Using Images as Passwords
TekkenLaw writes "According to this news on Reuters, MS is looking at images rather than plain old text for enhancing security. The key - images, which tend to make more of an impression on people than strings of text characters. This is especially interesting in the context of the crappy passwords story that ran on Slashdot a few days back."
So when you call support to get your lost password, will they ask you what your mother's maiden hair color was?
Did they not run this same story a couple weeks ago?
"you sonofabitch i didn't know!"
Can you guess which points a typical person would click on that image of a face? That's right - Eye, eye, nostril, mouth.
People don't select lousy passwords ONLY because they are lazy. They also select them because they don't think there is a credible threat to their accounts. They don't BELIEVE in hackers who would target them.
Without an increase in paranoia among average people, I don't see how a user-selected secret will ever provide security.
The first article can be seen here
So now you have to remember the order in which you click on an image? Maybe that's easier for some people, but certainly not for me. I have one password that I've used for the past 15 years or so. It's 8 characters (9 if I need to mix numbers with it), and it appears completely random.
I've been using it for 15 years and nobody has ever hacked it. All you have to do is have one of these and remember it. Almost anyone can remember a single 8-10 digit password, if that's all they use. Just make one and stick with it. Maybe you'll need to change it every couple of years, but even so, once you have it down, it's pretty easy to remember.
Is it hack-proof? Of course not. Not even close, but for most applications where a password is needed, it's more than sufficient. I doubt anyone will take the time to try to hack my hotmail account when there are so many that can easily be dictionary attacked. I'll always be the last one someone tries to hack because it will take too long to hack mine, compared to most.
Just my personal opinion. Obviously for some things, you simply need real encryption, but for most online stuff, a single 8 character/digit password is fine.
Well, I had this idea quite a few years ago, but honestly, did you ever try to log in with someone watching? And it's much easier to watch the monitor than your keyboard. And at least I can type my twenty-something passwords reallllly fast and have some intentional typos in them, but - man - how can you click on pictures without someone seeing the pointer moving over the right pictures....
If programs would be read like poetry, most programmers would be Vogons.
Exactly...Simple??
...good luck)
The random number generation from the clicks would have to use a combination of both position and the colour of the pixel that the user clicked and then don't forget order.
If they used only the colour of the pixel that could potentially be more insecure than characters, as in their example they use countries' flags which generally have 3 or fewer colours. If people are going to have images they're going to use familiar images (favourite cartoon characters, g/f's etc) which will be in digital form and probably on that person's web site anyways. (then again I suppose there are some bragging rights from being able to say my is the image at the of my page
That doesn't even get into trying to remember the data, e.g. with 8 images:
[1] First click image 3 at position 238x34.
[2] then click image 7 at position 12x67.
[3] then click image 1 at position 134x164.
[4] then click image 6 at position 34x241.
I think most people would have trouble remembering one click's data. Let alone the fact that when they go to enter their 'password' they have to get the mouse on the exact position, meaning they are going to have to have coordinates on the screen so they can line up (unless their position is an obvious point (bright spot?) on the image (more vulnerability)), which takes time, and someone could look over your shoulder trying to hone in on your point. I mean if you had a few piccies of bikini clad chicks, would you consider these images less secure? (think about it)
Personally I prefer characters. I don't think it is such a stretch to remember one 8 character random string, but that's me....
my 2.5 cents...
Lotus Notes on the Mac (I've never seen or used the Windows version) has a little something kinda like this in its password dialog.
As you type in your password, small images in a 2 x 2 layout change according to what you've typed. Even though the password text is bulleted out, you eventually come to recognize the 'correct' four images and know when you've mistyped your password before hitting Enter. IMHO, this is the best feature of Notes, which otherwise sucks -- Lotus might not have been the first to use this idea, but it's the first place I've seen it.
And now I'd like to complain about the increasing retard-ification of our society. How can people be unable to choose a few non-obvious passwords (hell, just some random sequences of alphanumeric characters will do) and remember them with a mnemonic device? Why must we create an authentication system geared to the stupid so they can easily exist among us? Maybe they'd smarten up if they chose "password" as their password and had their checking account cleaned out for the third time as a result.
Of course, I should have seen this coming when McDonald's started using cash registers that had photos of the food on the keys and spit out the customers' change automatically, without the operator having to overtax his/her brain thinking about how a quarter, a dime, a nickel and three pennies have to combine forces to make 43 cents.
~Philly
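The Notes feature described above (icons that change with the typed text so the user recognizes the "right" picture before pressing Enter) is a keyed visual hash. The following Python is an added example, not code from the thread or from Lotus: the icon palette, the per-installation secret and the `feedback_icons` name are constructed for illustration. It also shows the defender's caveat: whatever an observer sees on screen is a small fingerprint of the password, and if the icons update on every keystroke, each prefix gets its own fingerprint.

```python
import hashlib
import hmac
import math

# Constructed palette of icon names standing in for the product's images.
ICON_PALETTE = ["anchor", "bell", "cat", "dog", "eagle", "fish", "globe", "hat",
                "ice", "jar", "key", "leaf", "moon", "nut", "owl", "pear"]

# Constructed per-installation secret. Keying the hash means an observer who
# knows only the palette cannot precompute which icons a guess would show.
INSTALL_SECRET = b"example-install-secret-do-not-reuse"


def feedback_icons(typed: str, n_icons: int = 4) -> list[str]:
    """Map the text typed so far to n_icons icons, deterministically.

    The same input always yields the same icons, so a user learns the picture
    that belongs to their real password and notices a typo before pressing Enter.
    """
    digest = hmac.new(INSTALL_SECRET, typed.encode("utf-8"), hashlib.sha256).digest()
    return [ICON_PALETTE[digest[i] % len(ICON_PALETTE)] for i in range(n_icons)]


def fingerprint_bits(n_icons: int = 4) -> float:
    """Information an observer learns from one displayed icon set.

    n_icons icons from a palette of P give n_icons * log2(P) bits. An attacker
    who saw the final icons can discard any candidate password whose icons differ,
    so this is also the amount by which the screen shrinks the search space.
    """
    return n_icons * math.log2(len(ICON_PALETTE))


def prefix_leak_bits(password: str, n_icons: int = 4) -> float:
    """Total bits shown if the icons refresh after every keystroke.

    Each prefix gets its own fingerprint, so an observer who captured the whole
    sequence of icon sets could check a guess one character at a time. The
    defensive choice is to refresh only on the full string (e.g. after a pause
    or on a 'show hint' click), not on every keystroke.
    """
    return len(password) * fingerprint_bits(n_icons)


if __name__ == "__main__":
    for attempt in ["correct horse", "correct hors", "correct horsf"]:
        print(f"{attempt!r:20} -> {feedback_icons(attempt)}")
    print(f"bits revealed by one icon set: {fingerprint_bits():.0f}")
    print(f"bits revealed per-keystroke for a 13-char password: "
          f"{prefix_leak_bits('correct horse'):.0f}")
```

With a 16-icon palette and four icons, one displayed set reveals 16 bits of the password to anyone who sees the screen; refreshing on every keystroke multiplies that by the password length. Used as the thread describes (a typo detector), the feature is useful, but the indicator should be derived from the whole entered string and shown only when the user asks for it.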
Not surprising that MS would come up with this knowing their track record with security...
Consider anyone standing behind you while you select the appropriate login. They are bound to see the images you are selecting as your login much more clearly than the key combination you would have typed.
-- bartman
Seems like you'd have to be really careful not to exclude the color blind. And the actually blind. Or just those with bad vision, or really poor visual memories.
You said, and I quote: "There's a damn good reasons why you're told not to reuse passwords." Show me why? 15 years and it's never been hacked. I'd say that's a damn good track record for a single password. I don't see a damn good reason to change it. Until it gets hacked, I probably won't.
I'm going to actually give you a real life example to help you understand why this is important.
Some time last year (you may remember if you've been around /. that long) someone cracked /.'s backup server where they got full access to the database including Rob's password. So they got everyone's password.
Now if you use that same password for /. then they got your password for everything. They didn't crack or guess your password; instead they cracked something completely different and your password happened to be stored there.
So imagine if you use that password for your online banking, e-mail, work account etc. It's pretty serious.
The point is that it doesn't matter how secure or insecure your password is. You just don't use the same password for everything, plain and simple.
The same could happen with hotmail. Your work's network etc.
--
Garett
Reading through this thread, there are lots of valid issues brought up. I would agree that this concept alone would either be just as difficult as passwords (assuming the resolution of where you clicked was tight) or just as insecure as a bad password (assuming fairly forgiving resolution).
BUT, a simple pictorial password combined with a simple alphanumeric password could be very secure as well as easy to use. Far greater than the sum of either used individually.
I used to work at a large bank which employed this kind of multi-level security. A mag card got you into offices, a mag card plus a numeric keypad got you into medium security areas (teller lines, etc.). The higher security the area, the more techniques were added (retina scan, knowing your mother's maiden name, manager's name or department name, etc.). Basically, each aspect is individually attackable (stealing the mag-card, dictionary attacks, shoulder-surfing, password sniffing, etc.), but you have to know all of them to get access. Each obstacle in the way added a large measure of unpredictability and hence security.
I could even see this being used in a "telnet" (ahem, ssh) like scenario where a traditional userid and password are the first level, then some quiz (arranging shapes or colors in a specific sequence for example) is the second level. Each would be easy to remember; combined it would be very difficult to guess both (or several).
Basically, I think there is a great amount of promise in this kind of research. Yeah, you can shoot down each method as flawed, but combine a few of the methods and you can get some very powerful and easy to use security.
The only athletic sport I ever mastered was backgammon - Douglas William Jerrold
First of all, that one was different (this requires you to click in very particular places in the pictures, not just on the right pictures), and secondly most of the comments on that were "This is stupid" and all the downsides. This idea has even more downsides than that.
Visit me on #weirdness on the Galaxynet.
I work with adaptive equipment where I work. It has become increasingly frustrating over the last few years. 1) Several prominent habits when designing web pages (lack of ALT tags for images, a lack of non-Flash options on popular web sites, and visual enhancements that are lost on people who can't see them) keep many people with visual disabilities from finding what they need or want on the Internet. 2) Many in the school I work in are taught to not use the mouse and use keyboard shortcuts. Technically, there are mouse emulation procedures using the numpad, but they are not loaded until after Windows loads completely. This is especially true for a terminal that is shared by sighted and non-sighted users. 3) I have found that most of the users that I teach and support are not willing to relearn to use their computer every few years. Many of them are still on Windows 98 because many pieces of their adaptive equipment/software are not available for Windows XP yet. Even trying to run them in emulation mode doesn't guarantee much success. With these in mind, the picture might be viable, but only as an alternative for people who cannot grasp the importance of good passwords. Yes, many of the visual passwords will be fairly simple to solve. Yes, it will be harder to administer visual passwords. Yes, many people will find the idea too complicated when it is supposed to simplify logins and make them more visually appealing. Personally, I would want to keep using long alphanumeric passwords. But then there are people like where I work that want things as simple as possible.
This
And now I'd like to complain about the increasing retard-ification of our society. How can people be unable to choose a few non-obvious passwords (hell, just some random sequences of alphanumeric characters will do) and remember them with a mnemonic device?
I assume you're referring to my secretary, who seems to believe that the little light at the top of the keyboard (the one with the words "CAPS LOCK" next to it) is the power light for the keyboard. The one who didn't understand why I wouldn't give her an Administrator account, since her job includes administering some of our (expense) accounts. (She pouted for two days over that one.) The one who refuses to log out of her machine at night, because she likes coming in to work and having her computer ready for her? (Note, that point applies to many of my co-workers.) The one who made me turn off the 30-day password cycling, because she didn't want to remember "all those passwords."
The real problem here is that these people don't see the need for security. They think of computers as fancy toys, and maybe something to write letters. "Big deal--you don't need security for that. I don't care if somebody reads my letter to my brother, or plays my games." While that may be fine at home, I'd really rather people not get into our financial accounts, or our grade records (I work at a university). "Well, who would want to?" Well, for starters, any student who has a grade on that system. Anybody who'd like a little extra cash, from our pockets.
The real problem isn't that they can't use a decent password, it's that they don't want to, because they don't see the threat. Until this changes, nothing will change.
"Make it ten--I am only a poor corrupt official."
--Captain Louis Renault (Claude Rains), Casablanca
So long as there is money to be made in selling technology, people will continue to sell technological solutions to social problems.
... of course, there is no technological solution to a social problem. This is the fallacy in anti-piracy, censorship, political correctness, etc.
Any sufficiently advanced civilization is indistinguishable from Gods.
This sounds like yet another attempt to make things "easier", with no understanding or attention to the security ramifications.
Passlogix has a similar password scheme. You click on a number of objects to create a password.
Sounds good, but it turns out to be very bad.
It turns out that the number of objects used on the screen made for fewer combinations than you would have if each represented a letter of the alphabet. (About 28 combinations per "drag".)
It gets worse. Due to the way the interface works, it becomes prohibitive to make large passwords. (A keyboard is much faster.) The interface Passlogix used was drag and drop. Icons are not going to be much better. (You only have so much screen area to work with.)
Passlogix did one even better though... They made the order of the password not matter. (So "AAB" and "ABA" and "BAA" were equivalent.) For small passwords, it removes a fair chunk of the combinations. For large passwords, it removes almost all of it. (95% at 5 characters and it gets worse from there.) I expect similar things from Microsoft if they actually do this.
I have suspected that Microsoft considers most of their users to be illiterate. It frightens me when I see evidence that my worst fears are confirmed.
"Trademarks are the heraldry of the new feudalism."
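The two quantitative points raised in this thread, the 28-object, order-insensitive scheme in the post above and the click-coordinate scheme with a tolerance radius discussed earlier (the "[1] click image 3 at position 238x34" post and the "tight resolution vs forgiving resolution" post), come down to counting password spaces. The following Python is an added example, not code from any poster, from Passlogix or from Microsoft; the image sizes, tolerances and object counts fed to it are constructed inputs, and the 28 objects per drag is the figure the post gives.

```python
import math
from itertools import combinations_with_replacement


def text_space(alphabet_size: int, length: int) -> int:
    """Ordered strings of `length` symbols from an alphabet: alphabet^length."""
    return alphabet_size ** length


def ordered_object_space(objects: int, length: int) -> int:
    """Clicking/dragging `length` objects where order matters: objects^length."""
    return objects ** length


def unordered_object_space(objects: int, length: int) -> int:
    """Same scheme when order is ignored ("AAB" == "ABA" == "BAA").

    Each password is then a multiset of `length` picks from `objects` kinds,
    and the number of multisets is C(objects + length - 1, length).
    """
    return math.comb(objects + length - 1, length)


def order_reduction(objects: int, length: int) -> float:
    """Fraction of the ordered space thrown away by ignoring order."""
    return 1.0 - unordered_object_space(objects, length) / ordered_object_space(objects, length)


def click_point_space(images: int, width: int, height: int,
                      tolerance: int, clicks: int) -> int:
    """Click-coordinate scheme: `clicks` ordered clicks on any of `images`.

    A click only has to land within a tolerance box, so each image is really a
    grid of (width // tolerance) x (height // tolerance) distinguishable cells.
    This is an upper bound: it assumes every cell is equally likely, whereas real
    users cluster on eyes, nostrils and other obvious hotspots.
    """
    cells_per_image = (width // tolerance) * (height // tolerance)
    return (images * cells_per_image) ** clicks


def bits(space: int) -> float:
    """Password space expressed as bits of entropy (uniform choice assumed)."""
    return math.log2(space)


def equivalent_text_length(space: int, alphabet_size: int = 62) -> int:
    """Shortest alphanumeric password with at least this many possibilities."""
    return math.ceil(math.log(space) / math.log(alphabet_size))


def multiset_formula_checks_out(objects: int, length: int) -> bool:
    """Brute-force confirmation of C(n+k-1, k) for small inputs."""
    enumerated = sum(1 for _ in combinations_with_replacement(range(objects), length))
    return enumerated == unordered_object_space(objects, length)


if __name__ == "__main__":
    # The post's figure: about 28 choices per drag, order ignored.
    for length in (3, 5, 8):
        print(f"28 objects, {length} drags: ordered={bits(ordered_object_space(28, length)):.1f} bits, "
              f"unordered={bits(unordered_object_space(28, length)):.1f} bits, "
              f"lost to order-insensitivity={order_reduction(28, length):.1%}")

    # Constructed click scheme: 8 images of 256x256, 16-pixel tolerance, 4 clicks.
    tight = click_point_space(8, 256, 256, 16, 4)
    loose = click_point_space(8, 256, 256, 64, 4)
    print(f"tight tolerance: {bits(tight):.0f} bits "
          f"(~{equivalent_text_length(tight)} alphanumeric chars)")
    print(f"loose tolerance: {bits(loose):.0f} bits "
          f"(~{equivalent_text_length(loose)} alphanumeric chars)")
    print(f"8 alphanumeric chars: {bits(text_space(62, 8)):.1f} bits")
```

Run as written, the script shows why the thread's intuition holds: with 28 objects, ignoring order discards more than 98% of a five-drag space, a 16-pixel tolerance on four clicks across eight 256x256 images gives about 44 bits (roughly what eight alphanumeric characters give), and loosening the tolerance to 64 pixels drops that to about 36 bits before hotspot clustering is even considered. The number the post quotes (95% at 5 characters) is the poster's figure for Passlogix's product; the function above computes the general formula, so it may differ from whatever object count that product actually used.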