I've always wondered why websites don't offer a "variable password" option, in which a user's password is constantly changing based on the day of the week or time of the day. e.g. "my password is 'foo' followed by the current hour of the day, always expressed as two digits".

I understand basic security 101, the need for trapdoor functions, and the prudence of never storing the user's actual password.

That said, is there some inherent security reason why variable passwords won't work? I imagine you could simply trapdoor the non-variable parts of the user's given password, then prepend/append the variable parts. (Yes, I really haven't given this more than 2 minutes of thought).

+3  A: 

It might make passwords easier to guess.

If there were a couple of standard rules such as you describe, I might guess that you would pick a simple word and then apply one of those rules. So then I can use a dictionary-based attack (starting with the simple words!) and apply each of the rules available.

Mark Harrison
A: 

It adds an unnecessary burden to the user, and it may not be worth the extra trouble.

Variable passwords are out there though, and one example is RSA SecurID, which is commonly used for VPN-ing into corporate networks.

jimyi
+4  A: 

I think the security gains that could be made in preventing a brute force attack would be more than countered by weaknesses inherent in the implementation.

If you are using hashed passwords then comparing against the variable password would be impossible. I suppose you could do it with reversible encryption but I really don't see it being worth it.

apocalypse9
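
The scheme the question describes (hash only the fixed part, check the variable part against the server clock), written out as an added example that is not code from any poster in this thread. The record layout, the rule name `suffix_hour_2d` and the PBKDF2 iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
from datetime import datetime

ITERATIONS = 200_000          # assumed PBKDF2 work factor for this sketch
RULE = "suffix_hour_2d"       # hypothetical rule name: append the hour as two digits


def enroll(fixed_part: str) -> dict:
    """Store a salted hash of the fixed part; the rule itself is kept in the clear."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", fixed_part.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "rule": RULE}


def verify(record: dict, submitted: str, now: datetime) -> bool:
    """Split off the variable suffix, check it against the clock, hash the rest."""
    if record["rule"] != RULE or len(submitted) < 2:
        return False
    fixed, suffix = submitted[:-2], submitted[-2:]
    expected_suffix = now.strftime("%H")          # "00" .. "23", server time
    suffix_ok = hmac.compare_digest(suffix.encode(), expected_suffix.encode())
    digest = hashlib.pbkdf2_hmac("sha256", fixed.encode(), record["salt"], ITERATIONS)
    # Run both comparisons before combining them, so the response time
    # does not reveal which half of the password was wrong.
    hash_ok = hmac.compare_digest(digest, record["hash"])
    return hash_ok & suffix_ok


def demo() -> list:
    """Constructed sample: fixed part 'foo', logins at 14:30 and 15:05."""
    record = enroll("foo")
    at_1430 = datetime(2024, 1, 1, 14, 30)
    at_1505 = datetime(2024, 1, 1, 15, 5)
    return [
        verify(record, "foo14", at_1430),   # correct for that hour
        verify(record, "foo14", at_1505),   # same string an hour later
        verify(record, "foo15", at_1505),   # fixed part plus the new hour
        verify(record, "bar14", at_1430),   # wrong fixed part
    ]


if __name__ == "__main__":
    print(demo())
```

The suffix is computed from the clock and a rule the server stores in the clear, so it contributes no secret of its own; the stored hash protects only the fixed part.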