Gebruiker:Timvans/Kladblok

The Opfes-principle

'Opfes' is the principle of using one password for every site: the password the user enters is hashed together with the domain name of that site and some other parameters, and the resulting hash is what the web page sends to the server as the user's password.

One Password

The generated hash is based on more input parameters than the user's password alone. Consequently, the resulting hash, which is used as the password, will be different for each site the user visits. The user can therefore enter the same password at each of those sites and, using the Opfes-principle, still authenticate with a different password at each one. This creates the opportunity to use only one password for every site.

Phishing

This principle prevents the user from becoming a victim of phishing. A phishing attack lures the victim to a look-alike site and attempts to make the user give up his username and password. When a user who is unaware of the phishing attack and is not using the Opfes-principle enters his credentials, he allows the attacker to log on to the target site using these credentials. If, however, a user who is unaware of the phishing attack but is using the Opfes-principle enters his credentials, the attacker receives a password that is hashed based on the look-alike site's domain name instead of the target site's domain name. This makes it impossible for the attacker to use the user's credentials to log on to the target site, since the password retrieved from the victim will not validate.

IDN-phishing

Even with IDN-phishing, the user is safe when the Opfes-principle is used. With IDN-phishing the attacker has registered a domain name in UTF-8 code that looks very similar, possibly pixel-perfect, to the targeted site's domain name in an email, a web browser's URL bar, or any other visual representation that transforms the UTF-8 code to ASCII. Since the Opfes-principle takes the non-transformed domain name, and not the transformed domain name, as input for the hash, the resulting hash will not give the attacker a password that validates on the targeted site.

Password Strength

The hash resulting from the user's password, the domain name and several other parameters is designed to have the maximum strength possible for the given domain while complying with the site's password restrictions.
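
The derivation described in the sections above (one password, phishing, IDN-phishing and password strength), shown as an added example that is not code from Opfes or Sourcerers.nl. The page names no hash function or parameters, so PBKDF2-HMAC-SHA256, the iteration count, the username as the "other parameter", the alphabet, and the names site_password, ITERATIONS and DEFAULT_ALPHABET are all assumptions.

```python
import hashlib
import string

# Assumed parameters: the page does not name the hash function, the
# "other parameters" or the output encoding. All values are illustrative.
ITERATIONS = 200_000
DEFAULT_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def site_password(master: str, domain: str, username: str,
                  length: int = 20, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Derive a per-site password from one master password.

    The domain is hashed as the exact code points the client connected to
    (only lower-cased), so a visually identical look-alike yields other bytes.
    """
    if not master or not domain:
        raise ValueError("master password and domain are required")
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("site policy leaves no room for a password")
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    salt = b"".join(len(p).to_bytes(2, "big") + p for p in
                    (domain.lower().encode("utf-8"), username.encode("utf-8")))
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              ITERATIONS, dklen=4 * length)
    # Four bytes per output character keeps the modulo bias negligible.
    chars = []
    for i in range(length):
        n = int.from_bytes(raw[4 * i:4 * i + 4], "big")
        chars.append(alphabet[n % len(alphabet)])
    return "".join(chars)


# Constructed sample input: a placeholder domain and a homograph of it whose
# "a" is CYRILLIC SMALL LETTER A (U+0430) instead of the Latin letter.
MASTER = "correct horse battery staple"
GENUINE = "example.com"
LOOKALIKE = "ex\u0430mple.com"

if __name__ == "__main__":
    real = site_password(MASTER, GENUINE, "alice")
    phished = site_password(MASTER, LOOKALIKE, "alice")
    print("genuine  :", real)
    print("lookalike:", phished)
    print("reusable on genuine site:", real == phished)
    # A site restricted to 12 digits still receives a conforming password.
    print("digits-only:", site_password(MASTER, GENUINE, "alice", 12, string.digits))
```

The value captured on the look-alike domain differs from the one the genuine site expects, which is the property the Phishing and IDN-phishing sections rely on.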

Origin of the Opfes principle

This principle was first thought of in March 2017 by Sourcerers.nl.