in reply to Re: Need a wait to generate a 4 digit "PIN" number
in thread Need a wait to generate a 4 digit "PIN" number

But really it would not take a genius to guess the "join + MD5 or CRC hash" method. So don't rely on such amateurish security.

That's why one of the joined fields should be some secret value. The key/password, so to speak. It should never be an issue whether the algorithm is public or not. Only the key needs to be private.

But you do have a point. If the user already has a key/password, why would he need a PIN too? It's just another password. Two passwords are not more secure than one.

  • Comment on Re^2: Need a wait to generate a 4 digit "PIN" number
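The keyed-hash approach described in the post above, written out as an added example (this is not code from the thread or from any poster; the field separator, the secret value and the sample records are constructed for illustration). It uses an HMAC rather than a bare MD5 or CRC over the joined fields, so that knowing the algorithm and the user's fields is not enough to reproduce the PIN without the server-side secret:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);   # core module since Perl 5.10

# Hypothetical server secret: load it from protected configuration in
# practice, never hard-code it. Only this value needs to stay private;
# the derivation algorithm itself can be public.
my $SECRET = 'replace-with-a-long-random-server-secret';

# derive_pin($secret, @fields) -> zero-padded 4-digit string
sub derive_pin {
    my ($secret, @fields) = @_;

    # Join with a separator that cannot appear in the fields (ASCII unit
    # separator here, a constructed convention), so that ("ab","c") and
    # ("a","bc") do not produce the same input.
    my $data = join "\x1f", @fields;

    # Keyed hash: data first, key second, as Digest::SHA expects.
    my $mac = hmac_sha256_hex($data, $secret);

    # Reduce the first 32 bits of the MAC to the range 0..9999.
    # (2**32 mod 10000 != 0, so there is a tiny bias; it is negligible here.)
    my $n = hex(substr($mac, 0, 8)) % 10000;
    return sprintf '%04d', $n;
}

# Constructed sample records: name, e-mail, account number.
my @users = (
    [ 'alice', 'alice@example.com', '1001' ],
    [ 'bob',   'bob@example.com',   '1002' ],
);

for my $u (@users) {
    printf "%-6s PIN %s\n", $u->[0], derive_pin($SECRET, @$u);
}

# Same fields, different secret: the PIN changes, which is the whole point
# of keying the hash instead of hashing the public fields alone.
printf "alice with another secret: %s\n",
    derive_pin('another-secret', @{ $users[0] });
```

Two practical notes. First, the secret should be long and random, not a dictionary word, since anyone who can obtain a few (fields, PIN) pairs could otherwise test candidate secrets offline. Second, no derivation scheme changes the fact that a 4-digit PIN has only 10,000 possible values, so whatever checks the PIN must limit and log failed attempts rather than rely on the PIN being hard to guess.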

Re^3: Need a wait to generate a 4 digit "PIN" number
by Limbic~Region (Chancellor) on Dec 16, 2007 at 22:18 UTC
    ikegami,
    Two passwords are not more secure than one.

    Well, when two pieces of information comprise a single password it can be more secure. For instance, certain facilities require:

    • Something you know (PIN)
    • Something you have (electronic badge)
    • Something you are (fingerprint or retina scan)

    I know this doesn't have a lot to do with the thread but when I read your reply I wanted to comment. A closer example would be one of those security token key chains which is constantly generating new passwords. When logging in, you must be looking at the currently generated password and add your PIN to it to be authenticated. Having just the token isn't enough.

    Cheers - L~R

      I was referring to passwords specifically. My statement about two passwords was not meant to be extrapolated to other pairings of credentials and shouldn't be extrapolated to other pairings of credentials. As you say, it doesn't necessarily hold up if you do.

      A closer example would be one of those security token key chains which is constantly generating new passwords.

      It's not having two passwords that makes it more secure, it's having the key chain and knowing the password that makes it more secure.

      Yes, but those are three different things: "knowing, having, being" and not three "bits of data plus a PIN" which are just the same type of thing (all "knowing").

      CountZero

      "A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little or too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James

        CountZero,
        I will quote myself: "I know this doesn't have a lot to do with the thread but when I read your reply I wanted to comment." I wasn't defending the position that two passwords was secure in this case, but that the statement in general wasn't necessarily true.

        Cheers - L~R