Pictorial Passwords
Stone Rhino writes: "No longer do you need to remember passwords. Now, thanks to graduate students at Berkeley you merely need to pick out the right pieces of abstract art. There is a story on it at the New York Times. However, there is a problem with it that I see: 5 images from a set of 25 means 53,130 potential combinations. This would be much easier to crack by brute force than a standard alphanumeric password with its billions of possibilities and millions of likely choices." Maybe you have to get the sequence of images correct? If so there are some six million combinations, still weaker than an optimum password but probably stronger than the passwords most people choose (usually their significant other's name). There's another article on passwords in that same NYT edition.
Looks like they are planning on using it for ATM machines, which only have 4-digit numbers... seems like a better idea to me.
"Galadriel is one icy babe but Jackson got it right"
Password: gi1ibbJgir
And I'm sure this approach is nothing new to most /.'ers. And the cool thing is that just a couple of words from the password, say Galadriel and babe, is enough to bring the bloody password back long after one's finished with it.
Feh!
:wq
Seems like you'd have to be really careful not to exclude the color blind. And the actually blind. Or just those with bad vision, or really poor visual memories.
Visit me on #weirdness on the Galaxynet.
It's the great paradox of network security. You can force users to change them every 2 weeks, disallow "easy" passwords by forcing certain characters, mixture of numbers/characters/symbols, not allowing words in dictionary, etc., but the more you do that, the more likely your users are to just stick the password on the monitor with a post-it.
It seems that a visual password would make it much easier for someone across the room to see and learn. One would have a hard time looking at my keyboard if they were behind me, but the whole reason any password login puts bullets on screen is so someone looking at the screen can't see it. Does this system use a mouse or is there some way to pick out the pictures using a keyboard with no on screen indicator? Of course, if that's the case, then this system may not be as idiot proof as they hope.
Do not taunt Happy Fun Ball(TM)
This just won't work for most applications.
Oh, maybe for an ATM, where it's more secure than a four-digit PIN, it'd be secure enough, but it's still unworkable.
Most ATMs use very low-res displays; in fact, many are text-only displays. (I believe a large number of them are actual Hercules monochrome cards, with the ATM running OS/2, for instance.)
If you use a touch-screen, it'll become impossible to hide what you're typing, so you pretty much have to stick numbers up there and have people type the number of the correct picture. You'll have to swap the pictures around if you want to prevent people from just writing the numbers down, so you'll end up with it being harder to remember because the pictures are all on screen at once and in a different place every time.
In the end, you'll have to keep the number of pictures low, and the length of the password low, or people won't be able to remember. Hell, people forget their 4-digit PINs now.
At least with a PIN you can disguise it when writing it down; put it in your address book as Uncle Luigi, with the last four digits of his bullshit phone number being your PIN. What are you gonna do if you need a reminder for this, take a Polaroid of the screen and put it in your wallet?
I'm sure there are applications where this technology will work, but I don't think ATMs are it, and I'm REALLY skeptical about using it for locking PCs.
Biometrics are the future of easy-to-remember identification.