Slashdot Mirror
Using Images as Passwords
TekkenLaw writes "According to this news on Reuters, MS is looking at images rather than plain old text for enhancing security. The key - images, which tend to make more of an impression on people than strings of text characters. This is especially interesting in context of the crappy passwords story that ran on Slashdot that ran few days back."
So when you call support to get your lost password, will they ask you what
your mothers maiden hair color was?
a friend of mine has a cool USB device that reads his thumb print, and he uses that to unlock his Windoze box.
"I would say that 99 per cent of what my father has written about his own life is false." - L. Ron Hubbard Jr.
AfterDark for Mac OS used to have a feature like this; you could select an image, and you would have to click on a certain part of it, optionally holding down a control-key combo, to unlock the screen saver, rather than type a password.
Can you guess which points a typical person would click on that image of a face? That's right - Eye, eye, nostril, mouth.
People don't select lousy passwords ONLY because they are lazy. They also select them because they don't think there is a credible threat to their accounts. They don't BELIEVE in hackers who would target them.
Without an increase in paranoia among average people, I don't see how a user-selected secret will ever provide security.
Welcome to Microsoft Windows .NET 2005
In order to log in, please choose the One who you will truly worship, for He is the Supreme leader.
[ LINUS TORVALDS ] [ BILL GATES ] [ ROB MALDA ] [ LARRY WALL ]
Note: According to the EULA you agreed to unknowingly, choosing the wrong password could result in death and/or excommunication.
qslack.com
"Thank you for participating in the required MS Passport sign-up verification to get your latest reinstall of XP2005 to work. We're sorry, but the image of a closed fist lifting the middle finger has already been taken. Others you may want to consider: You lifting your middle finger while wearing gloves; you lifting your middle finger while wearing a Cracker Jack ring..."
--------
Bleah! Heh heh heh... BLEAH BLEAH!!! Ha ha ha ha...
From the news story: "Even with such a system, people would still be susceptible to "shoulder surfing," in which someone watches a computer user type in their password."
Users would have to be fools to "click" their password unless they are positively alone in the room. The current standard at least has masked text on screen, and the order of keys on the keyboard is VERY difficult to track even when the user is moderately good at typing.
Let's not forget that in the case of the new photo passwords, with 50% of users you would only have to know the "Lenny Bruce sequence" in their Playboy passphotos: T'n'A
~zecg.
yeah, here is the link http://slashdot.org/article.pl?sid=01/12/28/134821 7
Next up will be the "Tapping System" where folks will rap out "Haircut & A Shave" on their desk to log in.
What other quirks of human nature will next be put to use trying to identify folks? The "Mictation Flex Rate"? The "Eyebrow Lift/Tongue Roll"? How about the "Tell the Same Stupid Joke" one; I've had co-workers who've been able to do those hundreds of times over & over without a single variation.
Or just teach folks how to use good paswords, put in some really good acceptance tests, and make it clear that if security is compromised by their poor password choice they'll be held responsable, same as leaving the door to the safe open.
Nahhh, there's gotta be a technolgy fix...
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
This is kindof interesting. A couple of things spring immediately to mind.
First, presentation of the image will (may) vary in different situations. The visual presentation of a password is pretty irrelevant: as long as you can understand and input the right symbols the font, colour size etc. in which they are presented isn't relevant. On the other hand an image must look substantially like the crib image. Sounds obvious, but consider differences in resolution, colour depth etc. You can divide the image into regions (a grid, perhaps) but ultimately there will be a limit to the resolution of the grid that you can rely on (not to mention input errors limiting the viable grid resolution.) To get more possible regions, you'd need a plain bigger image to get around the input resolution issue. All of which complicates the implementation (of course, you could break each image down semantically somehow, but that sounds like a further adventure altogether.)
And, after all that, prople may turn out to have pattern preferences that are "as crappy" as poorly chosen passwords? Always use a photo of your daughter and click on both eyes and outline her cute smile? Ooops. Use your country flag and click where regions of colour meet?
a keyboard. It would be easy to remember where to click, because I could remember it as a string of alphanumeric characters. I think this technology has promise.
Evil is the money of root.
And how are blind people going to log in?
This must be president Bush's idea.
-- Another senseless waste of fine bytes.
If an image is 1280x1024 and is sensative to a 10x10 pixel area, that gives the user a grid of 128x102 to click in. A total of 13,056 clickable squares. If the user's password was 5 clicks long, that would give them 379,359,275,350,832,971,776 possible passwords. Is my math correct?
I'll use that guy from goat.cx... That'll keep people out of my computer
Yea, and the funny part is that in that article, the majority of the posts were praising the technology. Now that it's about Microsoft, eveyone is quick to critisize it. Gotta love the bias here.
Well, I've got this idea quite a few years ago, but honestly, did you ever try to login with someone watching? And its much easier to watch the monitor than your keyboard. And at least I can type my twenty something passwords reallllly fast and have some intentional typos in them, but - man - how can you click on pictures without someone seeing the pointer moving over the right pictures....
If programs would be read like poetry, most programmers would be Vogons.
Blind people continue to use the keyboard. You can have alternatives in life, you know.
Lotus Note on the Mac (I've never seen or used the Windows version) has a little something kinda like this in their password dialog.
As you type in your password, small images in a 2 x 2 layout change according to what you've typed. Even though the password text is bulleted out, you eventually come to recognize the 'correct' four images and know when you've misyped your password before hitting Enter. IMHO, this is the best feature of Notes, which otherwise sucks-- Lotus might not have been the first to use this idea, but it's the first place I've seen it.
And now I'd like to complain about the increasing retard-ification of our society. How can people be unable to choose a few non-obvious passwords (hell, just some random sequences of alphanumeric characters will do) and remember them with a mnemonic device? Why must we create an authentication system geared to the stupid so they can easily exist among us? Maybe they'd smarten up if they chose "password" as their password and had their checking account cleaned out for the third time as a result.
Of course, I should have seen this coming when McDonald's started using cash registers that had photos of the food on the keys and spit out the customers' change automatically, without the operator having to overtax his/her brain thinking about how a quarter, a dime, a nickel and three pennies have to combine forces to make 43 cents.
~Philly
Not surprising that MS would come up with this knowing their track record with security...
Consider anyone standing behing you while you select the appropriate login. They are bound to see the images you are selecting as your login much more clearly then the key combination you would have typed.
-- bartman
You said, and I quote: "There's a damn good reasons why you're told not to reuse passwords." Show me why? 15 years and it's never been hacked. I'd say that's a damn good track record for a single password. I don't see a damn good reason to change it. Until it gets hacked, I probably won't.
/. that long) someone cracked /.'s backup server where they got full access to the database including Rob's password. So they got everyone's password.
/. then they got your password for everything. They didn't crack or guess your password instead they cracked something completely different and your password happened to be stored there.
I'm going to actually give you a real life example to help you understand why this is important.
Some time last year (you may remember if you've been around
Now if you use that same password for
So imagine if you use that password for your online banking, e-mail, work account etc. It's pretty serious.
The point is that it doesn't matter how secure or insecure your password is. You just don't use the same password for everything plain and simple.
The same could happen with hotmail. Your work's network etc.
--
Garett
15 years and it's never been hacked. I'd say that's a damn good track record for a single password. I don't see a damn good reason to change it. Until it gets hacked, I probably won't.
:)
I have a tradition. I play russian roulette every year on my birthday. 15 years and I've never lost. I'd say that's a pretty damn good track record for a game. I don't see a damn good reason to change it. Until I lose, I probably won't.
hehe, this post was fun to write up
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Reading through this thread, there are lots of valid issues brought up. I would agree that this concept alone would either be just as difficult as passwords (assuming the resolution of where you clicked was tight) or just as insecure as a bad password (assuming fairly forgiving resolution).
BUT, a simple pictorial password combined with a simple alphanumberic password could be very secure as well as easy to use. Far greater than the sum of either used individually.
I used to work at a large bank which employed this kind of multi-level security. A mag card got you into offices, a mag card plus a numeric keypad got you into medium security areas (teller lines, etc.). The higher security the area, the more techniques were added (retina scan, knowing your mother's maiden name, manager's name or department name, etc.). Basically, each aspect is individually attackable (stealing the mag-card, dictionary attacks, shoulder-surfing, password sniffing, etc.), but you have to know all of them to get access. Each obstacle in the way added a large measure of unpredictability and hence security.
I could even see this being used in a "telnet" (ehem, ssh) like scenario where a traditional userid and password are the first level, then some quiz (arranging shapes or colors in a specific sequence for example) is the second level. Each would be easy to remember, combined it would be very difficult to guess both (or several).
Basically, I think there is a great amount of promise in this kind of research. Yeah, you can shoot down each method as flawed, but combine a few of the methods and you can get some very powerful and easy to use security.
The only athletic sport I ever mastered was backgammon - Douglas William Jerrold
Detecting acceleration of the mouse is not an issue when the amount of movement is encoded in the sequence. Also, the initial position of the mouse is fixed upon boot.
Its easy to scan and parse where the user is going to be. After all, this is done in software anyway! It makes no difference if it is done on the host computer or a remote spying box.
byte: contents:
0 1 L R Y7 Y6 X7 X6
1 0 X5 X4 X3 X2 X1 X0
2 0 Y5 Y4 Y3 Y2 Y1 Y0
If I've used it for 15 years without it every being compromised
How do you know it has not been compromised? They could be holding on to it waiting for a good time to use it. They could be logging in, copying files, but not destroying anything that you would notice.
Why is it that everyone assumes they KNOW when they have been hacked. I happen to know my boss's server password and he has no idea that I know it and he does not change it. If I so desired I can read his mail at will, read my co-workers reviews, etc. I don't, but I can. what makes you so sure that you have not been compromised and someone isn't surreptitiously using it?
A while back I discovered one of our server's had been hacked (we discovered a root kit had been installed). We never figured out exactly how long it had been there. Could have been as long as a year, and who knows how much vital data could have been taken over that period while we were blissfully ignorant. Bottom line, don't be so ignorant, a good cracker is not likely to be noticed! You may very well have been watched for years.
The only athletic sport I ever mastered was backgammon - Douglas William Jerrold
In keeping with Microsoft's tradition of rarely doing its own innovation...
l #DEJAVU
Many years ago somebody was selling Automatic Teller Machines that used this approach instead of numeric PINs. I wish I had a reference but this was way pre-Web (1970s).
Also, this was discussed at Usenix 2000 and CrypTec 99 - see:
http://paris.cs.berkeley.edu/~perrig/projects.htm
and on Slashdot on Dec 28, 2001
The only good weather is bad weather.
skuzzywhores.com now has downloadable pass-pictures of your favorite screen sluts, from Anal Ashley to Luscious Lydia! Why not have some fun with your security? Download 'em now!
Read the EFF's Fair Use FAQ
First of all, that one was different (this requires you to click in very particular places in the pictures, not just on the right pictures), and secondly most of the comments on that were "This is stupid" and all the downsides. This idea has even more downsides than that.
Visit me on #weirdness on the Galaxynet.
And now I'd like to complain about the increasing retard-ification of our society. How can people be unable to choose a few non-obvious passwords (hell, just some random sequences of alphanumeric characters will do) and remember them with a mnemonic device?
I assume you're referring to my secretary, who seems to believe that the little light at the top of the keyboard (the one with the words "CAPS LOCK" next to it) is the power light for the keyboard. The one who didn't understand why I wouldn't give her an Administrator account, since her job includes administering some of our (expense) accounts. (She pouted for two days over that one.) The one who refuses to log out of her machine at night, because she likes coming in to work and having her computer ready for her? (Note, that point applies to many of my co-workers.) The one who made me turn off the 30-day password cycling, because she didn't want to remember "all those passwords."
The real problem here is that these people don't see the need for security. They think of computers as fancy toys, and maybe something to write letters. "Big deal--you don't need security for that. I don't care if somebody reads my letter to my brother, or plays my games." While that may be fine at home, I'd really rather people not get into our financial accounts, or our grade records (I work at a university). "Well, who would want to?" Well, for starters, any student who has a grade on that system. Anybody who'd like a little extra cash, from our pockets.
The real problem isn't that they can't use a decent password, it's that they don't want to, because they don't see the threat. Until this changes, nothing will change.
"Make it ten--I am only a poor corrupt official."
--Captain Louis Renault (Claude Rains), Casablanca
This sounds like yet another attempt to make things "easier", with no understanding or attention to the security ramifications.
Paralogix has a similar password scheme. You click on a number of objects to create a password.
Sounds good, but it turns out to be very bad.
It turns out that the number of objects used on the screen made for less combinations than you would have if it represented a letter of the alphabet. (About 28 combinations per "drag".)
It gets worse. Due to the way the interface works, it becomes prohibitive to make large passwords. (A keyboard is much faster.) The interface passlogix used was drop and drag. Icons are not going to be much better. (You only have so much screen area to work with.)
Passlogix did one even better though... They made the order of the password not matter. (So "AAB" and "ABA" and "BAA" were equivelent.) For small passwords, it removes a fair chunk of the combinations. For large passwords, it removes almost all of it. (95% at 5 characters and it gets worse from there.) I expect similar things from Microsoft if they actually do this.
I have suspected that Microsoft considers most of their users to be illiterate. It frightens me when I see evidence that my worst fears are confirmed.
"Trademarks are the heraldry of the new feudalism."