
Show HN: Combo Password: A (hopefully) new type of password - usernam33
http://92.60.36.247/combo-password/
======
friendzis
Interesting. Just typing "password" yields "pa,s,s,w,or,d", so it seems you
register groups by keypress delay. It actually opens up multiple possibilities
to factor typing style into the password. The same keys one-fingered grandma-
style would not necessarily register as the same password when "properly"
typed in.

Idea itself is interesting, though password validation brings its own can of
worms. Where do you do key groupings - client or server side? How do you
capture keypress timing data? What amount of timing variation is allowed? How
do you factor in changing typing swiftness? How do you handle keyboard
layouts?

Essentially, the idea is different keys pressed at tightly controlled
intervals, which sounds an awful lot like a music tune played on a keyboard (pun
intended). Are tunes more or less secure than the strictly textual passwords we
use now?

~~~
usernam33
Actually I register groups when a key is lifted. You probably typed fast and
had P still pressed when A was pressed. I do not yet have a solution to
compensate for varying swiftness. These typos could be prevented with some
effort I guess. The groupings need to happen client side, timing data is not
involved at all, only keyDown and keyUp events are used.

Keyboard layouts should be no problem (unless I missed something) since I use
key codes rather than values.

Maybe the source also helps answer some questions:
[https://gitlab.com/FalkF/combopassword/blob/master/app/compo...](https://gitlab.com/FalkF/combopassword/blob/master/app/components/combo-pw-input/component.js)

A Combo Password should offer more security but I still got to wrap my head
around the math. I got a formula from someone helpful with a master's degree in
math in the stackexchange post:
[https://math.stackexchange.com/questions/3133516/number-of-p...](https://math.stackexchange.com/questions/3133516/number-of-possible-combo-passwords)

------
usernam33
Hi, I was wondering about use cases for n key rollover (apart from gaming)
when I thought of using key combinations as a password. This is a small demo
login to demonstrate my idea. There should be more combinations in a combo
password than in a normal password of the same length.

~~~
mtmail
So for every character I type a comma gets added. Can you give an example of a
normal password and combo password and the math why the combo password has
more combinations?

~~~
usernam33
The comma is just there to visually separate the key combinations, I did not
implement a better solution for visualizing a combination yet.

A normal alphanumeric (36 characters) password with 5 chars has 36^5 possible
combinations: "12345"

A combo password also has these 36^5 combinations since you can enter a normal
password (it is just 5 single key combinations): "1,2,3,4,5"

But there are even more combinations since you can press keys simultaneously:
"12,3,4,5" or "1,23,45," etc.

The checkSequence flag toggles the password check's strictness. When false you
can set the password "12,3,4,5" and entering "21,3,4,5" will still be valid
since "21" is the same two keys pressed as "12". When set to true only
"12,3,4,5" would be accepted.
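
An added example, not part of the original post and not the demo's source: it compares two combo passwords under both checkSequence settings and counts how many combo passwords exist for a given total number of key presses. The function names are hypothetical, and the counting model is an assumption (keys within one combination are distinct, length means total key presses); it is not the formula from the linked math.stackexchange answer.

```javascript
// Added example: names and the counting model are assumptions, not the demo's code.

// Parse the comma-separated display form ("12,3,4,5") into groups of keys.
function parseCombo(text) {
  return text.split(",").filter((g) => g.length > 0).map((g) => [...g]);
}

// Canonical form used for comparison. With checkSequence=false the order
// of keys inside one combination is ignored, so each group is sorted.
function canonical(text, checkSequence) {
  return parseCombo(text)
    .map((g) => (checkSequence ? g : [...g].sort()).join(""))
    .join(",");
}

function matches(stored, entered, checkSequence) {
  return canonical(stored, checkSequence) === canonical(entered, checkSequence);
}

// Ways to form one combination of g distinct keys out of k:
// ordered (checkSequence=true): k!/(k-g)!, unordered: C(k, g).
function groupChoices(k, g, checkSequence) {
  let ways = 1n;
  for (let i = 0; i < g; i++) ways *= BigInt(k - i);
  if (!checkSequence) for (let i = 2; i <= g; i++) ways /= BigInt(i);
  return ways;
}

// Number of combo passwords with n key presses in total over k keys:
// f(0) = 1, f(n) = sum over first-group size g of choices(g) * f(n - g).
function countCombos(k, n, checkSequence) {
  const f = [1n];
  for (let len = 1; len <= n; len++) {
    let total = 0n;
    for (let g = 1; g <= Math.min(len, k); g++) {
      total += groupChoices(k, g, checkSequence) * f[len - g];
    }
    f.push(total);
  }
  return f[n];
}

console.log("plain 36^5:      ", 36n ** 5n);
console.log("combo, unordered:", countCombos(36, 5, false));
console.log("combo, ordered:  ", countCombos(36, 5, true));
console.log("12,3,4,5 vs 21,3,4,5 (lenient):", matches("12,3,4,5", "21,3,4,5", false));
```

Under this model the 5-key count grows from 36^5 by a factor of roughly 4 (unordered) to 15 (ordered), which is about 2 to 4 extra bits of search space.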

~~~
mtmail
I see. I missed how you can press/type two characters simultaneously. Not sure
if that works with mobile onscreen keyboards and password manager software.

~~~
usernam33
It won't work with password managers or devices without keyboards. Unless a
comma (or other char) separated string form is accepted by the implementation.
I could also think of solutions for screen keyboards, but my goal is not to
replace normal passwords but rather to offer an alternative where high
security is needed and compatibility granted.

