Slashdot Mirror


Using Images as Passwords

TekkenLaw writes "According to this news on Reuters, MS is looking at images rather than plain old text for enhancing security. The key - images, which tend to make more of an impression on people than strings of text characters. This is especially interesting in context of the crappy passwords story that ran on Slashdot a few days back." So when you call support to get your lost password, will they ask you what your mother's maiden hair color was?

18 of 268 comments

  1. thumb by zephc · · Score: 4, Interesting

    A friend of mine has a cool USB device that reads his thumb print, and he uses that to unlock his Windoze box.

    --
    "I would say that 99 per cent of what my father has written about his own life is false." - L. Ron Hubbard Jr.
    1. Re:thumb by Phosphor3k · · Score: 5, Funny

      It will be pretty cool when I cut off his thumb to get into his box. Or cheese grate his thumbs so he can't get in.

  2. Eyes, nose, mouth by Anonymous Coward · · Score: 5, Insightful

    Can you guess which points a typical person would click on that image of a face? That's right - Eye, eye, nostril, mouth.

    People don't select lousy passwords ONLY because they are lazy. They also select them because they don't think there is a credible threat to their accounts. They don't BELIEVE in hackers who would target them.

    Without an increase in paranoia among average people, I don't see how a user-selected secret will ever provide security.

    1. Re:Eyes, nose, mouth by andyh1978 · · Score: 5, Funny
      Can you guess which points a typical person would click on that image of a face? That's right - Eye, eye, nostril, mouth.
      user@server:~$ passwd
      Changing password for user
      Old password:
      click click click
      New password: click click click
      Bad password, too simple. Try again.
      Password must be at least 5 pictures long, and include one body part, one mammal and one reptile.
      New password:
  3. Something like this: by qslack · · Score: 5, Funny

    Welcome to Microsoft Windows .NET 2005

    In order to log in, please choose the One who you will truly worship, for He is the Supreme leader.

    [ LINUS TORVALDS ] [ BILL GATES ] [ ROB MALDA ] [ LARRY WALL ]

    Note: According to the EULA you agreed to unknowingly, choosing the wrong password could result in death and/or excommunication.

  4. Dumbed-down by zecg · · Score: 4, Interesting

    From the news story: "Even with such a system, people would still be susceptible to "shoulder surfing," in which someone watches a computer user type in their password."

    Users would have to be fools to "click" their password unless they are positively alone in the room. The current standard at least has masked text on screen, and the order of keys on the keyboard is VERY difficult to track even when the user is moderately good at typing.

    Let's not forget that in the case of the new photo passwords, with 50% of users you would only have to know the "Lenny Bruce sequence" in their Playboy passphotos: T'n'A

    ~zecg.

    --
    .i lu doi ringos.star. xu do puku'aroroi dunli dopecaku leni virnu li'u
  5. Re:um by asavage · · Score: 4, Informative
    did they not run this same story a couple weeks ago?

    yeah, here is the link http://slashdot.org/article.pl?sid=01/12/28/1348217

  6. The Hard Way by maggard · · Score: 5, Funny
    Great, legions of office workers poking their boss's eyes out to log in every morning, doubtlessly from left to right.

    Next up will be the "Tapping System" where folks will rap out "Haircut & A Shave" on their desk to log in.

    What other quirks of human nature will next be put to use trying to identify folks? The "Mictation Flex Rate"? The "Eyebrow Lift/Tongue Roll"? How about the "Tell the Same Stupid Joke" one; I've had co-workers who've been able to do those hundreds of times over & over without a single variation.

    Or just teach folks how to use good passwords, put in some really good acceptance tests, and make it clear that if security is compromised by their poor password choice they'll be held responsible, same as leaving the door to the safe open.

    Nahhh, there's gotta be a technology fix...

    --
    I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.
  7. I would choose a picture of by Scratch-O-Matic · · Score: 5, Funny

    a keyboard. It would be easy to remember where to click, because I could remember it as a string of alphanumeric characters. I think this technology has promise.

    --
    Evil is the money of root.
  8. Re:What if the image is stolen? by blang · · Score: 4, Funny

    And how are blind people going to log in?

    This must be president Bush's idea.

    --
    -- Another senseless waste of fine bytes.
  9. Check me by blixel · · Score: 4, Interesting

    If an image is 1280x1024 and is sensitive to a 10x10 pixel area, that gives the user a grid of 128x102 to click in. A total of 13,056 clickable squares. If the user's password was 5 clicks long, that would give them 379,359,275,350,832,971,776 possible passwords. Is my math correct?
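
The keyspace arithmetic from the "Check me" comment, worked through as an added example that is not part of any comment in the thread. It compares the uniform-choice figure with what remains if users only click a handful of salient points, as the "Eyes, nose, mouth" comment predicts; the function names, the 94-symbol text alphabet and the hotspot count of 4 are assumptions made for illustration.

```python
import math

def grid_cells(width, height, tolerance):
    """Distinct tolerance x tolerance click targets; partial edge cells are dropped."""
    return (width // tolerance) * (height // tolerance)

def keyspace(choices, clicks):
    """Ordered click sequences with repeats allowed."""
    return choices ** clicks

def entropy_bits(space):
    """Bits of entropy if every sequence is equally likely."""
    return math.log2(space)

def equivalent_text_length(space, alphabet=94):
    """Shortest uniformly random password over `alphabet` symbols
    that offers at least `space` possibilities (94 = printable ASCII, assumed)."""
    length, total = 0, 1
    while total < space:
        total *= alphabet
        length += 1
    return length

def summarize(width=1280, height=1024, tolerance=10, clicks=5, hotspots=4):
    """Uniform-choice keyspace versus a keyspace limited to `hotspots` salient points.
    hotspots=4 is a constructed value: eye, eye, nostril, mouth."""
    cells = grid_cells(width, height, tolerance)
    uniform = keyspace(cells, clicks)
    skewed = keyspace(hotspots, clicks)
    return {
        "cells": cells,
        "uniform_space": uniform,
        "uniform_bits": entropy_bits(uniform),
        "text_equivalent": equivalent_text_length(uniform),
        "hotspot_space": skewed,
        "hotspot_bits": entropy_bits(skewed),
    }

if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name}: {value}")
```

The uniform figure is an upper bound that holds only if every cell is equally likely to be chosen; the hotspot figure is what a guesser faces when choices cluster on a few features.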

  10. I'll use by segfault7375 · · Score: 4, Funny


    I'll use that guy from goat.cx... That'll keep people out of my computer :)

  11. Re:um by dj28 · · Score: 4, Insightful

    Yea, and the funny part is that in that article, the majority of the posts were praising the technology. Now that it's about Microsoft, everyone is quick to criticize it. Gotta love the bias here.

  12. Login with someone behind you? by aralin · · Score: 5, Insightful

    Well, I've got this idea quite a few years ago, but honestly, did you ever try to login with someone watching? And it's much easier to watch the monitor than your keyboard. And at least I can type my twenty something passwords reallllly fast and have some intentional typos in them, but - man - how can you click on pictures without someone seeing the pointer moving over the right pictures....

    --
    If programs would be read like poetry, most programmers would be Vogons.
  13. Let's hope they have a way of opting out by merlyn · · Score: 4, Interesting
    As I said in a previous thread two months back:
    People are visually oriented, so remembering pictures is easy, especially compared to a mess of uppercase, lowercase and symbols.
    Uh, some people. I'd have to name each picture to remember it, and then remember the names. I'm a part of the 5% of the population that doesn't deal well with picture recall, and a particularly bad case of that. Let's hope this system is never mandatory for any system I have to use. It's bad enough for icons without tooltips.
  14. Re:Worse idea. by garett_spencley · · Score: 5, Insightful

    You said, and I quote: "There's a damn good reasons why you're told not to reuse passwords." Show me why? 15 years and it's never been hacked. I'd say that's a damn good track record for a single password. I don't see a damn good reason to change it. Until it gets hacked, I probably won't.

    I'm going to actually give you a real life example to help you understand why this is important.

    Some time last year (you may remember if you've been around /. that long) someone cracked /.'s backup server where they got full access to the database including Rob's password. So they got everyone's password.

    Now if you use that same password for /. then they got your password for everything. They didn't crack or guess your password instead they cracked something completely different and your password happened to be stored there.

    So imagine if you use that password for your online banking, e-mail, work account etc. It's pretty serious.

    The point is that it doesn't matter how secure or insecure your password is. You just don't use the same password for everything plain and simple.

    The same could happen with hotmail. Your work's network etc.

    --
    Garett

  15. Old, Old Idea by mesocyclone · · Score: 4, Informative

    In keeping with Microsoft's tradition of rarely doing its own innovation...

    Many years ago somebody was selling Automatic Teller Machines that used this approach instead of numeric PINs. I wish I had a reference but this was way pre-Web (1970s).

    Also, this was discussed at Usenix 2000 and CrypTec 99 - see:
    http://paris.cs.berkeley.edu/~perrig/projects.html#DEJAVU

    and on Slashdot on Dec 28, 2001

    --
    The only good weather is bad weather.

  16. Additional revenue for porn sites by Infonaut · · Score: 4, Funny
    Just imagine the banner ads on Yahoo!:

    skuzzywhores.com now has downloadable pass-pictures of your favorite screen sluts, from Anal Ashley to Luscious Lydia! Why not have some fun with your security? Download 'em now!

    --
    Read the EFF's Fair Use FAQ