High security multifactor authentication using a series of single-use "passcodes" does not need to be expensive. In fact, it can be free...
Generate your own unique set of Printable Paper Passcards right now:
What is "Multi-Factor Authentication" . . . and why might you need it?
Almost without exception, today's Internet users prove their identity online using a fixed account name and password. In the past, this simple system provided sufficient security. But with the growing popularity of online banking and eCommerce, the value of stealing online identities has skyrocketed. And the increasing presence of "spyware" and "malware" on innocent users' computers means that users can be "watched" while logging onto their banking and other eCommerce sites. Once their logon credentials have been "captured" and stolen, Internet criminals can easily assume their identity.
The trouble with a username and password is that they never change. We create them, write them down or memorize them, then use them over and over again. What has been needed is an inexpensive system that provides something which changes every time it is used. GRC's Perfect Paper Passwords system offers a simple, safe and secure, free and well documented solution that is being adopted by a growing number of security-conscious Internet facilities to provide their users with state-of-the-art cryptographic logon security.
To hear or read more about the important and fascinating topic of "Multi-Factor Authentication", you are invited to listen to the free audio (mp3) podcast Leo Laporte and I produced to address this topic. The link below will take you to large high-quality and smaller lower-quality audio files as well as text transcripts in web or PDF format:
http://www.grc.com/securitynow.htm#90
To learn more about the design, operation, and security of GRC's Perfect Paper Passwords system, you are invited to listen to a detailed description of the background and operation of this system, including a detailed discussion of the design and development path that led to this result. This discussion took place over three episodes of our weekly "Security Now!" audio podcast with Leo Laporte:
The first episode (#113) explains the problem I was working to solve. It explains the security issues and considerations leading up to the decision to design a paper-based one-time password system:
Higher quality: 64 kbps mp3, 27 MB (Right-click and "Save Target As...")
or smaller size: 16 kbps mp3, 6.7 MB (Right-click and "Save Target As...")
The second episode (#115) explains the development of this one-time password system, examining the many directions not taken, and thoroughly detailing the finished PPP system:
Higher quality: 64 kbps mp3, 40 MB (Right-click and "Save Target As...")
or smaller size: 16 kbps mp3, 10 MB (Right-click and "Save Target As...")
The third episode (#117) discusses the evolution of this one-time password system from version 1 to version 2 and examines interesting questions such as whether it's better to have truly never repeating one-time passwords or this system's "equally unlikely" but possibly repeating passwords:
Higher quality: 64 kbps mp3, 26 MB (Right-click and "Save Target As...")
or smaller size: 16 kbps mp3, 6.5 MB (Right-click and "Save Target As...")
Notes about GRC's PPP online demonstration form above...
The form above defaults to, and these PPP pages describe, the "PPP Standard" system based upon 4-character passcodes drawn from a 64-character alphabet. Since this yields nearly 17 million possible passcodes occurring in a cryptographically unpredictable sequence, it delivers a highly secure balance between security and convenience.
By providing a 64-character hexadecimal sequence key and other optional customizing data, this page may be used to generate and print valid passcards for use with any compliant PPP implementation that lacks its own passcard printing facility.
Many free and open source implementations of this PPP system are currently available, and more are on the way. GRC offers a complete and free (though not open source) PPP CryptoSystem implementation for Windows platforms, and other open source solutions are already available for Windows, Mac, Linux, and Java-equipped cell phones. The "PPP Software" page provides further details.
GRC employees are using this system to enable their own secure roaming access to GRC's private corporate network. One of the values of this system, compared with hardware authentication credential tokens, is that it supports fully local "TNO" (Trust No One) authentication without relying upon any third parties or third-party relationships.
This PPP secure authentication system will appear in GRC's future commercial "CryptoLink™" product to offer secure roaming access features to individual users and corporations.
Everything is free (although GRC's code is not open source): To further document and promote the use of this system, GRC has made a Windows implementation of the entire PPP CryptoSystem freely available for download and use. It is our sincere hope that other Internet sites and services will adopt this, or a similar system, to help protect Internet users by employing secure authentication technologies such as this.
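An added sketch (not GRC's code, and not the PPP algorithm, which this page does not specify) of how a key-and-counter passcode sequence with the parameters above can be generated and checked once each. HMAC-SHA-256 stands in as the generator; the alphabet, `passcode`, `Verifier`, the sample key and the five-failure lockout are assumptions made for illustration.

```python
import hashlib
import hmac
import string

# Constructed 64-symbol alphabet (assumption; the page does not list PPP's own).
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+-"
CODE_LEN = 4  # page: 4-character passcodes, so 64**4 = 16,777,216 possible values


def passcode(key_hex: str, counter: int) -> str:
    """Passcode number `counter` for a 64-hex-character (256-bit) sequence key."""
    key = bytes.fromhex(key_hex)
    if len(key) != 32:
        raise ValueError("sequence key must be 64 hexadecimal characters")
    # Stand-in generator: HMAC-SHA-256 over the counter, not PPP's own cipher.
    block = hmac.new(key, counter.to_bytes(16, "big"), hashlib.sha256).digest()
    # 64 divides 256, so keeping 6 bits of each byte selects symbols without bias.
    return "".join(ALPHABET[b & 0x3F] for b in block[:CODE_LEN])


class Verifier:
    """Server side: accepts only the next expected passcode, and only once."""

    def __init__(self, key_hex: str, max_failures: int = 5):  # lockout is assumed
        self.key_hex = key_hex
        self.counter = 0
        self.failures = 0
        self.max_failures = max_failures

    def check(self, submitted: str) -> bool:
        if self.failures >= self.max_failures:
            return False  # locked out: 5 guesses cover only 5 / 64**4 of the space
        expected = passcode(self.key_hex, self.counter)
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            self.counter += 1  # consumed: a captured passcode is not accepted again
            self.failures = 0
            return True
        self.failures += 1
        return False


def demo():
    key = "00112233445566778899aabbccddeeff" * 2  # constructed sample key
    server = Verifier(key)
    first = passcode(key, 0)
    # Fresh code, replay of the same code, then the next code in the sequence.
    # The replay passes only if code 1 happens to equal code 0 (1 in 64**4).
    return server.check(first), server.check(first), server.check(passcode(key, 1))
```

Passcodes from this stand-in will not match passcards produced by a compliant PPP implementation.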
In addition to the information and podcast audio files above, the following pages provide a thorough description of the design and operation of GRC's Perfect Paper Passwords system: