Slashdot Mirror


Pictorial Passwords

Stone Rhino writes: "No longer do you need to remember passwords. Now, thanks to graduate students at Berkeley you merely need to pick out the right pieces of abstract art. There is a story on it at the New York Times. However, there is a problem with it that I see: 5 images from a set of 25 means 53,130 potential combinations. This would be much easier to crack by brute force than a standard alphanumeric password with its billions of possibilities and millions of likely choices." Maybe you have to get the sequence of images correct? If so there are some six million combinations, still weaker than an optimum password but probably stronger than the passwords most people choose (usually their significant other's name). There's another article on passwords in that same NYT edition.

9 of 331 comments

  1. Re:login required by yatest5 · · Score: 2, Informative

    Here is a link that works

    The Link

    er, and if that doesn't, simply take the linked url in the story and replace www.nytimes.com with archive.nytimes.com

    --
    • Mod parent up! [a] by Anonymous Coward (Score:5) Thurs, June 31, @13:37
  2. A film that shows drawing passwords instead of typing by DrD8m · · Score: 2, Informative

    Have you seen Safe House film? http://us.imdb.com/Title?0120051
    There's an interesting way to draw passwords.

  3. If it can't KNOW who I am, it's still spoof-able by crovira · · Score: 5, Informative

    Passwords have never been more than a low level rung on the ladder of trust. If you want security, equip the ATM with a fingerprint pad and/or a camera and eye piece capable of taking retinal prints.

    The rest, as we can read, is just a bunch of jokes.

    --
    MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
  4. Re:Jeebus! by Bonker · · Score: 5, Informative

    This is a fairly standard practice. It's been used in at least two IT offices I've worked in. It even makes handing out passwords during 'change day' easier, because all the networking and development staff have come to expect a mnemonic rather than the password itself:

    "All Your Base Are Belong To Us!"

    becomes

    "aybab2u!"

    Another useful password naming procedure is the use of 'l33t speak' inside passwords... especially long ones. On systems that support passphrases or long passwords instead of 8 char strings, this makes creating and remembering passwords quite a bit easier.

    "My Password Rocks" is probably not so good, but

    "MyP455w0rdR0X0r5" is a 16 character password with 7 numbers, upper and lower case characters, and no long strings of plain english text to get chewed up in a dictionary attack.

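
The mnemonic and leet transformations in the comment above are deterministic, and that is exactly what a rule-based cracker exploits: it does not search the 16-character keyspace, it enumerates phrases times rules. The following is an added example, not code from the thread or from any cracking tool: a tiny rule engine with a constructed phrase list (PHRASES), constructed word and character maps (WORD_MAP, LEET_MAP) and four rules. It derives "aybab2u!" from its phrase exactly as the comment does; the leet rule is a plain character substitution, so it yields "MyP455w0rdR0ck5" rather than the comment's slang respelling "R0X0r5".

```python
"""Mnemonic and leet-speak password derivation, and the cost of reversing it.

Added example, not code from the thread. WORD_MAP, LEET_MAP, RULES and
PHRASES are constructed for illustration; real crackers ship far larger
rule sets and wordlists.
"""
import hashlib
import itertools
import math

# Word-level replacements used when building an acronym mnemonic (assumed set).
WORD_MAP = {"to": "2", "too": "2", "two": "2", "for": "4", "four": "4", "you": "u"}
# Character-level leet replacements (a subset of the usual mapping; assumed set).
LEET_MAP = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}


def mnemonic(phrase: str) -> str:
    """Acronym mnemonic: first letter of each word, number-words replaced,
    punctuation attached to a word kept ("... To Us!" -> "...2u!")."""
    parts = []
    for word in phrase.split():
        core = "".join(ch for ch in word if ch.isalnum())
        punct = "".join(ch for ch in word if not ch.isalnum())
        parts.append(WORD_MAP.get(core.lower(), core[:1].lower()) + punct)
    return "".join(parts)


def leet(phrase: str) -> str:
    """Drop spaces and apply LEET_MAP to every letter it covers; the case of
    letters it does not cover is preserved."""
    return "".join(LEET_MAP.get(ch.lower(), ch) for ch in phrase if not ch.isspace())


# Each rule is a deterministic phrase -> candidate transformation, which is why
# the attacker pays only |phrases| * |rules| guesses.
RULES = {
    "join": lambda p: p.replace(" ", ""),
    "mnemonic": mnemonic,
    "leet": leet,
    "mnemonic+leet": lambda p: leet(mnemonic(p)),
}

# Constructed phrase list standing in for quotes, lyrics and catchphrases.
PHRASES = [
    "All Your Base Are Belong To Us!",
    "My Password Rocks",
    "Correct Horse Battery Staple",
    "To Be Or Not To Be",
    "Four Score And Seven Years Ago",
]


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256, standing in for whatever hash the target system stores."""
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hash: str, phrases=PHRASES, rules=RULES):
    """Try every phrase under every rule. Returns (plaintext, rule_name, guesses),
    or (None, None, guesses) when the search space is exhausted."""
    guesses = 0
    for phrase, (name, rule) in itertools.product(phrases, rules.items()):
        guesses += 1
        candidate = rule(phrase)
        if sha256_hex(candidate) == target_hash:
            return candidate, name, guesses
    return None, None, guesses


def search_space_bits(n_phrases: int, n_rules: int) -> float:
    """Effective entropy of a phrase-derived password: the phrase source times
    the rule set, regardless of how long the output string is."""
    return math.log2(n_phrases * n_rules)


def random_string_bits(length: int, alphabet_size: int = 95) -> float:
    """Entropy of a uniformly random string over printable ASCII, for contrast."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for target in ("aybab2u!", "MyP455w0rdR0ck5"):
        print(target, "->", crack(sha256_hex(target)))
    print("phrase x rule space: %.1f bits" % search_space_bits(len(PHRASES), len(RULES)))
    print("16 random printable chars: %.1f bits" % random_string_bits(16))
```

The point of the comparison at the end: the 16-character output looks like about 105 bits of keyspace, but its real strength is that of the phrase source multiplied by the handful of transformations an attacker will try, which is why leet rules are a standard part of cracking rule files rather than a defence against them.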
  5. DoD guidelines by Roast+Beef · · Score: 2, Informative

    The second article mentions the Department of Defense guidelines for passwords. They're an interesting read.

  6. neat, but... by kevin+lyda · · Score: 5, Informative

    it's not new. i remember using an apple newton that had a picture based password option.

    --
    US Citizen living abroad? Register to vote!
  7. And here is the interesting URL by bodin · · Score: 5, Informative

    for the project itself

    http://www.sims.berkeley.edu/~rachna/dejavu/

    Which always seems to be missing.

  8. Implementation details by lee1 · · Score: 2, Informative

    can be found in one of the researchers' papers, where it can be seen that the poster, editor, and many of the commentators here make incorrect assumptions. The user of the system must simply recognize which subset of images from a presented set belong to a previously chosen portfolio. The number of images in the portfolio is larger than the number of portfolio images in the presented set; this makes shoulder surfing ineffective unless it is done repeatedly. Also, identification of the portfolio images can be done by pressing keys, and can be hidden just as are conventional passwords. Each image is equivalent to an eight-byte number, but from this large set they have hand-selected 10,000 images for the current implementation, still leading to a very large number of possible passwords.

    The weakest part of the system is what I would have thought was the obvious one: quoting from the paper,

    In general, a weakness of this system is that the server needs to store the seeds of the portfolio images of each user in cleartext. Tricks similar to the hashed passwords in the /etc/passwd file do not work in this case, because the server needs to present the portfolio to the user, hidden within the decoy images. For this reason, we assume the server to be secure and trusted
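
To make the description in the comment above concrete, here is an added simulation of one recognition-based login round; it is not the Berkeley project's code. The portfolio size (PORTFOLIO), grid size (SHOWN) and number of portfolio images per round (HITS) are assumptions chosen so that the portfolio is larger than what one round shows, as the comment says; the 10,000-image pool and the 8-byte seed follow the comment, and a hash of the seed stands in for the random-art renderer. The block also shows the two points made above: a blind guess at one round costs log2 C(25,5) bits of work, and a shoulder surfer needs more than one observed round, while the server has to keep the seeds in cleartext to build the grid.

```python
"""One round of a recognition-based login (Deja Vu style), as an added example.

Not the Berkeley project's code. PORTFOLIO, SHOWN and HITS are assumptions;
render() stands in for the random-art generator and just hashes the seed.
random.Random is used so a run is reproducible; a deployment would use
secrets.SystemRandom instead.
"""
from __future__ import annotations

import hashlib
import math
import random

UNIVERSE = 10_000   # hand-selected image pool mentioned in the comment
PORTFOLIO = 8       # images the user memorises (assumption)
SHOWN = 25          # images in one challenge grid (assumption, matching 5-of-25 above)
HITS = 5            # portfolio images present in a grid; PORTFOLIO > HITS by design


def render(seed: int) -> str:
    """Deterministic image-from-seed, so the server stores seeds, not pixels."""
    return hashlib.sha256(seed.to_bytes(8, "big")).hexdigest()[:8]


class Server:
    def __init__(self, rng: random.Random):
        self.rng = rng
        # Seeds must be stored in cleartext: the server has to regenerate the
        # user's images to place them in the grid. This is the weakness quoted above.
        self.portfolios: dict[str, frozenset[int]] = {}

    def enroll(self, user: str) -> frozenset[int]:
        seeds = frozenset(self.rng.sample(range(UNIVERSE), PORTFOLIO))
        self.portfolios[user] = seeds
        return seeds

    def challenge(self, user: str) -> list[int]:
        """HITS portfolio seeds mixed with SHOWN-HITS decoys, shuffled."""
        portfolio = self.portfolios[user]
        grid = self.rng.sample(sorted(portfolio), HITS)
        while len(grid) < SHOWN:
            s = self.rng.randrange(UNIVERSE)
            if s not in portfolio and s not in grid:
                grid.append(s)
        self.rng.shuffle(grid)
        return grid

    def verify(self, user: str, grid: list[int], picks: set[int]) -> bool:
        """Accept only the exact set of grid positions holding portfolio images."""
        expected = {i for i, s in enumerate(grid) if s in self.portfolios[user]}
        return picks == expected


class Client:
    """The user remembers pictures, not seeds; selection can be by keypress."""

    def __init__(self, seeds: frozenset[int]):
        self.memory = {render(s) for s in seeds}

    def answer(self, grid: list[int]) -> set[int]:
        return {i for i, s in enumerate(grid) if render(s) in self.memory}


def make_server(seed: int = 1) -> Server:
    """Reproducible server for demos and tests."""
    return Server(random.Random(seed))


def single_round_guess_space() -> int:
    """Number of answers a blind guesser who knows HITS must consider: C(SHOWN, HITS)."""
    return math.comb(SHOWN, HITS)


def single_round_guess_bits() -> float:
    """Work for that blind guess, in bits."""
    return math.log2(single_round_guess_space())


def rounds_to_observe_portfolio(server: Server, user: str) -> int:
    """Shoulder surfer who records the user's picks each round: rounds until the
    whole portfolio has been seen. Always more than one because PORTFOLIO > HITS."""
    seen: set[int] = set()
    rounds = 0
    while seen != set(server.portfolios[user]):
        grid = server.challenge(user)
        seen |= set(grid) & server.portfolios[user]
        rounds += 1
    return rounds


if __name__ == "__main__":
    srv = make_server(1)
    alice = Client(srv.enroll("alice"))
    grid = srv.challenge("alice")
    print("genuine user accepted:", srv.verify("alice", grid, alice.answer(grid)))
    print("blind guess: %d answers, %.1f bits per round"
          % (single_round_guess_space(), single_round_guess_bits()))
    print("rounds a shoulder surfer needs:", rounds_to_observe_portfolio(srv, "alice"))
```

The 53,130 figure from the story is the per-round guess space, so a deployment would rate-limit or lock out after a few failed rounds; the cleartext seed store is the part no client-side design change can fix, which is why the paper has to assume a trusted server.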
  9. Re:ATMs by ryanr · · Score: 3, Informative

    Typical ATM card theft scenario gives the thief both the physical card and the PIN.

    One way involves thieves putting up their own ATM machine in a mall or some such, and simply waiting for people to use it. After they enter their PIN, it eats their card. In another method, the thieves place tape in the atm card slot ("looping") and videotape anyone using the ATM. When the victim leaves, they retrieve the card, which the tape prevented from coming out of the ATM machine.

    A variation of the fake ATM machine method returns the card, but records the card info, and the thieves program another card with that info, which is equivalent to having the physical card in their possession.

    The point being that switching from a PIN to any kind of longer password entered by the customer doesn't hinder these attacks in the slightest.