Slashdot Mirror
Pictorial Passwords
Stone Rhino writes: "No longer do you need to remember passwords. Now, thanks to graduate students at Berkeley you merely need to pick out the right pieces of abstract art. There is a story on it at the New York Times. However, there is a problem with it that I see: 5 images from a set of 25 means 53,130 potential combinations. This would be much easier to crack by brute force than a standard alphanumeric password with its billions of possibilities and millions of likely choices." Maybe you have to get the sequence of images correct? If so there are some six million combinations, still weaker than a optimum password but probably stronger than the passwords most people choose (usually their significant other's name). There's another article on passwords in that same NYT edition.
Looks like they are planning on using it for ATM Machine's which only have 4 digit numbers... seems like a better idea to me.
Sure, why not? At least one penguin would be in any Linux user ;)
> than the passwords most people choose (usually
> their significant other's name)
So does this mean that the harder a person's password is to crack, the less likely they are to have a sex life?
Customer's have enough trouble understanding "click the button with the X in the upper right corner".
I wouldn't know where to begin trying to describe what pictures to use for their password... "Ok, now choose the picture that looks like a moose being sucked into a vortex".
First Link: http://college.nytimes.com/2001/12/27/technology/c ircuits/27PBOX.html
c ircuits/27PASS.html
Second Link: http://college.nytimes.com/2001/12/27/technology/
Then all the better reason to be interested in an article about easy-to-remeber passwords. :)
Adversive
My cat's breath smells like cat food.
"Galadriel is one icy babe but Jackson got it right"
Password: gi1ibbJgir
And I'm sure this approach is nothing new to most /.'ers. And the cool thing is that just a couple of words from the password, say Galadriel and babe, is enough to bring the bloody password back long after one's finished with it.
Feh!
:wq
A year or so ago, I found this little beauty: PassFace Technology -- Give it a try. You click on people's faces to get in.
What was interesting was that in finding that URL, I went back to the site for the first time in over a year, and was able to log-in no problem. I remembered my combination of faces.
There's definitely something to this technology!
rOD.
Rod Begbie done this, and he's not
"Even high-ranking executives may act on naïve impulses when it comes to choosing a password"
Even high-ranking executives? Make that especially.
RealUser has done almost exactly the same thing, except using faces, not abstract designs. It's worth checking out their site, since they seem to have thought it through reasonably well. (Read the whitepapers; they have the real meat...) One of the interesting things about these systems is that since you can't describe your password, the correct choices have to be displayed on screen along with some invalid choices, which opens up the system to some attacks unless you construct it very carefully.
I've found that most of the people I know tend to use the same password or pin for everything they have - their e-mail password is the same as their AOL password is the same as their bank PIN and so on.
Using pictures would make this all but impossible, since every provider would (or at least, SHOULD) be using their own set of pictures.
While that's all good for security, I can't believe that it would make remembering your password any easier. Since the story is touting that as the chief benefit, I think they're going to have a really hard sell.
What's your damage, Heather?
Can you imagine having an emergency in our future-tech age?
"No Bill, it's Black Guy, Asian Guy, Samoan Woman, Black Guy with the scar, White Guy with glasses! Hurry up before the Holodeck explodes!"
------
Today's Top Deals
Passwords have never been more than a low level rung on the ladder of trust. If you want security, equip the ATM with a fingerprint pad and/or a camera and eye piece capable of taking retinal prints.
The rest, as we can read, is just a bunch of jokes.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
Not so sure at all.
Seems like you'd have to be really careful not to exclude the color blind. And the actually blind. Or just those with bad vision, or really poor visual memories.
Visit me on #weirdness on the Galaxynet.
This document contains a rough reckoner for calculating whether a passphrase is strong or weak. It makes the point that for a passphrase to be as strong as the encryption in PGP, it needs to be 30+ characters long. ! Remembering one or two paintings might not quite cut it.
For most systems, you can safely use shorter passphrases if you are only permitted a limited number of attempts or have no access to the machine (like at a bank) or the passphrase is changed frequently, or if the phrase is truly random.
Regardless, the strength of the passphrase is almost always the weakest link in any security system.
"Well, put a stake in my heart and drag me into sunlight."
It seems that a visual password would make it much easier for someone across the room to see and learn. One would have a hard time looking at my keyboard if they were behind me, but the whole reason any password login puts bullets on screen is so someone looking at the screen can't see it. Does this system use a mouse or is there some way to pick out the pictures using a keyboard with no on screen indicator? Of course, if that's the case, then this system may not be as idiot proof as they hope.
Do not taunt Happy Fun Ball(TM)
one of the problems that many people have with "strong passwords" is *NOT* their lack of a strong kinesthetic memory- I can ``remember'' any password simply by typing it: sound familiar?
:)
:D)
Problem is that this has NOTHING AT ALL to do with how you actually pull out that memory. I mean, having this strong kinesthetics allows you to keep that password in your head, but it does nothing for pulling it out (unless you ALWAYS use the same password... more on this later)
What triggers that memory really has to be one of four things: A sound, an image, a phrase (written), or a touch. That's not true, at least with me (functional keyed-retreival) but most people at least fall into those four.
This is a cue that your mind uses to pull out those memories at the appropriate moment. The feedback starts and you can whip out your password completely automatically, right?
Some "realistic solutions" to these problems include: BIOMETRICS - which don't require ANY memory, SINGLE LOGIN - which limit the number of cues needed, ASSYMETRIC-KEY - which relies on math, etc, etc.
I say "realistic" because people have used them and they DO work. They don't affect that memory pathway in and of itself, but instead rely on more durable pathways (e.g. outside of the person
Unrealistic methods? Pictorial passwords. Besides the obvious that they're useless to the blind, many (dare I say most? nah, I couldn't find those numbers) people lack a visual eidetic. This means that they're very easy to confuse with similar images - because they cannot be used as triggers for their memory- They simply cannot remember seeing that.
Surely, they can remember the memory of seeing, or the act, maybe if they described it to themselves (common: turning a visual cue into an audio one, but this is time consuming and rarely works for long) - point being, it pushes WAY too much emphesis on only one cue.
With our current method, I gain some visual cues; input fields on the left, on the right, a popup, etc. I also gain some functional cues (mail related? do I know these people? am I these people? was this just a test?)
I then turn all these cues into the blinding flash of realization that sends my fingertips into a frenzy typing out the appropriate login and password for wherever I'm at. (except on slashdot, i'm a wuss... i use cookies
My cues may not be the same as everyone elses' but everyone does have cues. I think that changing the focus of WHAT we remember is less important than changing the cues by which we DO remember.
(There, I think that makes more sense now)
it's not new. i remember using an apple newton that had a picture based password option.
US Citizen living abroad? Register to vote!
Interestingly enough, this is something that I tried hacking out a few years ago (though not under the pleasure of being funded by an academic institution).
I found that people like to click on distinct places, and not the whitespace between shapes/objects. Otherwise, they won't be able to remember exactly which spot they clicked on. This can be analogous to people using dictionary words for their alphanumeric passwords.
Another annoyance that I found was that hitting the exact pixel that you wanted was nearly impossible. You're more likely to hit one adjacent, or 2 away... so increasing the area of error reduces the number of possibilities.
Finally, when I want to get work done, I don't want to play a video game. Making someone hit their exact spot in a sequence of 5, or 10 images, whatever requires skill and accuracy. If you hit the first 9 right, and mess up by one pixel on the last, you have to start all over again. Imagine if you had to achieve a difficult feat - like slaying 20 characters in Quake on nightmare mode before you can log in... damn.
In summary, I think this is a really cool idea (otherwise, I wouldn't have gone to the trouble of implementing it myself) - but the downsides outweigh the benefits.
- passion
This just won't work for most applications.
Oh, maybe for an ATM, where it's more secure than a four-digit PIN, it'd be secure enough, but it's still unworkable.
Most ATMs use very low-res displays; in fact, many are text-only displays. (I believe a large number of them are actual Hercules monochrome cards, with the ATM running OS/2, for instance.)
If you use a touch-screen, it'll become impossible to hide what you're typing, so you pretty much have to stick numbers up there and have people type the number of the correct picture. You'll have to swap the pictures around if you want to prevent people from just writing the numbers down, so you'll end up with it being harder to remember because the pictures are all on screen at once and in a different place every time.
In the end, you'll have to keep the number of pictures low, and the length of the password low, or people won't be able to remember. Hell, people forget their 4-digit PINs now.
At least with a PIN you can disguise it when writing it down; put it in your address book as Uncle Luigi, with the last four digits of his bullshit phone number being your PIN. What are you gonna do if you need a reminder for this, take a Polaroid of the screen and put it in your wallet?
I'm sure there are applications where this technology will work, but I don't think ATMs are it, and I'm REALLY skeptical about using it for locking PCs.
Biometrics are the future of easy-to-remember identification.
Then you could use the whole phrase. No dictionary attack's going to be useful against that, especially if you fiddle with case and it'd take rather a long time to brute force it.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
for the project itself
http://www.sims.berkeley.edu/~rachna/dejavu/
Which always seems to be missing.