, but its documentation is sure to talk about that.) Maybe your web app can even leverage Authenticator.

I've used Authenticator for two-factor on my iPad when my iPad didn't have a network connection. Also, Authenticator doesn't work if your iPad time is horribly wrong, which shows that the number is being determined based on the time as one of the factors (rather than requesting it from Google each time).

Andres: The token ("extra password") is the second part of two-factor authentication. The mobile app generating it makes sense. It is a "thing you have." You could roll your own. Have a unique number generated when the user first sets up the mobile app. Then use that number and other factors like the time to generate a token value that is only valid for a short time. As long as your server knows that app's number and the algorithm, it can check that the token is right. Another alternative is to use a set of randomly generated values that the mobile app stores and your server knows about. Google two-factor also has that. I have a bunch stored in case my iPad breaks and something happens to my phone at the same time. Horrible luck, I know, but I'd certainly want to be able to get into my email if that happened!


[Blog] [JavaRanch FAQ] [How To Ask Questions The Smart Way] [Book Promos]
Blogging on Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, OCAJP, OCPJP beta, TOGAF part 1 and part 2
Andres Delrotti
Ranch Hand

Joined: Aug 11, 2005
Posts: 137
^^
Jeanne: So how would the main app sync its algorithm with the algorithm in the mobile app for the main app to recognize the password as valid? The only way I can see this is passwords computed based on the current time. The thing is, this is still vulnerable and could easily be hacked. Can Google generate the extra password even if their mobile app is offline?