Preface
There has always been a dilemma. Just before I started writing, I thought about how to sum it up. It is:
"Is a real-name alt account still an alt account?.jpg"
"Security questions" that are too secure
The Chinese name for these, literally "password-protection question", is probably the more accurate one; that is exactly what QQ used to call them. QQ later gradually replaced them with mobile-phone verification and even produced its own TOTP token; by the look of it, the security question has been abandoned there.
Then there is the new router I bought last year: I do not understand why it also requires setting a security question, which you must answer after pressing the reset button before the reset goes through. I can only say that I will not actually forget the login password... right?
Then there is the Yandex mailbox, which is bound not to a phone number but to another mailbox, with the security question «Your favorite childhood book». What is the answer???
It is really very, very strange to use a piece of text that carries "semantic" content yet is still judged on exact "correctness" to protect another password that only needs correctness.
The "semantics" mislead you into thinking "I don't need to remember this one specially"; the "correctness" requirement means it is effectively just a longer password, and one the browser cannot remember for me.
So secure that I cannot pass the verification myself...
Recently, while setting up two-step verification for GitHub, there was a file of recovery codes. In fact there is also a file of backup verification codes that Google generated in 2017, and it has been there all along; although only one of the ten codes was ever used, the probability of losing these files is still lower than that of forgetting the "answer to the security question"...
About the password itself
The password itself can be remembered automatically with the help of tools; on the other hand, most sites also let you reset it via "retrieve password". However, I feel that many users, including me, cannot distinguish a security question from the password in terms of the "consequences of forgetting", and carry the same mindset into the step of setting the security question. That is also one reason security questions are not scientific enough.
Then there is the composition of the password text itself. Random generation is actually the safest when manual entry is not a consideration, but reality is not ideal.
「 FlowerPassword (花密) 」 ← 2011-2023
It turns out this thing has been around for that long...
FlowerPassword uses "memory password" + "distinguishing code".
The reason I did not use it: for a Penguin (Tencent) account, should the distinguishing code be "Tencent", "Penguin" or "QQ"???
That is a serious tangle... and I just found out that the generated code is case sensitive, which makes it even more tangled. --||
Finally, it is still inconvenient to copy the result after generation.
My own password scheme
At first I tried appending a short code such as QQ, GG or FF directly to the end of the password.
Later I tried the Wubi input codes of the Chinese characters for the year and month, but the first letters of the Wubi codes for the characters one to ten only give eight distinct letters. Then I thought of a time cycle generated the way TOTP does it, with the cycle measured in days; the output length started at three characters and was later changed to four, appended to the fixed password as a suffix.
In the earliest version, instead of an automatically generated time cycle, I took the cycle marker from the official Windows 10 release name, the "XX 202X Update" style; now it is the "22H2" format.
The result, of course, is that passwords set or reset within the same cycle come out identical... --||
Back to the puzzle from the beginning: for some passwords used on alt accounts, the numeric part of the fixed portion is a string that is easier to type, while the main accounts use a different string.
So which password should a "real-name alt account" get?? --||
So, the code
Web version:
GenCode - a special TOTP generation tool - my website:
https://demo.wdssmq.com/tools/GenCode/
↑ Rewritten from the mini-program code, and since Taro was not used to generate the web version directly, the styling still needs adjusting;
Mini-program, using Taro:
taro-prime-ts · wdssmq/StaleCode (old code collection) on Gitee:
https://gitee.com/wdssmq/StaleCode/tree/master/taro-prime-ts
↑ This seems to be the first project in which I used TS.jpg
↑ Need to add a README.md with the mini-program code image, and decide whether to extract the core part into a lib again and then use native code for the WeChat mini-program that is actually released --||
About the algorithm
There is an old saying that goes "Don't invent your own encryption algorithm", but it feels wasteful to use complex encryption when only 4 characters are output...
The code used for the implementation above was hand-written by me; I feel its biggest problem is that I keep wanting to modify it.
Let me also try having AI generate one. Below is the prompt used and a result that looks fine, although it does not feel good after actually running it...
Implement a time-based hash algorithm without complicated encryption. The key consists only of digits and the time period is n days; the same result is output within the same period, using only basic addition, subtraction, division, base conversion and charCodeAt. The output is 4 pure letters, and any of A-Z may appear.
OK, I can provide you with a simple time-based hash algorithm. The steps are:
1. Get the current time and convert it to seconds since 1970-01-01.
2. Convert the key to a number.
3. Divide the seconds from step 1 by the number of seconds in n days (24 hours * 60 minutes * 60 seconds * n) and take the integer part.
4. Add the number from step 2 to the integer from step 3.
5. Convert the result to base 26, then add each digit to 'A' to get the corresponding letter.
6. Join the four letters to get the final result.
The following JavaScript snippet implements the algorithm:
function getTimeBasedHash(key, n) {
  // Current Unix time in seconds
  const now = Math.round(Date.now() / 1000);
  // The key is digits only, so it converts straight to a number
  const keyNum = parseInt(key, 10);
  // Length of one period in seconds (n days)
  const daySeconds = 24 * 60 * 60 * n;
  // Period index plus key: identical for every call within one period
  let hashNum = Math.floor(now / daySeconds) + keyNum;
  // Render in base 26, digit value 0..25 -> 'A'..'Z'
  let hashStr = "";
  while (hashNum > 0) {
    const remainder = hashNum % 26;
    const charCode = remainder + 65;
    hashStr = String.fromCharCode(charCode) + hashStr;
    hashNum = Math.floor(hashNum / 26);
  }
  // Pad short results with 'A' on the left and keep only the low four letters,
  // so the output is always exactly 4 characters (the generated version padded
  // but never truncated, so a large key produced 5 or more letters)
  return hashStr.padStart(4, "A").slice(-4);
}
Note that this function takes two parameters: the key and the time period (in days). It returns a string of four uppercase letters as the hash result. Within the same time period, the same key always generates the same hash value.
Roughly a summary of the above:
1. Two groups of passwords are used in daily life; the numeric part of one group is relatively simple and is used for some alt accounts. But "a real-name alt account is not an alt account.jpg", so which group should be used?
2. I complained about the scheme of resetting the password via the "password-protection question": it is too secure for me to get through;
3. For the password itself, when manual entry is not required, "random generation + password manager" is good;
4. The last point is not so ideal after all, so my choice is to add a few suffix characters that change with the time cycle on top of a fixed password composition. After typing it a few more times you remember it anyway, and before that it can be regenerated;
5. So how to "select" a generation algorithm? Although I am confused at the moment... "Don't invent your own algorithm.jpg"
Other
Is QQ Security Center, the mobile app, effectively offline?
All kinds of verification are basically just the mobile number or QR-code scanning; the dynamic password has not been used in a long time.
Then the login history only goes up to "2022-06-16", and today is "2023-03-28".
"I have been watching you for 1035 consecutive days.jpg"... Should I uninstall it...