Slashdot Mirror


Using Images as Passwords

TekkenLaw writes "According to this news on Reuters, MS is looking at images rather than plain old text for enhancing security. The key - images, which tend to make more of an impression on people than strings of text characters. This is especially interesting in the context of the crappy passwords story that ran on Slashdot a few days back." So when you call support to get your lost password, will they ask you what your mother's maiden hair color was?

268 comments

  1. um by mar1no · · Score: 1, Insightful

    did they not run this same story a couple weeks ago?

    --
    "you sonofabitch i didn't know!"
    1. Re:um by asavage · · Score: 4, Informative
      did they not run this same story a couple weeks ago?

      yeah, here is the link http://slashdot.org/article.pl?sid=01/12/28/1348217

    2. Re:um by dj28 · · Score: 4, Insightful

      Yea, and the funny part is that in that article, the majority of the posts were praising the technology. Now that it's about Microsoft, everyone is quick to criticize it. Gotta love the bias here.

    3. Re:um by Anonymous Coward · · Score: 0

      >Yea, and the funny part is that in that article, the majority of the
      >posts were praising the technology. Now that it's about Microsoft,
      >everyone is quick to criticize it. Gotta love the bias here.
      >
      >
      Praising the technology or laughing at it? Only a moron would think this crap would actually be an improvement. Yeah I can see people with poor/low vision, colorblind or just plain in a hurry just loving this bullshit.

    4. Re:um by harlows_monkeys · · Score: 2

      No. The article a while back was about using sequences of images as a password. This one is about using a sequence of points within an image as a password.

    5. Re:um by Shardis · · Score: 1

      Argh, who modded this guy up?

      If you actually *read* the articles and dig into things a bit more, they're talking about using images in quite different ways. Different benefits, different drawbacks. There *is* some bias on some issues here, just like anywhere, but just by checking his history, it seems that the bias is mostly his. If you're gonna mod things, people, can we please at least make relatively informed decisions?

      Score for this post: Offtopic -2, Flamebait, -3

    6. Re:um by Anonymous Coward · · Score: 0

      Well, learn to live with it. Microshit is known as a company who just doesn't know how to get something done properly. We, who are true professionals know this fact. You can disagree, but that would make you a lamer.

    7. Re:um by Anonymous Coward · · Score: 0

      Remember, if it's not open source, it's CRAP.

  2. thumb by zephc · · Score: 4, Interesting

    a friend of mine has a cool USB device that reads his thumb print, and he uses that to unlock his Windoze box.

    --
    "I would say that 99 per cent of what my father has written about his own life is false." - L. Ron Hubbard Jr.
    1. Re:thumb by Anonymous Coward · · Score: 0

      by unlock, of course, i meant log in to. From what I saw, he can use it with other applications too.

    2. Re:thumb by Phosphor3k · · Score: 5, Funny

      It will be pretty cool when I cut off his thumb to get into his box. Or cheese grate his thumbs so he can't get in.

    3. Re:thumb by Anonymous Coward · · Score: 0

      Please tell me about living off of Easy Bake(TM)® Oven tasty treats!

    4. Re:thumb by Anonymous Coward · · Score: 0

      That's great for console access...similar to the smart card readers on many Sun boxes. The real security issue, however, is not protecting a personal computer in your home...but protecting it from remote access. How is this supposed to help prevent remote access attacks?

    5. Re:thumb by rtaylor · · Score: 3

      Yeah.. or someone simply records the data sequence the device sends the computer and replays it.

      Phones send tones which represent coins. For some reason it took a long time for designers to turn off the mic until the phone had dialed and the call paid for :)

      15 locks on the door doesn't close an open window.

      --
      Rod Taylor
    6. Re:thumb by Anonymous Coward · · Score: 0

      please see this thread

    7. Re:thumb by Anonymous Coward · · Score: 0

      Almost as funny as cutting off someone's hands so they can't use a keyboard, or taking out their tongue with a cigar cutter so they can't use voice recognition software. Hell, why not just gouge their eyes out with hot needles, too, in case someone rigs up some retinal gear to follow the path of his eyesight. That would be even more knee-slapping hilarious! Wow, the opportunities for big laughs are nearly endless.

      Thanks, moderators! This is some funny, funny shit!

    8. Re:thumb by Slashamatic · · Score: 1
      Doesn't work - the thumb needs to be attached. The thumb is read capacitively, so a dead thumb wouldn't work, neither would an impression of a thumb print.

      It is easier to record the signal sent back from the reader. There are some really neat gadgets around but they don't do much to protect the signal from being replayed.

      As for DOS, a good long bath can do that. The puckering caused by the water passing through the skin tends to mess things up.

    9. Re:thumb by Anonymous Coward · · Score: 0

      Phones send tones which represent coins.

      Not any more they don't. Haven't for decades now.

    10. Re:thumb by rtaylor · · Score: 2

      Yes, but the USB wire still sends the representation of the thumb print in digital form. Probably with predictable encryption (if any).

      --
      Rod Taylor
    11. Re:thumb by Craigj0 · · Score: 1

      Most fingerprint scanners timestamp the data as well as encrypting. So replay attacks are made much more difficult.

    12. Re:thumb by TheMeld · · Score: 1

      (Yes, the parent to this was probably a troll, but I thought I'd post this for people who are interested in some reasonably accurate information)

      Actually ... yes they do. Stick some coins in a pay phone and listen. A real pay phone, not a COCOT. As another poster said, they have learned in recent days to turn off the mic until the call is made, or apply a band pass filter to not let coin tones in through the mic. However, there are a LOT of payphones out there that can still be operated with a red box.

      Another trick with red boxes is that the 10-10-XXX numbers don't have access to all the info from the phone company, and once you get to their version of insert money, the band pass filters tend to be turned off, and your red box will happily work on most pay phones. Of course, line quality using this for local calls sucks. It costs more, but if you're using a red box, that obviously doesn't matter, now does it.

      Oh, and don't defraud the phone company. They may be greedy assholes, but it's still illegal and immoral.

      --
      -Cheetah
  3. Three Words by great+throwdini · · Score: 1
    1. Re:Three Words by bleckywelcky · · Score: 2, Interesting

      Yes, Johnny Mnemonic.

      You stole my post as I was trying to remember the name of the movie, lol. This was really cool though. For anyone who doesn't know, Johnny (played by Keanu Reeves) is an information courier. He had information uploaded into his mind (needed some sort of implant, I can't completely recall) and then they randomly grabbed 3 screen shots off of the TV from random channels. One copy was kept for the initiators of the carry, another was faxed (tried to be faxed) to the recipient. The screen shots were used to retrieve the information as a password. Very cool.

    2. Re:Three Words by Anonymous Coward · · Score: 0

      randomly grabbed 3 screen shots off of the TV from random channels. One copy was kept for the initiators of the carry, another was faxed (tried to be faxed) to the recipient. The screen shots were used to retrieve the information as a password

      Like a fax would have the necessary resolution to do this.

      Not to mention a speck of dust on the scanning plate, or a clogged inkjet nozzle on the printing end would totally fuck it all up.

  4. If I can't remember... by Papyrus · · Score: 2, Funny

    a string of characters as a password how am I going to remember exactly which points and which sequence of points/graphics to click???

    I don't get it - call me flummoxed.

  5. simple? by Account+10 · · Score: 1

    Users simply remember exactly where on the images they clicked and in what order.

    If this is really down to the pixel level as the story says, then this is not simple, it is impossible.

    Even having it sensitive to within 10 pixels, say, is going to be difficult with the pictures they used. Most country flags consist of large blocks of colour. To have a chance of reproducing a password, people are going to have to pick points near edges and corners - similar to not using uppercase and punctuation in passwords.

    1. Re:simple? by pmatthews · · Score: 2, Insightful

      Exactly...Simple??

      The random number generation from the clicks would have to use a combination of both position and the colour of the pixel that the user clicked, and then don't forget order.
      If they used only the colour of the pixel, that could potentially be more insecure than characters, as in their example they use countries' flags which generally have 3 or less colours. If people are going to have images they're going to use familiar images (favourite cartoon characters, g/f's etc) which will be in digital form and probably on that person's web site anyway. (then again I suppose there are some bragging rights from being able to say my is the image at the of my page ...good luck)

      That doesn't even get into trying to remember the data, e.g. with 8 images:

      [1] First click image 3 at position 238x34.
      [2] then click image 7 at position 12x67.
      [3] then click image 1 at position 134x164.
      [4] then click image 6 at position 34x241.

      I think most people would have trouble remembering one click's data. Let alone the fact that when they go to enter their 'password' they have to get the mouse on the exact position, meaning they are going to need coordinates on the screen so they can line up (unless their position is an obvious point (bright spot?) on the image (more vulnerability)), which takes time, and someone could look over your shoulder while you're trying to hone in on your point. I mean if you had a few piccies of bikini clad chicks, would you consider these images less secure? (think about it)
      Personally I prefer characters. I don't think it is such a stretch to remember one 8 character random string, but that's me....

      my 2.5 cents...

  6. This works by Kizzle · · Score: 1

    I remember this freeware app a while ago that would remember your passwords for you (it wasn't Gator). Instead of you putting in a password it would show you a picture of a bedroom or something. Then to access your passwords you would click on a series of objects in the room. It worked quite nicely.

    1. Re:This works by great+throwdini · · Score: 1

      I remember this freeware app [...] Instead of you putting in a password it would show you a picture of a bedroom or something.

      V-GO Universal Password, crafted by Passlogix? I don't see it offered by the company anymore, but it looks like it was a $30 shareware app for Windows (likely mirrored out there, somewhere).

    2. Re:This works by bero-rh · · Score: 2

      And if someone is looking at your screen, he'll know your password...

      Transforming mouse events to *s while "typing" doesn't work.

      --
      This message is provided under the terms outlined at http://www.bero.org/terms.html
  7. Interesting password scheme by s4ltyd0g · · Score: 2, Funny

    for pr0n site access ;-)

  8. Yes they did by torqer · · Score: 1

    It can be seen here

  9. AfterDark by mlknowle · · Score: 3, Interesting

    AfterDark for Mac OS used to have a feature like this; you could select an image, and you would have to click on a certain part of it, optionally holding down a control-key combo, to unlock the screen saver, rather than type a password.

  10. This is absolutely crappy.... by Numair · · Score: 1

    You have to click on a number of pictures in the right area in the right order. This is easier to remember than a bunch of keys in order (which is what happens after you've typed your password enough times)?

    I'll stick to my text-based pass *phrases* while the Wal-Mart XP crowd sits and clicks on images like a 3 year old, thank you very much...

  11. Eyes, nose, mouth by Anonymous Coward · · Score: 5, Insightful

    Can you guess which points a typical person would click on that image of a face? That's right - Eye, eye, nostril, mouth.

    People don't select lousy passwords ONLY because they are lazy. They also select them because they don't think there is a credible threat to their accounts. They don't BELIEVE in hackers who would target them.

    Without an increase in paranoia among average people, I don't see how a user-selected secret will ever provide security.

    1. Re:Eyes, nose, mouth by andyh1978 · · Score: 5, Funny

      Can you guess which points a typical person would click on that image of a face? That's right - Eye, eye, nostril, mouth.

      user@server:~$ passwd
      Changing password for user
      Old password:
      click click click
      New password: click click click
      Bad password, too simple. Try again.
      Password must be at least 5 pictures long, and include one body part, one mammal and one reptile.
      New password:
    2. Re:Eyes, nose, mouth by Anonymous Coward · · Score: 0

      "Can you guess which points a typical person would click on that image of a face? That's right - Eye, eye, nostril, mouth."

      Heh, millions of porn sites and thousands of hentai games seem to think differently.

  12. Interesting, but.. by zapfie · · Score: 2, Interesting

    Novel idea, but I can see a lot of practical problems arising. For example, how do you determine how much room for error there is in clicking on certain parts of an image? Someone might choose to click on the sky, then a boat for their password. Will positions be based on something like +-5 pixels from where you originally clicked, or something smarter like using a magic-wand kind of algorithm? Also, what about people who are blind, or visually impaired? How will people sitting down at a computer figure this system out when they are presented with a picture? If you wish to share your password with someone remotely, how do you do it? (e.g. your mom forgets the password to the family computer and calls you up). Don't get me wrong, it's a novel idea, but I can see a lot of issues coming out of this.

    --
    slashdot!=valid HTML
    1. Re:Interesting, but.. by Anonymous Coward · · Score: 0

      Thank you for adding ideas I hadn't thought of while contemplating what problems might arise. As stupid as it might seem, I never even considered visually impaired people, because I was so caught up in how hard memorizing precise pixel locations in arbitrary images would be for my not-so-visually impaired family members.

    2. Re:Interesting, but.. by Anonymous Coward · · Score: 0

      [a bunch of problems...]

      And what happens when your account is locked out because little Billy started clicking the mousie on the picture on the screen-thingy?

    3. Re:Interesting, but.. by Anonymous Coward · · Score: 0

      or my cat swatting the mouse

  13. Something like this: by qslack · · Score: 5, Funny

    Welcome to Microsoft Windows .NET 2005

    In order to log in, please choose the One who you will truly worship, for He is the Supreme leader.

    [ LINUS TORVALDS ] [ BILL GATES ] [ ROB MALDA ] [ LARRY WALL ]

    Note: According to the EULA you agreed to unknowingly, choosing the wrong password could result in death and/or excommunication.

    1. Re:Something like this: by 56ker · · Score: 1

      P.S. Here's a clue - their initials are B.G. and their first name is William.

    2. Re:Something like this: by Anonymous Coward · · Score: 1, Funny

      Where's the cowboyneal option?

    3. Re:Something like this: by garcia · · Score: 2, Troll

      so that's how the fucker is going to force us to subscribe.

    4. Re:Something like this: by TedCheshireAcad · · Score: 2

      Make it more complex:

      Add Case and Ellison.

      ~my $.02.

    5. Re:Something like this: by Anonymous Coward · · Score: 0

      I think that the idea that Bill = William would confuse far too many people.

  14. Not exactly cutting edge by Anonymous Coward · · Score: 0

    Check out this Slashdot story from last December, and the Real User site with "passfaces", which have been around for a long time.

  15. The future by wrinkledshirt · · Score: 3, Funny

    "Thank you for participating in the required MS Passport sign-up verification to get your latest reinstall of XP2005 to work. We're sorry, but the image of a closed fist lifting the middle finger has already been taken. Others you may want to consider: You lifting your middle finger while wearing gloves; you lifting your middle finger while wearing a Cracker Jack ring..."

    --

    --------
    Bleah! Heh heh heh... BLEAH BLEAH!!! Ha ha ha ha...

  16. Dumbed-down by zecg · · Score: 4, Interesting

    From the news story: "Even with such a system, people would still be susceptible to "shoulder surfing," in which someone watches a computer user type in their password."

    Users would have to be fools to "click" their password unless they are positively alone in the room. The current standard at least has masked text on screen, and the order of keys on the keyboard is VERY difficult to track even when the user is moderately good at typing.

    Let's not forget that in the case of the new photo passwords, with 50% of users you would only have to know the "Lenny Bruce sequence" in their Playboy passphotos: T'n'A

    ~zecg.

    --
    .i lu doi ringos.star. xu do puku'aroroi dunli dopecaku leni virnu li'u
    1. Re:Dumbed-down by Moonshadow · · Score: 2

      A "keylogger" type app would be easy enough to write, as well. Just capture the X-Ys of mouse clicks. Feed that file back through the password protected program/site/etc, and voila, instant access.

      Why this will be more secure, I'm at a loss for. More convenient for the intellectually-challenged, perhaps, but as Microsoft so aptly demonstrates, higher convenience means lower security.

    2. Re:Dumbed-down by SoupIsGoodFood_42 · · Score: 1

      what if the image was randomly offset or rotated etc. after each click? The X,Y info would be useless.

    3. Re:Dumbed-down by tswinzig · · Score: 2

      Users would have to be fools to "click" their password unless they are positively alone in the room. The current standard at least has masked text on screen, and the order of keys on the keyboard is VERY difficult to track even when the user is moderately good at typing.

      On the flip side of things, it's very hard to use a sniffer on a visual password, especially if the password screen is smart enough to move the location of the images around on the screen.

      With regular passwords, install a keyboard sniffer, and you're in.

      --

      "And like that ... he's gone."
    4. Re:Dumbed-down by Anonymous Coward · · Score: 0

      What if you had a program which grabbed a snapshot of the screen and "saw" what you clicked?

    5. Re:Dumbed-down by Graspee_Leemoor · · Score: 2

      "Users would have to be fools to "click" their password unless they are positively alone in the room. The current standard at least has masked text on screen"

      So we just make the mouse pointer temporarily invisible. Problem solved. ;)

      graspee

  17. Yes, they did by torqer · · Score: 2, Insightful

    The first article can be seen here

  18. The Hard Way by maggard · · Score: 5, Funny
    Great, legions of office workers poking their boss's eyes out to log in every morning, doubtlessly from left to right.

    Next up will be the "Tapping System" where folks will rap out "Haircut & A Shave" on their desk to log in.

    What other quirks of human nature will next be put to use trying to identify folks? The "Mictation Flex Rate"? The "Eyebrow Lift/Tongue Roll"? How about the "Tell the Same Stupid Joke" one; I've had co-workers who've been able to do those hundreds of times over & over without a single variation.

    Or just teach folks how to use good passwords, put in some really good acceptance tests, and make it clear that if security is compromised by their poor password choice they'll be held responsible, same as leaving the door to the safe open.

    Nahhh, there's gotta be a technology fix...

    --
    I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
    1. Re:The Hard Way by 56ker · · Score: 1

      Oh there's more - the retina scan, the facial recognition scan, the palm print, handwriting recognition - the list just goes on and on! As to the people who use their favourite football team or a popular name as a password well they deserve to have their account compromised and their network privileges revoked for being so stupid!

    2. Re:The Hard Way by lowy · · Score: 1
      maggard wrote:
      The "Mictation Flex Rate"? The "Eyebrow Lift/Tongue Roll"?

      wtf is "Mictation"?

    3. Re:The Hard Way by maggard · · Score: 2
      maggard wrote:
      The "Mictation Flex Rate"? The "Eyebrow Lift/Tongue Roll"?
      lowy wrote:
      wtf is "Mictation"?
      Typo. Micturition.

      --
      I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
    4. Re:The Hard Way by Anonymous Coward · · Score: 0

      That's "Shave and a Haircut."

    5. Re:The Hard Way by Anonymous Coward · · Score: 0

      that's actually "shave and a haircut".

    6. Re:The Hard Way by ptbrown · · Score: 2, Insightful

      So long as there is money to be made in selling technology, people will continue to sell technological solutions to social problems.

      ... of course, there is no technological solution to a social problem. This is the fallacy in anti-piracy, censorship, political correctness, etc.

      --
      Any sufficiently advanced civilization is indistinguishable from Gods.
  19. Presentation dependent by 1984 · · Score: 3, Interesting

    This is kind of interesting. A couple of things spring immediately to mind.

    First, presentation of the image will (may) vary in different situations. The visual presentation of a password is pretty irrelevant: as long as you can understand and input the right symbols the font, colour size etc. in which they are presented isn't relevant. On the other hand an image must look substantially like the crib image. Sounds obvious, but consider differences in resolution, colour depth etc. You can divide the image into regions (a grid, perhaps) but ultimately there will be a limit to the resolution of the grid that you can rely on (not to mention input errors limiting the viable grid resolution.) To get more possible regions, you'd need a plain bigger image to get around the input resolution issue. All of which complicates the implementation (of course, you could break each image down semantically somehow, but that sounds like a further adventure altogether.)

    And, after all that, people may turn out to have pattern preferences that are "as crappy" as poorly chosen passwords? Always use a photo of your daughter and click on both eyes and outline her cute smile? Ooops. Use your country flag and click where regions of colour meet?
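The tolerance-grid, click-order and image-shift ideas raised in the posts above (Account+10's and pmatthews's point that positions need a tolerance and an order, zapfie's "+-5 pixels" question, SoupIsGoodFood_42's random offset against captured X,Y replays, and 1984's grid-resolution limit) worked through as an added example in Python. This is not code from the thread, from Microsoft, or from any product the thread mentions; the 16-pixel cell size, the image sizes, the session offsets and the click coordinates (borrowed from pmatthews's made-up list) are all constructed for the demo.

```python
import hashlib
import hmac
import math
import secrets

# Tolerance cell size in pixels: every click inside one 16x16 cell counts as
# the same symbol. The value is an assumption for the demo only.
CELL = 16
PBKDF2_ROUNDS = 50_000

# Constructed enrolment sequence of (image index, x, y): the four clicks
# pmatthews listed above, used here as sample data.
ENROLL_CLICKS = [(3, 238, 34), (7, 12, 67), (1, 134, 164), (6, 34, 241)]


def quantise(image_idx, x, y, cell=CELL):
    """Map a pixel click to its grid cell; the cell, not the pixel, is the secret."""
    return (image_idx, x // cell, y // cell)


def _digest(cells, salt):
    # Click order is part of the secret, so the cells are serialised in order
    # and hashed exactly as a text password would be.
    data = ",".join(f"{i}:{cx}:{cy}" for i, cx, cy in cells).encode()
    return hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ROUNDS)


def enroll(clicks, cell=CELL):
    """Store only a salted hash of the quantised click sequence."""
    salt = secrets.token_bytes(16)
    cells = [quantise(i, x, y, cell) for i, x, y in clicks]
    return {"salt": salt, "digest": _digest(cells, salt),
            "cell": cell, "length": len(clicks)}


def verify(record, raw_clicks, offset=(0, 0)):
    """Check a login attempt.

    offset is the random (dx, dy) by which the server drew the images shifted
    for this session. The client reports raw screen coordinates and the server
    removes the shift before quantising, so the same raw coordinates replayed
    into a session with a different shift land in different cells.
    """
    if len(raw_clicks) != record["length"]:
        return False
    dx, dy = offset
    cells = [quantise(i, x - dx, y - dy, record["cell"]) for i, x, y in raw_clicks]
    return hmac.compare_digest(_digest(cells, record["salt"]), record["digest"])


def new_session_offset(max_shift=64):
    """Per-session shift; max_shift must exceed the cell size or a replay can still hit the right cell."""
    return (secrets.randbelow(max_shift), secrets.randbelow(max_shift))


def shifted(clicks, dx, dy):
    """Coordinates as reported when every click is moved by (dx, dy)."""
    return [(i, x + dx, y + dy) for i, x, y in clicks]


def search_space_bits(symbols, length):
    """Bits of guessing work for `length` symbols, each from `symbols` choices."""
    return length * math.log2(symbols)


def grid_symbols(num_images, width, height, cell=CELL):
    """Number of distinct (image, cell) symbols one click can select."""
    return num_images * (width // cell) * (height // cell)


def demo():
    record = enroll(ENROLL_CLICKS)
    results = {
        # Two pixels off in each direction stays inside the enrolled cells.
        "imprecise_ok": verify(record, shifted(ENROLL_CLICKS, -2, 2)),
        # Enrolled x=238 is in cell 14 (pixels 224..239); x=240 is the first
        # pixel of cell 15, so a two-pixel slip across a cell edge fails. This
        # hard edge is the weakness of plain grid quantisation.
        "edge_slip_fails": verify(record, [(3, 240, 34)] + ENROLL_CLICKS[1:]),
        # The same cells in a different order are a different secret.
        "reorder_fails": verify(record, [ENROLL_CLICKS[1], ENROLL_CLICKS[0]]
                                + ENROLL_CLICKS[2:]),
    }
    # Session A draws the images shifted by (20, 9); the user clicks the true
    # spots, the client reports shifted coordinates, the server undoes the shift.
    captured = shifted(ENROLL_CLICKS, 20, 9)   # what a click recorder would see
    results["session_a_ok"] = verify(record, captured, (20, 9))
    # Session B uses a different shift, so the captured raw coordinates now
    # quantise to the wrong cells and the replay fails.
    results["replay_into_b_fails"] = verify(record, captured, (5, 40))
    # Search space: 8 images of 256x256 at 16-pixel cells and 4 clicks, versus
    # the 8-character, 63-symbol password Dynedain computes below.
    results["grid_bits"] = search_space_bits(grid_symbols(8, 256, 256), 4)
    results["text_bits"] = search_space_bits(63, 8)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats the thread itself raises carry over: the session shift only defeats replay of raw coordinates, not an attacker who captures the screen as well as the clicks, and the 44-bit figure assumes users pick cells uniformly, which Account+10's edges-and-corners observation suggests they will not.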

  20. Default image : by doru · · Score: 1

    the BSD !

    1. Re:Default image : by great+throwdini · · Score: 1

      Default image: the BSD !

      In case you haven't heard, *BSD is dying. I think you meant the BSOD.

      fin

  21. It reminds me of a film by 56ker · · Score: 1

    with Patrick Stewart in where each day he had to put these strange Chinese characters into a picture otherwise the government secrets he knew would be e-mailed to hundreds of newspapers. Can anyone remember what it was called? As for thumbprint technology the hardware is still very expensive. :o\

    1. Re:It reminds me of a film by great+throwdini · · Score: 1

      It reminds me of a film [...] with Patrick Stewart [...] where each day he had to put these strange Chinese characters into a picture[.]

      Safe House?

    2. Re:It reminds me of a film by ari_j · · Score: 1

      It's called Safe House, if it's the one I'm thinking of. 1998 film, his character is Mace Sowell. I've only seen the first bit of it, but it sounds like a match.

    3. Re:It reminds me of a film by 56ker · · Score: 1

      Yes that was it. When that's the most thrilling part of the film - watching somebody move Chinese characters into a picture - that purports to be a thriller it says a lot about the film!

    4. Re:It reminds me of a film by 56ker · · Score: 1

      The great throwdini beat you by 7 minutes in naming it though - can't remember whether I watched the whole film now or not. As to remembering the characters name - well it was so long ago I saw it I really have no idea.

  22. Faces by Economist · · Score: 1
    "The basic idea is that the brain can remember faces better than it can remember letters and numbers."
    Unless you're like me, I seem to forget faces constantly. When I'm at the store to buy meat, and the lady who serves me is away 2 seconds, I've already forgotten what she looked like.

    And I think that I'm not the only one, I'm not THAT much of a freak :-)
  23. Then the government by tcd004 · · Score: 2

    Then the government can check to see where you like clicking pictures.

    Did you use the Iraqi flag as your password?

    Are you clicking on suggestive areas of that picture of Natalie Portman?

    I much prefer just having a city-wide network of surveillance cameras to verify my identity at all times.(/sarcasm)

    Read Lostbrain's Oscar Predictions!

    tcd004

    1. Re:Then the government by Boone^ · · Score: 1

      Eventually people have to chill out about the gov't conspiracies. If they wanted to spy on you, they'd need a lot more compute resources and a lot more analysts. They don't have either.

    2. Re:Then the government by aardvarkjoe · · Score: 2

      More importantly, the government would also have to care. I haven't seen any evidence that they do. It's marketing corporations that want personal info.

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    3. Re:Then the government by Da+Web+Guru · · Score: 1

      Yeah, but then the government would just "borrow" the information from the marketing corporations...

      --

      --guru

    4. Re:Then the government by Anonymous Coward · · Score: 0

      If you're innocent you have nothing to hide. Only the guilty desire privacy, Comrade.

  24. Hmmm by EricKrout.com · · Score: 1

    Did everyone forget about this already?

    Peace, Love, Linux

    1. Re:Hmmm by cygnusx · · Score: 2
      I wrote this in my weblog today...

      This'll never work with the "techie" crowd because they remember letters/numbers much better than they remember pictures. (ever wondered how unix fans can remember all of tar's options? :-)) On the other hand, for people who "think graphically" (designers, artists, etc), this may help. But I wouldn't bet on it, passwords are too deeply entrenched in our lives already -- ATM PINs, Phonebanking PINs, the whole nine yards.

      And yes, I too don't see how this is different from Passface's Realuser, which uses faces in lieu of passphrases. I've tried Realuser, and I found it was far more difficult to remember their faces than it was to remember my passwords. And I could choose only 5 faces -- not too good, it's too easy for over-the-shoulder attacks, and it's a pain to change "faces" like I change passwords. I imagine a face-changing session would go this way: "Let's see, I chose a caucasian male last time, this time, I'll pick an asian female...". Uh huh, too much work.

    2. Re:Hmmm by _Dhamon_ · · Score: 1
      Exactly what I was thinking, I posted a comment about it in June of '01. Thought this was old news.

      --
      sometimes we change our job, our friends, and our spouses, but we never change ourselves...
  25. Pictures as passwords by NetGyver · · Score: 1

    Sounds interesting, though I'm not sure I see how much of a difference this would make. What's the difference between remembering certain details in the image you selected as your password vs remembering a text password?? You *Still* have to remember something. I've been very fond of the fingerprint scanning system and other similar devices that allow you to access your data without having to *remember* anything.

    But in any case, where there's picture passwords there's bound to be some strange tech support calls. I'd use one of those "magic eye" pictures where you have to make your eyes blurry, and cross them funky so you can see the hidden image. That way if he's a real *STUPID* tech, he'll look like it too. :)

    ...anyway...

    A penny for my thoughts? Here's my two cents. I got ripped off.

    --
    A Penny for my thoughts? Here's my two cents. I got ripped off!
  26. Neo Already Did This by Shuh · · Score: 1

    Back in the day, before The Matrix, Keanu made another sci-fi show predicated on just this idea. It was called Johnny Mnemonic!

    1. Re:Neo Already Did This by DigitalSorceress · · Score: 1

      Yeah, I was going to post that one myself, but you beat me to it.

      In the movie, the lead character downloads a large (for the time William Gibson wrote the original story anyway) amount of data into a chip implanted in his brain. As the process of downloading nears completion, someone in the room is supposed to press a button that does a screen-grab of the current frame on the TV - this is apparently used to encrypt the data, and only those three images can decrypt the data and get it out of his head.

      On the surface, this seems like a good idea, but think about this... Every frame of television programming is recorded - even live shows are taped for rebroadcast and other archival purposes. Therefore, if given the date, time, location, and cable system of the download, one could rule out the vast majority of possible images. Given that the technology represented in the short story and movie are supposedly a bit beyond what we currently have today (Where is my AI personal assistant? Where are my eye implants like Molly Millions?) it seems that knowing the above information would be enough for just about anyone to crack.

      - Just Musing -

      --

      The Digital Sorceress
    2. Re:Neo Already Did This by Dynedain · · Score: 2

      No, the security is still much tighter than a current password system:

      Let's say you can narrow down the event to a 5 minute window (they took about a minute total to pick all 3 images randomly from different channels) and your local cable provides about 60 channels. That's 60 channels x 30 frames per second x 60 seconds x 5 = 540000
      So the odds of the "password" being right on any given guess is 540000^3 = 1.57464 x 10^17
      By comparison, an alphanumeric 8 character password (allowing caps) is 63^8 = 2.48156 x 10^14

      So, the 3 images is much more secure. Adding just a fourth image makes for 8.50306 x 10^22 possibilities.

      Factor in the fact that most television stations don't tape their broadcasts (except for live events), they mostly just log the tapes they play, and add to it outages and "technical difficulties", and static/picture noise on the receiving end, and you have a pretty secure system that shoots down the 8 character alphanumeric one.

      The biggest weak point in this system is the transmittal of the images to your intended recipient. Best place for the feds to watch to get into the data. And if you can securely send images that unlock the data, why can't you send the data?

      --
      I'm out of my mind right now, but feel free to leave a message.....
  27. I would choose a picture of by Scratch-O-Matic · · Score: 5, Funny

    a keyboard. It would be easy to remember where to click, because I could remember it as a string of alphanumeric characters. I think this technology has promise.

    --


    Evil is the money of root.
    1. Re:I would choose a picture of by Alsee · · Score: 2

      a keyboard

      Actually that would be pretty cool, and I'd be particularly secure. I'd probably click in between the keys just because I can :)

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  28. What if the image is stolen? by Drakker · · Score: 1

    Say, I need to log in from different stations, do I have to carry my password on a floppy/cd/whatever? What if someone steals my storing device? How do you log using an image via telnet? =)

    1. Re:What if the image is stolen? by blang · · Score: 4, Funny

      And how are blind people going to log in?

      This must be president Bush's idea.

      --
      -- Another senseless waste of fine bytes.
    2. Re:What if the image is stolen? by Account+10 · · Score: 3, Informative

      Blind people continue to use the keyboard. You can have alternatives in life, you know.

    3. Re:What if the image is stolen? by blang · · Score: 2

      Right. As long as the user has control over those options.

      However, most authentication is outside the user's control. Online banking, Web sites, you name it.

      It's like saying blind people can use ascii to get around on the web. Except that most sites do not have text-only versions anymore. Add Flash to the mix, and I think I've made my point.

      Easy answers make for easy rebuttals.

      --
      -- Another senseless waste of fine bytes.
    4. Re:What if the image is stolen? by BlueUnderwear · · Score: 2
      Blind people continue to use the keyboard.

      But what if Micro$oft removes the possibility of logging in via the keyboard?

      And what if this spreads to web sites as well, and it becomes very hip to log in to your favorite weblog via clicks on an image, rather than HTTP passwords?

      You can have alternatives in life, you know

      Correct. But certain companies are striving very hard to remove the privilege of choice, at least as far as computers are concerned ;-)

      --
      Say no to software patents.
    5. Re:What if the image is stolen? by Anonymous Coward · · Score: 0

      How is this funny?

      Fine job at showing off as a jerk. Must be a Democrat. Lay off Bush. I'm a Republican (moderate, not conservative) and I don't piss on every Democrat president. Grow up. You sound just like Taco.

    6. Re:What if the image is stolen? by mgrochmal · · Score: 2, Insightful

      I work with adaptive equipment where I work. It becomes increasingly frustrating over the last few years. 1) Several prominent habits when designing web pages (lack of ALT tags for images, a lack of non-Flash options on popular web sites, and visual enhancements that are lost on people who can't see them) keep many people with visual disabilities from finding what they need or want on the Internet. 2) Many in the school I work in are taught to not use the mouse and use keyboard shortcuts. Technically, there are mouse emulation procedures by using the numpad, but they are not loaded until after Windows loads completely. This is especially true for a terminal that is shared by sighted and non-sighted users. 3) I have found that most of the users that I teach and support are not willing to relearn to use their computer every few years. Many of them are still on Windows 98 because many pieces of their adaptive equipment/software are not available for Windows XP yet. Even trying to run them in emulation mode doesn't guarantee much success. With these in mind, the picture might be viable, but only as an alternative to people who cannot grasp the importance of good passwords. Yes, many of the visual passwords will be fairly simple to solve. Yes, it will be harder to administer visual passwords. Yes, many people will find the idea too complicated when it is supposed to simplify logins and make them more visually appealing. Personally, I would want to keep to using long alphanumeric passwords. But then there are people like where I work that want things as simple as possible.

      --
      This .sig Intentionally Left Blank.
    7. Re:What if the image is stolen? by Anonymous Coward · · Score: 0

      Damn partisan democrat. Shut the fuck up, you ignoramus asshole.

    8. Re:What if the image is stolen? by SoupIsGoodFood_42 · · Score: 1
      But what if Micro$oft removes the possibility of logging in via the keyboard?

      Then they would probably have a very big lawsuit coming their way. And they would probably lose quite badly.

    9. Re:What if the image is stolen? by Anonymous Coward · · Score: 0

      Damn partisan democrat. Shut the fuck up, you ignoramus asshole.
      Damn right. It's not like this is a representative democracy anymore. People act like free speech is a right or something.

    10. Re:What if the image is stolen? by BlueUnderwear · · Score: 2
      Then they would probably have a very big lawsuit coming their way.

      Indeed, but...

      And they would probably lose quite badly.

      Yes, but only after dragging out the suit for 10 years. After which time, the object of the suit will be deemed obsolete, and the affair will be quietly shelved before any penalties are decided.

      --
      Say no to software patents.
    11. Re:What if the image is stolen? by SoupIsGoodFood_42 · · Score: 1
      Yes, but only after dragging out the suit for 10 years. After which time, the object of the suit will be deemed obsolete, and the affair will be quietly shelved before any penalties are decided.

      I doubt that. Not for this kind of case... MS would definitely not want the kind of publicity that would come with discriminating against the blind/disabled people. It would just be much easier for them to make it compatible in the first place.

      There are a lot of issues that MS could be in the wrong for. But something like discrimination against the blind is something that even joe never-used-a-computer-before can see clearly is wrong.

    12. Re:What if the image is stolen? by BlueUnderwear · · Score: 2
      I doubt that. Not for this kind of case... MS would definitely not want the kind of publicity that would come with discriminating against the blind/disabled people.

      They will just count on the fact that most people won't care. Have you seen any public relations backlash due to the numerous corporate (or worse: governmental) IE-only or javascript mandatory pages? I sure haven't... although those cases effectively discriminate against the blind, making it impossible (or difficult) to access said content using a lynx browser and a braille line. For an especially funny example, point your IE browser to the "Tommy rumor" page. Then, try the same thing again with konqueror, netscape or lynx, or just with java script switched off. Yes, Tommy Hilfiger doesn't care whether you have the right color of skin when you wear his clothes, but he sure doesn't want you to browse his site if you're blind! And have you noticed any publicity backlash against this? I sure haven't...disabled people just don't have the same kind of clout that the blacks have.

      It would just be much easier for them to make it compatible in the first place.

      Yes, it would be much easier for them, but they like so much more to behave like pricks. Have you ever tried calling up a web design firm because of their IE-only page? Most claim it would be very difficult to make it compatible with other browsers, where in reality a simple browse-source reveals that they are intentionally shutting out other browsers. Certain web design companies even have the gall to attempt to pressure their customers to not make their pages compatible, even after delivery (needless to say, we just ignored their feeble attempts of intimidation...eventually, they mirrored our site under their own URL, with the anti-disability provisions put back into place...)

      --
      Say no to software patents.
    13. Re:What if the image is stolen? by Anonymous Coward · · Score: 0

      It's like saying blind people can use ascii to get around on the web.

      Or that they can use voice control to read their fucking speedometer.

      They're fucking blind. They can't do all the things seeing people can. That's how it fucking works.

    14. Re:What if the image is stolen? by Anonymous Coward · · Score: 0

      Have you seen any public relations backlash due to the numerous corporate (or worse: governmental) IE-only or javascript mandatory pages?

      The Tommy Hilfiger site is about infinitely less important than using a computer.

  29. Hey Wait!!! by Dutchmaan · · Score: 2

    MS figured out that it can gather more than just boring ol' text information... It can gather images or sounds, or almost anything.

    How about DNA security, where you sign your contract in blood!!!???

    Why does that sound familiar?

  30. Check me by blixel · · Score: 4, Interesting

    If an image is 1280x1024 and is sensitive to a 10x10 pixel area, that gives the user a grid of 128x102 to click in. A total of 13,056 clickable squares. If the user's password was 5 clicks long, that would give them 379,359,275,350,832,971,776 possible passwords. Is my math correct?

    1. Re:Check me by Anonymous Coward · · Score: 0

      Could this mean that if you change resolutions then you can not match your password without returning to the resolution used when setting the pass?

    2. Re:Check me by Anonymous Coward · · Score: 0

      good point

    3. Re:Check me by blixel · · Score: 2, Informative

      Could this mean that if you change resolutions then you can not match your password without returning to the resolution used when setting the pass?

      I think it would just mean that you would have to use images of a "standard" size like 640x480 or 800x600 or even 1024x768. There aren't many modern day desktops that are running resolutions smaller than that and I doubt this type of technology is likely to find its way onto legacy systems anyway.

    4. Re:Check me by Anonymous Coward · · Score: 0

      my resolution is 80 by 40 (not pixels, but selectable units).

    5. Re:Check me by DrSkwid · · Score: 2

      three little letters :

      P D A

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    6. Re:Check me by Anonymous Coward · · Score: 0

      I like the way this math works. If you have joe blow sit down at a computer and look at an image, he could probably get it down to say ... 5,000 guesses by guessing eyes, mouth, nose, etc. But if a machine were to do it, it would be a lot harder to parse out the fact that there is a picture of a face. So for a machine to brute force it, it would be insanely higher than a human saying "Well, he's not going to click this whitespace in the corner, click here."

    7. Re:Check me by Anonymous Coward · · Score: 0

      I like the way this math works. If you have joe blow sit down at a computer and look at an image, he could probably get it down to say ... 5,000 guesses by guessing eyes, mouth, nose, etc. But if a machine were to do it, it would be a lot harder to parse out the fact that there is a picture of a face. So for a machine to brute force it, it would be insanely higher than a human saying "Well, he's not going to click this whitespace in the corner, click here."

      Let me guess. You use passwords like dog, cow, or when you're feeling really crazy you might get funky with a password like cat1.

  31. I'll use by segfault7375 · · Score: 4, Funny


    I'll use that guy from goat.cx... That'll keep people out of my computer :)

    1. Re:I'll use by Anonymous Coward · · Score: 0

      So, who else saw this "joke" coming a fucking mile off?

    2. Re:I'll use by GrBear · · Score: 1

      I'll use that guy from goat.cx... That'll keep people out of my computer :)
      Well, it would a suitable replacement for "OpenSesame". :o)

  32. Stupid idea by Pedrito · · Score: 2, Insightful

    So now you have to remember the order in which you click on an image? Maybe that's easier for some people, but certainly not for me. I have one password that I've used for the past 15 years or so. It's 8 characters (9 if I need to mix numbers with it), and it appears completely random.

    I've been using it for 15 years and nobody has ever hacked it. All you have to do is have one of these and remember it. Almost anyone can remember a single 8-10 digit password, if that's all they use. Just make one and stick with it. Maybe you'll need to change it every couple of years, but even so, once you have it down, it's pretty easy to remember.

    Is it hack-proof? Of course not. Not even close, but for most applications where a password is needed, it's more than sufficient. I doubt anyone will take the time to try to hack my hotmail account when there are so many that can easily be dictionary attacked. I'll always be the last one someone tries to hack because it will take too long to hack mine, compared to most.

    Just my personal opinion. Obviously for some things, you simply need real encryption, but for most online stuff, a single 8 character/digit password is fine.

    1. Re:Stupid idea by kapella · · Score: 1

      ... the problem with using one password is that it provides a single point of failure for everything you use.

      All it takes is one password-capturing trojan website, or one hacked login(1), or even someone setting up a small, useful website requiring registration with a password explicitly to capture just these kind of reused passwords.

    2. Re:Stupid idea by Anonymous Coward · · Score: 0

      i just hacked your gibson while reading this post

    3. Re:Stupid idea by Anonymous Coward · · Score: 0

      I use different usernames and the same password.

    4. Re:Stupid idea by Reziac · · Score: 2

      For some odd reason, the only "random" alphanumeric character strings I can remember are things like the serial number of a bicycle that went to the dump some 30 years ago. So it's become a password. I guess if someone wants to go to the trouble of locating and digging up the bicycle, they can crack it. :)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    5. Re:Stupid idea by Perdo · · Score: 2

      So, because you have used the same password for everything, Microsoft has the passwords for every one of your computers, and hotmail/passport has been compromised several times, even assuming Microsoft is trustworthy themselves, which based on their business practices, they are not. I am telling you as a friend, use a better password scheme.

      --

      If voting were effective, it would be illegal by now.

  33. Where have I heard about this before? by image · · Score: 2

    "This is especially interesting in context of the crappy passwords story that ran on Slashdot that ran few days back."

    And it is even more interesting in context of the the the using images as passwords story that ran on Slashdot that ran [sic] a few days back. :)

  34. you can still have crappy passwords with this.. by EMR · · Score: 1

    how about some modern art..
    I visualize a blue circle on a white background.
    Or a white line on a black background..

  35. Images? by JohnyDog · · Score: 1

    With images instead of passwords, the new Windows(TM)(R)(C) will now be fully average-monkey compatible.

    --
    People who like this sort of sig will find this the sort of sig they like.
  36. Similar to this slashdot story. by tswinzig · · Score: 2

    Pictoral Passwords (using abstract art)

    (It isn't karma whoring when you're already at 50.)

    --

    "And like that ... he's gone."
  37. Login with someone behind you? by aralin · · Score: 5, Insightful

    Well, I've got this idea quite a few years ago, but honestly, did you ever try to login with someone watching? And it's much easier to watch the monitor than your keyboard. And at least I can type my twenty something passwords reallllly fast and have some intentional typos in them, but - man - how can you click on pictures without someone seeing the pointer moving over the right pictures....

    --
    If programs would be read like poetry, most programmers would be Vogons.
    1. Re:Login with someone behind you? by tswinzig · · Score: 2

      And at least I can type my twenty something passwords reallllly fast

      I bet you can't type faster than my keyboard logger can sniff.

      --

      "And like that ... he's gone."
    2. Re:Login with someone behind you? by dencarl · · Score: 1

      Maybe by the time this style of password authentication is widespread, the popular use of a mouse and cursor will be outdated.
      Really, the mouse/cursor paradigm is just a mechanical crutch for telling the computer where you are *looking at*, on the screen.
      So, I think eyetracking could be used very well with this technology.

  38. pixel password attack? by Gord888 · · Score: 1

    Well, isn't it possible to still try and hack someones password simply by brute force? Someone could just emulate all combinations of the mouse click on all pixels of the picture. Also... how the heck is someone going to memorize pixel locations better than strings????

    --
    -=-=- I don't suck... you blow. -=-=-
    1. Re:pixel password attack? by tftp · · Score: 2
      You could use brute force, but it is not even necessary. The image has "key points" where the user is likely to click. People already mentioned key points on faces, for example. On other photos the user will find something else to use as a guide. People are very unlikely just to click in the middle of nowhere - they will never be able to repeat the trick!

      This means that an automated procedure can be developed to locate the image's regions that are sufficiently visually different from the surrounding areas, and then the "clicking attack" can be mounted only against those areas. It will significantly reduce the crypto strength. For example, if you have two people on the photo, each with 5 key points, you have an alphabet of 10 "digits" (each corresponding to a key area), and if you do 6 clicks on this photo you are producing a 6-digit number, so you have 10 million combinations. This is a very low count, and it can be cracked quickly. If the user clicks on 2 or 3 key points of the image then the number of combinations drops very fast.

      But even without an automated cracker, it would be trivially easy to break in. A human that walks up to a secured computer can see the image, and he locates those key points himself. Then he can click on various points in hope to recover the pattern.

      Another very bad side effect is that if the legitimate logon is observed without looking at the screen - which is common in office space - then the attacker can hear the number of mouse clicks, and can see the user's hand moving the mouse. Then the attacker can guess the pattern; the number of clicks tells him how complex the attack will be.

      Personally, I believe that the best local authentication device is a USB dongle with a small chip inside. You are issued one, or buy one for $10. Plug it in, get authenticated. Unplug and take with you - nobody will log in as you. This can be used remotely too, combined with the crypto glue (the USB dongle can have your secret key, and it can be used to sign the login cookie, for example).
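The two back-of-the-envelope calculations in this sub-thread (blixel's 13,056-cell grid with 5 clicks, and tftp's point that users only ever click on a handful of salient "key points") can be put side by side in a few lines. This is an added example, not code from the thread: the image size, tolerance and click count are blixel's figures, the 62-symbol alphabet and the 10 hotspots are assumptions I chose (the thread used 63 symbols and "10 digits"), and the functions and their names are mine.

```python
# Added example (not from the thread): nominal versus effective keyspace
# of a click-point graphical password, compared with an alphanumeric one.
# Image size, tolerance and click count follow the posts above; the
# alphabet size and hotspot count are assumptions, labelled where set.
import math

ALPHANUM_SYMBOLS = 62   # assumption: a-z, A-Z, 0-9 (the thread used 63)


def grid_cells(width, height, tolerance):
    """Distinguishable click positions when every click is accepted
    anywhere inside a tolerance x tolerance pixel square."""
    return (width // tolerance) * (height // tolerance)


def keyspace(symbols, length):
    """Number of distinct sequences of `length` picks from `symbols` choices."""
    return symbols ** length


def entropy_bits(n):
    """Keyspace expressed in bits, the usual unit for comparing schemes."""
    return math.log2(n)


def compare(width=1280, height=1024, tolerance=10, clicks=5,
            hotspots=10, text_len=8):
    """Return the nominal grid keyspace, the keyspace a guesser actually
    faces if users only ever pick from `hotspots` salient points (assumed
    value, following the thread's "10 key points"), and an alphanumeric
    password of `text_len` characters for reference."""
    cells = grid_cells(width, height, tolerance)
    nominal = keyspace(cells, clicks)
    effective = keyspace(hotspots, clicks)
    text = keyspace(ALPHANUM_SYMBOLS, text_len)
    return {
        "cells": cells,
        "nominal": nominal,
        "nominal_bits": entropy_bits(nominal),
        "effective": effective,
        "effective_bits": entropy_bits(effective),
        "text": text,
        "text_bits": entropy_bits(text),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        if isinstance(value, float):
            print(f"{key:>15}: {value:,.2f}")
        else:
            print(f"{key:>15}: {value:,}")
```

The nominal figure reproduces blixel's 379,359,275,350,832,971,776 (about 68 bits), comfortably above a random 8-character password (about 48 bits); the same 5 clicks drawn from 10 hotspots are about 17 bits. The lesson for anyone deploying such a scheme is that the grid size is not the security parameter; the number of places users will actually click is, and a policy or a tolerance setting cannot fix that on its own.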

    2. Re:pixel password attack? by Reziac · · Score: 2

      Speaking of chips and dongles, while we're talking about passwords that can be physically stolen :) ...How about a floppy containing a user-generated graphic file? Presumably this could be compared to a hash stored on the machine as easily as could a string of characters, and no one sees it other than whoever created it. Seems to me this would be a lot cheaper than a chip and a dongle, could be used much more widely, would be the equivalent of a VERY long alphanumeric password, and would be no more subject to physical theft than a dongle. (Perhaps less, since the floppy could be hidden in plain sight, perhaps in a drawerful of similar floppies.)

      I've had two mildly insane ideas from a single article, clearly it's time to put myself away now :)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    3. Re:pixel password attack? by tftp · · Score: 2
      How about a floppy containing a user-generated graphic file?

      Better to use a user-generated random file.

      Presumably this could be compared to a hash stored on the machine as easily as could a string of characters

      This would be bad because you'd be leaking the secret key (your graphic/random file) to possibly compromised computer.

      The better solution would be to send challenges to the dongle, and it would respond appropriately (signing them with its secret key, for example). The floppy can't do it.

      Seems to me this would be a lot cheaper than a chip and a dongle

      A floppy costs $1. A dongle costs $10. They are in the same price range. However, a floppy wears out, can be easily demagnetized, bent and otherwise damaged. It can also be duplicated without stealing it, so you'd never know that someone is using your access rights for months... The floppy is also BIG and unwieldy to carry around, but a USB dongle on a keychain is no problem (I have a HASP4 dongle in front of me right now.)

      [a floppy is] no more subject to physical theft than a dongle

      As I just said, you can't duplicate the dongle, so someone has to physically steal it. But if you are really concerned about theft of the dongle then you can attach a passphrase to it, and enter it securely by, for example, pressing one of three little buttons on the dongle itself, in response to LED flashes. This is very safe because this passphrase input method bypasses the possibly insecure computer that the dongle is plugged into.
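tftp's distinction between a secret file that is handed to the host and a device that only answers challenges is the whole argument here, so it is worth seeing both flows run. This is an added example, not code from the thread or from any dongle vendor: both "devices" are simulated in software, the server keeps a per-user shared key and checks an HMAC over a fresh random challenge (an assumption standing in for the post's "sign the challenge with its secret key"; a real dongle would more likely hold a private key and the server only its public half), and `host_log` stands in for whatever a compromised host could record.

```python
# Added example (not from the thread): a static secret handed to the host
# versus a challenge-response device. The HMAC-with-shared-key construction
# is an assumption; the class and function names are mine.
import hashlib
import hmac
import secrets


class StaticSecretFloppy:
    """The floppy-file idea: the secret itself is presented to the host."""

    def __init__(self, secret):
        self.secret = secret

    def authenticate(self, host_log):
        # Whatever the host sees is recorded; here that is the secret itself.
        host_log.append(self.secret)
        return self.secret


class ChallengeResponseDongle:
    """The dongle idea: the key never leaves the device."""

    def __init__(self, key):
        self._key = key

    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self):
        self._static = {}   # user -> secret bytes (floppy scheme)
        self._keys = {}     # user -> shared key (dongle scheme)

    # --- floppy scheme ---------------------------------------------------
    def enroll_floppy(self, user):
        secret = secrets.token_bytes(32)
        self._static[user] = secret
        return StaticSecretFloppy(secret)

    def verify_static(self, user, presented):
        return hmac.compare_digest(self._static[user], presented)

    # --- dongle scheme ---------------------------------------------------
    def enroll_dongle(self, user):
        key = secrets.token_bytes(32)
        self._keys[user] = key
        return ChallengeResponseDongle(key)

    def new_challenge(self):
        # A fresh random nonce per attempt; a response is only good for it.
        return secrets.token_bytes(16)

    def verify_response(self, user, challenge, response):
        expected = hmac.new(self._keys[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def floppy_login(server, user, floppy, host_log):
    return server.verify_static(user, floppy.authenticate(host_log))


def dongle_login(server, user, dongle, host_log):
    challenge = server.new_challenge()
    response = dongle.respond(challenge)
    host_log.append((challenge, response))   # what a compromised host records
    return server.verify_response(user, challenge, response)


def replay_floppy(server, user, host_log):
    """Presenting the recorded bytes again is indistinguishable from the
    legitimate login, which is the leak tftp describes."""
    return server.verify_static(user, host_log[-1])


def replay_dongle(server, user, host_log):
    """The recorded response was computed over an old challenge and does
    not match the server's new one."""
    _old_challenge, old_response = host_log[-1]
    return server.verify_response(user, server.new_challenge(), old_response)
```

The difference shows up in the recorded transcript: in the floppy flow the log contains the long-term secret, in the dongle flow it contains only a one-time nonce and a MAC over it. The shared-key variant still leaves the server holding every user's key, so a database compromise there is as serious as the plaintext-password case discussed later in this thread; moving to a per-device private key with the server holding only public keys removes that last secret store.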

    4. Re:pixel password attack? by Reziac · · Score: 2

      All likely good arguments, tho I was aiming my make-it-up-as-I-go-along at the same market as might be interested in "click on the pictures" passwords (which personally I think is nuts :)

      What I had in mind might be something that could be installed over a network and used to generate login passwords for each person using a given workstation -- save the password to a floppy, and then there's no need to remember a complex password, and no need to issue dongles to everyone. If the password is also passed back to the sysadmin's own machine, the workstation can still be got into (and the password changed) if the employee hits the streets or loses their floppy.

      Mind you, I'm just throwing out whatever ideas come into my head; some may need to be thrown a bit further, say into the bit bucket :) Remember this is aimed at a password solution that could readily deploy on a massive corporate scale, and would reduce the "I can't remember my password" problem. (Beings how I'm less than impressed with the "click the pictures" notion.)

      Of course, for real fun, everyone could switch floppies and pretend to be someone else :)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  39. Re:I would choose a picture of [a keyboard] by mortenf · · Score: 1

    Actually, this might not be as stupid as it sounds.

    If the keyboard picture had the keys swapped to new positions every time, it would be impossible for anything but a camera to deduce the password (as opposed to the vulnerability that makes snooping passwords possible because of the timing between keystrokes).

    Of course, it would still be vulnerable to attacks from the person standing behind you...

    --
    Don't make fun of my speling, english is my 2nd language...
  40. Passwords and Pictures by NWT · · Score: 2

    I've seen something like that. You could choose an image (the more complicated, the better) and define some points, which you have to remember. To login, you have to click the points you selected before, with more or less accuracy in a predefined order.

    --
    Life sucks.
  41. Shhhhh! The password is by BadThoughts · · Score: 2, Funny

    Monkey, Sheep, Sheep, Monkey, HORSE. you HAVE to remember horse! Because if you don't.... You'll have to click on all the images! or... or could just click clippy for help. . .

  42. Better Idea by Anonymous Coward · · Score: 0

    Instead of just clicking an image, how bout a setup where choosing an image is only the first step. Once the image is displayed, a user then has to click or move the mouse around the image in a certain manner. Much, much more secure then just choosing an image.

    1. Re:Better Idea by Account+10 · · Score: 1

      That's exactly what the article is about. Try moving your mouse over the story and clicking in a certain manner ... ie. on the link.

  43. Johnny Mnemonic by Anonymous Coward · · Score: 0

    Wasn't the password in that movie images?

  44. Worse idea. by Anonymous Coward · · Score: 0

    Okay, so lemme guess: you picked a mental pattern on your keyboard to repeat as your password, and you use that password anywhere?
    Getting your password would be trivial by shoulder surfing, and once it's obtained, every account you have is wide open. Yipee skipee!
    That, and if you used your magic password on a system with an unscrupulous operator, that operator now has the key to every other account you own.

    There's damn good reasons why you're told not to reuse passwords.

    1. Re:Worse idea. by Pedrito · · Score: 2

      If I've used it for 15 years without it ever being compromised, why is it that nobody has ever hacked it, despite the fact that I use it in a number of places?

      Like I said, for important things, I use a variation that's more difficult. As for shoulder surfing, again, 15 years (including 2 years using it daily in a wide-open internet cafe where anybody could have seen it), and nobody has ever hacked it.

      And no, I didn't pick a mental pattern on the keyboard. I was assigned a random password by CompuServe 15 years ago and I've used it ever since.

      You said, and I quote: "There's a damn good reasons why you're told not to reuse passwords." Show me why? 15 years and it's never been hacked. I'd say that's a damn good track record for a single password. I don't see a damn good reason to change it. Until it gets hacked, I probably won't.

    2. Re:Worse idea. by garett_spencley · · Score: 5, Insightful

      You said, and I quote: "There's a damn good reasons why you're told not to reuse passwords." Show me why? 15 years and it's never been hacked. I'd say that's a damn good track record for a single password. I don't see a damn good reason to change it. Until it gets hacked, I probably won't.

      I'm going to actually give you a real life example to help you understand why this is important.

      Some time last year (you may remember if you've been around /. that long) someone cracked /.'s backup server where they got full access to the database including Rob's password. So they got everyone's password.

      Now if you use that same password for /. then they got your password for everything. They didn't crack or guess your password instead they cracked something completely different and your password happened to be stored there.

      So imagine if you use that password for your online banking, e-mail, work account etc. It's pretty serious.

      The point is that it doesn't matter how secure or insecure your password is. You just don't use the same password for everything plain and simple.

      The same could happen with hotmail. Your work's network etc.

      --
      Garett

    3. Re:Worse idea. by Alsee · · Score: 3, Funny

      15 years and it's never been hacked. I'd say that's a damn good track record for a single password. I don't see a damn good reason to change it. Until it gets hacked, I probably won't.

      I have a tradition. I play russian roulette every year on my birthday. 15 years and I've never lost. I'd say that's a pretty damn good track record for a game. I don't see a damn good reason to change it. Until I lose, I probably won't.

      hehe, this post was fun to write up :)

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    4. Re:Worse idea. by tshak · · Score: 2

      And is there a particular reason as to why our passwords aren't MD5'd or SHA-1'd???

      --

      There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
    5. Re:Worse idea. by garett_spencley · · Score: 2

      It's the "lost password" feature. /. may have changed it since the "incident" but when that happened they were just plain text.

      The solution that most places use is to change your password to some randomly generated string and e-mail it to you rather than to e-mail you your old password. As I said /. may do that now I don't know because I haven't needed to use it.

      --
      Garett

    6. Re:Worse idea. by Skavookie · · Score: 1

      Would you necessarily know if you'd been compromised? There's plenty of uses someone could have for a compromised account that you might never discover.

    7. Re:Worse idea. by Latent+IT · · Score: 2

      If I've used it for 15 years without it ever being compromised, why is it that nobody has ever hacked it, despite the fact that I use it in a number of places?

      Well, since you asked:

      Luck.

      That's the only reason. Think of everything you'll lose when your luck runs out.

    8. Re:Worse idea. by Xerithane · · Score: 2

      MD5 is not an encryption scheme, and besides, if someone rooted slashdot it would be exceptionally easy to find anyone's passwords out anyway. Expire logins, put a mailto: on the login, wait and have the passwords mailed to a disposable email address.

      And SHA-1, that works great as long as your keyset isn't compromised. We're using SHA-1 at the company I work with, and using a rather obscure private/public keyset - it can't be random because it must be synched amongst a set of boxes, so it has to be calculated and predictable. However, someone would have to look at the code, and have root access to the box in order to crack the keyset. I think that's pretty secure, but it can be broken.

      Everything is a risk assessment, you just have to see how your risks weigh in with the benefit. If you have an ultra secure login system, but it takes 20 minutes to authorize, that isn't very useful.

      --
      Dacels Jewelers can't be trusted.
    9. Re:Worse idea. by jrp2 · · Score: 3, Interesting

      If I've used it for 15 years without it ever being compromised

      How do you know it has not been compromised? They could be holding on to it waiting for a good time to use it. They could be logging in, copying files, but not destroying anything that you would notice.

      Why is it that everyone assumes they KNOW when they have been hacked. I happen to know my boss's server password and he has no idea that I know it and he does not change it. If I so desired I can read his mail at will, read my co-workers reviews, etc. I don't, but I can. What makes you so sure that you have not been compromised and someone isn't surreptitiously using it?

      A while back I discovered one of our server's had been hacked (we discovered a root kit had been installed). We never figured out exactly how long it had been there. Could have been as long as a year, and who knows how much vital data could have been taken over that period while we were blissfully ignorant. Bottom line, don't be so ignorant, a good cracker is not likely to be noticed! You may very well have been watched for years.

      --
      The only athletic sport I ever mastered was backgammon - Douglas William Jerrold
    10. Re:Worse idea. by LadyLucky · · Score: 2
      So they got everyone's password

      The database shouldn't be storing our password. It should be storing the hash of the password, from which you can verify it, but not recover the actual password string.

      --
      dominionrd.blogspot.com - Restaurants on
    11. Re:Worse idea. by synergist-x · · Score: 1

      Using MD5 would work. Store the MD5 hash of the password in the database. When a user logs in and gives their username and password, take the MD5 hash of the password that they submitted and compare it to the stored value. And since only the MD5 hash is in the database, someone who gains access to the database still won't be able to figure out the passwords unless they feel like brute-forcing it. Storing MD5'd passwords makes things a smidgen less convenient in that there's no password recovery feature. One solution is to offer a password reset feature. Dyndns.org uses this, and I think slashdot does as well. When someone asks for their password to be reset the server creates a new password and emails it to the email address with which the account was registered. The original password continues to work, so that someone can't lock someone else out of their account by requesting a password reset. The old password only stops working when someone successfully logs in with the new password.

      --
      All we're waiting for is for something worth waiting for.
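
A constructed model of the store-the-hash-and-reset flow described in the post above, added here as an illustration rather than Slashdot's or DynDNS's own code: the database keeps only a salted digest, a reset issues a second pending password whose hash sits beside the old one, and the old password keeps working until the new one is first used. It swaps the post's bare MD5 for salted PBKDF2-HMAC-SHA256, which is an assumption of this example, not something the post specifies.

```python
import hashlib
import hmac
import os

# Constructed model of the scheme in the post above: the database holds only
# a salted hash, and a reset issues a second, pending password that is mailed
# out while the old one keeps working until the new one is first used.
# This is an added example, not Slashdot's or DynDNS's code; it swaps the
# post's bare MD5 for salted PBKDF2-HMAC-SHA256, which is an assumption.

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted digest of a password; this is all the database sees."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ROUNDS)


class AccountStore:
    """Per user: salt, current hash, and an optional pending-reset hash."""

    def __init__(self):
        self._accounts = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = {
            "salt": salt,
            "hash": hash_password(password, salt),
            "pending": None,
        }

    def request_reset(self, username: str) -> str:
        """Generate a fresh random password and return it for e-mailing.

        Only its hash is kept.  The old password stays valid, so a stranger
        requesting resets cannot lock the real owner out.  A repeat request
        simply replaces the earlier pending hash.
        """
        acct = self._accounts[username]
        new_password = os.urandom(9).hex()      # 18 hex chars (constructed)
        acct["pending"] = hash_password(new_password, acct["salt"])
        return new_password

    def login(self, username: str, password: str) -> bool:
        """Check a login; the first use of a pending password promotes it."""
        acct = self._accounts.get(username)
        if acct is None:
            # burn the same work for unknown users so timing does not leak
            # whether a username exists
            hash_password(password, b"\0" * 16)
            return False
        candidate = hash_password(password, acct["salt"])
        if hmac.compare_digest(candidate, acct["hash"]):
            return True
        pending = acct["pending"]
        if pending is not None and hmac.compare_digest(candidate, pending):
            # new password used successfully: it becomes the only valid one,
            # and the old password stops working from here on
            acct["hash"] = pending
            acct["pending"] = None
            return True
        return False

    def stored_record(self, username: str) -> tuple:
        """What someone reading the database gets: a salt and a digest."""
        acct = self._accounts[username]
        return acct["salt"], acct["hash"]
```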
    12. Re:Worse idea. by JimE+Griff · · Score: 1, Informative

      This is totally valid. However, if your password is stolen because /. or Hotmail is cracked, then wouldn't the site which the password was stolen from (following Maggard's logic in "The Hard Way") be responsible? I mean, it would be terrible to lose all your personal or business files, but unless you were specifically told to pick a different password, you could just pass the buck to the people who allowed your password to be stolen. They then can pass the buck on to the site-cracker, if they can find them. If every individual is responsible for personal passwords, then I believe that websites, unless they have big disclaimers, are compelled to take at least the same responsibility.

      --
      Jimmy _______ | | | \__/
    13. Re:Worse idea. by garett_spencley · · Score: 2

      Sure. I completely agree but it still doesn't really matter who's liable. The fact is that it happened in the first place.

      I mean let's say my house were broken into. I would definitely want the sob who did it to be thrown in jail, but even after he were it would still suck that it happened in the first place.

      And to solidify your point let's say the house wasn't mine but it was a friend of mine and I was house sitting. I should have some sort of obligation to my friend to keep the house locked. I mean that is why I'm house sitting isn't it? To make sure it's locked up and safe and that the cats are fed.

      So play it safe. Don't use the same password for everything.

      --
      Garett

    14. Re:Worse idea. by Anne+Thwacks · · Score: 1
      Even if /. actually do use MD5s, why do you think other sites get this right?

      Let's face it, anything that was a SMB server before Win98 was invented probably stores the passwords in plain text, and leaks like a sieve. Many of the owners of this clapped out cr*p are still in business, but can't afford to pay a sysadmin who even knows what MD5 is.

      Let's face it, you don't use the same password on different systems. But you are excused from using truly lame passwords on lame systems if you don't use them elsewhere.

      --
      Sent from my ASR33 using ASCII
    15. Re:Worse idea. by karlm · · Score: 2
      MD5 is not an encryption scheme, and besides, if someone rooted slashdot it would be exceptionally easy to find anyone's passwords out anyway. Expire logins, put a mailto: on the login, wait and have the passwords mailed to a disposable email address.

      And SHA-1, that works great as long as your keyset isn't compromised. We're using SHA-1 at the company I work with, and using a rather obscure private/public keyset - it can't be random because it must be synched amongst a set of boxes, so it has to be calculated and predictable. However, someone would have to look at the code, and have root access to the box in order to crack the keyset. I think that's pretty secure, but it can be broken.

      Off topic, but I'm intrigued. Are you saying that your company uses a single, fixed key for salting and hashing passwords for authentication, and the system relies on the key being kept secret? This sounds worse than windows networking authentication! For the love of Athena, use Kerberos or a mutually authenticated SSL system. Usually home-brew == brain-dead. There are ways to use hashes for zero-knowledge proofs, but this doesn't sound like one of them. It sounds like you're wide open to a blackhat replaying authenticators.

      Has anyone analysed your system? You seem to imply that you think SHA-1 is an encryption method. SHA-1 and MD5 are both hash algorithms, which can be used as primitives in a vast array of applications, including the basis for block or stream ciphers. However, your statements seem troubling. There are libraries for doing almost anything securely. The simplest to use would probably be SSL, and if you're really starved for CPU power, you can use authenticated but unencrypted SSL traffic.

      --
      Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
    16. Re:Worse idea. by LadyLucky · · Score: 2

      I imagine you are correct, it doesn't matter whether or not the technology exists, only if people use it :-)

      --
      dominionrd.blogspot.com - Restaurants on
    17. Re:Worse idea. by Xerithane · · Score: 1

      Actually no, it is not a fixed key. The major reason why we went with SHA-1 with mutating keypairs that are based off a predictable dataset (I'm assuming you have seen these types of setups before, they are actually quite common.. this is the same setup) to generate the result hash. And yes, SHA stands for Secure Hash Algorithm, I am quite aware it is a hash. The system does not rely on the key being kept secret, it relies upon the entire system being kept secure. I can say this with absolute certainty, outside of someone sniffing the passwords coming in (even though it is coming via an encrypted connection), unless someone compromised the server there is no way they could retrieve a password. And even then, it would take them a while to set up the predictable decryption routine. Unfortunately, it also has to maintain the ability to be decrypted as well, which adds more irritating variables into the picture. The current implementation is just there to get by for a temporary solution, it's going to be replaced by a single sign-on method, which will probably be kerberos based but it's still in the brainstorming stages.

      Rest assured, ample thought has gone into the encryption scheme. We're dealing with high school students, I know if anyone can break it it's probably them :)

      --
      Dacels Jewelers can't be trusted.
    18. Re:Worse idea. by linzeal · · Score: 1

      Doesn't everyone just use their username backwards for passwords like me?

    19. Re:Worse idea. by Anonymous Coward · · Score: 0

      It is all very well advocating that you should use a different password for everything, however it can become very difficult to remember all the different passwords for every different site (I have more than 20 sites/applications for which I need to use passwords on a semi-regular basis).

      As it is very hard to remember so many passwords (and more importantly which password applies in which case) it means that people who use different passwords usually write them down in some single location (my palm pilot stores mine) which gets us back to the initial problem: crack one password (eg the one to my palm pilot) and you suddenly have access to all the rest.

      I have therefore adopted the approach of having a small set of passwords that get used depending on the importance/type of the system they are protecting. For basic things (like passwords to forums) I generally always use the same (and a very basic one); for email I generally use another password (which is the same for all accounts); for computer logins I generally keep to a theme (different themes for work, home and uni) which at least allows me to guess within the subset; for banks a different one; and so on.

      This means that although I have > 20 sites needing passwords, at any one time I really only need to remember 5 or 6.

    20. Re:Worse idea. by Anonymous Coward · · Score: 0

      MD5 is not an encryption scheme, and besides, if someone rooted slashdot it would be exceptionally easy to find anyone's passwords out anyway. Expire logins, put a mailto: on the login, wait and have the passwords mailed to a disposable email address.

      Right... That'll only get people who log in during the attack.

    21. Re:Worse idea. by karlm · · Score: 2
      Oh, okay. That makes much more sense. Thanks.

      To me, it sounded like you were using a fixed salt to generate your authenticators from passwords, and you somehow needed the salt kept secret.

      The only issue with Kerberos is that you MUST have secure passwords. I know plenty of MIT students with bad passwords who think their kerberized telnet sessions are secure.

      Too bad they don't have well analyzed systems of DH group exchange encrypted with the user's str_to_key(passwd) and the kerberos ticket encrypted with the DH negotiated key. That would help prevent problems with sniffing encrypted tickets and performing offline attacks against bad passwords. (You could still perform attacks against bad passwords, but you would force them to be active attacks.)

      --
      Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
    22. Re:Worse idea. by Xerithane · · Score: 1

      To me, it sounded like you were using a fixed salt to generate your authenticators from passwords, and you somehow needed the salt kept secret.

      When I posted the original post, I had a 103 degree temperature. Wouldn't surprise me if that's what I'd think too :)

      Unfortunately, we deal with a lot of passwords that are just plain retarded.

      --
      Dacels Jewelers can't be trusted.
    23. Re:Worse idea. by tshak · · Score: 2

      MD5 is not an encryption scheme,

      Well, it is a hash, which is a "One Way Encryption" scheme. I never said the PW's needed to be recoverable.

      if someone rooted slashdot it would be exceptionally easy to find anyones passwords out anyway

      I'm not following. Are you saying that a brute force would be easy? This has to do with the individual's PW strength. If I have a strong password, I don't think someone cares to use 3 months of CPU to try to get it.

      --

      There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
    24. Re:Worse idea. by Xerithane · · Score: 1

      Did you read the rest of what I wrote? Reset all accounts' cookies, dump login info. Very simple, and if you do it covertly enough it would probably go on for months without anyone knowing.

      --
      Dacels Jewelers can't be trusted.
    25. Re:Worse idea. by tshak · · Score: 1

      Did you read the rest of what I wrote?

      Yes, I just didn't quite understand how it was directly related to my question relating hashing. I never said using MD5 would make it impossible for someone to steal PW's. You made it sound like there was no point in hashing the passwords in the first place.

      --

      There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
  45. Lotus Notes, and social commentary by phillymjs · · Score: 3, Insightful

    Lotus Notes on the Mac (I've never seen or used the Windows version) has a little something kinda like this in their password dialog.

    As you type in your password, small images in a 2 x 2 layout change according to what you've typed. Even though the password text is bulleted out, you eventually come to recognize the 'correct' four images and know when you've mistyped your password before hitting Enter. IMHO, this is the best feature of Notes, which otherwise sucks-- Lotus might not have been the first to use this idea, but it's the first place I've seen it.

    And now I'd like to complain about the increasing retard-ification of our society. How can people be unable to choose a few non-obvious passwords (hell, just some random sequences of alphanumeric characters will do) and remember them with a mnemonic device? Why must we create an authentication system geared to the stupid so they can easily exist among us? Maybe they'd smarten up if they chose "password" as their password and had their checking account cleaned out for the third time as a result.

    Of course, I should have seen this coming when McDonald's started using cash registers that had photos of the food on the keys and spit out the customers' change automatically, without the operator having to overtax his/her brain thinking about how a quarter, a dime, a nickel and three pennies have to combine forces to make 43 cents.

    ~Philly

    1. Re:Lotus Notes, and social commentary by rbeattie · · Score: 2
      IMHO, this is the best feature of Notes

      Yep, and they're getting rid of it... I'm too lazy to look for the link right now, but it's true.

      -Russ

      --
      Me
    2. Re:Lotus Notes, and social commentary by zr · · Score: 3, Interesting

      This feature serves another good purpose. If someone was to fake the Notes login dialog to snatch your password, it would be nearly impossible to correctly imitate those images, because the sequence they appear in is generated using a crypto-strength algorithm.

    3. Re:Lotus Notes, and social commentary by distributed.karma · · Score: 2, Insightful
      And now I'd like to complain about the increasing retard-ification of our society. How can people be unable to choose a few non-obvious passwords (hell, just some random sequences of alphanumeric characters will do) and remember them with a mnemonic device? Why must we create an authentication system geared to the stupid so they can easily exist among us? Maybe they'd smarten up if they chose "password" as their password and had their checking account cleaned out for the third time as a result.

      You could make a much more general point out of this. There used to be a mechanism called natural selection, to ensure that only the most able would survive. By luser-friendly technologies we are in fact driving mankind into a de-evolution.

      By the way, the reason there are so many geeks around is an interesting case of natural selection. When the more athletic of cavemen went for a hunt, they ordered the more skinny ones to guard the cave and the women and children inside. Well, while the thugs were out there killing innocent animals, us geeks made it sure that we'd become Homo Sapiens, not Homo Athleticus.

      --
      If you moderate this, then your children will be next.

    4. Re:Lotus Notes, and social commentary by Anonymous Coward · · Score: 1, Interesting
      As you type in your password, small images in a 2 x 2 layout change according to what you've typed. Even though the password text is bulleted out, you eventually come to recognize the 'correct' four images and know when you've mistyped your password before hitting Enter.

      Gee, that's interesting. How do you prevent shoulder surfers -- and TEMPEST, and whatever -- from grabbing your password?

      In case you missed it: all I need to do is record your monitor as you type your password, sit down at the password prompt, watch the first image change on the recording, and press a key (followed by backspace) until I see the same image change. Then continue for each key until I have your whole password. Heck, the password field even shows bullets, so I can use that to make sure I stay in sync.

      What a cruddy idea.
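
As an added illustration of the two posts above (constructed here, not Lotus or IBM code), a model of the grid-as-you-type feedback: the four images are a keyed hash of the prefix typed so far, so the real dialog's grid is recognisable to the user and not reproducible by a fake dialog that lacks the secret, while every grid in the sequence depends only on that prefix, which is exactly what the recording-and-replay objection relies on. The HMAC derivation, the per-installation secret, the catalogue size and the minimum length (a later reply notes Notes 5 shows nothing until a few characters are typed) are all assumptions of this example.

```python
import hashlib
import hmac

# Constructed model of the Lotus Notes login feedback discussed above: a 2x2
# grid of small images that changes as the password is typed.  Added example,
# not Lotus/IBM code.  Assumptions: the grid is an HMAC of the prefix typed so
# far under a per-installation secret, the catalogue has 64 images, and (as a
# later reply says of Notes 5) nothing changes until a few characters are in.

CATALOGUE_SIZE = 64   # distinct images available (assumed)
MIN_CHARS = 3         # grid stays blank below this length (assumed)


def image_grid(install_secret: bytes, typed: str):
    """Four image indices for the password typed so far, or None if too short."""
    if len(typed) < MIN_CHARS:
        return None
    digest = hmac.new(install_secret, typed.encode("utf-8"),
                      hashlib.sha256).digest()
    # one digest byte per cell, reduced to an index into the catalogue
    return tuple(b % CATALOGUE_SIZE for b in digest[:4])


def looks_right(install_secret: bytes, typed: str, remembered: tuple) -> bool:
    """The user's pre-Enter check: does the grid match the one I remember?"""
    return image_grid(install_secret, typed) == remembered


def keystroke_feedback(install_secret: bytes, typed: str) -> list:
    """Grid shown after each keystroke.

    Every entry depends only on the prefix typed so far.  That is what makes
    the grid usable as a typo detector, and it is also why the feedback hands
    per-keystroke information to anyone who can see the screen, as the reply
    above points out.
    """
    return [image_grid(install_secret, typed[: i + 1])
            for i in range(len(typed))]
```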

    5. Re:Lotus Notes, and social commentary by donutello · · Score: 3, Insightful

      And now I'd like to complain about the increasing retard-ification of our society. How can people be unable to choose a few non-obvious passwords (hell, just some random sequences of alphanumeric characters will do) and remember them with a mnemonic device? Why must we create an authentication system geared to the stupid so they can easily exist among us? Maybe they'd smarten up if they chose "password" as their password and had their checking account cleaned out for the third time as a result.

      You sound just like my father when he heard they allowed us to use calculators in school. In his day there were no calculators allowed. You did everything in your head. In engineering school he used log tables.

      I think he was wrong and so are you. We used scientific calculators in engineering school instead of log tables. I was learning structural mechanics and complex differential equations instead of the most efficient way to add or multiply numbers on paper. I don't consider myself any stupider for that. Whether or not I knew how to multiply two 7 digit numbers was immaterial to whether or not I knew how to compute the stress on a truss. (Yes, I do know how to use a log table efficiently but that hasn't helped me once in the last 10 years)

      Machines serve a purpose - they perform the mundane and boring tasks freeing humans to achieve higher goals.

      There is nothing wrong with making it easier for someone to work the cash registers. There's nothing wrong with shortening the learning curve by putting pictures of the items on the buttons. There's nothing wrong with speeding up the job by not making the clerks have to calculate the change. There's nothing wrong with reducing the risk of errors by spitting the change out automatically.

      Just because you can do something without a machine doesn't mean it's stupid to use a machine to do it. I imagine our ancestors who spent days chopping down a single tree probably thought we were lazy for using a chainsaw instead. I imagine their ancestors before them thought they were lazy because they used bicycles to get to work instead of walking uphill in the snow.

      --
      Mmmm.. Donuts
    6. Re:Lotus Notes, and social commentary by Slashamatic · · Score: 1
      On Lotus Notes 5, the images don't start changing until you have typed a few characters.

      I agree with you and still consider it a poor idea.

    7. Re:Lotus Notes, and social commentary by jhanson · · Score: 1

      Even if the dialog is hard to duplicate, couldn't they just use a keylogger?

    8. Re:Lotus Notes, and social commentary by Anonymous Coward · · Score: 0

      You may think you are not stupider but there are a lot of people who are, because they rely on something (else) to do something.

      Example: What is 11 X 12?

      I can do that math in my head, and really quick. I know with some people they reach immediately for the calculator; if they punch the number in wrong they don't know and accept 143 as the answer.

      An Example: the proliferation of Front Page. While it can be a good tool for beginners, let's face it, it is not really a good application for attempting to develop a full scale interactive web site and it does not teach the principles of good HTML or good web design. It was an easy answer and too often people look for an easy answer instead of knowing what the hell they are actually doing.

      And may I quote "When the only tool you know how to use is a hammer, every problem looks like a nail!"

    9. Re:Lotus Notes, and social commentary by MrResistor · · Score: 2
      There is nothing wrong with making it easier for someone to work the cash registers. There's nothing wrong with shortening the learning curve by putting pictures of the items on the buttons. There's nothing wrong with speeding up the job by not making the clerks have to calculate the change. There's nothing wrong with reducing the risk of errors by spitting the change out automatically.

      But there is something wrong with becoming dependent on machines to do simple tasks like making change, which is all too often the case. That's why your father is right and you are wrong.

      Now, using a calculator in engineering school is fine. If you've made it to engineering school you know the math already and you're just learning applications. You don't have time to mess around with log tables. Hell, I failed a statics test because my calculator died and I simply didn't have time to work out the problems without it. Talk about a crappy way to fail a test!

      On the other hand, the fact that my 12 year old brother is allowed (encouraged, even) to use a calculator in class makes me sick. He's supposed to be learning math, but instead he's just learning to punch a sequence of buttons that will hopefully give him the correct answer (assuming, of course, that he's using the same brand of calculator that he was taught in school). There is absolutely no reason that kids learning how to reduce fractions should be allowed to use calculators. He's fortunate that our dad is as much of a hardass as yours probably is and doesn't let him use one on his homework. (My brother disagrees on this point of course, but he'll also be a step ahead of his classmates who aren't so lucky.)

      Remember the term Garbage In, Garbage Out? How do you know you're getting garbage if you don't know the math well enough to know what to expect? Why would you even think to question the results when you've been taught to trust the calculator since the 3rd grade? Is that really how we want to teach our future engineers?

      --
      Under capitalism man exploits man. Under communism it's the other way around.
    10. Re:Lotus Notes, and social commentary by jeffy210 · · Score: 1

      Sadly, this is what I have always said was the best and worst thing that happened to the "computer revolution": Introduction to the masses.

      It helped us by giving us the much needed funding for R&D and to get a strong base going. But in the process, it also required us to "dumb it down for the masses" (read: AOL).

      It's both a blessing and a bane that we will never be, sadly, able to get rid of.

      --
      ------
      "And may your days be long upon the earth."
  46. no keyboard by BoRoG · · Score: 1

    Sweet, now I can log in and enter my password without even touching the keyboard!

  47. Less security, not better security. by bartman · · Score: 3, Insightful

    Not surprising that MS would come up with this knowing their track record with security...

    Consider anyone standing behind you while you select the appropriate login. They are bound to see the images you are selecting as your login much more clearly than the key combination you would have typed.

    --
    -- bartman
  48. Try telling this one to a friend by Anonymous Coward · · Score: 0

    Can you imagine having an emergency in our future-tech age?

    "No Bill, it's Black Guy, Asian Guy, Samoan Woman, Black Guy with the scar, White Guy with glasses! Hurry up before the Holodeck explodes!"

  49. Let's hope they have a way of opt-ing out by merlyn · · Score: 4, Interesting
    As I said in a previous thread two months back:
    People are visually oriented, so remembering pictures is easy, especially compared to a mess of uppercase, lowercase and symbols.
    Uh, some people. I'd have to name each picture to remember it, and then remember the names. I'm a part of the 5% of the population that doesn't deal well with picture recall, and a particularly bad case of that. Let's hope this system is never mandatory for any system I have to use. It's bad enough for icons without tooltips.
  50. pamela anderson by Anonymous Coward · · Score: 0

    the most widely used passpic

  51. Color blind by Anonymous Coward · · Score: 1, Insightful

    Seems like you'd have to be really careful not to exclude the color blind. And the actually blind. Or just those with bad vision, or really poor visual memories.

    1. Re:Color blind by Graspee_Leemoor · · Score: 2

      "Seems like you'd have to be really careful not to exclude the color blind. And the actually blind. Or just those with bad vision, or really poor visual memories."

      And the dead- don't forget the dead.

      Just because someone is no longer living doesn't mean they no longer have the right to log in to their computer.

      There are important issues here. Let's examine recent ideas of identity verification and how they affect the long dead, recently-deceased and undead:

      1) Fingerprint recognition: Bad- the flesh on your fingers may have all decomposed by now.

      2) Retinal scan- As above- eyeballs may be decayed or too badly damaged to scan, depending on your method of death.

      3) Voice recognition: Again, bad.

      Computer: "Please speak your name for identification."

      You: "Urrrrreeeeeuuuurgggghhhhhhh"

      Computer: "Not recognized"

      4) Clicking on parts of pictures. Hmm, may run into same problems as the blind due to loss of eyeballs, and let's face it, if you're a zombie, do you really want to sit there pissing about with a mouse?

      5) Traditional keyboard entry of password. Excellent. Undead have 'leet typing skillz, as immortalized in the game "THE TYPING OF THE DEAD"

      graspee

  52. Shoulder surfing by Anonymous Coward · · Score: 0

    It seems that a visual password would make it much easier for someone across the room to see and learn. One would have a hard time looking at my keyboard if they were behind me, but the whole reason any password login puts bullets on screen is so someone looking at the screen can't see it. Does this system use a mouse or is there some way to pick out the pictures using a keyboard with no on screen indicator? Of course, if that's the case, then this system may not be as idiot proof as they hope.

  53. How much more sophisticated? by Anonymous Coward · · Score: 0

    Picture this:
    The Mona Lisa by Leonardo da Vinci
    The Scream by Edvard Munch
    A picture of David by Michelangelo
    A picture of a not quite so cute dog with a caption underneath it that says, "Fluffy".

    I wonder which one of those would be the password. Hmmmmm.

  54. wrong example ? by mirko · · Score: 1
    So when you call support to get your lost password, will they ask you what your mothers maiden hair color was?

    Today is now 25 years after the Punk explosion in England (1977) so I believe it would be a bad idea to ask today's 25'ers about which color their mother could have painted her hair :-D
    --
    Trolling using another account since 2005.
  55. apparent problems... by Anonymous Coward · · Score: 1, Interesting
    one of the problems that many people have with "strong passwords" is not their lack of a strong kinesthetic memory - I can "remember" any password simply by typing it: sound familiar?

    Problem is that this has nothing at all to do with how you actually pull out that memory. I mean, having this strong kinesthetics allows you to keep that password in your head, but it does nothing for pulling it out (unless you always use the same password... more on this later)

    What triggers that memory really has to be one of four things: A sound, an image, a phrase (written), or a touch. That's not true, at least with me (functional keyed-retrieval) but most people at least fall into those four.

    This is a cue that your mind uses to pull out those memories at the appropriate moment. The feedback starts and you can whip out your password completely automatically, right?

    Some "realistic solutions" to these problems include: biometrics - which don't require any memory, single login - which limit the number of cues needed, asymmetric key - which relies on math, etc, etc.

    I say "realistic" because people have used them and they do work. They don't affect that memory pathway in and of itself, but instead rely on more durable pathways (e.g. outside of the person :) )

    Unrealistic methods? Pictorial passwords. Besides the obvious that they're useless to the blind, many (dare I say most? nah, I couldn't find those numbers) people lack a visual eidetic. This means that they're very easy to confuse with similar images - because they cannot be used as triggers for their memory- They simply cannot remember seeing that.

    Surely, they can remember the memory of seeing, or the act, maybe if they described it to themselves (common: turning a visual cue into an audio one, but this is time consuming and rarely works for long) - point being, it pushes way too much emphasis on only one cue.

    With our current method, I gain some visual cues; input fields on the left, on the right, a popup, etc. I also gain some functional cues (mail related? do I know these people? am I these people? was this just a test?)

    I then turn all these cues into the blinding flash of realization that sends my fingertips into a frenzy typing out the appropriate login and password for wherever I'm at. (except on slashdot, i'm a wuss... i use cookies :D)

    My cues may not be the same as everyone else's but everyone does have cues. I think that changing the focus of what we remember is less important than changing the cues by which we do remember.

  56. Embarrassment from lost password.. by sewagemaster · · Score: 1

    So when you call support to get your lost password, will they ask you what your mothers maiden hair color was?

    ... or the size of my "structural beam", which of course i can't exaggerate because the wood just isn't big enough :)

    ok. it's... the password is ONE - as in ONE foot...

  57. Re:I would choose a picture of [a keyboard] by dattaway · · Score: 2

    Just because it is a mouse, doesn't mean it can't be snooped. Mice and keyboards both use serial communications and can be captured by many means.

    The Microsoft Mouse(tm) protocol sends out a three byte sequence to signal a mouse movement. The current from the wires of a serial mouse can be picked up remotely with a good antenna that can sense the large RS232 voltage transitions at a slow 1200 baud. From another room, you could track mouse activity just as with a keyboard.

  58. another crippled website... by h4x0r-3l337 · · Score: 2
    Reuters: "We're sorry, but your browser is not compatible with our site."

    Oh well, it's not like we haven't seen this before

    1. Re:another crippled website... by Anonymous Coward · · Score: 0

      That's funny, I am using Netscape 6.2 on Solaris and I have no problem seeing this site.

  59. is it better? by torrey · · Score: 1

    people are just clicking on key points in a picture.
    To me it seems that is not much different from anything else, you have a picture of a face, there are probably 5 or 6 key points, the eyes, mouth, ears, and possible the top and bottom of the head. People would key in to the same features of the picture, after that, it just become an order of what is clicked, and people would tend to be predictable about that, forming geometric patterns, like going in a clockwize or counter clockwise pattern.

    In the end, things might be safer in the short term, but it just means that the hackers just need to read up on a new set of psychology books. Once they've got that down, you are back to where you started.

  60. Mothers color hair? by Anonymous Coward · · Score: 0

    "So when you call support to get your lost password, will they ask you what your mothers maiden hair color was?"

    Har, har, har, I know what color hair YOUR mom has!!!

    AC (1) CmdrTaco (0)

  61. A possible drop-in solution for *nix by hydra-monkey · · Score: 2, Interesting

    Ok guys, here's how you can use the power of visual identification and still have a cryptographically secure system. All of this and it's implementable RIGHT NOW with current tools on a standard linux distro.

    1. Take a directory full of images; it doesn't matter if they are .pngs, .jpgs, a mix of various types or whatnot. All that matters is there's quite a few of them on the machine. I'm going to use the /usr/kde/2/share/icons/hicolor/48x48/ directory. This directory contains 5 subdirectories with a total of:
    find . -name '*.png' | wc -l
    297

    pictures. Given this, we can do some basic combinatorics (permutations of these standard pictures) for any value of 297 choose n. Using the permutation of (297 3) gives us 25,934,040 possibilities (remember the order of choosing pictures is unique). It gets even nicer at 4 (7,624,607,760). Why am I bothering with this? Let me show you a snippet of python code:

    # requires python 2.x (uses the old sha module; hashlib.sha1 is the modern equivalent)
    import sha, sys
    # hash whatever is piped in on stdin (here: the concatenated image files)
    print sha.new(sys.stdin.read()).hexdigest()

    This little beauty will compute the hex digest of the Secure Hash Algorithm (http://csrc.nist.gov/publications/fips/fips180-1/fip180-1.txt).

    All you have to do to use this program is the following:

    $ cat apps/kedit.png filesystems/zip.png mimetypes/widget_doc.png | hex_sha.py
    066686143327A8A582E5F5333A98D6C3F1426324

    or, if you prefer:

    $ cat apps/kedit.png mimetypes/widget_doc.png filesystems/zip.png | hex_sha.py
    2C35BA8998BAAEA70008AE41E31F923142A48D7F

    Obviously, order matters. Starting from this simple building block I'm sure it wouldn't be too hard to have kdm/gdm/xdm use this alternate method. There are C libraries available (openssl) which accomplish the same feat.

    In short, this can be implemented in a weekend by a skilled hacker. One could even see creative ways of assigning short characters to each picture so that clicking isn't necessary. Something along the lines of:

    Actions == A
    aPps == P
    Devices == D
    Filesystems == F
    Mimetypes == M

    And each subdirectory use the same method as well. So instead of catting those three files via the CLI, I could opt to type :

    PE == aPps/kEdit.png
    MW == Mimetypes/Widget_doc.png
    FZ == Filesystems/Zip.png

    So I could type PEMWFZ (case shouldn't matter as we're indexing through a series of directories/files) and get my first catted line above. The second line would be PEFZMW.

    The weaknesses in the algorithm described above lie in the strengths of SHA and the number of choices (I'm using 3). Since SHA's collision space is larger than (297 3), the weakness lies in the permutation. As I showed above, it's pretty damn big. Make it 4 (and all pw's become 8 characters).

    Hardest part is the passwords are still gibberish-like. Or are they? Each grouping is paired in twos naturally. The password in one's mind isn't PEMWFZ, it's PE, MW, FZ. If one can visualize the picture with the grouping then there is a direct visual association. This would appeal to most hacker-types. And the non-techies can even just opt to scroll through the pictures clicking on the 3 (or 4) that comprise the password. There could even be an option displaying the shortcut keys as the pictures are being clicked in case the person can't remember one of the mnemonic groupings. This must be done in absolute secrecy should the shoulder-surfers wander by.

    You guys get the idea. I'm just spewing ideas about this topic.:)

    (And to others about this "dumbing-down" passwords; I think my hacker/non-hacker solution above complements both types nicely. It also gives rise to REAL passwords without having to memorize `a09GD3hz'. A complement of pictures and shortcut blocks works well within the human mind -- try it if you don't believe me. On top of this, it eliminates the possibility of people choosing 'god', 'stud', 'master' and other such obvious passwords.)

    Feel free to flame my constructive brainstorming. This is ./ after all. :)
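The scheme in comment 61, worked through as an added example (not code from the post): a constructed five-icon table stands in for the 297 KDE icons, the two-letter shortcuts PE, MW and FZ are the post's and the other two are made up, and the entropy figures go beyond the post by comparing the ordered picture choice with a random text password of the kind discussed elsewhere in the thread.

```python
import hashlib
import hmac
import math

# Constructed stand-in for the icon tree: shortcut -> (path, file bytes).
# First letter is the post's subdirectory key (A/P/D/F/M), second letter the
# file key (kEdit -> E, Widget_doc -> W, Zip -> Z). AS and DC, and every byte
# string, are made up for this example; on a real box these are the PNG files.
ICONS = {
    "PE": ("apps/kedit.png",           b"\x89PNG\r\n\x1a\n kedit-icon-bytes"),
    "MW": ("mimetypes/widget_doc.png", b"\x89PNG\r\n\x1a\n widget_doc-icon-bytes"),
    "FZ": ("filesystems/zip.png",      b"\x89PNG\r\n\x1a\n zip-icon-bytes"),
    "AS": ("actions/save.png",         b"\x89PNG\r\n\x1a\n save-icon-bytes"),
    "DC": ("devices/cdrom.png",        b"\x89PNG\r\n\x1a\n cdrom-icon-bytes"),
}
ICONS_ON_MACHINE = 297   # the post's `find ... | wc -l` count


def resolve_mnemonic(code, icons=ICONS):
    """Split 'PEMWFZ' into ['PE', 'MW', 'FZ'], ignoring case as the post says,
    and reject unknown shortcuts or a picture chosen twice (it is a permutation)."""
    code = code.upper()
    if len(code) % 2:
        raise ValueError("two letters per picture")
    pairs = [code[i:i + 2] for i in range(0, len(code), 2)]
    unknown = [p for p in pairs if p not in icons]
    if unknown:
        raise ValueError(f"unknown picture shortcut(s): {unknown}")
    if len(set(pairs)) != len(pairs):
        raise ValueError("each picture may be chosen only once")
    return pairs


def picture_digest(pairs, icons=ICONS):
    """The post's `cat a.png b.png c.png | hex_sha.py` step: SHA-1 over the
    concatenated file bytes, so another order of the same files differs."""
    h = hashlib.sha1()
    for p in pairs:
        h.update(icons[p][1])
    return h.hexdigest()


def enroll(code, icons=ICONS):
    """What a login manager would store: the digest, never the choice itself."""
    return picture_digest(resolve_mnemonic(code, icons), icons)


def verify(code, stored_digest, icons=ICONS):
    """Constant-time check of the typed shortcut string against the stored digest."""
    try:
        pairs = resolve_mnemonic(code, icons)
    except ValueError:
        return False
    return hmac.compare_digest(picture_digest(pairs, icons), stored_digest)


def picture_secret_bits(n_pictures, k_chosen):
    """Entropy of an ordered choice of k distinct pictures out of n: log2(nPk).
    The icon files are world-readable, so this choice is the only secret."""
    return math.log2(math.perm(n_pictures, k_chosen))


def text_secret_bits(length, alphabet_size):
    """Entropy of a uniformly random text password for comparison."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    stored = enroll("PEMWFZ")
    print("stored digest      :", stored)
    print("PEMWFZ accepted    :", verify("pemwfz", stored))   # case ignored
    print("PEFZMW accepted    :", verify("PEFZMW", stored))   # order matters
    for k in (3, 4):
        print("%d of %d pictures  : %d orderings, %.1f bits" % (
            k, ICONS_ON_MACHINE, math.perm(ICONS_ON_MACHINE, k),
            picture_secret_bits(ICONS_ON_MACHINE, k)))
    print("random 8-char [A-Za-z0-9] password: %.1f bits" % text_secret_bits(8, 62))
```

Three ordered pictures out of 297 come to about 24.6 bits and four to about 32.8, against about 47.6 bits for a random 8-character alphanumeric password, which is the comparison the follow-up replies are arguing about.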

    1. Re:A possible drop-in solution for *nix by Anonymous Coward · · Score: 0

      Did you just write that crap for Karma? Lame. Go read up on security, your English is fine, but your grasp of security is abysmal.

      Also, next time you post something like this, please read the article link on /. and understand what the article is about.

  62. I remember this... by ruiner13 · · Score: 0, Redundant
    Wasn't that in that horrible Keanu Reeves movie Johnny Mnemonic? I remember the pain and suffering of watching him get Ice-T to find the missing picture password piece using the military surplus dolphin living in a bridge.

    Hope we won't all have to go through that to unlock our computers.

    --

    today is spelling optional day.

    1. Re:I remember this... by Anonymous Coward · · Score: 0

      That was the best one I've heard for a while :-) Thanks! You saved my day man.

  63. Dangers of universal password by Gorimek · · Score: 2

    I think most people use one or a set of very few passwords, as well as usernames. It's inevitable, but has its problems.

    I'm sure if the Slashdot crew wanted to, they could use the usernames and passwords from here to log in to thousands of people's Ebay, Amazon and Paypal accounts. Anyone that puts up a site that requires a username and a password could do the same.

  64. Password security and safekeeping data by Anonymous Coward · · Score: 0

    I'm not trolling, but what good would this do if the MS users are still forced to "sign up" to some Microsoft "controlled" thing like MS Passport? We should have enough proof by now that MS are totally unable to keep something (except possibly the source-code to NT, but the computers holding it aren't connected to the 'net) safe.

    It would be like installing a keycard + keypad controlled locking mechanism on a shed made out of plywood - with a swing-door in the back.

  65. What about gesturing? by TrevorB · · Score: 2

    I wonder if mouse gesturing (ala Black and White) would make a good password protection system?

    I guess you could enforce a certain complexity to the password (no mouse up, mouse down).

    This would have the great advantage that it would be tremendously difficult to teach to someone else...

    Just a flawed thought. Find the flaws... :)

  66. Re:I would choose a picture of [a keyboard] by Account+10 · · Score: 1

    It signals movement, not position. So you have to guess the sensitivity and acceleration (although there aren't many combinations).

    To counteract this, the mouse driver can put the pointer at a random spot when it starts, or apply a little randomness to the movement, especially when the mouse is moving quickly and the user won't notice a few pixels' deviation.

  67. stupid assumptions by unsinged+int · · Score: 2, Interesting
    This technique will never replace typed passwords because it makes the following assumptions:

    1. The user has a functional, properly configured pointing device and is physically capable of using it.
    2. A graphical display must be loaded prior to logging on, which sucks if that's what you're trying to log in to fix.
    3. Any other computer you are using to log in remotely to such a password protected computer must also be capable of displaying the same pictures.

    Besides, the click locations would have to be stored in terms of percentages to allow for scaling the image for display on different devices with different resolutions and still accepting the user's "password." Add in a tolerance factor since the user probably won't click the exact same spot, and look... if I display all your images so they're really tiny I can click wherever I want and log in!

  68. Using this in combination with a password by jrp2 · · Score: 3, Insightful

    Reading through this thread, there are lots of valid issues brought up. I would agree that this concept alone would either be just as difficult as passwords (assuming the resolution of where you clicked was tight) or just as insecure as a bad password (assuming fairly forgiving resolution).

    BUT, a simple pictorial password combined with a simple alphanumeric password could be very secure as well as easy to use. Far greater than the sum of either used individually.

    I used to work at a large bank which employed this kind of multi-level security. A mag card got you into offices, a mag card plus a numeric keypad got you into medium security areas (teller lines, etc.). The higher security the area, the more techniques were added (retina scan, knowing your mother's maiden name, manager's name or department name, etc.). Basically, each aspect is individually attackable (stealing the mag-card, dictionary attacks, shoulder-surfing, password sniffing, etc.), but you have to know all of them to get access. Each obstacle in the way added a large measure of unpredictability and hence security.

    I could even see this being used in a "telnet" (ahem, ssh) like scenario where a traditional userid and password are the first level, then some quiz (arranging shapes or colors in a specific sequence for example) is the second level. Each would be easy to remember; combined it would be very difficult to guess both (or several).

    Basically, I think there is a great amount of promise in this kind of research. Yeah, you can shoot down each method as flawed, but combine a few of the methods and you can get some very powerful and easy to use security.

    --
    The only athletic sport I ever mastered was backgammon - Douglas William Jerrold

    1. Re:Using this in combination with a password by Anonymous Coward · · Score: 0
      I could even see this being used in a "telnet" (ahem, ssh) like scenario where a traditional userid and password are the first level, then some quiz (arranging shapes or colors in a specific sequence for example) is the second level.

      You want to make me play a game before I can log in and use the system?

      Son, I'm not sure where you work, but around here, we have work to do.

  69. Re:picture of [a keyboard] - SRK technology by Anonymous Coward · · Score: 0

    > If the keyboard picture had the
    > keys swapped to new positions every time

    http://use.e-gold.com

    click the SRK button to see such a keyboard.

    SRK = Secure Randomized Keypad

  70. Asterisks rendered useless? by Drake58 · · Score: 1

    I suppose this defeats the purpose of using asterisks to conceal your password in a place where people could be watching...

    Imagine a Beowulf cluster of these!

    1. Re:Asterisks rendered useless? by praedor · · Score: 2

      If it makes you feel better you can always use an image of asterisks as your password.

      --
      In Bushworld, they struggle to keep church and state separate in Iraq as they increasingly merge the two in America.

  71. Re:I would choose a picture of [a keyboard] by dattaway · · Score: 3, Interesting

    Detecting acceleration of the mouse is not an issue when the amount of movement is encoded in the sequence. Also, the initial position of the mouse is fixed upon boot.

    It's easy to scan and parse where the user is going to be. After all, this is done in software anyway! It makes no difference if it is done on the host computer or a remote spying box.

    byte  contents
    0     1  L  R  Y7 Y6 X7 X6
    1     0  X5 X4 X3 X2 X1 X0
    2     0  Y5 Y4 Y3 Y2 Y1 Y0
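The three-byte packet format in comment 71, decoded as an added example (not the poster's code): it shows that the stream carries only movement deltas and button bits, so turning it back into click points on an image requires the starting pointer position, which is what the randomised-start suggestion in comment 66 takes away. The packet bytes are constructed with the encoder here, not captured from a mouse.

```python
# Bit layout of the Microsoft serial mouse packet, as given in the post
# (7 data bits per byte on the 1200 baud link; bit 6 marks the first byte):
#   byte 0: 1  L  R  Y7 Y6 X7 X6
#   byte 1: 0  X5 X4 X3 X2 X1 X0
#   byte 2: 0  Y5 Y4 Y3 Y2 Y1 Y0
# X and Y are signed 8-bit deltas since the previous packet; there is no
# absolute position anywhere in the packet.


def encode_packet(dx, dy, left=False, right=False):
    """Pack one movement into the 3 bytes a mouse would send. Used here only
    to construct sample traffic for the decoder below."""
    if not (-128 <= dx <= 127 and -128 <= dy <= 127):
        raise ValueError("delta must fit in a signed byte")
    x, y = dx & 0xFF, dy & 0xFF                 # two's complement bytes
    b0 = (0x40                                  # start-of-packet marker
          | (0x20 if left else 0)               # L
          | (0x10 if right else 0)              # R
          | ((y >> 4) & 0x0C)                   # Y7 Y6 -> bits 3..2
          | ((x >> 6) & 0x03))                  # X7 X6 -> bits 1..0
    return bytes([b0, x & 0x3F, y & 0x3F])


def decode_packets(stream):
    """Parse a raw byte stream into (dx, dy, left, right) tuples, resynchronising
    on the byte-0 marker so a stray byte ahead of a packet is skipped."""
    events, i = [], 0
    while i + 2 < len(stream):
        b0, b1, b2 = stream[i], stream[i + 1], stream[i + 2]
        if not (b0 & 0x40) or (b1 | b2) & 0x40:  # not aligned on a packet start
            i += 1
            continue
        x = ((b0 & 0x03) << 6) | (b1 & 0x3F)
        y = ((b0 & 0x0C) << 4) | (b2 & 0x3F)
        dx = x - 256 if x & 0x80 else x          # sign-extend the 8-bit deltas
        dy = y - 256 if y & 0x80 else y
        events.append((dx, dy, bool(b0 & 0x20), bool(b0 & 0x10)))
        i += 3
    return events


def replay(events, start):
    """Integrate the deltas from a known starting position, as the host driver
    does. Returns the pointer position after each packet (index 0 is the start)."""
    x, y = start
    path = [(x, y)]
    for dx, dy, _, _ in events:
        x, y = x + dx, y + dy
        path.append((x, y))
    return path


def left_clicks(events, path):
    """Pointer positions at which the left button was down: the click points an
    image-password login would record."""
    return [path[i + 1] for i, (_, _, left, _) in enumerate(events) if left]


if __name__ == "__main__":
    # Constructed session: four moves, two of them ending in a left click, with
    # one stray byte ahead of the first packet to exercise resynchronisation.
    stream = b"\x05" + b"".join([
        encode_packet(40, 10),
        encode_packet(25, -5, left=True),
        encode_packet(-60, 30),
        encode_packet(-10, -20, left=True),
    ])
    events = decode_packets(stream)
    # Fixed start at boot (the poster's assumption): the stream pins the clicks down.
    print("clicks, fixed start :", left_clicks(events, replay(events, (0, 0))))
    # Driver starts the pointer at a random offset (comment 66): same stream,
    # shifted click points, so the bytes alone no longer say where on the image.
    print("clicks, random start:", left_clicks(events, replay(events, (17, 9))))
```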

  72. Busy not stupid ? by akintayo · · Score: 0

    OK, most people have quite a few accounts and some of these accounts are used infrequently. And in a large number of these cases it is considered more important to be able to access the account than to protect it. Quite frankly, I could care less if someone accesses my voice mail ... it would be inconvenient if I have to call verizon to reset my password.

    The registers make the servers more efficient. Also, why doesn't anyone complain about grocery stores and barcodes? Why don't we give them a sheet of paper and a pen, so what if it takes them 15-30 minutes to ring up a customer?

    --
    Woe be on to them, all who rise against poor people, shall perish in the end. Buju Banton
  73. Remote Login ? by BESTouff · · Score: 1

    How would this system work for remote login? The terminal has to download the whole image series from the server? The image series has to be standardized? Both seem flawed IMHO.

  74. Better Security? by Helmholtz · · Score: 2

    "Users simply remember exactly where on the images they clicked and in what order."

    How is that better, simpler and more secure? 99% of the people will simply click on the middle of the picture, and boom, you're through. Of course then there might be instances where you have to click a minimum of 5 places, so suddenly everyone is clicking on each corner and then once in the middle.

    Personally, I'd just as soon stick to my text passwords. I don't find my passwords hard to remember, as I utilize a sequence of rules to generate the password. That way I can choose a word (I usually like titles of Books/Movies/Albums/Songs) and run it through my little set of rules to produce a string of characters that bears little resemblance to the original word, but is still easy for me to remember, because I don't have to remember the actual password, just the methodology to get to it.

    If by pictures for passwords, they had meant that you supplied (uploaded) a special image of your own personal creation, and then that image is authenticated using an algorithm that generates a key by the values of the pixels in the picture, and then matches it via a public/private ssh key authorization manner; that, I think would be pretty slick.

    Well, I'll quit rambling now. I just don't see how clicking on parts of a picture is easier to remember or more secure than typing in a string of text.

    --
    RFC2119

  75. pass phrases by DRue · · Score: 1

    "I don't think you can create a password that is easily memorizable that is 20 characters long," Kirovski said.

    It is not difficult to create an easy to remember, 20 char password. Emphasizing pass phrases instead of the traditional 6ish char passwords would be a much better solution than this bizarre click on the image thing. Besides, how would it work with SSH :)

  76. Somebody tried to login to my car by Tablizer · · Score: 0

    I was driving to work in heavy traffic, and this guy drove up next to me and kept gesturing at my car. I think those gestures were to try to login to my car via visual passwords.

    He did not try very hard, for he used the same gesture over and over with very little variation. You Americans are not very creative at image password hacking it seems.

  77. Images? As passwords?! by NowIveSeenItAllGuy · · Score: 0

    Now I've seen it all!

    --
    Appended to the end of comments I post? 120 chars?!

  78. Old, Old Idea by mesocyclone · · Score: 4, Informative

    In keeping with Microsoft's tradition of rarely doing its own innovation...

    Many years ago somebody was selling Automatic Teller Machines that used this approach instead of numeric PINs. I wish I had a reference but this was way pre-Web (1970s).

    Also, this was discussed at Usenix 2000 and CrypTec 99 - see:
    http://paris.cs.berkeley.edu/~perrig/projects.html#DEJAVU

    and on Slashdot on Dec 28, 2001

    --

    The only good weather is bad weather.

  79. Tech support conversation . . . by div_2n · · Score: 1

    "That's right Mr. Johnson, your password is boob, nipple, tongue and lips."

  80. Additional revenue for porn sites by Infonaut · · Score: 4, Funny
    Just imagine the banner ads on Yahoo!:

    skuzzywhores.com now has downloadable pass-pictures of your favorite screen sluts, from Anal Ashley to Luscious Lydia! Why not have some fun with your security? Download 'em now!

    --
    Read the EFF's Fair Use FAQ

  81. This sounds awfully familiar... by Bones3D_mac · · Score: 1

    Be careful of those super-intelligent dolphin hackers, man! ;-)

    --


    8==8 Bones 8==8

  82. Common Passwords by burnboy · · Score: 0

    So who else but me thinks that the photos used in Johnny Mnemonic as a password will somehow become common in the world of image passwords?

    I guess if we used images as passwords, there'd be a smaller possibility of having the same password as someone else.
    If we're talking about taking pictures yourself of something you cherish to use as a password, no two people are going to have the same picture.
    If we're talking about capturing an image from a TV show or movie, again, not too many people will have the same exact image. Since there are normally 30 frames a second, the pixel arrangement in the picture can change up to 30 times each second. Therefore, images can sometimes be similar to the naked eye, but when it comes to it, their pixels will be arranged in just a slightly different way, depending on the action of the movie/show being captured.

    Anyways, that's my 2 cents.

    --
    burnboy

  83. That's poor security by Anonymous Coward · · Score: 0

    Do you think it would be hard to guess where someone was clicking?

  84. No by Eimi+Metamorphoumai · · Score: 3, Insightful

    First of all, that one was different (this requires you to click in very particular places in the pictures, not just on the right pictures), and secondly most of the comments on that were "This is stupid" and all the downsides. This idea has even more downsides than that.

    --

    Visit me on #weirdness on the Galaxynet.

  85. cmdrtaco if you have nothing... by Anonymous Coward · · Score: 0

    ...intelligent to contribute, then just post the damn story!

    "So when you call support to get your lost password, will they ask you what your mothers maiden hair color was?"

    if pictures are easier to remember, won't it make it easier for someone looking over your shoulder to see, and remember, your passwd??

  86. How do they come up with these ideas? by s4ltyd0g · · Score: 2, Funny

    Market droid: Our research indicates that our users aren't being humiliated nearly enough.

    Pointy haired boss: Why don't we make them play pin the tail on the donkey before they can use the system?

    Engineer: I suppose I could work it into the login sequence.

  87. Social commentary, part deux by BarefootClown · · Score: 3, Insightful

    And now I'd like to complain about the increasing retard-ification of our society. How can people be unable to choose a few non-obvious passwords (hell, just some random sequences of alphanumeric characters will do) and remember them with a mnemonic device?

    I assume you're referring to my secretary, who seems to believe that the little light at the top of the keyboard (the one with the words "CAPS LOCK" next to it) is the power light for the keyboard. The one who didn't understand why I wouldn't give her an Administrator account, since her job includes administering some of our (expense) accounts. (She pouted for two days over that one.) The one who refuses to log out of her machine at night, because she likes coming in to work and having her computer ready for her? (Note, that point applies to many of my co-workers.) The one who made me turn off the 30-day password cycling, because she didn't want to remember "all those passwords."

    The real problem here is that these people don't see the need for security. They think of computers as fancy toys, and maybe something to write letters. "Big deal--you don't need security for that. I don't care if somebody reads my letter to my brother, or plays my games." While that may be fine at home, I'd really rather people not get into our financial accounts, or our grade records (I work at a university). "Well, who would want to?" Well, for starters, any student who has a grade on that system. Anybody who'd like a little extra cash, from our pockets.

    The real problem isn't that they can't use a decent password, it's that they don't want to, because they don't see the threat. Until this changes, nothing will change.

    --

    "Make it ten--I am only a poor corrupt official."
    --Captain Louis Renault (Claude Rains), Casablanca

  88. They already did that by 216pi · · Score: 0

    http://www.realuser.com/ has already implemented this technology. You can use their service to store web-logins etc. on their servers.

    I tried it once and it was incredible how fast you can remember three or four faces in the right sequence.

  89. This is kinda like 'Johnny Mnemonic' by fennell · · Score: 0, Redundant

    good book, bad movie. can you imagine a beowulf cluster of those dolphins? >;)

  90. re: Using Images as Password by ebusinessmedia1 · · Score: 1

    At the MSFT presentation, Darko Kirovski of Microsoft Research (MSR) - who seems to have carefully thought a lot of this stuff through - talked about some of the simple ways that pure dictionary searches could weed out roughly 25-33% of all passwords.

    He also dealt with the possible objections that people might have to trying to remember where they clicked on an image.

    As an example, he hypothesized that a physiologist, or a surgeon using this system might very well choose anatomical images as their source material.

    He also pointed out that the keyboard layout itself is an 'image'.

    Kirovski was sensitive to the behavior change - going from text passwords to image-based sources - that consumers would have to engage in.

    He also admitted that there still isn't a password system that is 100% foolproof. However, by the time he finished his presentation, I was convinced that the image-based password system is a huge improvement on the current text-based model.

    This isn't to say better means for password protection won't come along - they will. But right now this is an interesting alternative.

    btw, Kirovski is an impressive individual. At the same conference, he spoke of research done on something called 'content screening' as a way to protect piracy. The rigor with which he approached both topics - from several perspectives - was impressive.

  91. man, that's one big-ass ad! by Petronius · · Score: 0

    I guess we couldn't use image passwords on /. : people would confuse them with those new ads

    --
    there's no place like ~

  92. Better things we can do as sysadmins... by infernalC · · Score: 1

    There are better things we can do as sysadmins to help fix this problem.

    • Enforce good password practices. Force users to choose passwords not susceptible to dictionary attack. Most modern *NIX variants' passwd utils do this.
    • Use one authentication system for every computer on your network. This is a biggie. I have accounts on some seven machines at the university, each with their own peculiarities (VMS doesn't allow '.' in passwords, system A is on a mandatory 2-week password change cycle, system B passwords are only changeable by web form, etc.) This is one reason why our users hate us so much. They have 80 different passwords to remember. Use Kerberos or NDS or something, and users will be much happier to abide by good password practices. Have your desktop passwords be the same as net passwords, too. NT supports this, and for heaven's sake, UNIX does too. If you don't do this, users will try to work around the system with password managers, etc., building insecurities into the system that you will never even know about.
    • Make it a terminal offense to share passwords.

    I really don't get the difference between this image stuff and character passwords. All I see on the keys on my keyboard are pictures... they just happen to be of letters. What do they put on yours?

  93. New Password Manual by Anonymous Coward · · Score: 0

    Great, we are so stupid that we cannot remember a basic password combination. Now we have to treat people like 3-year-olds who cannot remember a word, so they have to use a "Picture Book" to log in.

    Remember the Cow for goes Moooo!

  94. This will make passwords LESS unique, not more. by jfisherwa · · Score: 1

    Just think of all the people that will use goatse.cx or a picture of CowboyNeal as their password. :P

  95. Whahhahahaha! by Anonymous Coward · · Score: 0

    Too bad there is not a +10, funny. I vote this for the Oscar of funniest posts. Great job!

    And stupid is the idea of having picture for passwords. Am I the only one to see the sent key has actually fewer bits than text ones?

    Boy, every time MS innovates, script kiddies rejoice everywhere!

  96. PassfacesTM by Anonymous Coward · · Score: 0

    They are probably looking at something like Passfaces. See http://www.passfaces.com/

    You go through multiple screens of multiple faces, and have to get the right combination.

    Used it before, hated the idea at first, got quite used to it soon.

  97. Wow... by NanoGator · · Score: 2

    I never thought I'd finally be able to use my ass as a password.

    --
    "Derp de derp."

  98. Gesture Based Passwords by Alien54 · · Score: 2
    MS passed on the Idea of Gesture Based Passwords.

    Even they realized that most people would likely have some variation on one favorite gesture to use with MS software.

    And complex gestures would begin to resemble an arcane and ancient magic ritual. (which is an idea for a sf story someplace)

    --
    "It is a greater offense to steal men's labor, than their clothes"

    1. Re:Gesture Based Passwords by Anonymous Coward · · Score: 0

      And complex gestures would begin to resemble an arcane and ancient magic ritual. (which is an idea for a sf story someplace)


      "Senkon, Senkon duhiu rhee."

      STR THAT!

  99. Good idea, bad idea? by let+the+storm · · Score: 1
    Note: I know hardly any of you will read to the bottom of this post, so here's a copy of my sig:
    --
    m iso socially aware artistic geek pen-pal, m or f, in '1337 edu. jazz, poetry a must.
    email me (click my user info for addy) if you're interested.

    Now then. Let the games begin.
    ........
    First of all, here's a bit of a rant. Let me disagree strongly with Darko Kirovski, the "cryptography [...] researcher at Microsoft" (article) who created the prototype, when he says:
    "I don't think you can create a password that is easily memorizable that is 20 characters long," Kirovski said.

    Now, I'm just an average slashdot user. I've never worked with anything that is worth so much as protecting my keyboard from being TEMPEST-ed as I type my password. I'm certainly no cryptography expert.
    But even *I* know that you can create easily memorizable passwords 20 characters long, and, in fact, far longer.

    First of all, let me introduce you all to diceware. Diceware, slashdot. Slashdot, diceware. (How do you do, how do you do).

    Now diceware here is run by a guy who knows about security. He's paranoid. He doesn't just "come up" with passwords while trying to avoid using any obvious components -- oh, no, he generates them completely randomly, and accepts whatever he comes up with as his password. So randomly does he generate his passwords, in fact, that he uses casino dice rather than trusting any kind of hardware.

    But wait, it gets better.

    How does diceware work? Basically, you use dice to choose a group of short English words that, since they're words (or can be treated as words by a human, such as the "word" ijk), are easy to remember.

    More specifically, you roll a die five times, and put the five numbers together and find the corresponding word. (For example, if you roll 2, 6, 3, 1, 5, you search the list for 26315 and find that your word is "Frank").

    The only caveat is that before using this list, you should manually (or with a program of your own design) check to make sure 1) that no numerical combination is missing and 2) that no word is associated with more than one combination.

    In other words, you shouldn't trust the guy who made diceware, and you don't need to. It's just the principle of the thing -- a list of unique items on a one-to-one ratio with a range of numbers, each of the items of which is easier to remember than a mere number. (But, because there are equally many of them, will be equally "random".)

    Now let's do a bit of analysis together of how secure this is.
    1. Since five die rolls can have 7776 possible combinations (6^5), each "word" has an entropy of just over 12.924 bits. (2^12.924 ~ 7776, so that many bits are necessary to represent each combination five die rolls can create).
    2. Now, one "character", if we take it to mean an integer with values 0 through 255 inclusive, has entropy of 8 bits.
    3. Therefore, every two diceware words correspond to three completely random bytes.

    Now let's rip apart Kirovski's statement that you can't remember 20 characters.
    Before we do, let's point out that no one needs 20 characters, since even if you take a "character" to mean just any of the 94 ASCII values that a user can easily type, we'll even exclude the tab and space, this comes to (6.5545888 bits of entropy per one-of-94-characters * 20 characters=) 131.0917 bits of entropy. That's more than 128 bit encryption needs for a secure key! And this includes only the following characters:

    ! blah " this # lameness $ filter % really & sucks ' don't ( you ) agree * of + course , you - do . / 0 1 2 3 4 5 6 7 8 9 : ; ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~


    Obviously, if you include more in the definition of "character", then the amount of entropy in 20 characters becomes ridiculous.

    But for now, let's assume that Kirovski really did mean 20 characters, as I have defined them, or 128 bits of entropy. Is this "easily memorizable"? Sure is, if you use diceware.
    For each word, we'll roll a die five times and get 12.92 bits of entropy. This means we need 10 words to get 128 bits.
    Here are my results:[4]
    65566 35115 24266 14326 54314 63345 41616 12265 44346 56243
    I look these up in the word list, and get:
    "56 junk elba bleat lard wacky sermon annex one swept"
    as my pass-phrase. Is this "easily memorizable"?
    Sure is:
    1. "56k modems are worse junk than what Napoleon had at Elba -- a bleating piece of lard is faster down an incline if you've given it a push, for chrissakes!!" together with the picture of a goat bleating in terror as it rides a chunk of lard down a hill. Also picture the goat in a Napoleon posture (one hoof inside vest) so you remember elba.[5]
    2. "Wacko tries being a minister: comes up with wacky sermon about how we need to annex canada. I for one think it should be swept under the rug. (the idea advanced by the sermon or canada? :) )"
      Picture: arm stretching borders of Alaska over Canada.

    It took me less than thirty seconds to come up with vivid pictures for this, then another minute to associate these sentences and pictures with the actual words (bleat for bleating, swept for sweep or sweeping) and if I remind myself of it in a few minutes, then in a few days, then in a week or two, I'll have it known forever. Compare that with memorizing:[6]
    JLEwx;+?o9bH`"|6r%Bo
    And you see why diceware is a good idea.
    The fact that someone who is a supposed expert in this doesn't know about it is in my opinion inexcusable. (Of course, he might know that twenty characters' worth of entropy can easily be made to be memorizable, but his statement does not reflect this.)

    Incidentally, it takes me between six and seven seconds to type "56 junk elba bleat lard wacky sermon annex one swept" carefully enough that it's accurate without my checking it as it appears on the screen (I just closed my eyes and did this five times in thirty-one seconds.) And more than twice as long to type the random 20-character word, if I look at the characters as they appear, even though I use every one of those non-alphabetic characters frequently enough to be able to "semi-touchtype it" (might not hit it on the first try, but I know where it is and I don't look at the keyboard -- in fact, I couldn't now because I use a weird international one. [shrug] But semi-touchtyping doesn't help you when you see *'s instead of the characters...)

    As for how much security the average person needs (we're not talking 128 bits here):
    well, if you consider an 8-character random combination of A-Z, a-z, and 0-9, that's 5.954196 bits of entropy per letter * 8 letters = 47.6335 bits of entropy, or less than four diceware words' worth. For example,
    56 junk elba bleat.
    You don't even need spaces (although I find it easier to type with them) since no diceware word includes a space.
    Can you believe it, a simple thing like "56 junk elba bleat" being more secure than a completely random 8-letter mixed-case, alphanumeric word? Wow.
    Okay, I've run out of steam. That ends my diceware rant, and I'll address this whole nifty picture thing now.
    First let me offer these final notes, which didn't fit into my discussion above.
    • Note that the 7776 words diceware uses are all short. There are far more than that many common English words, but by including obscure shorter words and semi-words (like numbers), which are less common but equally memorable once you've thought about it / looked it up, the total typing is reduced. However, this leads to:
    • Be very sure to accept any words you're given. If you need to look up a word to know what it means, do so. By avoiding words you don't know (rolling again), you reduce entropy.
    • Don't change words. If I change "56" to "56k" above, and make that the word in my passphrase, it's not enough that I make sure 56k isn't already one on the list: I need to make sure that none of the other 7776 words are ones I might change to 56k if I roll them. In other words, just don't change words.

    Okay. Rant ends here.
    ........
    Back on topic:
    From the article: "The key -- images, which tend to make more of an impression on people than strings of text characters."
    This is true, but it is equally true that it is more difficult to uniquely identify a member of a given set of pictures than it is to identify a member of a given set of words.
    Picture the face of the last high school English teacher that taught you. Now, this is a fine part of a password, because you can choose it randomly from a large list of objects (people you know), and you will remember that it's your password. (Or rather, it and a few more like it).
    That is, if I told you that of the 2000 people you know, the following eight faces, in that order, are now your password, you will have very little difficulty remembering them and their order.
    However, how will you make a selection 8 times from one of 2000 people? Supposing you know their names also, you can alphabetically list four at a time, doing a double-binary search (for example, A-M at the top, M-Z at the bottom, and the right side is the upper half of each of these ranges and the left side is the lower half).
    You now need to make 5.482892 selections to select each of your 8 faces. That's 43 mouse clicks, each one followed by scanning four faces.
    Of course, this is based on knowing the names associated with each face, and it would be easier just to type those in. In which case we're back to diceware.
    If you don't know their names, however, just how will you select from 2000 faces? Well, maybe you can mimic the binary search with a selection from characteristic skin color, eye shape, etc. If you spend a few hours learning "human facial classification", I bet you can select just about any face you recall in eight or nine mouse clicks.
    However, I doubt most people would be too keen on learning to input a bunch of characteristic features. (Even if the 2000 people aren't really people, but people from "Guess who?", who have either a large or small nose, either are wearing a hat or aren't, etc.[7])
    The more specific method the article mentions, selecting a particular pixel range within a person's face, isn't something that people do on a daily basis (so much as memorizing and recognizing faces is), so I doubt most people could remember whether it's Mary's lower-right lip followed by where a dimple would be on her right cheek, then the middle of her left eyebrow, or the other way around. It's just not doable.

    Okay, I need to go now. Enjoy the weekend, all.
    ~lts.

    You can skip step (1) if you make a contract with yourself that if you ever roll a combination that for some reason isn't on the list, you will take the time to make a word that is not on the list, and use that instead.

    We'll note that hardly anyone uses the full ASCII set, including control characters, in their passwords, but I suppose it's possible to use every character besides carriage return (and maybe even that), depending on the implementation.

    There are only 96 keyable characters in the ASCII standard before all the international extensions and so forth, which include the tab and the space.

    [4] If you want, you can follow along (and see that I didn't artificially select a particularly easy combination):

    #include <iostream>
    #include <cstdlib>
    using namespace std;
    int main(int argc, char* argv[])
    {
    cout << "Unseeded demo. NON-SECURE!" << endl;
    // the loop that printed the die rolls is missing from the post as mirrored
    return 0;
    }
    (You can add indentation, I remove it because of the lameness filter.)

    [5] Napoleon's last battleground, I guess. Famous palindrome: "able was I ere I saw elba".

    [6] this example from unseeded:
    for(int i = 0; i < 20; i++) cout << char(rand() % 94 + '!');
    cout << endl;

    [7] On an aside, I figured out binary searching all on my own in playing Guess Who as a child. I figured out that the most efficient way of ending up with the opponent's person is, at each question, to pick a characteristic that only exactly half of my remaining choices had -- sometimes this involved making up questions like: "Okay, does your person EITHER have a hat OR a moustache (or both?). Yes or no?"
    (Actually, I soon realized that I could get an answer faster by saying "does your person have any of the following:", for that particular form of the question, but that doesn't apply to all boolean expressions I asked).
    --
    m iso socially aware artistic geek pen-pal, m or f, in '1337 edu. jazz, poetry a must.
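    The entropy arithmetic and the dice-to-word lookup from the diceware part of the comment above, as an added example that is not code from the post: it rolls dice with a CSPRNG instead of the unseeded rand() from footnote [4], converts a five-digit dice code into a word-list index, and computes the bit counts the comment quotes (12.92 bits per word, 47.63 bits for 8 random alphanumerics, 5.48 four-way selections to pick one of 2000 faces). SAMPLE_WORDLIST holds only the ten code/word pairs the post gives, not the real Diceware file; that dictionary and all function names are this example's own.

```python
import math
import secrets

# Diceware: five rolls of a six-sided die index a list of 6**5 = 7776 words.
DICEWARE_LIST_SIZE = 6 ** 5
BITS_PER_WORD = math.log2(DICEWARE_LIST_SIZE)   # about 12.92 bits


def roll_word_code():
    """Roll five dice with a CSPRNG and return the code as text, e.g. '65566'.

    secrets.randbelow() stands in for physical dice here; an unseeded rand()
    as in the post's footnote is fine for a demo but never for a real passphrase.
    """
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def code_to_index(code):
    """Map a five-digit dice code ('11111'..'66666') to a list index 0..7775."""
    if len(code) != 5 or any(c not in "123456" for c in code):
        raise ValueError("dice code must be five digits in 1..6: %r" % code)
    index = 0
    for digit in code:
        index = index * 6 + (int(digit) - 1)
    return index


def passphrase_from_codes(codes, wordlist):
    """Look each dice code up in the word list and join the words with spaces."""
    return " ".join(wordlist[code] for code in codes)


def words_needed(target_bits, list_size=DICEWARE_LIST_SIZE):
    """Smallest number of words whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def charset_bits(charset_size, length):
    """Entropy of a uniformly random string of `length` symbols from a charset."""
    return length * math.log2(charset_size)


def clicks_needed(set_size, choices_per_screen):
    """Selections needed to narrow set_size items to one when each screen
    keeps 1/choices_per_screen of them (the post's double-binary search)."""
    return math.log(set_size) / math.log(choices_per_screen)


# Constructed sample: only the ten codes and words quoted in the post, in the
# post's order. The real Diceware file has 7776 entries.
SAMPLE_WORDLIST = {
    "65566": "56", "35115": "junk", "24266": "elba", "14326": "bleat",
    "54314": "lard", "63345": "wacky", "41616": "sermon", "12265": "annex",
    "44346": "one", "56243": "swept",
}
SAMPLE_CODES = list(SAMPLE_WORDLIST)


if __name__ == "__main__":
    print(passphrase_from_codes(SAMPLE_CODES, SAMPLE_WORDLIST))
    print("bits per word: %.2f, words for 128 bits: %d"
          % (BITS_PER_WORD, words_needed(128)))
    print("8 random [A-Za-z0-9] characters: %.4f bits" % charset_bits(62, 8))
    print("4 diceware words: %.2f bits" % (4 * BITS_PER_WORD))
    print("clicks to pick 1 of 2000 faces, 4 per screen: %.6f"
          % clicks_needed(2000, 4))
    print("a fresh roll:", roll_word_code())
```

    The index arithmetic is what lets any five-digit code be resolved without searching: the code is a base-6 number with digits 1..6, so "11111" is entry 0 and "66666" is entry 7775.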
  100. graphical passwords by mr.newt · · Score: 1

    I don't know if any of you remember (or knew), but there were several programs for "hacking" AOL which used graphical passwords. (One that comes to mind had a picture of a girl, a dog, a bird and an arrow and you had to click them in a specific order to unlock the program.)

    Another "innovation" by Microsoft.

  101. Transparent proxying is a PITA by Denium · · Score: 0
    If the user wants to use proxying, so be it.

    If the user, despite ISP encouragement, chooses not to use a proxy, that should be his choice. He is paying for the bandwidth, and is assumed to be aware of the possible performance hit.

    This was discussed in the vuln-dev mailing list after Comcast implemented transparent proxying.

    This raised quite a stink when Comcast's logging habits were revealed. Oops.

    There is obviously a performance degradation involved with re-resolving the address given to the cache server. Furthermore, requests now appear to be coming from the server, not the actual user -- potentially breaking host-based authentication systems.

    I've also seen these cache systems horribly implemented. An IRC network that I administer recently started checking for HTTP proxies on connection. This was performed by connecting to the remote user's host on certain ports (80, 3128, 8000, and 8080) and then issuing a CONNECT request. In more than one case, a blatantly stupid ISP redirected _incoming_ port 80 traffic to their server -- WITHOUT any sort of access restrictions on their proxy. Sort of ironic that they were probably using untold amounts of bandwidth for 1337 bounce kiddiots.

    Proxying without consent is an Evil Thing.

    1. Re:Transparent proxying is a PITA by Denium · · Score: 0
      Wow -- posted to the wrong article, too.

      D'oh.

  102. MS Bob Passwords Part II by Black+Art · · Score: 3, Insightful

    This sounds like yet another attempt to make things "easier", with no understanding or attention to the security ramifications.

    Passlogix has a similar password scheme. You click on a number of objects to create a password.

    Sounds good, but it turns out to be very bad.

    It turns out that the number of objects used on the screen made for fewer combinations than you would have if it represented a letter of the alphabet. (About 28 combinations per "drag".)

    It gets worse. Due to the way the interface works, it becomes prohibitive to make large passwords. (A keyboard is much faster.) The interface passlogix used was drop and drag. Icons are not going to be much better. (You only have so much screen area to work with.)

    Passlogix did one even better though... They made the order of the password not matter. (So "AAB" and "ABA" and "BAA" were equivalent.) For small passwords, it removes a fair chunk of the combinations. For large passwords, it removes almost all of it. (95% at 5 characters and it gets worse from there.) I expect similar things from Microsoft if they actually do this.

    I have suspected that Microsoft considers most of their users to be illiterate. It frightens me when I see evidence that my worst fears are confirmed.

    --
    "Trademarks are the heraldry of the new feudalism."
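    To see how much an order-insensitive check throws away, as an added example (not code from the post or from Passlogix): for an alphabet of n objects and a secret of length k, an order-sensitive verifier distinguishes n^k secrets, while one that ignores order only distinguishes the multisets, C(n+k-1, k). The functions count both, report the loss in bits, and show the sorted form that an order-blind verifier effectively compares. The alphabet size 28 in the demonstration is the post's own figure; the function names are this example's.

```python
import math


def ordered_count(alphabet_size, length):
    """Secrets when order matters: every position is an independent choice."""
    return alphabet_size ** length


def unordered_count(alphabet_size, length):
    """Secrets when order is ignored: multisets of `length` symbols drawn with
    repetition from `alphabet_size` symbols, C(n + k - 1, k)."""
    return math.comb(alphabet_size + length - 1, length)


def fraction_removed(alphabet_size, length):
    """Share of the ordered key space that collapses once order is ignored."""
    return 1 - unordered_count(alphabet_size, length) / ordered_count(alphabet_size, length)


def bits_lost(alphabet_size, length):
    """Entropy given up by an order-blind verifier, in bits."""
    return (math.log2(ordered_count(alphabet_size, length))
            - math.log2(unordered_count(alphabet_size, length)))


def canonical(secret):
    """The value an order-insensitive verifier effectively stores and compares:
    the symbols sorted, so 'AAB', 'ABA' and 'BAA' all collapse to 'AAB'."""
    return "".join(sorted(secret))


def loss_table(alphabet_size, lengths):
    """(length, ordered, unordered, fraction removed) for each length."""
    return [(k, ordered_count(alphabet_size, k), unordered_count(alphabet_size, k),
             fraction_removed(alphabet_size, k)) for k in lengths]


if __name__ == "__main__":
    print("%6s %14s %12s %8s %6s" % ("len", "ordered", "unordered", "removed", "bits"))
    for k, ordered, unordered, removed in loss_table(28, range(1, 11)):
        print("%6d %14d %12d %7.1f%% %6.2f" % (k, ordered, unordered,
                                              100 * removed, bits_lost(28, k)))
    print(canonical("BAA"), canonical("ABA"), canonical("AAB"))
```

    The table makes the post's point concrete: the unordered count grows polynomially in k while the ordered count grows exponentially, so the gap widens with every extra click.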
  103. image map by sniggly · · Score: 1

    If you use an image map in a form input type=image the reply you get is action.x=a and action.y=b - depending on the complexity of the image you might get a pretty good "password" out of an a & b range. Helping people remember where they clicked will be more time consuming than reminding them of their password. But a sequence of images.. not a bad thing to try :)

    --
    Of those to whom much is given, much is required.
  104. Re:I would choose a picture of [a keyboard] by Anonymous Coward · · Score: 0

    It wouldn't matter if the images move to a different position every time you try to log in.

  105. Wow, this is complicated! by crevette · · Score: 1

    The images would have to be doctored to work with software that could convert pixels to numbers and encrypt them.

    That would certainly require a couple hundred programmers to doctor those images. Add another 100 for the pixel to number algo. At least! While you are there, why not add 50-60 assistants to make the coffee?

  106. Solution by djw · · Score: 1

    When the user selects his password, he also selects a cursor style or color. When logging in, nine or ten fake cursors in different styles and colors also appear over the image in random locations. All the fake cursors move with the mouse, but their planes of motion are each reflected or rotated some amount from the origin.

    All the user has to do is watch the preselected "real" cursor while clicking and ignore the others. No one else will know which one is valid.

    1. Re:Solution by Anonymous Coward · · Score: 0

      Hmm... that's actually doable, providing there are more than nine or ten cursors... maybe 20?

  107. It seems to work by kaotao · · Score: 1
    A Berkeley grad student did a class project on hash visualization a few semesters back that included some tests on users. She reported that while it took longer to log in using images, people remembered images for a surprisingly longer time.

    Here's the final paper.

  108. Re:Hmmm (Did everyone forget about realuser?) by Potrzebie · · Score: 1

    For what it's worth, I tried out RealUser when it was in the news, specifically because I group myself with the other people here who say "I never remember faces in real life, so this isn't for me."

    A few times since then (and just now), each time after months of not giving a single thought to PassFaces, I've logged in to prove that it wouldn't work for me. I assumed that I was too much of a geek to remember a sequence of faces. The fact is, I've logged in successfully on the first try every time.

    The point is not:
    ... that this is a brand new idea. It's not. It's been around, and there is more than one proof-of-concept implementation.
    ... that text-mode console users will love this. They won't. In fact, I'm pretty sure I'd never use it. But no one cares. I'm not in the target userbase anyway, because I'm already good at remembering passwords.
    ... that this is only for people who remember the names of the people they meet at the bar. I never remember names. Luckily, this is more like remembering that you're supposed to remember the name for a specific face. ("Click the faces that would embarrass you most if they remembered your name.")
    ... that users will create stupid authentication keys no matter what. That seems like a problem with the MS technology as it's described, but it doesn't seem inevitable. RealUser, for instance, is arguably superior in this respect. The RealUser face-sequence is system-generated and (presumably) more random than any of my user-chosen alphanumeric passwords.

    Offered as an option alongside alphanumeric passwords in technologies with a large population of less-than-tech-savvy users, image-based authentication seems likely to result in lowered use of "remember password" checkboxes and/or "forgot my password" tech support calls. Most technologies that have such a userbase require a graphical interface in the first place.

    The weakness of this authentication method against shoulder-surfing is my biggest complaint. Again, RealUser seems better poised to address this problem. Both RealUser and the MS solution will require images to be displayed. However, since RealUser doesn't care where I click within an image, they could change the selection method to a keyboard-based one to make the shoulder-surfing threat more similar to the same threat against alphanumeric passwords.

    In my opinion, the most interesting thing about this article is the fact that "Researchers at Microsoft Corp." are making news by "[working] on new types of passwords". I, and others here, already tried the technology they're working on over a year ago and in a form arguably superior to the one the article describes.

  109. so... by Anonymous Coward · · Score: 0

    goat sex anyone.

    Baduh pun

  110. Possible, but by k2x · · Score: 1

    don't you think such pic-passwd's would be easy to crack? Since the 'memorable' parts of the pic would be the breasts, "private parts", and other key parts (particular to an individual's fetishes like belly button, legs, lips, etc).

    Not too many permutations there. But hell, would it be *fun* to crack(not to mention _getting_off_).

    :)

  111. Johnny Mnemonic by xmda · · Score: 1

    For those who want to see something like this in action, go rent the movie Johnny Mnemonic.

  112. some of us can't remember images either by Reziac · · Score: 2

    I could never remember which cheeses to click to get past the nag screen for Monty Python's Complete Waste of Time (or whatever it was called); why on earth would I remember any better which body parts, mammals, and reptiles to click in what order so I could log onto my computer??

    Or as a friend once put it, "I don't need pictures. I can read and write." :)

    More seriously, it occurs to me that unless the images came up in a random order each time, password sniffers would merely need to record mouse click position. And once the password images were ID'd.. Hmm. ISTM such images should be user-defined to be more secure, because otherwise sooner or later some sniffer is going to know how to ID the OS-supplied images that were clicked, regardless of screen placement.

    I just had this vision of people using their fave porn thumbnails as their password images, leading to this:

    Invalid password: you must include at least two tits, one ass, and one other body part.

    (thanks to whoever made the post that inspired this :)

    --
    ~REZ~ #43301. Who'd fake being me anyway?
  113. Future HCI methods by blanktek · · Score: 1

    It seems logical to be researching alternative password methods for future HCI methods. With devices from Microsoft like PocketPC and TabletPC, text passwords are not the ideal method. Keyboards won't die for some time, and text passwords won't go away either, but as Microsoft includes handwriting support in OfficeXP and on PocketPC they seem to be on the move toward "Pen Computing". They never pulled it off with Windows 3.1 for Pen Computing, but they probably will in the future. Biometrics aren't necessarily the only alternative; this is research after all.

  114. Why is this so hard! by mabhatter654 · · Score: 1

    I have a three year old. Rather than tell him to type some list of letters, I grab a picture from his favorite cartoon and he picks three favorite animals. You have more than enough data here and great ease of use for normal people, who are visual creatures. You have data from the picture to use as the base of your encryption key. You have randomness of the orders of the points picked. Also remember, you don't have to pick a "point": you could pick a region or, as things like MPEG 7 (moving sprites) catch on, an actual object in the picture (or representation thereof) rather than just the bits. You could make the behind-the-scenes as elaborate as you want and the end user wouldn't be bothered with it.

  115. passwords and stuff (an imitation) by Bill+Ashley · · Score: 1

    What about clicking in a certain part of the Microsoft startup sound thingy or deleting your regular boot files or if you're really smart making your own boot files that only you have and always carrying a disk with you... or voice recognition or sound playback .. or carrying your hard drive with you or hiding it in a concealed hiding spot under your desk and replacing it with a fake drive that looks real or backing up all your sensitive data and use a cd sequence like some video games and stuff or well that's all I can think of right now don't store anything sensitive online or connected to a source of transmission physically .. really privacy only slows society and causes division but I'm a poor ass bum with nothing to lose so I just don't care. I'm sure there are lots of people that feel they have things to "protect". Really it just casts a dark cloud when people turn society into what they fear. Just use unknown encryption of files or access. Or mask file types or have dual file type i.e. something that is a text file when in reality a jpeg or vice versa... or have reverse binary rendering or a million other possibilities.. anyone that actually wants to hide data can. Anyone that wants to crack it might be able to but probably won't. Just invent your own system. Lots of really simple rules for security and none of them are mainstream. But it doesn't really matter it's all tools for domination and power mongering. Whatever happened to blind trust. Ok I trusted people with my ftp and they deleted my boot files so they killed that opportunity for everyone else. Even though anyone that wants to hack my system could in a second making it an elite server.. oh well maybe one day everyone will live in harmony and not have the need for selfish need I just hope it is before I am the last one left. Honestly it doesn't matter anymore at least not until I get a sense of non blah to life if ever.
    The picture thing seems like it might be good for kids who don't want to use a Mac and might make it funner to use a computer. Also it's something to keep interest in Windows and talk about for all you computer geeks (compliment) :) Really just wanted to say in advance I know I'm not smarter than you and that makes me that much happier. It sucks not being really really stupid though I think actually it's impossible to judge intelligence since anyone living has passed. Anyway I still don't get this password and safety thing. Either I'm god or you are and either way either I win

    --
    hmm sooner
  116. New "crack" program. by AMuse · · Score: 2

    The perfect dictionary file for the new "crack" program: images.google.com

  117. Re:I would choose a picture of [a keyboard] by Anonymous Coward · · Score: 0

    Well, the login scheme would automatically change the mouse position to a random point on the screen. It would not be snoopable unless a guy was sitting behind the user (or unless the guy says each letter out loud trying to remember. I have seen this more than once...)

  118. Very EZ 'hard' passwords by MystikPhish · · Score: 1

    I don't know why people say it is so hard to remember passwords... I literally don't even know my password at work! I'm serious, here's why:

    Think of a password that's easy to remember: your name then birthday, like JSmith032302. Easy, right? But a bad password. So hash it on your keyboard. I type my passwords in using the key above and to the right. If it is a number or the key above and to the right is a number, I 'shift key' it. I also use 'capitalization'. So the EZ to remember password JSmith022302 becomes the password IEk(^u)@@#)#.

    They don't get much harder than that. And as for using a different password for each web site, use the website name as part of your 'unhashed' password instead of your name.

    --
    "I'm about to drop the hammer and dispense some indiscriminate justice!"
  119. Not-so-stupid idea? by psamuels · · Score: 1
    I have one password that I've used for the past 15 years or so. It's 8 characters (9 if I need to mix numbers with it), and it appears completely random.

    A coworker told me the exact same story when wondering why his password had expired. He was mildly pissed. I understood his frustration completely. In turn, he understood why I couldn't just make an exception for him.

    At that point I thought of something, which I've never implemented but I think would be worthwhile. I think that when you change your password, the password strength checker should assign an expiration date based on entropy. If you want to use a password like "Cindy" - fine, but it will expire in 24 hours. If you use "a79xoibf", it will never expire. I'm assuming cracklib has a reasonable way to estimate password entropy.

    Has this ever been implemented? I think, over time, such a system would encourage people to use good passwords. Having to remember a new password every week is a drag compared to keeping the same hard password for a year.

    --
    "How can you claim that you are anti-crack, while still writing a window manager?" — Metacity README
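    One way to implement the entropy-based expiry the post proposes, as an added example that is not the poster's code and does not use cracklib: a crude estimator credits a dictionary word only with the choice among dictionary words and otherwise credits length times log2 of the character-class pool, and a tier table maps the estimate to a lifetime. The DICTIONARY, the POLICY tiers and the 40-bit never-expires threshold are constructed assumptions for the demonstration; a real deployment would plug in a proper word list and its own tiers.

```python
import math
from datetime import date, timedelta

# Constructed mini dictionary standing in for a cracklib-style word list (assumption).
DICTIONARY = {"cindy", "password", "letmein", "qwerty",
              "welcome", "monkey", "dragon", "summer"}

# Policy tiers, an assumption for this example: (minimum estimated bits, lifetime in days).
POLICY = [(0, 1), (28, 7), (36, 30)]
# At or above this estimate the password never expires (also an assumption).
NEVER_EXPIRES_AT_BITS = 40


def pool_size(password):
    """Size of the symbol pool implied by the character classes actually used."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33          # printable ASCII punctuation and space
    return pool


def estimate_bits(password):
    """Crude entropy estimate. A dictionary word (any capitalisation) is worth only
    log2(dictionary size); anything else gets length * log2(pool)."""
    if not password:
        return 0.0
    if password.lower() in DICTIONARY:
        return math.log2(len(DICTIONARY))
    return len(password) * math.log2(pool_size(password))


def lifetime_days(bits):
    """Days the password may live under POLICY, or None for never expires."""
    if bits >= NEVER_EXPIRES_AT_BITS:
        return None
    days = POLICY[0][1]
    for threshold, tier_days in POLICY:
        if bits >= threshold:
            days = tier_days
    return days


def expiry_date(password, set_on_iso):
    """ISO date on which a password set on set_on_iso expires, or None."""
    days = lifetime_days(estimate_bits(password))
    if days is None:
        return None
    return (date.fromisoformat(set_on_iso) + timedelta(days=days)).isoformat()


if __name__ == "__main__":
    for pw in ("Cindy", "abc123", "a79xoibf", "Passw0rd!"):
        print("%-10s %6.1f bits -> expires %s"
              % (pw, estimate_bits(pw), expiry_date(pw, "2002-01-05")))
```

    The dictionary test is what keeps "Cindy" in the one-day tier even though it mixes upper and lower case: without it, five mixed-case letters would be credited with about 28.5 bits and graduate to the next tier.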
  120. Easy... by The+Creator · · Score: 1

    Choose pictures with numbered points in them...

    --

    FRA: STFU GTFO
  121. Drawing ascii art by Anonymous Coward · · Score: 0

    Just for fun, I have been working on an interface where the user draws a simple ASCII art picture to access certain functions of the program. For example, if the user wants to access email, he or she draws an envelope using text characters to read it. The same thing can be done with passwords. The only real drawback is that the user has to draw the pictures exactly as they are stored in the file.

  122. My solution... by wedg · · Score: 2

    I don't have to remember a lot of passwords, because I don't use a lot of passwords. How is this a solution? Well, for any and every account that doesn't matter (e.g. hotmail spam account, anything I sign up for) I use the same, stupid password. I don't care if someone hacks those accounts, all they'll get is all the fake information I entered when I signed up. Then I remember 5 complex passwords (8 chars or more, mixed caps, multiple non alpha chars) for the 5 things that are important.

    And those are easy to remember, because they're usually phrases, shortened: "There's no Sex in the Champagne Room!" gives me: "TnSitCR!" as a password. Easy to remember, hard to crack.

    --
    Jake
    Dating: while( 1 ){ call_girl(); get_rejected(); drink_40(); } return 0;