Slashdot Mirror


Pictorial Passwords

Stone Rhino writes: "No longer do you need to remember passwords. Now, thanks to graduate students at Berkeley you merely need to pick out the right pieces of abstract art. There is a story on it at the New York Times. However, there is a problem with it that I see: 5 images from a set of 25 means 53,130 potential combinations. This would be much easier to crack by brute force than a standard alphanumeric password with its billions of possibilities and millions of likely choices." Maybe you have to get the sequence of images correct? If so there are some six million combinations, still weaker than an optimum password but probably stronger than the passwords most people choose (usually their significant other's name). There's another article on passwords in that same NYT edition.
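
The keyspace figures in the summary above, worked through as an added example (not part of the original story or of the Berkeley project). The 8-character alphanumeric password, the 3-attempt lockout limit and all function names are assumptions made for the comparison; the last function goes beyond the summary and finds how many ordered picks from the same 25 images would match that password's keyspace.

```python
import math

# Figures taken from the story summary: 5 images chosen from a set of 25.
PORTFOLIO_SIZE = 25
PICKS = 5

def unordered_keyspace(n, k):
    """Number of secrets when only the set of chosen images matters."""
    return math.comb(n, k)

def ordered_keyspace(n, k):
    """Number of secrets when the images must be picked in sequence."""
    return math.perm(n, k)

def string_keyspace(alphabet_size, length):
    """Number of fixed-length strings over an alphabet (PINs, passwords)."""
    return alphabet_size ** length

def entropy_bits(keyspace):
    """Bits of entropy if every secret is equally likely (best case)."""
    return math.log2(keyspace)

def online_guess_success(keyspace, attempts):
    """Chance that `attempts` distinct guesses hit a uniformly chosen secret."""
    return min(1.0, attempts / keyspace)

def picks_to_match(n, target_keyspace):
    """Smallest number of ordered picks from n images reaching target_keyspace."""
    for k in range(1, n + 1):
        if math.perm(n, k) >= target_keyspace:
            return k
    return None  # even ordering all n images falls short

def comparison(attempts=3):  # attempts=3 is an assumed lockout limit
    schemes = {
        "images, unordered": unordered_keyspace(PORTFOLIO_SIZE, PICKS),
        "images, ordered": ordered_keyspace(PORTFOLIO_SIZE, PICKS),
        "4-digit PIN": string_keyspace(10, 4),
        "8-char alphanumeric": string_keyspace(62, 8),  # assumed length
    }
    return {name: (size, round(entropy_bits(size), 1),
                   online_guess_success(size, attempts))
            for name, size in schemes.items()}

if __name__ == "__main__":
    for name, (size, bits, p) in comparison().items():
        print(f"{name:20} {size:>20,} {bits:5.1f} bits  p(3 guesses)={p:.2e}")
    print("ordered picks needed to match 8-char alphanumeric:",
          picks_to_match(PORTFOLIO_SIZE, string_keyspace(62, 8)))
```

The entropy figures assume users choose uniformly at random, so they are upper bounds for every scheme in the table.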

16 of 331 comments

  1. ATMs by davidesh · · Score: 5, Insightful

    Looks like they are planning on using it for ATM machines, which only have 4 digit numbers... seems like a better idea to me.

    1. Re:ATMs by webword · · Score: 5, Insightful

      ATM security is based on more than your PIN number. It has two foundations: PIN number and the card. Therefore, you need to have the card (physical media) and the PIN number.

      If you consider that a person would first need to steal your card and then figure out your PIN number, it becomes apparent that increasing the difficulty of the password is foolish. If your card is lost or stolen, you report it and you save yourself some pain. If your card is lost or stolen, you have a pretty reasonable barrier because the card is physical and needs to be taken to an ATM. Then, even if the card is used immediately, the thief needs to sift through 9999 combinations.

      Security is not meant to lock you in. It is meant to keep other people out. When you think about that, you'll see that you often just want very good security with excellent convenience. That is, you want optimum security, not maximum security. You do not really want maximum security because that would dramatically decrease convenience. For example, if you really wanted maximum security of your funds, you would put them in the bank physically and you would pull them out physically. You would not even use an ATM because the security is not maximum.

      ATMs are convenient and the security is reasonable. Most people can remember their cards and their 4-digit codes. If you start trying to increase the security, you are in for trouble in my opinion. If you really wanted to increase ATM security, forget about pictures. Instead, look into biometrics, which are much more reasonable.

  2. implications.. by Xzzy · · Score: 5, Funny

    > than the passwords most people choose (usually
    > their significant other's name)

    So does this mean that the harder a person's password is to crack, the less likely they are to have a sex life?

  3. From a Tech Support view by scott1853 · · Score: 5, Funny

    Customers have enough trouble understanding "click the button with the X in the upper right corner".

    I wouldn't know where to begin trying to describe what pictures to use for their password... "Ok, now choose the picture that looks like a moose being sucked into a vortex".

  4. Jeebus! by mrfiddlehead · · Score: 5, Insightful
    Why is this still an issue? Pick a phrase, stick a couple of numbers in it, perhaps a 'special character' or two and go.

    "Galadriel is one icy babe but Jackson got it right"

    Password: gi1ibbJgir

    And I'm sure this approach is nothing new to most /.'ers. And the cool thing is that just a couple of words from the password, say Galadriel and babe, is enough to bring the bloody password back long after one's finished with it.

    Feh!

    --
    :wq
    1. Re:Jeebus! by Bonker · · Score: 5, Informative

      This is a fairly standard practice. It's been used in at least two IT offices I've worked in. It even makes handing out passwords during 'change day' easier, because all the networking and development staff have come to expect a mnemonic rather than the password itself:

      "All Your Base Are Belong To Us!"

      becomes

      "aybab2u!"

      Another useful password naming procedure is the use of 'l33t speak' inside passwords... especially long ones. On systems that support passphrases or long passwords instead of 8 char strings, this makes creating and remembering passwords quite a bit easier.

      "My Password Rocks" is probably not so good, but

      "MyP455w0rdR0X0r5" is a 16 character password with 7 numbers, upper and lower case characters, and no long strings of plain English text to get chewed up in a dictionary attack.

      --
      The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
  5. Similar to Passface by rodbegbie · · Score: 5, Interesting

    A year or so ago, I found this little beauty: PassFace Technology -- Give it a try. You click on people's faces to get in.

    What was interesting was that in finding that URL, I went back to the site for the first time in over a year, and was able to log-in no problem. I remembered my combination of faces.

    There's definitely something to this technology!

    rOD.

    --
    Rod Begbie done this, and he's not
    1. Re:Similar to Passface by tswinzig · · Score: 5, Interesting

      > A year or so ago, I found this little beauty: PassFace Technology [realuser.com] -- Give it a try. You click on people's faces to get in.
      >
      > What was interesting was that in finding that URL, I went back to the site for the first time in over a year, and was able to log-in no problem. I remembered my combination of faces.
      >
      > There's definitely something to this technology!


      Unless you're face blind.

      --

      "And like that ... he's gone."
  6. My Favorite Quote On The Second NYT Article: by awrc · · Score: 5, Funny

    "Even high-ranking executives may act on naïve impulses when it comes to choosing a password"

    Even high-ranking executives? Make that especially.

  7. Try telling this one to a friend by NiftyNews · · Score: 5, Funny

    Can you imagine having an emergency in our future-tech age?

    "No Bill, it's Black Guy, Asian Guy, Samoan Woman, Black Guy with the scar, White Guy with glasses! Hurry up before the Holodeck explodes!"

    1. Re:Try telling this one to a friend by Skirwan · · Score: 5, Funny

      > ...they have scanners that can scan your DNA... why do they need the cheesy passwords to activate the self destruct mechanism on the ship, the ship could scan the captain, first officer etc. to verify their identity...

      Because then all the people from the alternate universe could just waltz on in and blow up the ship - it would be chaos, man, chaos!

      --
      Mod me down, I'm way off-topic.
  8. If it can't KNOW who I am, it's still spoof-able by crovira · · Score: 5, Informative

    Passwords have never been more than a low level rung on the ladder of trust. If you want security, equip the ATM with a fingerprint pad and/or a camera and eye piece capable of taking retinal prints.

    The rest, as we can read, is just a bunch of jokes.

    --
    MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
  9. Color blind by Eimi+Metamorphoumai · · Score: 5, Insightful

    Seems like you'd have to be really careful not to exclude the color blind. And the actually blind. Or just those with bad vision, or really poor visual memories.

    --

    Visit me on #weirdness on the Galaxynet.

  10. neat, but... by kevin+lyda · · Score: 5, Informative

    it's not new. i remember using an apple newton that had a picture based password option.

    --
    US Citizen living abroad? Register to vote!
  11. And here is the interesting URL by bodin · · Score: 5, Informative

    for the project itself

    http://www.sims.berkeley.edu/~rachna/dejavu/

    Which always seems to be missing.