Using Images as Passwords
TekkenLaw writes "According to this news on Reuters, MS is looking at images rather than plain old text for enhancing security. The key - images, which tend to make more of an impression on people than strings of text characters. This is especially interesting in context of the crappy passwords story that ran on Slashdot that ran few days back."
So when you call support to get your lost password, will they ask you what your mother's maiden hair color was?
A friend of mine has a cool USB device that reads his thumb print, and he uses that to unlock his Windoze box.
"I would say that 99 per cent of what my father has written about his own life is false." - L. Ron Hubbard Jr.
AfterDark for Mac OS used to have a feature like this; you could select an image, and you would have to click on a certain part of it, optionally holding down a control-key combo, to unlock the screen saver, rather than type a password.
From the news story: "Even with such a system, people would still be susceptible to "shoulder surfing," in which someone watches a computer user type in their password."
Users would have to be fools to "click" their password unless they are positively alone in the room. The current standard at least has masked text on screen, and the order of keys on the keyboard is VERY difficult to track even when the user is moderately good at typing.
Let's not forget that in the case of the new photo passwords, with 50% of users you would only have to know the "Lenny Bruce sequence" in their Playboy passphotos: T'n'A
~zecg.
This is kind of interesting. A couple of things spring immediately to mind.
First, presentation of the image will (may) vary in different situations. The visual presentation of a password is pretty irrelevant: as long as you can understand and input the right symbols, the font, colour, size, etc. in which they are presented isn't relevant. On the other hand, an image must look substantially like the crib image. Sounds obvious, but consider differences in resolution, colour depth, etc. You can divide the image into regions (a grid, perhaps), but ultimately there will be a limit to the resolution of the grid that you can rely on (not to mention input errors limiting the viable grid resolution). To get more possible regions, you'd need a plain bigger image to get around the input resolution issue. All of which complicates the implementation (of course, you could break each image down semantically somehow, but that sounds like a further adventure altogether).
And, after all that, people may turn out to have pattern preferences that are "as crappy" as poorly chosen passwords? Always use a photo of your daughter and click on both eyes and outline her cute smile? Oops. Use your country flag and click where regions of colour meet?
If an image is 1280x1024 and is sensitive to a 10x10 pixel area, that gives the user a grid of 128x102 to click in. A total of 13,056 clickable squares. If the user's password was 5 clicks long, that would give them 379,359,275,350,832,971,776 possible passwords. Is my math correct?
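The keyspace arithmetic in the post above, and the earlier point that users may cluster on a few "obvious" spots, can both be checked with a few lines. This is an added example, not code from the article or from any of the posters; the image size, cell size, click count, the 95-symbol printable-ASCII alphabet and the "20 salient hotspots" figure are assumptions chosen for illustration.

```python
import math


def click_password_space(width, height, cell, clicks):
    """Count distinct click sequences when each click snaps to a cell x cell
    pixel square on a width x height image (the model used in the post)."""
    cols, rows = width // cell, height // cell
    return (cols * rows) ** clicks


def entropy_bits(space):
    """Size of a keyspace expressed as bits, for comparison across schemes."""
    return math.log2(space)


def equivalent_text_length(space, alphabet):
    """Shortest text password over `alphabet` symbols with at least as many
    combinations as `space` (an alphabet of 95 = printable ASCII)."""
    return math.ceil(math.log(space) / math.log(alphabet))


def effective_space(hotspots, clicks):
    """Keyspace if users only ever pick from a handful of salient points
    (eyes, corners, colour boundaries) rather than the whole grid."""
    return hotspots ** clicks


def compare(width=1280, height=1024, cell=10, clicks=5, alphabet=95, hotspots=20):
    """Return the nominal and the 'realistic' keyspace side by side."""
    nominal = click_password_space(width, height, cell, clicks)
    realistic = effective_space(hotspots, clicks)  # assumed 20 hotspots
    return {
        "nominal": nominal,
        "nominal_bits": round(entropy_bits(nominal), 1),
        "nominal_text_len": equivalent_text_length(nominal, alphabet),
        "realistic": realistic,
        "realistic_bits": round(entropy_bits(realistic), 1),
        "realistic_text_len": equivalent_text_length(realistic, alphabet),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>20}: {value}")
```

The nominal figure reproduces the poster's 379,359,275,350,832,971,776 (about 68 bits, roughly an 11-character random printable-ASCII password). Narrowing the choice to 20 salient points per image collapses that to 3,200,000 sequences (under 22 bits), which is the "as crappy as poorly chosen passwords" concern in concrete terms.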
Detecting acceleration of the mouse is not an issue when the amount of movement is encoded in the sequence. Also, the initial position of the mouse is fixed upon boot.
It's easy to scan and parse where the user is going to be. After all, this is done in software anyway! It makes no difference if it is done on the host computer or a remote spying box.
byte:  contents (bit 6 .. bit 0):
  0    1  L  R  Y7 Y6 X7 X6
  1    0  X5 X4 X3 X2 X1 X0
  2    0  Y5 Y4 Y3 Y2 Y1 Y0
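The three-byte layout in the post above is the classic Microsoft serial mouse packet: one sync byte carrying the buttons and the top two bits of each delta, then six low bits of X and six of Y. Decoding it, as this added example does (not code from any poster; the packet stream, the fixed start position and the 1280x1024 screen are constructed for the demo), shows why relative pointer data on an unprotected link is as sensitive as a keystroke stream: with a known starting point, integrating the deltas gives absolute click coordinates, and the grid tolerance of a click-password only makes that reconstruction more forgiving.

```python
SYNC = 0x40  # bit 6 set marks the first byte of a packet


def encode_packet(dx, dy, left=False, right=False):
    """Build one 3-byte packet from a relative move and the button state.
    Used here only to construct sample input for the decoder."""
    assert -128 <= dx <= 127 and -128 <= dy <= 127
    x, y = dx & 0xFF, dy & 0xFF
    b0 = SYNC | (left << 5) | (right << 4) | ((y >> 6) << 2) | (x >> 6)
    return bytes([b0, x & 0x3F, y & 0x3F])


def decode_clicks(data, start=(0, 0), screen=(1280, 1024)):
    """Walk a byte stream, resynchronise on the sync bit, integrate the
    deltas into an absolute position (clamped like a real cursor) and
    return the (x, y) position of every left-button press."""
    x, y = start
    clicks, left_was_down, i = [], False, 0
    while i + 2 < len(data):
        b0 = data[i]
        if not b0 & SYNC:              # not a header byte: slide forward
            i += 1
            continue
        b1, b2 = data[i + 1], data[i + 2]
        if (b1 | b2) & SYNC:           # data bytes never carry the sync bit
            i += 1
            continue
        dx = ((b0 & 0x03) << 6) | (b1 & 0x3F)
        dy = ((b0 & 0x0C) << 4) | (b2 & 0x3F)
        dx = dx - 256 if dx > 127 else dx   # two's complement, 8 bits
        dy = dy - 256 if dy > 127 else dy
        x = min(max(x + dx, 0), screen[0] - 1)
        y = min(max(y + dy, 0), screen[1] - 1)
        left_down = bool(b0 & 0x20)
        if left_down and not left_was_down:
            clicks.append((x, y))
        left_was_down = left_down
        i += 3
    return clicks


def grid_cells(clicks, cell=10):
    """Map absolute click positions onto the cell grid a click-password
    would snap to, so the decoded sequence matches the stored one."""
    return [(x // cell, y // cell) for x, y in clicks]


# Constructed sample: move, click, release, move, click, release, with a
# stray non-sync byte in front to exercise the resynchronisation path.
SAMPLE = (bytes([0x12])
          + encode_packet(100, 50)
          + encode_packet(0, 0, left=True) + encode_packet(0, 0)
          + encode_packet(-30, 10)
          + encode_packet(0, 0, left=True) + encode_packet(0, 0))

if __name__ == "__main__":
    positions = decode_clicks(SAMPLE)
    print("clicks:", positions)               # [(100, 50), (70, 60)]
    print("grid cells:", grid_cells(positions))  # [(10, 5), (7, 6)]
```

Positive Y is downward in this protocol, which is why the second click lands at (70, 60). The clamping to the screen edge mirrors what the host's cursor does, which is the detail that makes a "fixed position on boot" assumption hold even after the user has pushed the mouse past the border.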
If I've used it for 15 years without it ever being compromised
How do you know it has not been compromised? They could be holding on to it waiting for a good time to use it. They could be logging in, copying files, but not destroying anything that you would notice.
Why is it that everyone assumes they KNOW when they have been hacked? I happen to know my boss's server password and he has no idea that I know it and he does not change it. If I so desired I can read his mail at will, read my co-workers' reviews, etc. I don't, but I can. What makes you so sure that you have not been compromised and someone isn't surreptitiously using it?
A while back I discovered one of our servers had been hacked (we discovered a root kit had been installed). We never figured out exactly how long it had been there. Could have been as long as a year, and who knows how much vital data could have been taken over that period while we were blissfully ignorant. Bottom line, don't be so ignorant, a good cracker is not likely to be noticed! You may very well have been watched for years.
The only athletic sport I ever mastered was backgammon - Douglas William Jerrold
This feature serves another good purpose. If someone was to fake the Notes login dialog to snatch your password, it would be nearly impossible to correctly imitate those images, because the sequence in which they appear is generated using a crypto-strength algorithm.