Inkblot Passwords
TechnoPope writes "Microsoft Research a new way to get users to not only develop, but remember more secure passwords can be achieved through using inkblots. Because of how the human brain works, you can show the same pictures to different people and almost always come up with different passwords. What's even crazier is that people generally are able to remember the complex passwords. Sounds like a major breakthrough in security."
Anyone else see these shapes?
butterfly swimmer
recycle logo
WWE Smackdown Entrance
Helping Hands
Evil Eyes
Person Gasping
Turtle man
Boys Spitting
Batman fighting
Batman flying
with an end password of brrowehsespgtnbgbgbg
Hmm, maybe I shouldn't have shared that. This seems to be a really cool system. I look forward to MS adding it to Passport!
They see SOMETHING in the ink blots, and that something is probably in the dictionary... not that many people make secure passwords anyway.
Slashdotters are stupid and biased.
Blot number 10 would be "Bn": Batman having sex with Catwoman.
From the movie Van Wilder:
Random man (being shown an ink blot picture): "DUDE! It's a guy... and he's giving a circumcision... to HIMSELF!"
How exactly would his password turn out?
If they showed this to the /. crowd:
. .
:)
User1: It's Natalie Portman, i mean look at those curves . .
User2: Beowulf cluster of Linux boxen!
User3: Its the dead body of Steven King.
User4: Hot Grits . . . definitely .
User5: In Soviet Russia, the inkblots analyze you!
Think I covered them all
Your hair looks like poop, Bob! - Wanker.
An innovative, potentially useful idea coming from Microsoft?
I can't figure out which is more incredible - that, or the fact that the story got told here...
Stop by my site where I write about ERP systems & more
I would love this so much more, and find it much more useful, if Steve Jobs had thought of this.
Could it be that Microsoft has actually come up with something on their own?
--
Matt Keeler
ODP Editor - http://dmoz.org
http://elysium.org
Actually they forgot to mention that Microsoft has been using this for years. The ink blot results, no matter how different the images tend to be, always end up being "password".
cheers
-- ladies and gentlemen we are floating in space!
They'll make a total mess of
Trolling is a art,
Microsoft Research
Microsoft Security
Microsoft Innovations
Military Intelligence
McDonald's Restaurant
American Democracy
Land of the Free, Home of the Brave
everything just feels like rain
Stick Men
Just one more way MS wants to get inside your head.
Only 7 replies and it's already /.ed ...
:-)
Anyone want to donate them a linux system with Apache or Tux on it
Are you paranoid if you know that they just want to know everything you say and do?
Great. Now every password will have something to do with sex.
They cover this. Sorry, mod that parent post down now!
Got /usr/lib/xscreensaver/rorschach?
NetInfo connection failed for server 127.0.0.1/local
I used this system, with 5 different inkblots to generate my 5 most important passwords. They are, in turn:
o ther
MyMother.
Mom.
MyMother.
Momagain.
and
MyM
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
Here is some more of our favorite Slashdot composition style for your pleasure.
"Microsoft Research a new way to get users to not only develop, but remember more secure passwords can be achieved through using inkblots."
Makes one want to weep really.
"Microsoft Research ... a major breakthrough in security."
Whaa....?
no thanks
Here's the passwords I came up with:
Inky
Blotty
inkblotty
inkyblot
I bet there's not too many of these. Put 'em in a wordlist, and, bang!, you're a hacker!
Best Windows Freeware
It's nice, but the inkblots could use some work. If you look closely, they all look basically similar in construction, with the only differences being the color and size of the shapes. They also are all symmetrical along a vertical axis. A little more randomization would be nice, I would think.
Looks like they are stealing someone else's idea again. Wonder if IBM has a patent on this in their vault, as Lotus already does this.
Microsoft Research [has come up with] a new way to get users to... Sounds like a major breakthrough in security.
Sounds like a major break-in in security to me!
How are you going to keep them down on the farm once they've seen Karl Hungus?
Well, the idea sounds cool and all, but isn't this just a bit too involved to help people come up with and remember what will become basically random strings of characters? This seems like going through lots more effort than just using a random password generator of x characters and handing the person something to memorize. When it comes to cracking, wouldn't you have just about the same odds of guessing what random password the person got through inkblots as what the person would have got with a random character generator? Sure, neither would be really easy, but to hackers... it's still just a password.
SecondPageMedia - Wha
I think... Yes, I see... A Slashdotting!
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
Its obvious number 7 is a frog getting blown by a kitten and fucked doggy style by something with wings. All the rest are my mother.
We ask you to look at the inkblot, see whatever you see in the inkblot, and type a short abbreviation of what you see. The first and last letter works well.
/.er's computer would be P[]Y, T[]S, A[]S...
Sounds to me like this is tailor-made for dictionary attacks. The only letters you'll need to break into any
(Oh, crap, I'd better post AC or else I'll lose my squeaky-clean image!)
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
hmm...i wonder what system is running the web site.
Life is short; think quickly.
Could you imagine an implementation of something like that? There'd be this bizarre picture on your screen and before the computer would let you in you'd have to write an essay about what it looked like to you and then how you hate your father and it's all your mother's fault because she never hugged you.
That computer better come with a tissue dispenser. Call it the iQuack.
Sounds like a cool idea, but I'd usually associate an inkblot with a word or two, not with a random series of letters and numbers.
Doesn't this make the system vulnerable to a dictionary attack?
Too Many Users
There are too many connected users. Please try again later.
How strong are these passwords. For each blot, might you guess what somebody will see? Some seemed more obvious than others.
I like the face password system. With this system you remember some faces, something we are very good at doing. Then you are shown tablets of faces, around 16 of them. Your face is among them and you click on it -- 4 bits of data. You do this several times to generate a strong enough password.
The really interesting aspect of this system is, unless you are a skilled police sketch artist, you can't tell other people your password. Even if they torture you, you can't reveal it. Many people will find themselves unable to even describe the faces in their set, they just know them when they see them.
You might be able to go to the terminal and sketch or digitally photograph your faces to tell somebody else, but if this is used as an access control system, for example, with a guard watching you as you enter your code, it's hard to do. Thus the military is interested in such systems. But even if you don't care about the no-torture feature, you can generate memorable passwords that use an entirely different type of memory.
You forgot me, you insensitive clod!
- User6
Microsoft hires the best minds in the world. Little wonder that they came up with this. If only OSS had access to that sort of brainpower - can you imagine??
You have to have some imagination to see anything in the blobs in the article. I certainly didn't have enough, so my password would be ngngngngngngngngngng.
-- Cheers!
The other flaw (which is less serious) is that this strategy is only effective when the user has to remember a small, finite number of inkblots. If a user is forced to memorize a few hundred inkblots to cover the dozens of passwords he needs on a daily basis, this mnemonic technique loses its value.
Please someone, the place is already slashdotted!
Is It Just My Imagination?
by Suzanne Ross
Are inkblots meaningless smears of ink, or the secret key to your personality? Though most psychologists no longer use inkblots to determine the twists and turns of your psyche, sometimes they pay attention to the stories you tell yourself about the blobs.
Adam Stubblefield, an intern with Microsoft Research, thought that our ability to tell ourselves unique stories about inkblots might be a secret key to a strong digital lock - the online password.
Stubblefield, and his manager at MSR, Dan Simon, knew that people are the weakest link in secure computing environments. They knew that users generally pick weak passwords because they can remember them. They tend to use birthdays, pet's names, spouse's names or birthdays, or a favorite hobby. If a computer system forces us to pick a strong password, we often write it on a post-it note and stick it to the side of our computer, where it can be read and used by any passerby.
Give Me A Hint
"Good passwords are hard to remember. And easy to remember passwords are easy for other people to guess. What we wanted to do is give people a hint to help them remember a good password," said Simon.
They needed a hint that would mean something to the user, but not to anyone else. They wanted to use some type of image-based authentication. But there were problems. Most of the methods had what they considered to be a fatal flaw.
"All used a pointing device rather than a keyboard for input," explained Stubblefield. "This limited the rate at which the password could be entered, and exposed the password to anyone looking over the user's shoulder. We realized that a better scheme would provide some way for users to somehow construct a private textual entry from an image displayed on their monitor."
What Do You See?
Stubblefield used his imagination to come up with a solution. "I realized that a child accomplishes a very similar task when he points at an oddly shaped cloud and announces that there is a moose in the sky. There are not, unfortunately, huge amounts of published data on this cloud naming phenomenon." But there are volumes of information on the Rorschach Inkblot test. They decided to use inkblots to help users remember their passwords.
Sound too odd to be true? Even Simon was a bit skeptical at first. "I thought people wouldn't remember what they had seen in the blots. My first reaction was, 'oh, come on,' but it turned out well."
Stubblefield said the users had a similar initial reaction. "When we first explained the task to the users in the studies, the users were almost uniformly incredulous. Even after using the inkblot passwords, they were amazed that such an unconventional scheme actually works."
Computer Generated Inkblots
To make the system work, they developed a program that can generate an infinite number of random inkblots.
"We show you a bunch of computer generated inkblots," said Simon. "We ask you to look at the inkblot, see whatever you see in the inkblot, and type a short abbreviation of what you see. The first and last letter works well. We do that for a sequence of inkblots. At the end of all that we take you through it a few more times, but we scramble it in a random order first to make sure you haven't just typed in whatever you wanted to and ignored the inkblots altogether. We run it a few more times to make sure you have it in your memory, and thereafter whenever you try and log in we'll give you that second order of your inkblots. Eventually you'll just commit it to muscle memory and you'll learn it. And the inkblots will trigger the same memory."
Stubblefield and Simon found out that once we've identified the inkblot we see it the same way every time. And even though people sometimes see similar things in inkblots, they describe it in different ways. For instance, almost all the users in their study identified the inkblot below as some type of flying person. But the users described their flying person differently, such
Also, most people's passwords are a string that they easily remember + some numbers. It's much easier to remember blahblah123 than to look at the blobs every time you want to login and reconstruct "frherotspsmt..." from the images.
Perhaps this system could be used to help people remember forgotten passwords, like being able to select 5 of out 10 images in the correct order.
Have fun: Join D.N.A. (National Dyslexics Association)
I found out the more often I use a password the more obscure and meaningless it can be. So I make some of my passwords total gibberish with numbers and letters and whatnot. After about 2 weeks, they're easy to remember. I don't know what happens if you take a vacation...
cscscscscs Too many guys are going to see a "chick with big hooters" in every blot.
This post is dedicated to all of those
So much for that common OSS argument that Microsoft doesn't innovate.
"Sounds like a major breakthrough in security."
Until they forget where they put their inkblot.
This stuff has already been worked on. Visual passwords are nothing new. Someone at the USENIX Security Symposium was working on the same stuff with landscapes in 2000 (not sure on the exact year) but around then. The difference was they would provide you with a series of landscape pictures. Good stuff in my opinion, much easier to remember a series of images than a series of passwords.
Hey... How come all these inkblots look like butterflies?
The race isn't always to the swift... but that's the way to bet!
...the average length of some of your "strong" passwords?
I personally have a 30 character one that is locked in my brain now... but only use it for things I would actually be worried about.
- what is the definition of simultanagnosia?! I've been meaning to look it up!
I looked at all the inkblots and still came up with "password" for my password. Maybe I should change it to something more obscure like "god" or "sex."
DecafJedi
my weblog: apropos of something
Take the first letter from the first word and the last letter from the last word in the first blot. That forms your first two password letters. If you described the first blob as a 'flying gardener,' your first two letters would be fr. Continue doing this with all of the inkblots. You'll end up with a strong twenty-letter password.
Not quite. Your password will be long, but still only consist of letters. A truly strong password includes non-alphabetic and non-numeric characters to increase the search space to help against brute force attacks.
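The derivation rule quoted above (first letter of the first word, last letter of the last word, per blot) is easy to state in code, and so is the objection several posters raise: if most people give one of a handful of "popular" answers per blot, the attacker's search space is the product of those small per-blot candidate sets, not 26 raised to the password length. The following is an added example written for this page; it is not code from the thread or from Microsoft Research. It reuses the ten descriptions one commenter posted (which reproduce his stated password) and a constructed, made-up table of "popular answers" for four blots standing in for real Rorschach norms.

```python
import hashlib
import math
from itertools import product


def blot_token(description: str) -> str:
    """MSR's rule as quoted: first letter of the first word + last letter of the last word."""
    words = description.lower().split()
    if not words:
        raise ValueError("empty description")
    return words[0][0] + words[-1][-1]


def derive_password(descriptions) -> str:
    """Concatenate the two-letter token of every blot, in display order."""
    return "".join(blot_token(d) for d in descriptions)


# The ten descriptions a commenter posted earlier in this thread (not constructed).
THREAD_DESCRIPTIONS = [
    "butterfly swimmer", "recycle logo", "WWE Smackdown Entrance", "Helping Hands",
    "Evil Eyes", "Person Gasping", "Turtle man", "Boys Spitting",
    "Batman fighting", "Batman flying",
]


def candidate_tokens(common_answers):
    """Distinct tokens an attacker derives from the popular answers for one blot (order kept)."""
    return list(dict.fromkeys(blot_token(a) for a in common_answers))


def search_space_bits(candidate_lists) -> float:
    """log2 of the number of passwords consistent with the per-blot candidate lists."""
    return math.log2(math.prod(len(c) for c in candidate_lists))


def naive_bits(n_blots: int) -> float:
    """What 2*n_blots uniformly random lowercase letters would give (the 'strong password' claim)."""
    return 2 * n_blots * math.log2(26)


def dictionary_attack(pw_hash: str, candidate_lists):
    """Enumerate the cross product of per-blot tokens against a stored SHA-256 hash.
    Returns the 1-based guess count on success, or None if the password is not in the space."""
    for n, combo in enumerate(product(*candidate_lists), start=1):
        if hashlib.sha256("".join(combo).encode()).hexdigest() == pw_hash:
            return n
    return None


# Constructed "norms": four blots, four popular answers each. Invented for this example,
# not measured data; real Rorschach norms would be the attacker's actual source.
COMMON_ANSWERS = [
    ["butterfly", "moth", "bat", "two birds"],
    ["flying man", "superhero", "batman", "angel"],
    ["face", "mask", "evil eyes", "skull"],
    ["crab", "spider", "two hands", "frog"],
]


def demo():
    # A constructed victim whose four answers all happen to be "popular" ones.
    victim = ["moth", "flying man", "evil eyes", "two hands"]
    pw = derive_password(victim)
    pw_hash = hashlib.sha256(pw.encode()).hexdigest()
    cands = [candidate_tokens(answers) for answers in COMMON_ANSWERS]
    return {
        "password": pw,
        "guesses": dictionary_attack(pw_hash, cands),
        "norm_bits": search_space_bits(cands),
        "naive_bits": round(naive_bits(len(victim)), 1),
    }


if __name__ == "__main__":
    print(derive_password(THREAD_DESCRIPTIONS))
    print(demo())
```

The gap between `norm_bits` (8 bits for four blots with four popular answers each) and `naive_bits` (about 37.6 bits for eight random letters) is the whole argument: the scheme is only as strong as the unpredictability of the descriptions, and the two-letter abbreviation cannot add entropy that the description never had. A user whose answers are idiosyncratic escapes the table; one whose answers match the norms does not.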
There are too many connected users. Please try again later.
sulli
RTFJ.
Wow, nice.... The only password I can come up
with while looking at those things is....'admin'.
this is clearly a plot by microsoft to be able to hack into the typical /. reader's account
TIT
TIT
TIT
TIT
TIT
TTTTTTTTTT
/etc/passwd would not change ONE iota. It is the login mechanisms that would change. They would use the same library interface to /etc/passwd without a single line of code changing, or a single change in /etc/passwd.
/etc/passwd if "myuser" and "mypass" are a valid user, same as always.
For example, the KDE login, instead of having just a login and password prompt, would have a login prompt, you enter your login and it enters "password gathering mode". KDE (or more appropriately the auth_inkblot library) generates inkblots based on the login (thus we get the same inkblot each time for the same login, very important, and it should probably be cached to save the CPU) and as you type in the password prompt, the inkblots cycle through (one each after 2 characters). Then KDE asks
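The post above sketches the one property a login-side implementation must get right: the same login must always produce the same sequence of blots, without the server storing the images. The following is an added example written for this page, not the poster's code and not Microsoft Research's generator. It derives each blot's seed with an HMAC over the login and blot index under a server-side secret (an assumption made here so that knowing a username alone does not let an attacker regenerate the blots offline), and renders a toy inkblot as ASCII by mirroring a random half across a vertical axis and smoothing it, which is also why such blots all look symmetric.

```python
import hashlib
import hmac
import random


def blot_seed(server_key: bytes, login: str, index: int) -> bytes:
    """Per-login, per-position seed. Keyed with a server secret (assumption: held only by the
    authentication host) so the blot sequence is reproducible there but not from the login alone."""
    msg = login.encode("utf-8") + b"\x00" + index.to_bytes(2, "big")
    return hmac.new(server_key, msg, hashlib.sha256).digest()


def _smooth(rows):
    """One majority-filter pass so the noise clumps into blobs. A symmetric filter applied to a
    mirror-symmetric image keeps the symmetry."""
    height, width = len(rows), len(rows[0])
    out = []
    for y in range(height):
        line = []
        for x in range(width):
            filled = sum(
                1
                for dy in (-1, 0, 1)
                for dx in (-1, 0, 1)
                if 0 <= y + dy < height and 0 <= x + dx < width and rows[y + dy][x + dx] == "#"
            )
            line.append("#" if filled >= 5 else ".")
        out.append("".join(line))
    return out


def render_blot(seed: bytes, width: int = 24, height: int = 12, density: float = 0.5):
    """Toy renderer: a random left half mirrored onto the right, then smoothed.
    Deterministic for a given seed; the PRNG here is for drawing only, not for secrets."""
    rng = random.Random(seed)
    half = width // 2
    rows = []
    for _ in range(height):
        left = "".join("#" if rng.random() < density else "." for _ in range(half))
        rows.append(left + left[::-1])
    return _smooth(rows)


def user_blots(server_key: bytes, login: str, count: int = 10):
    """The fixed blot sequence shown for one login. Generated on demand, so it can be cached
    per login rather than stored, and regenerated identically after a cache flush."""
    return [render_blot(blot_seed(server_key, login, i)) for i in range(count)]


if __name__ == "__main__":
    key = b"constructed-server-secret-for-the-example"
    for blot in user_blots(key, "myuser", 2):
        print("\n".join(blot), "\n")
```

Two points a practitioner would check before adopting this: the blots are a hint, not a secret, so their reproducibility must not become a way to enumerate valid logins (generate them for unknown logins too), and the password the user types is still verified against the ordinary credential store; nothing about the image pipeline touches /etc/passwd or its equivalent.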
MORTAR COMBAT!
Using 10 as the article suggests, they're going to need to be small or have a paging display. It's going to be a major pain to lock your system or restart because you either need to remember the 20 letter password or watch the inkblot slideshow to recall it. I really can't see this happening soon because the main thing for your typical user is the ease of use. If they want a harder password they just need to make one or to have it enforced by the admin. Also, this doesn't include anything but letters; it would be better to include numbers and other symbols.
Wouldn't only insane people see something other than inkblots. This would mean that everyone's password will be "inkblot".
Oh wait, this is MS. Built from the ground up for insane security.
Too Many Users
There are too many connected users. Please try again later.
(I fail to see the content, but never mind. Perhaps if I look really closely...)
...isn't your favorite comic book character. 20%.... *shakes head*
Man. These things really do offer interesting insights into the psyche.
*honk*
Cappy "not anonymous, but cowardly enough not to write out what he sees" Red
This is my sig. It's prescription, I swear. I need it for reading things... on the other side of things
"Take your own inkblot test - what do you see in these blobs?"
1. nothing whatsoever
2. fat black sumo wrestler with purple arms doing the splits
3. goatse with chopsticks
4. CowboyNeal's legs in blue spandex
5. two Chinese soldiers looking longingly at each other
6. abstract goatse
7. A black man with bad posture, a green afro, and wings coming out his ass.
8. Blueberry people flanking goatse.
9. A very fat superhero.
10. Birdman does it doggie style. Possibly with goatse.
Based on this argument, start off with a password of sxsxsxsxsxsxsxsxsxsx.
Seriously, the problem is that with this method the password gets written down. OK, what's rule 1 of security? A written password is a potentially compromised password.
Panurge has posted for the last time. Thanks for the positive moderations.
Nice Lewis Black reference in the sig...
What about passwords that need to be used by more than one person? I suppose if everyone involved got together and agreed on the meaning of the images before creating the password it might work. It would be hard to get a 20-character password from someone and try to remember it based on what they think the pass-symbols mean.
Also, this might be a trivial objection, but the symmetry on those images at the bottom of the article made a lot of them look like "things with wings" or "things with arms". Maybe once I got used to the system I'd see more and be more creative with descriptions.
While it's a good way to remind people of their passwords, most people would have to perform the task of reconstructing their password every time they needed it because the resulting password itself is too hard to remember.
So how would you use this to help remember a password on a text-only system? Seriously, it is very annoying that every system we use at work requires a different style of password and that we can't just be recognized as logging in from a previously OK'd IP or some such.
Since the Rorschach Test ( "what do these inkblots represent ?" ) has been used for decades, lots of norms have been collected, so there already are lists about the most popular answers. Even if these are new inkblots, the patterns found in general Rorschach norms can still apply. Way to go Microsoft, you've made a fool out of yourself again.
United States of America, good ol' backers of world peace.
Too Many Users
There are too many connected users. Please try again later.
You can probably hack all of those with a book by Freud on the subject. :)
"it looks like my mother yelling at me!"
stuff |
User6: I'm blind you insensitive Clod!
User7: I have a copyright on Inkblots! Cease and Desist!
User8: Cowboyneal . . . Yea . . .
This couldn't work for the following reasons:
1) People are lazy. They aren't going to look through ten inkblots and write down each one and then figure out the first and last letter of each. They are more likely to write their password down somewhere, or just click on the link that says "e-mail me a new password".
2) People are stupid. Normally users would get a page saying "View each of these inkblots and write down ...", but what they actually read is "blah blah blah pretty pictures blah blah blah click". Without the person administering the test standing behind them to explain what to do, most people would just glaze over, like they do whenever they are presented with instructions longer than 1 sentence.
3) Did they have a control group that attempted to remember their "strong" password? They state that it is unusual for a user to remember a strong password after one day, but I wonder how unusual?
4) "... by the umpteenth time you've logged in, you've remembered these twenty characters". Wouldn't it just be simpler to make them type the 20 characters over and over again 15 times? Then they remember it anyway, and don't have to reverse engineer the whole process.
--jdan
I can see IS Ops and HR coming to me...
Them: We've noticed that ever since we've implemented the new ink blot passwording scheme your passwords have been... ummm... pornographic...
Me: I can't help it!! Everything I see's a p(*%(*#@!!!!
1. Nicole Kidman naked 2. Nicole Kidman naked 3. Nicole Kidman naked 4. Nicole Kidman naked 5. Nicole Kidman naked 6. Nicole Kidman naked 7. Nicole Kidman naked 8. Nicole Kidman naked 9. Nicole Kidman naked 10. Nicole Kidman naked For a password of NdNdNdNdNdNdNdNdNdNd
Too Many Users
There are too many connected users. Please try again later.
Mirror here.
Do not read this sig.
About 30 years ago, I took part in a psychological experiment that had to do with ink blots.
There were 4 test subjects and the psychologist in the room. He'd show an ink blot to each test subject in turn and record the responses.
I was test subject #4.
On the first ink blot, the first three all said the same thing and I said something different.
The second ink blot went like the first.
I remember that on one ink blot, the guy next to me tried to argue with me into agreeing with him, but I didn't.
In fact, in the entire series of ink blots, the only time I agreed with anyone else was the one time he asked me first. Then everyone else agreed with me.
It turned out that there was only one true test subject, test subject #4. The rest were in cahoots with the psychologist.
The purpose of the experiment was to measure our socialness. The psychologist was rather upset with me because I was way off the curve and told me that I was the most anti-social person he had ever met.
That's something coming from a psychologist who worked at a state reformatory.
Anyway, back on topic, I tend to use passwords that are quite long usually by stringing unusual words together or by creating nonsensical sentences. In both cases, unusual spelling, punctuation, and capitalization are present.
20 characters just doesn't seem enough.
I hope not. But they'd be justified if they did, IMHO. This is the first truly new idea in the area of password generation I've heard. I'd sure like to be proven wrong, though. It'd be a shame if only Windows could use this system.
"Even if you are on the right track, you'll get run over if you just sit there" - Will Rogers
I think this method would be great when paired with the previous laughing recognition method presented here
I mean:
1 - Computer displays inkblot
2 - User begins to laugh
3 - login
4 - PROFIT!!!
how long until
So do we get to embrace and extend this into something useful instead of the usual vice versa?
For me the easiest way to come up with a 'secure' password is to m4k3 1t 3r33t
But besides that, what does it matter? All your passwords are going to be the same anyway. That's just human nature. You're told not to use the last 4 of your social or the last 4 of your phone number as your ATM PIN, but you do it anyway. And when you have to sign up for something online you use your hotmail password, over, and over again, knowing full well that if some 3r33t hax0r were to compromise your nifty c:\my documents\passwords.doc file you'd be screwed.
Oh well, I find it more interesting that when submitting your taxes online the IRS makes you create a 5 digit PIN. WHAT! 5 digits?!
;-)
Im dreaming ofa big bndwdth, That can resist the
18 months after MS decides security is important and launches the biggest security review in history, they spent 10000 man hours and tens of millions of dollars to determine that:
Stubblefield, and his manager at MSR, Dan Simon, knew that people are the weakest link in secure computing environments
Bad boys rape our young girls but Violet gives willingly.
"Too Many Users"
I thought they were all about monopolizing and gaining more users. Just goes to show you, just when you expect the worst from someone, they make a complete turnaround... I mean, A)an innovation, B)in security and C)they're even denying users.
Apparently hell is freezing over.
Though your post was meant to be humorous, it also jibes with conventional security wisdom for recalling strong passwords.
I forget who it was that said it, but a widely recommended strategy for strong passwords is to think of a shockingly graphic sexual phrase then use the first letters.
The vividness and the link to sexual activity makes it memorable (at least in males). And also it's not likely to be a phrase you would blurt out or something anyone could easily guess about you. e.g. "take this job and shove it" would NOT be a good pass phrase because it's something that might well be an expression you would use in your writings or speech.
Oh and by the way that's actually me in the batman costume doing your wife. or Ge
Some drink at the fountain of knowledge. Others just gargle.
About two years ago, slashdot ran a story about RealUser, which provides a passface solution. I was shocked at how well I remember the passfaces I was given. I just tried to log in to the site, and I was successful; I haven't tried to log in in months.
www.realuser.com for more info
My other sig is extremely clever...
If you know anything about the Rorschach test (the original inkblot test), you'll know it's all about
statistical analysis. The Rorschach inkblots were randomly chosen - it didn't matter at all what they looked like - as long as they were always the same.
After many decades of testing, psychiatrists were able to plot people on charts based on certain responses and then empirically decide whether someone might have a given mental illness based on whether their response showed statistical similarity to others who had proven to have that illness. Most of the categories that the responses were judged on were extremely arbitrary.
The point is, the inkblot test relies on the fact that most people with "normal" brain function will look at an inkblot the same way. You'd be surprised at how many people list "fly" as the one that looks like a "fly" etc. What you are going to end up with is only a handful of different words for each inkblot. People aren't going to pick phrases like "flying man with green wings getting ready to lift-off" because those phrases are hard to remember. Most of them will be "fly", "flying man", "wing man" etc.
This is not a secure password.
Personally, I'd find it more helpful if this system would assign me a password based on my complexes and psychoses.
Then I could not only feel better about my data, but about myself as well.
*honk*
This is my sig. It's prescription, I swear. I need it for reading things... on the other side of things
You have to read The Art of Memory by Frances Yates. This book deals with the ancient practice of memory training and use, including those fantastic Memory Palaces where you literally build imaginary (or not) places in your mind and use them to store representations that remind you of an idea, word, sentence, concept, or anything. You can then "walk" from place to place, looking at those representations and re-building a speech, for instance.
Actually, this is the "intellectual", generic version of the idea posted (and slashdotted) above, and you can use it to remember your passwords, long speeches, todo-list, anything.
And M$ won't be patenting this any time soon; the Greeks used this even BC.
Worth a read and a try, really.
Note: Thomas Harris has had Hannibal Lecter use and play with memory palaces in his novels too.
theefer
I'm not going to put my bank account, or anything else of importance, on the line for a system that claims that "the way MOST people think is different". All you need is someone smart enough to formulate the most likely responses to a certain ink blot, or set thereof, or just someone who knows you really well (I've seen numerous cases of people who were close to each other giving nearly identical responses to ink-blots). Until you can slap on a label that says this is absolutely better than you sitting down, clearing your mind and picking a word completely at random, I won't touch it. NOBODY I know can guess my common password. It has nothing to do with me, not something I like, or have interest in, or even know much about; I don't know anyone who fits that description either. After that I threw up a PHP script to give me a 4 digit random # and scrambled that in a random fashion. Lot of work to go through? Yes, but I've NEVER had to do it again because it's NEVER been compromised. So that was worth the 15 minutes or so of time I spent on it. 12 digit password, not breakable by a dictionary attack, I never give it out regardless so social eng. isn't going to work, and it's completely unrelated to me, so even if you could guess the WORD portion of it, you still only won half the battle. That seems a lot more secure than "well, most people give different responses". Meh, whatever, passwords are good as long as people are not stupid; the same person who's stupid enough to write down their text password will write down their response to the inkblot too. Or, like some people at my work, they just TELL other people....so dumb. How about a device that, instead of showing ink-blots, sends 10,000 volts coursing through your ass if you do something stupid with your password?
"The saddest words of mice and men, are not those which were, but should have been."
that thinks TechnoPope was looking at an inkblot while writing this? I had to re-read everything to make sense outta what this was trying to say.. >=)
Just when you make it idiotproof, some idiot builds a better idiot.
Microsoft ... ... ... a major breakthrough in security.
/.
im sorry i thought this was
The More Knowledge you have the Luckier you Get- J.R. Ewing
...that nearly every single inkblot reminded me of biology textbook diagrams of female reproductive organs. Except for the ones that reminded me of an upskirt view of a woman's exposed genitalia.
Posted anonymously, because I'm sure I'm going to hell for this as it is....
So, this interviewer asked me to look at a picture and tell him what I saw. I told him it was too embarrassing....
;-]
He said, "No, it's ok. Everyone sees something different."
So I told him, "Well, to *me* it looks like pattern number 7 in the Rorschach test for obsessive compulsive disorder." But, then he got all depressed so I said, "Ok... it's a password prompt."
[with apologies to Emo
Wait a second.....THIS IS the same Micro$oft, right? You know...the one that recently admitted to having a serious security flaw in their self-claimed "most secure" OS? And the same one who won the Homeland Defense contract?
Man....Micro$oft and security.....that's like Bill Clinton and an Intern Convention at a fancy hotel. Not the best when mixed. (Or what Bill calls "one-stop shopping")
Either way, ever since Micro$oft replaced their typing monkeys with cheaper college grads (a long time ago), their code has been getting buggier and buggier. The worst part of it is that they tend to reuse the dysfunctional code over the code that actually works.
Using a more secure password to log into a less secure box.
It wastes your time, and annoys the pig.
The advice up until now: Do not use the word "password" as your password.
The advice from this point forward: Do not associate an inkblot with inkblots.
Mark
(0) Cartman at a pie eating contest.
(1) Sumo Cartman really pissed off.
(2) Black Sumo Cartman doing a split.
(3) Wolverine Cartman blocking his ears.
(4) Cartman in the Olympic 200 m butterfly.
(5) Cartman & Anti-Cartman flying toward headlong mutual disintegration.
(6) Cartman butterflying a pork chop.
Password = "beefcake"!
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
assuming that those who use l337 consistently use the same character substitutions, this would make some insanely strong passwords. i mean, heck:
|?h3@4 |\/|y l337 5|1ll5
becomes |yl5 based upon 2 inkblots.
of course, i kinda now hate myself for having found a possible actual value in l337...
[offs self]
ed
Aren't passwords becoming more and more outdated these days? Isn't the industry focusing more towards biometric authentication and other types of tokens? I think the best way to remember passwords is the 'first letter of every word in a sentence' method.
What about the inevitable guy whose password will always be 'mother'?
Canthros
Because of how the human brain works, you can show the same pictures to different people and almost always come up with different passwords.
I don't know about that. Everyone I talked to who followed the inkblot link saw the same thing: "Too many users".
Democracy is two wolves and a sheep voting on lunch.
Secur!ty H013
Five Dolla Moddy-Moddy?
"Microsoft Research...major breakthrough in security."
It's official: hell hath frozen over. I just read an article on Slashdot lauding a Microsoft security advance. I kid you not.
"I wish I had a Kryptonite cross, because then you could keep both Dracula AND Superman away." --Jack Handy
Try engaging your brain for a couple of seconds before you post. think about it.
Did anyone else think of, "don't use IIS"? Maybe this isn't so secure after all...
No, I didn't think of that, not specifically. Let's see. What does IIS have to do with this? What does the topic of the article and web server security have to do with this?
You've never seen an Apache server barf with mySQL and "too busy" errors? Perhaps the bandwidth is a more important consideration. Yes. For example, eBay uses IIS. Have you ever heard of eBay being borked? I haven't. Ditto for Dell.com, Microsoft.com and all the other high-traffic sites out there that use IIS.
Now, I'd recommend returning to whatever rock you crawled from under and staying there. Your useless and off-topic attempts at lame humour are a waste of brain cells.
How do I retrieve my password if I lost it?
To: Joe
From: Support
Subject: Lost Password
In the gang bang picture 37, your password is
Click on the head of the guy in the back with his head in someones a**.
Then click on the hand of the guy, or girl, we're not sure since we only see one hand coming out between two legs and the owner is hidden by the midget.
Click on the GSpot (if you can find it).
mantle
linebacker
two hands
knees
two faces
spider
flying frog
smoking
demon
angel
that makes:
melrtskstssrfgsgdnal
~Berj
I laughed 'til I cried.
"Smart is sexy." -- D. Scully ("War of the Coprophages")
This sounds good to me.
So if the user replies:
"Woman carving out her entrails"
"Headless beaver chasing chickens"
"Turtles, lots of turtles, they f333r m3!!!"
etc etc etc
They could just lock the computer.
And moreover, with the buddy-buddy nature MS shares with the fed, I'm sure they could send over some white suits to the users home to fit him/her with a brand new coat.
And maybe just maybe \. will see a few less trolls in the process.
your password is "bbbbbbbbbbbbbbbbbbbb"
This could be guessed by someone running their finger up and down their lips.
A goal is a dream with a deadline
Isn't that the start to a Kylie song?
"Is it in my imagination, there is no hesitation..."
Watch Kylie french-kiss Geri from the Spice girls.
Get your own free personal location tracker
What they're not telling you is that 3/10 microsoft employees actually tried to draw the inkblots on the screen when prompted for a password.
...
When I tried it, in the inkblots I think I saw: "Too Many Users" So I don't know what that makes my password. It's strange how /. never gets /. but Microsoft can.
Hi, my name is Blotty! What would you like to do?
Choose a password?
Let me help you choose one?
Someone you trust is one of us.
Ok CmdrTaco... You almost got me! Where did they take the idea from?
Of Code And Men
There is a possible change to the above inkblot generation described.
Instead of basing the inkblot generation solely upon the user name (and of course a server key), it could also base it upon the user name and the time at which the inkblot was generated (or other random input at the time), and then save the inkblots for the user (or at least the inputs to the inkblot generator). This would have the advantage of a malicious user not being able to study a particular user's "inkblot output" by generating the user's inkblot on a different machine, even if the server key was stolen.
A big problem with this inkblot algorithm altogether is that given a particular inkblot, there really are a more finite number of possible answers for a given inkblot. Given enough time and enough different brains looking at the inkblots, a list of 100 or so possible passwords could be attempted.
I agree that this inkblot strategy _does_ help in "brute force" attempts, since the passwords are more complex than "password" which is good. However, what happens when computers can recognize inkblots? Then a computer program could be written to attack one of these inkblot passwords without human "brain" power.
MORTAR COMBAT!
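The per-user randomised generation proposed in the post above, sketched as an added example. This is not Microsoft Research's code and the article does not describe how its blots are actually seeded; the HMAC construction, the 16-byte stored nonce and the toy symmetric bitmap renderer are all assumptions made here to show the mechanics: the server key plus username alone are not enough to regenerate a user's blots, the stored nonce is.

```python
import hashlib
import hmac
import os
import random


def blot_seeds(server_key: bytes, username: str, nonce: bytes, count: int = 10) -> list:
    """Derive one 64-bit seed per inkblot from HMAC(server_key, username || nonce || index).

    Hypothetical construction (not the article's): the nonce is drawn once at
    enrollment and stored next to the account, so the server can regenerate the
    same blots on every login, while someone holding only the server key and the
    username (the case the post worries about) cannot reproduce them.
    """
    seeds = []
    for i in range(count):
        msg = username.encode("utf-8") + b"\x00" + nonce + i.to_bytes(2, "big")
        digest = hmac.new(server_key, msg, hashlib.sha256).digest()
        seeds.append(int.from_bytes(digest[:8], "big"))
    return seeds


def enroll(server_key: bytes, username: str) -> tuple:
    """Create a user's blot set at enrollment; returns (nonce_to_store, seeds)."""
    nonce = os.urandom(16)  # the extra random input the post suggests saving
    return nonce, blot_seeds(server_key, username, nonce)


def render_blot(seed: int, width: int = 16, height: int = 8) -> list:
    """Toy inkblot: random fill of the left half, mirrored so the picture is
    symmetric about the vertical axis like the Rorschach-style blots the thread
    discusses. Real renderers are more elaborate; the seeding is the point."""
    rng = random.Random(seed)
    rows = []
    for _ in range(height):
        half = [rng.random() < 0.45 for _ in range(width // 2)]
        row = half + half[::-1]
        rows.append("".join("#" if filled else "." for filled in row))
    return rows


if __name__ == "__main__":
    server_key = os.urandom(32)  # stands in for the server's long-term secret
    nonce, seeds = enroll(server_key, "bob")
    # Login time: the stored nonce reproduces exactly the same blots.
    assert blot_seeds(server_key, "bob", nonce) == seeds
    # An attacker with the key and username but no nonce gets unrelated blots.
    other = blot_seeds(server_key, "bob", os.urandom(16))
    print("seeds match without the stored nonce:", other == seeds)
    for line in render_blot(seeds[0]):
        print(line)
```

The nonce is not secret in this design; it only has to be stored where the attacker who copied the server key did not also get it (the point the post makes). If both leak together, regeneration is possible again, so the scheme buys separation of secrets, not a new kind of secret.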
Why do I fear that all of the M$ inkblots will look like MSN butterflies, peeled-corner XBoxes, etc.?
Two wrongs don't make a right, but three lefts do.
Is this MS's answer to secure America, by chance? A bunch of Ashcroft henchies running around blotting D.C.?
Snooze and you lose your sushi.
What about passwords that need to be used by more than one person?
There's your security hole, right there. Everyone should have their own account. If a person needs root privileges, sudo can be used.
Evidently, no hyper-advanced password system in the world can save you from a good old-fashioned Slashdot DDoS attack.
Key fobs are the way to go.
-- Thou hast strayed far from the path of the Avatar.
There should be more stories about silly Microsoft "features" on /., it's always a pleasure to see their puny software crash :)
United States of America, good ol' backers of world peace.
It looks like research.microsoft.com has been slashdotted. I get a "Too Many Users" error.
It would probably be better to drop -ing on the last word for each image before taking the last letter.
People are just plain lazy. How hard is it to memorize an eight character alphanumeric password? As opposed to inkblots, its fast, you don't have to look at twenty different pictures as you enter your password (think about how many times a day YOU enter your password). You could use the same password for multiple accounts and simply change it often. Like my current master password for example: uck29aic
Uh oh. Where is the damn stop button? CANCEL CANCEL CANCEL!!!
Fascism should more properly be called corporatism because it is the merger of state and corporate power. -- Mussolini
Ooooh great. We have secure passwords for an insecure operating system.
I really cannot see users going through any of that.
They have enough difficulty understanding warnings such as "You have six days to change your password"
So instead of changing it from doggy's name to daughters name, they just complain when they cannot login - "something is broken!"
Slashdot Beta should die a painful death.
I don't often say this about a M$ idea, but this seems like quite a good idea. The passwords seem to lack numbers, misc. characters, and mixed-case, but they're still stronger than the average password. This idea has potential for sure.
"We show you a bunch of computer generated inkblots," said Simon. "We ask you to look at the inkblot, see whatever you see in the inkblot, and type a short abbreviation of what you see. The first and last letter works well."
Of course it works, well sort of. Passphrases are easy to remember, that's why they work so well. They could have used any kind of clue and might want to consider that, because the things people think of on their own ARE NOT RANDOM, especially for ink blots. "There are several responses that almost everyone gives; mentioning these shows the psychologist you're a regular guy." So, I'm afraid that these inkblot tests won't be any better than pet names and the other common things in people's heads.
The Microsoft PR department's discovery and promotion of passphrases, however, is a welcome innovation. Keep working, but be careful. The easier you make it for users to be unpredictable, the more difficult you make it to blame the user for holes in your code.
Friends don't help friends install M$ junk.
Most of us associate these tests with efforts to "express" (in the sense of squeeze out under pressure) inner feelings, and thus there is an assumption that responses to inkblots will be random. Not so according to their inventor; who asserted that there are correct answers to the standard blots used in his famous test.
It wasn't Freud, by the way.
Too Many Users
There are too many connected users. Please try again later.
Unfortunately, 90% of the users will see people having sex and pick the same password: people having sex.
What about those guys who see a dude with an enormous schlong in every blot? Don't they deserve consideration too? ;)
-Looking for a job as a materials chemist or multivariat
I think this is great and all... But that's like.. one week of unproductivity. I haven't tried this... but like.. I'm guessing for slower users, the first week would lose some serious time.
:-d
Day 1: 30 minutes to figure the thing out and play with it
Day 2: 20 minutes to figure it all out again
Day 3: 25 minutes to figure it out and show it off to all of your friends/coworkers
Day 4: 25 minutes to try and remember in your head, but end up having to go do the pictures again
Day 5: It's Friday.. I ain't even loggin' in.
I'm not saying that's the way it is, but that is the first thing that strikes me.
Now, that's not a whole lot of lost time, right? Take that times the number of people in your office... 10? 20? 50? 100? 1000? You end up losing thousands of man hours just playing with the stupid thing.. Then again.. how many man hours does slashdot cost the IT industry?
Can all fish swim?
What kind of geek website is this where no one saw Jabba the Hutt in #2?
"Sounds like a major breakthrough in security"
How is this a security breakthrough? Or, is this all a part of MS's trusted computing platform? I mean, in the end it's still just a password.
> What's even crazier, is that people generally are able to remember the complex passwords.
"Generally"? So that means that people can "generally" get into their systems. Yeah, that's a good idea.
1. Amputee Gymnast
2. Offspring of Dominik Hasek and Donkey Kong.
3. Grinch Performing Root Canal on Mick Jagger.
4. Fuzzy Bunny Foot Cuffs.
5. Oddly Colored Shepherd's Pies in Urine Sauce.
6. Invisible Woman Donning Red Brassiere.
7. Flying Amphibious Baker.
8. PBS Logo from Mars.
9. Insignia of Visitors from the Planet of Butterfly-men (and women).
10. Space Wolf.
Hope this helps...
--If 50,000 people say a foolish thing, it is still a foolish thing.
I did this in college. Not to recall passwords, but as a study aid. I had heard once (in psych I believe) that the human brain could recall things with more clarity (or better detail) if associated with a sight, sound or smell.
;-)
So in order to pass tricky exams, I would study formulas to music (thrash and speed metal) and I would create an inkblot to help remember topics.
Upon test time I had a sheet of inkblots with me, and my walkman. Teachers looked at me funny, but never said anything.
Sure, it was probably cheating, but *you* pull a double major in programming (mainframes no less) and chemistry, with a minor in physics and math, and let's see how morally wholesome you stay
So rise up, all ye lost ones, as one, we'll claw the clouds.
Following the directions, my password is scotttigerscotttiger.
Give a man a fish and he will eat for a day.
Teach him to eat and he will fish forever.
Well Apple will release it after MS in a more refined and functional form, and then quickly attempt to patent it.
I'm a firm believer in the philosophy of a ruling class. Especially since I rule. -Randal, Clerks
MOD UP PARENT: GOOD MIRROR
...I see with this method is that it still produces a password of random letters that would be hard to quickly remember (at least for me). On the other hand it would be easy to figure out your own password if you forget it.
Here is my method:
1- Make up a phrase: old red train
2- Translate some of the words in other languages: vieux red treno
3- l33t-ify it: v1u3x r3d tr3n0
4- Assemble: v1u3xr3dtr3n0
But I don't know how secure this method is for general usage.
per dolorem ad astra
Hmmm, microsoft.com is still working ?
We /.ed part of the evil empire at least !!!
What ? These guys actually are innovative ? So, we hit the only non evil part of the empire ...
"However beautiful the strategy, you should occasionally look at the results" - Winston Churchill
I doubt that these passwords are very strong.
For example, for even-numbered positions in the password, the letters "s" and maybe "g" will be quite common.
It appears as though research.microsoft.com has been slashdotted ;)
Did you read the article?
... etc.
They say that often times people DO see the same thing, but it's near impossible to predict what word(s) they'll use to describe it...
silhouettes
looking at eachother
face to face
two faces
two busts
faces
love
eye to eye
~Berj
The actual test is kept secret so that people can't see it in advance. Publishing it online can get your ass sued and the actual cards cost about $75. This site examines all the different cards, what they look like, what answers you should get, etc. It's a fascinating read and will show you how crappy a test this is. They include images of what the blots actually look like, but hollowed out to avoid lawsuits.
Article slashdotted, so the following may be inaccurate. But I think that with inkblots:
- I can't so easily write the 'password' into my agenda or my Palm to remember months later.
- Either we will have the same faces or pictures on all computers, or every system will have a different set of pictures that the people must 'learn'. You don't learn a new alphabet each time you have a new account, do you? That would enforce change of password with different accounts, but also make it harder to have a unique password for uncritical things (news websites...).
- No physical remembering of the passwords. (Yes, my muscles remember better some complicated passwords than my brain; yes I'm a geek).
- One more way for MS to protect its monopoly - you don't expect the pictures to be free of rights, do you?
- It takes longer to click on pictures than to type the same passwords each day.
- You won't have to be next to someone to learn their password; the other side of the room will be enough.
- Anyway, the choice of the pictures must be translated into something that the computer understands. Basically, it's a keyword. If 'red flower-pretty girl-blue car' is stored as 'WYZ' in a file somewhere, I don't see much progress.
Christophe (Don't hesitate to point out my spelling and grammar mistakes, I want to learn - Thanks).
Read the article - they use the first *and* last letter, so the line you quoted from Macbeth becomes:
wnslwetemtanintrlgorrn
Which points up a flaw in the system that a previous poster alluded to, namely, that you end up with only alphanumeric character passwords, so a cracker program would only need to run permutations of first/last letter pairs from a dictionary to crack these passwords.
Moreover, there are undoubtedly some first/last letter combinations that are more common than others in english, even for multi-word phrases, so the crackers would try these first in their search.
In other words, their very structural regularity leads to an easy line of attack.
This is why Kerouac said 'never edit yourself'. Unless you really would like to "take buy" a gun.
Stand back 6 feet from the monitor and the password is obvious Galaxians !
Hey, what do you call that psychology test, the one where they show you all the pornographic pictures?
Do you mean a Rorschach Test?
Yeah, that's the one!
Can anyone tell me how to set my sig on Slashdot?
We've Slashdotted Microsoft
Where's the champagne?
your thin skin doesn't make me a troll
My root password was "Blocky Ink Blot"
You can't judge a book by the way it wears its hair.
Based on your results on this carefully conducted Rorschach test, your psychological profile is incompatible with our company's image and needs. Security is waiting at your cubicle to escort you from the premises.
Bleh!
That looks like a custom made exception, not IIS bombing.
Ever try apache2 when it was released? It bombed all the time. Lame attempts to insult Microsoft don't get you the attention you crave (at least not positive attention).
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
He was responding to another poster, not on the article.
relax
If I have ever seen a piece of stupid research, this is it. Not only do I doubt the effectiveness of the method in the long term (what one sees in such inkblots can be subtly dependent on one's mood, and one's description of one's perception is liable to change in subtle ways), but, in addition, there are far simpler and more efficient methods to come up with good passwords.
My personal favorite: Pick a sentence that you like, and type in the first letter thereof and whatever punctuation signs you use. For the previous sentence we get Pastyl,atitfltawpsyu. Even for systems limited to 8 character passwords, this method produces fully satisfactory ones.
A technology called Pass Faces has been around for a few years. Microsoft simply substituted the faces for ink blots. Personally, I think it would be a lot easier to remember faces.
Was it just me, or did all of those inkblots look like blurry characters from Southpark?
"I have never let my schooling interfere with my education." - Mark Twain
Seems like they could make it stronger by having the inkblots actually appear on screen. Each time you need to enter the password the inkblots appear in a random order, you enter your two letter description of each, and the letters are reordered based on the placement of the images. This way you could avoid dictionary attacks, and possibly incorporate a larger set of images.
P.S. that flying frog man is really starting to freak me out.
LIVE, Love, die
But my question isn't about psychology.
I'm hoping there's someone who knows enough about databases and cryptology to answer my question.
Doesn't this sort of scheme introduce problems in tying the public, displayed images to secure data? For example, the way it works now, I assume what happens when you enter a password is that the data gets matched against entries in a database of some sort, and matches--which are unlikely if you don't have a password--indicate access of some sort.
But in this case, it would seem to me that by displaying the images--which are linked to the password necessarily--you're adding an additional link to secure data that could be exploited somehow. For example, let's say my name is Bob Jones. I enter Bob Jones, and it displays my images. Isn't that already necessarily a nonsecure transaction linked to secure data, one that could be exploited somehow?
I'm not sure how it could be done, though--that's my question.
It's true that eventually, someone might learn the sequences of keys without having the pictures displayed. But there's a fair amount of psychological evidence suggesting that someone is almost as likely to forget the keystrokes without the pictures as if the pictures were never present.
Go into notepad and commence bashing the keyboard with your fists. The resulting characters should be completely random numbers and letters.
I usually just take the first 8 since some registrations cap it off at eight characters.
keep it on a piece of paper in your wallet, take it out when you need it. Surprisingly it won't take very long at all to remember.
Other methods that work: Let your family pet walk, slither or crawl across your keyboard; hopefully they are not small rodents that have eaten recently or are molting their skin.
signed,
ixnay (from PlanetHalf-Life)
So, what does a password of 'gxgxgxgxgxgxgxgxgxgx' tell you about yourself?
Manta
Microsoft have invented loads of stuff.
How about the easy to use windows GUI?
No that was ripped from macOS.
How about MS-DOS, thats one great thing they came up with?
They brought Q-DOS and changed the name.
Their single instance store?
UNIX has had Symbolic links since always.
The windows IP stack?
Taken from FreeBSD ( and broken. )
edlin?
Taken from the UNIX ed.
Macro virii?
The one thing microsoft did invent.
For example, waliaYs1: "We all live in a yellow submarine". Add in a number or two, capitalize something you emphasize when you say it anyhow, and presto! Strong password.
Toon toon! Black and white army!
No, all a cracker would need to do is to test the permutations of the most likely variant responses *first*. The cracker would need to know *nothing* about the individual user, just what responses were most common statistically. Even if such knowledge consisted entirely of what words people use most often in short descriptive phrases (independent of ink blots), it would shrink the search space dramatically.
Combined with the fact that the cracker is dealing only with alphabetic characters, you end up with a highly structured system, with an obvious, and likely quite fruitful, means of attack.
If you run Linux, just type mkpasswd. You can redirect something from /dev/random to get a random password if you really want to get picky.
It'll give you something like: SvDQCa82VDQeg
That's the output when you type 'foo' as input. You probably want to use a better seed string than foo
If tits were wings it'd be flying around.
Troll1: First Blot!
Troll2: It's that dude in the goatse picture!
Troll3: A slashdot poster who can't spell.
Troll4: It's a duplicate of the second blot!
this could go on forever... :)
- Even characters are the last letter of the second word, so this is likely to be an 's' for plural-looking blots, and not so likely to be a, i, o, u, and almost definitely not q.
- The length of the password is known.
- There are no capital letters. In fact, they're all lowercase letters.
A normal dictionary attack on twenty characters would have 94^20, 2.90e39 permutations. The passwords with the restrictions listed above would be at MOST 26^10*25^10 (assuming no q's in the even positions), or 2.37e14, possibilities. Using some of the "probably"s listed above, you could save some of the less likely combinations for the end of the list. OTOH, an eight-character max, mixed-case password that could have special characters will have sum(i=1..8) 94^i (sorry, I can't do sigma notation) possibilities, which is 6.16e15. That's 26x as many as the method listed above, and given that the human mind can easily remember between five and nine characters, it seems we're better off memorizing some sequence from
DISCLAIMER: I am not a mathematician. I may be talking out of my ass. Please correct me if I am.
I really hate signatures, but go to my website.
Ok, WTF does a too busy page have to do with security?
Christ, do you people even think?
The key to the enjoyment of pop music is to replace any instance of "love" with "C.H.U.D."
#1 is obviously a Klingon battlecruiser, dorks!
I don't think they will get lots of unique stuff from ink blots. There's nothing new about M$ claiming to have invented something.
Friends don't help friends install M$ junk.
Quote from the article: "Twenty out of 25 people remembered their password the next day." That doesn't seem like a big improvement. After all, I can remember 23 of my 25 passwords.
. . . hereClarencecomes
Oh, sure, maybe they'll get lucky with the first 16 letters or so, but they'll never guess the next few hundred.
KFG
#10 is that Mothman guy.
Either I'm going to die now, or someone is gonna show me a really bad richard gere flick.
Don't know which is worse.
I like this advancement for the average user. I have been in tech support before and so many people have such terrible passwords. It is so much better than 'password' or having the same password as your login.
This is really great for Joe ServicePack, but I already have a 27 character (punctuations and numbers included) password.
wOAH, i KNOW kUngfUUUU. WOah. w'OAh. eHeh
tEH cOOLNNNNess.
By that logic, half the slashdot community has a password somehow connected to the Goatse.cx Guy.
The REAL jabber has the user id: 13196
What you do today will cost you a day of your life
OK, I'm very very very concerned.
Don't tell me that nobody else can see in inkblot number (1) a (presumably female) person that is standing on her head, wearing a skirt which has dropped down over her body under gravity?
I'm aghast. Come on folks, it can't be anything else.
If ever there was a topic that legitimately warranted a goatse-guy link, this was it.
I'm disappointed.
There's no mixing of case, numbers, etc. It's twenty random characters. Now you may remember these 20 characters better than your normal random characters but it leaves you with a password where there are only 26 options for the first character, 26 for the next, etc. - it's still trivially easy for a password generator to crack.
Plus, how many places are there on the web that limit the length of passwords to like 8 or 10? If you use 4 inkblots and generate an 8 character string of letters all in one case, that's not exactly a strong password.
Did those inkblots suck ass or what? Some just really didn't lend themselves to pictures for me.
No, actually, this is not what the studies show. Studies show that students who get fewer than 7 hours of sleep the night before a test do decidedly worse than those who get 7 or more hours of sleep. This is especially true of younger students (read, high school age).
Long term memories -which is what you need to lay down for test taking - are apparently finalized in REM sleep, much of which takes place in the last sleep cycle before waking - i.e., the last 90 minutes of a 7-8 hour night of sleep. Most of early sleep is deep sleep, when body repair takes place. Most of late sleep is REM sleep, where dreaming takes place, and, apparently, long term memories from the previous day's experiences are laid down. This division is true both of the individual sleep cycles - deep first, REM last - and of the course of a night's sleep as a whole. Early sleep cycles consist of mostly deep sleep, and later sleep cycles consist of proportionately more REM sleep.
So, if you miss that last hour of needed sleep, your body is repaired, but your memory will suffer. Remember this the next time you take a test. If you need to get up at 8:00, when midnight rolls around, you'd be *much* better off going to sleep, than studying to 1:30 am, and trying to make do on 6 1/2 hours of sleep.
Why the insistence on multiple inkblots, and taking the first and last letters?
Why can't they just have one ink blot and have the users description of it as the password?
Batmantakingashowerwithabagofsnails is better and longer than brrowehsespgtnbgbgbg.
Thank You! I've been wanting to say something like this for a while. Half the posts in this story are "haha, they use IIS, their site is down, IIS sucks!" Please people, it's common sense, apache is down just as often as IIS is. Oh, and btw, it's NOT slashdotted, it has too many users, try checking back later, other people have and have gotten the article.
I want you to assume that all spelling and grammar errors are intentional. Thank You.
Good point. If you can't be bothered giving everyone their own userid/password, you probably don't feel a need for the most unbreakable passwords possible.
These particular inkblots are created in a manner that makes them symmetric along the vertical axis. If MS wanted the research to be applicable, they had to use the same types of inkblots.
Sure, common sense says that random inkblots would work better. But I'll gladly take the empirical results of research over common sense, and there's lots of research on the Rorschach Inkblot test.
[am not! are too! am not!]
The strongest possible password is the string with the most entropy that you can reliably remember and enter, i.e. the output of a password-generation method that has the largest possible number of different outputs (assuming that they are equally likely up to computational feasibility, that you can reliably remember and enter the password, and that an attacker has any reasonable chance of guessing how you generated it).
It is NOT the longest string you can commit to memory. There are people who have memorized thousands of digits of pi, but the first thousand digits of pi would be a horrible password if someone knew that you had memorized them. Similarly, Shakespearean soliloquies suck, especially if you are a Shakespeare geek.
A random sentence from War and Peace has maybe 16 bits of entropy. A random paragraph has fewer, because there are fewer paragraphs in War & Peace than there are sentences. A random word from /usr/share/dict/words has about 19 bits of entropy, and thus beats out the sentence. A decent PC could crack any of these in seconds flat, if an attacker suspected you had used one of them.
If the string is anywhere on your hard drive in plaintext form, be it in the words dict, a deleted email from Amazon, or your War and Peace ebook, it has at most 40-some bits of entropy (depending on your hard disk size and its length), and could be cracked on a small cluster in days if your hard drive were stolen.
A 5-word diceware.com password such as "cleft cam synod lacy yr" has about 63-64 bits of entropy, and is my preferred password type for long passwords because it is fairly easy to remember. A 10-character RAD-64 password such as "4TFA/ii+Xc" has 60 bits. An 18-digit random number has about the same.
If you can narrow each inkblot to 50 possibilities, then a sequence of 10 of them has about 57 bits of entropy in 20 characters. (Don't take my word for it, I calculated it in my head.) That's feasible for the govt, or distributed.net, or a very large company. Not bad for a Passport account which is unlikely to have its hash lifted anyway, but since I can remember the RAD64 or the diceware one more easily and enter it faster, I'll stick with one of them for the accounts I care about.
Anyway, the password strength you need depends on how much you care about what it protects.
For instance, I have 10-word diceware for my PGP master signing key, which is about as strong as the hash. Accounts that I don't really care about, like /., have lousy passwords which are variants on an older one, but are easy to remember and quick to enter. You won't guess any one without looking at the others, and I wouldn't care much if you did.
I hereby place the above post in the public domain.
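An added example, written for this page and not taken from the article or from any poster, that puts numbers on the entropy figures in the post above and on the first/last-letter dictionary attack several posters describe (the 26^10*25^10 versus sum of 94^i comparison, and the "test the most common descriptions first" attack). It reuses the ten descriptions one poster listed for the blots (mantle ... angel); the alternative descriptions per blot are constructed sample data standing in for the guesser's candidate list, and the 50-answers-per-blot and "no q in even positions" figures are assumptions carried over from those posts.

```python
import math


def first_last(description: str) -> str:
    """The article's rule: keep the first and last letter of what you saw."""
    s = description.strip().lower()
    return s[0] + s[-1]


def inkblot_password(descriptions) -> str:
    """Concatenate the two-letter chunk of every blot, in order."""
    return "".join(first_last(d) for d in descriptions)


def bits(choices: float) -> float:
    """Entropy in bits of a uniform choice among `choices` possibilities."""
    return math.log2(choices)


def scheme_bits() -> dict:
    """Entropy of the schemes compared in the thread, all assuming uniform choice."""
    return {
        "inkblots: 10 blots, 50 plausible answers each": 10 * bits(50),
        "inkblots: 10 blots, 26*25 first/last pairs each (upper bound)": 10 * bits(26 * 25),
        "random printable ASCII, 8 chars": 8 * bits(94),
        "random printable ASCII, 20 chars": 20 * bits(94),
        "diceware, 5 words": 5 * bits(7776),
        "base64, 10 chars": 10 * bits(64),
        "decimal digits, 18": 18 * bits(10),
        "one word from a 500k-word dictionary": bits(500_000),
    }


def keyspace_first_last(n_blots: int = 10) -> int:
    """Upper bound on 2*n_blots-letter passwords of the first/last construction:
    26 letters in odd positions, 25 in even positions (assume no word ends in q)."""
    return (26 * 25) ** n_blots


def keyspace_printable_up_to(max_len: int = 8) -> int:
    """All printable-ASCII passwords of length 1..max_len (the poster's sum of 94^i)."""
    return sum(94 ** i for i in range(1, max_len + 1))


def guessable(password: str, candidates_per_blot) -> tuple:
    """Offline dictionary attack against the first/last-letter construction.

    Each blot contributes an independent two-letter chunk, so the attacker
    only needs the chunk to be in that blot's candidate set; the number of
    passwords to try is the product of the per-blot distinct-pair counts, not
    26^20. Returns (hit, tries)."""
    pair_sets = [{first_last(c) for c in cands} for cands in candidates_per_blot]
    chunks = [password[i:i + 2] for i in range(0, len(password), 2)]
    tries = math.prod(len(p) for p in pair_sets)
    hit = len(chunks) == len(pair_sets) and all(c in p for c, p in zip(chunks, pair_sets))
    return hit, tries


# The ten descriptions one poster in this thread gave for the article's blots.
SAMPLE_DESCRIPTIONS = ["mantle", "linebacker", "two hands", "knees", "two faces",
                       "spider", "flying frog", "smoking", "demon", "angel"]

# Constructed candidate lists: what a guesser might try for each blot.
SAMPLE_CANDIDATES = [
    ["mantle", "fireplace", "bat"],
    ["linebacker", "football player", "robot"],
    ["two hands", "hands", "praying hands"],
    ["knees", "legs", "two people"],
    ["two faces", "faces", "silhouettes", "face to face"],
    ["spider", "crab", "bug"],
    ["flying frog", "frog", "moth", "bat"],
    ["smoking", "smoke", "cigarette"],
    ["demon", "devil", "monster"],
    ["angel", "butterfly", "fairy"],
]

if __name__ == "__main__":
    pw = inkblot_password(SAMPLE_DESCRIPTIONS)
    print("password:", pw)
    for name, b in scheme_bits().items():
        print(f"{b:6.1f} bits  {name}")
    print("first/last keyspace, 10 blots:", f"{keyspace_first_last():.2e}")
    print("printable ASCII, 1..8 chars:  ", f"{keyspace_printable_up_to():.2e}")
    print("dictionary attack (hit, tries):", guessable(pw, SAMPLE_CANDIDATES))
```

Two things the numbers show that the posts only gesture at: with a few candidate descriptions per blot the whole search is tens of thousands of guesses, not 10^28, and different descriptions collapse onto the same chunk ("two hands" and "two faces" both give "ts"), which shrinks the space further than the count of candidate words suggests.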
I decided long ago then whenever I am asked to submit to an inkblot test, I will state that every inkblot looks like an inkblot.
Therefore, I see:
inkblot inkblot inkblot
inkblot inkblot inkblot
inkblot inkblot inkblot
inkblot
And my password is...
ibibibibibibibibibib
Sounds good to me!
"I mean look at 3G, what's it for? Look at the Space Shuttle; cool as hell, but not a profitable thing. Segway?"
Interesting examples. However you have actually failed to draw a clear cause and effect between egg-head idea and failure of idea in the marketplace. There's many people in between those two points. Any of which could have messed up an otherwise good idea. BTW your middle example really doesn't belong because the space shuttle wasn't meant to be a business venture with a corresponding balance sheet, and shareholders. But as a vehicle of exploration, both of ideas as well as space. The let's make money off space will come later when all the pioneers have died off from arrow poisoning.
Most web sites, and I'm sure hotmail is in this number, limit the size of the password field. If I had committed to memory a random string that was 1000 characters long, it doesn't matter much when the web site asking for a password only accepts 10 characters. Now, when you're dealing with a 10 character limit (a reasonable real life example) it matters A LOT if your dictionary is 50% larger.
Sounds like a major breakthrough in security.
Hahahaahahaha. Sounds more like a dictionary attack waiting to happen.
Stop-Prism.org: Opt Out of Surveillance
1) breasts
2) breasts
3) breasts
4) breasts
5) breasts
6) breasts
7) breasts
8) breasts
But, hey to each his own.
Nope. Most people see the same things in ink blot tests. This page puts it, "There are several responses that almost everyone gives; mentioning these shows the psychologist you're a regular guy." Because the original 10 inkblots were random to begin with, it does not matter how many random variations M$ decides to use. They are going to get the same kinds of answers.
The article didn't say it will be the most secure password ever, is specifically said that it will be a stronger password than most people use, and that people will be more likely to remember it without writing it on a post-it note 'hidden' by being stuck to the underside of a desk.
Duh, passphrases are like that. Just about any scheme using passphrases is better than asking people to come up with a random word, the M$ default. The silly inkblot detracts from the randomness of the phrase and that was the point. The big gaping holes that Microsoft is famous for defeat any and all actions the user might take. It's dishonest of Microsoft to even use the word "security" to talk about their junk.
Friends don't help friends install M$ junk.
This is a good idea, because you know, for the life of me, I can never, ever remember my password -- I can remember the keystrokes for it, but I don't remember what it is. I tried making the switch to Dvorak a few months ago, and failed for this reason.
Then again, I doubt other people have passwords like Q#34tyb9x!y± (note: not actual password :D), but it's still nice.
Most people recommend taking a book from your library and highlighting a sentence to remember. It's nicer if the book is no longer in publication. When you need to get your sentence, just open the book like you were researching something. Local attacks are made difficult if you highlight things ordinarily. Dictionary attacks are made difficult by not knowing how many letters people use.
Friends don't help friends install M$ junk.
Unless you are a blind person. Then I guess you are
kinda screwed, but they are used to that by now I'm
sure.
For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
Looking at the 'evil flying henchman' ink blot, three things instantly come to mind:
(1) flyman
(2) viking hat
(3) man taking a bow on stage. The two "wings" are his shadows from two separate light sources.
When I make the password, I might have seen "The Fly" or been bitten by a mosquito earlier so I'd choose 'F' for my letter because "flies" are on my mind.
Tomorrow, I might come across a viking story or see a Hell's Angel biker so I'd think that the first letter is 'V' because tough "viking-like" people are on my mind.
The next day I might watch a play, see a rock band, or something about the Royal Family so I'd think that the first letter is 'm' or 'b' because bowing is on my mind.
So there's a 1 in 3 chance that I'll reselect this letter right. Since each shape has at least three interpretations, there are 3.5*10^9 possible passwords that I have to try before I get the right one.
There's a far simpler scheme that is reproducible.
Tell a person to look at a long paragraph (at least 1000 lines long) with a mix of opinions and highlight three passages that they like. This scheme generates two three digit numbers for each passage and there are a total of three passages, so there's a total of 9^(3+3+2) or 43 million combinations. Most people don't have much difficulty remembering things they like, so it should be simple to remember them. People who are visual (and not auditory or kinesthetic) wouldn't remember the words, but they would remember how they highlighted the text, so it should be easy for them too.
The cracker would need to know *nothing* about the individual user, just what responses were most common statistically.
The article described a system that would generate an infinite number of random inkblots. Every user would have their own set of inkblots that their password was generated from. If everybody used the same inkblots, I could see how this would be a problem. With random inkblots there would be no statistical answers that were most common. You would have a unique set of inkblots to crack for each unique individual.
I think the big problem with passwords is when you don't use them enough to remember them. If that's the case, then by the time you have to use the password again you've forgotten how you described the inkblot. After 2 months I think the odds are pretty good that you might look at it a little differently (at least enough to change the first letter of ONE of them). In that case the password's lost. If this is to be used for passwords you use every day, then I think people won't have a problem remembering it without the inkblots.
if(!cool) exit(-1);
1. Top-down view of someone 'dining at the Y'.
2. Fat lady doing the splits.
3. Vagina with some piercings and an ugly-ass tattoo.
4. Some guy with hemorrhoids bent over and spreading.
5. Two oriental guys with green hats looking at each other.
6. What I would see just before 'dining at the Y'.
7. Flying frog/alligator guy.
8. Two aliens looking at each other with a symbol of crossed condoms between them.
9. Batman flashing some kids.
10. Batman doing 'purple woman' from behind.
There's no way I'm going to remember my password without writing this down. I think I'll stick with the method for password generation that I have now. No, I'm not telling you what it is. Security through obscurity will work in this instance.
Is there a psychiatrist or psychologist reading this? Am I normal?
At first I didn't see the explicit sexual imagery people are posting about on slashdot...but after being told what to look for...those inkblot creators are perverts !
I got: 1) Turtle mouth 2) Iceberg chunks 3) Indiana Jones 4) An apple peel 5) Oktoberfest 6) Orange cream puff 7) Black tutu 8) Llama stool 9) Superman's couch 10) Insect repellant So I guess my password is: Thisisalotofbullshit
I played a game in school to pass time in class where one person would write down a name of a place on a map. The next person would write down another place on a map starting with the last letter of the previous word. After a while I started to realize that a lot of the words on (at least) maps have a high probability of ending with a certain subset of the letters.
I think you could create a certain weighting on letters to help crack the password that would be created in a manner like this. Just off the top of my head I would think letters like 'n', 'y', 's', and 'e' would be weighted highly for the end letters. To make this method stronger I would try to find a way to incorporate numbers and other characters into the password.
Do you see what I see?
--
This system is not friendly to the blind, since you have to know which inkblot is displayed in order to enter the correct corresponding password. So its not a solution for everyone.
Well I think it is proven that different people see different things when looking at these shapes. Here is a complation of what people have said so far. And yes, it did take friggin' long to compile this:
Please blame the lameness of the formatting of this list on slashcode: "Your comment has too few characters per line (currently 20.0)."
Image 1:
-butterfly swimmer, Snooty Nose, mantle, Mask and dress, Mugatu from Zoolander, Person with hands behind back looking at feet
-Two birds on a tree with two dogs breathing fire -on them, Angry hippie, diablo howling into the air, A rabbit with horns lifting weights, Angry robot with guns
-Strongbad, Fighter Plane, Two birds singing, Missouri, tripod mortar
Image 2:
-fat person stretching, Christian Slater, Bear in a T-shirt, Board Meeting, Gravity challenged lady in lycra super hero outfit doing the splits
-Sumo wrestler on his ass, Jabba the hutt wearing a cape, fat sumo man in his fight stance, Squatting sumo, Cartman (I haven't even seen many SP episodes)
-Headboard or a bed, A gorilla in sweats doing a split, Fat woman stretching, linebacker, Kneeling fat man, recycle logo
Image 3:
-WWE Smackdown Entrance, Transformer, two hands, Zoro meets Willie Nelson, Someone eating coffee grounds from a filter with chopsticks
-Bob the Tomato from Veggie Tales, Someone drawing with both hands, Knitting a fez, one of the things from the movie Gremlins, An ambidextrous person writing with both hands
-Two bunny rabbits eating guts, Bee face close up, Cockpit, Tropical island with two palms without tops, Obviously Goatse, buglike jetboat
Image 4:
-bushy woman on the shitter, Oak leaf, Hands washing black socks, LAN Party, Woman with grey arms force feeding candy to two children
-Batman's crotch, A large table saw designed to work in a gravity-less environment run by a tip driving magnetic motor, pelvic bone yo
-Hands full of glue, I have no idea. Nothing comes up., Comfy slippers , Feet of a reclining person
-Woman with panties down doing the Charleston, knees, Earmuffs, Evil Eyes
Image 5:
-Person Gasping, Pierre and Pierre, two faces, Two green berets talking, Two ice cream cones, Arab looking in a mirror, Two weeping men with large green hats
-Rastafarian argument, two men crying as they face each other with big puffy green hats, two frogs wearing hats sticking their tongues out, Two green berets with black eyes, Two malnourished mullahs with camouflaged hats discussing the art of fellatio,
-Osama, Two boys playing soldiers, Trent Reznor, two eyes with big green brows
Image 6:
-grinning insect mouth, Edmonton (Canada), Camp entrance, Bloody Chest, Super hero adjusting bra
-Football shoulder pads, a person's hat with fake hair and pigtails attached, another pelvic bone?
-Hands holding a brassiere, Spider, Monkey doing telepathy
-A headless woman, Man hiding eyes, spider, Mittens, Person Gasping
Image 7:
-Turtle man, Flying Monkey, flying frog, Flyman, A frog in an apron, Frog with wings in apron, Mean green fly, Dragonfly frog, totally a flying frog chef duh!
-A winged frog wearing coveralls, Fairy frog wearing an apron, Jack Osbourne dressed as an angel, Frog Ferry, Green winged mole, Letter label, Yoda with bug wings
Image 8:
-The fat blue guys from yellow dubmarine shooting condoms out of their bellies
-Yugos
-Blue rabbits smoking.
-Globe
-Two Blue Meanies looking at a big butterfly
-Two sheep heads crapped on by a butterfly
-2 dinosaurs watching a large butterfly
-two men in suits watching a butterfly fly between them
-Tying a bowtie
-Dino men from Super Mario Brothers movie
-RC controllers
-Snapping fingers
-Two men shot in their heads thinking about bras.
-smoking
-Two Aliens
-Boys Spitting
Image 9:
-Batman fighting
-Bird in the hand
-demon
-Italian man twirling two pizzas.
-Batman peeing
An innovative, potentially useful idea coming from Microsoft?
:-)
LOL, maybe that's going too far, but it is pretty interesting, and certainly fun. I like the hidden secret aspect especially.
Lots of security systems use the notion of a hidden secret -- CHAP is probably the most common. The secret is most often part of the computing platform and not part of the user, although textual prompts to the user have been in use for many years so the general mechanism is not new.
Here they're using two hidden secrets, chained: the inkblot input gets transformed first by one's fairly unique pattern recognizer and then by one's fairly unique word association machinery, neither of which is ever externalized. In principle that sounds pretty viable, although it does raise the question of whether both transformations are deterministic, and if not, then whether one helps the other to converge or whether a failure in one always leads to divergence. As with anything related to our inner workings, there are a lot of unanswered questions in this area, and not just for psychoanalysts.
Reproducibility could be a concern too. Since our pattern matching is sensitive to color and brightness and not just to shape alone, the method of encoding the inkblots to generate always the same image attributes regardless of platform or display is probably going to be non-trivial.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
Because the least common denominator has never been my thing. That's my whole point.
United States of America, good ol' backers of world peace.
(1) An inkblot
(2) An inkblot
(3) An inkblot
(4) An inkblot
(5) An inkblot
(6) An inkblot
(7) An inkblot
(8) An inkblot
(9) An inkblot
(10) Standing in sort of sun-god robes on a pyramid with thousands of naked women screaming and throwing little pickles.
So the correct password is atatatatatatatatatss
Mod me down and I will become more powerful than you can possibly imagine!
I think her hashing scheme needs a little work. Looking through the comments, lots of people identify blots as [noun] [present participle] (e.g. "batman flying"). All present participles end in -ing, so I think you would find a high incidence of 'g' in even positions of passwords generated with this scheme.
....that this doesn't really matter, as long as an attacker has physical access to the machine...because there are those handy little hardware keyloggers. They are quite handy ;).
I belong to the ______ generation.
Meth
In a word: Amen!
From the article it seems that 'most' people remembered the password the next day. What about a couple of month later after not using it? Oh, and:
Umm...
Sounds to me like, if you're going to write it down, you may as use a password encrypted private key file and then pop your public key into all the servers to which you need access.
Heck, using SSH and public/private keys you can use a 1024 bit key, have secure access to hundreds of systems, and only have to enter your password once per bootup.
- Peter
RimuHosting - UML VPS Hosting
1. a space creature taking a dump
2. fat chick wearing tights and doing a split
3. a squished Cacodemon
4. blue and grey podracer
5. podracer nacelles that have lost their pod
6. lady about to rip off her red top
7. a dead and bloated green skinned gardener lying in a pool of green blood as pictured on rotten.com
8. a bird just took a purple dump on 2 guys
9. batman takes a piss while being attacked by 2 pickles
10 . batman in flight humping a purple creature
I think I just lost my job.....
Huh?
grrr. realuser
My other sig is extremely clever...
I do a lot of reading and usually jot down sentences that I find interesting in those books.
When it comes time to change passwords, I simply pick the sentence that appeals to me most at the time and use the first letter of every word in the sentence. I combine this with a few *rules* I have set... One rule, for example: a,e,i,o,u is represented by 1,2,3,4,5 respectively. Another rule: the first, last, and *keyword* (the main word/point of the quote) is capitalized... you get the idea...
So when it comes time to type in my password, all I have to do is simply recite the quote in my head. This not only helps me remember my password, but it also helps me remember quotes I think are worth remembering!
I like my system better: Change everyone's password directly on the server. Keep them in an encrypted (but easily searchable) database which only the admin can keep.
Tell the user to remember their password.
Demerit the user each time they have to ask for it, and publish the demerit count every week. Shame them. Demerit them further during daily inspections of workspaces if they have written it down anywhere.
Encourage "Survivor" tactics where workers try to figure out each other's passwords, and earn points for each password they discover. Keystroke logging, hidden cameras, it's all fair in the name of security. And of course, demerit the person whose password was compromised.
They will remember. Oh yes, they will remember.
On first day of hire: "WELCOME TO STRICTCO! YOUR EMPLOYEE NUMBER IS 103489923477730493. THE COSINE OF THAT IS YOUR PASSWORD. FORGET IT, AND WE DOCK YA!"
# Erik - 27 password demerits since 1997
Disclaimer: According to section 39485 of StrictCo's Employee Handbook, by using STRICTCO's Internet connection to post this message, the user's name and password demerit count must be published with each message, along with this disclaimer. Please report any violations to hr@strictco.gg
# Erik
to your dictionary attack, because most people will see most inkblots as the Moth Man.
Great. Just what we've always needed. Rorschach tests administered en masse and stored in Spylladium.
Isn't it a weakness that the password will always be of a certain length (in the example in article 20 chars) and it'll most likely be only the letters a-z?
my diceware. Really long, easy to remember, and obviously secure. Sometimes I do use a random product key (not just microsoft) that I have used enough times to commit to memory, but that's only for hotmail and other stuff I couldn't care less about.
... you insensitive clod!
Blogs eating mother
Dead blogs
Mother eating dead blog
Dead blogs
Dead mother
Blog...dead
Mother killed by blog
Dying blog eating dead blog
Mother giving birth to dead blog
Death
Noo not the blogs.
Vehicle Stars used car search is my current project
Take a look at number 6.
It is clearly the goatse man!!
Will code a sig generator for food
To put that number into perspective, you could break ALL random 7-letter (a-zA-Z0-9) passwords with 62^7 guesses. This is about 3 times less than you would need to break only 25% of those inkblot passwords.
If you studied inkblot frequencies they might even be more predictable (I saw a lot of words ending with 'ing or 'er in the Slashdotters' posts), but probably not so much as to make them considerably less secure than completely random passwords.
Well, it's easy if all possible outcomes are equally likely. It's just log_2 (# of outcomes). So flipping n fair coins has n bits of entropy.
If they're not equally likely, then it's messier. I don't recall the formal definition, but I think it goes something like this in the case of passwords: if your nth guess has probability P_n of being right, then entropy is
sum (all n) P_n log_2 (n)
That is, the entropy is the average number of bits you'd need to encode a randomly selected password if you had perfectly-tuned compression. This assumes that you can generate those guesses in descending order of likelihood without wasting too much CPU though.
The entropy measurement applies better to a corporate password policy, or something like the inkblot system, or a PIN, where an attacker could reasonably know how your passwords are generated (at least what sorts of things are likely to end up as passwords). If you mangle a word out of an old Russian dictionary, and the attacker doesn't guess this, she'll have to pretty much do a brute-force search.
I hereby place the above post in the public domain.
Because of how the human brain works, you can show the same pictures to different people and almost always come up with different passwords.
Yeah right. Almost every male is gonna see a vagina. That is not a secure password.
Table-ized A.I.
1) tiki mask
2) hutt overlord
3) mutant tomato with arms
4) bottom of feet w/ weird light blue toe-slippers
5) donald duck in a mirror w/ a berret
6) chick's breasts + arms w/ red bra and grape oven mitts
7) gangster fairy frog
8) lobster and eagle "hands"
9) The Tick
10) a gargoyle or dragon
anyone else see these things? maybe I'm overly imaginative.
I would never be able to remember the resulting password; the images, sure I could remember them, but I think i'd have an easier time remembering 5k23amZ or such.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Try re-reading his comment. He is saying that this concept of inkblots is not very secure because several people would be thinking of the same thing when seeing that "ink blot". (This act of saying something that the author does not actually seriously believe is called a joke.)
I don't know about anyone else, but this hurts my eyes.
quiquid id est, timeo puellas et oscula dantes.
This is the dumbest thing I've seen yet regarding security.
Who the fuck are these moderators anyway? If I'd said that macs are heaping piles of flaming shit with a $3000 price tag, maybe... I didn't think a comment to a sub-sub-original post was worth modding at all, but I think I was closer to funny, ya asshats.
SIG: TAKE OFF EVERY 'CAPTAIN'!!
Is this a password hint system or a test to see if you are insane enough to use MS products?
Strong encryption, I love the idea that we are using images (worth a thousand words apiece = 4k) to create the number space of the possible answers. As IBM has proven with their past "random number generator", once the "random" solutions are placed through a filter of n-dimensional space, patterns emerge. Even with every human (6B plus) having a different idea (most likely not since culture should divide the answers) and multiple permutations, I imagine this still falls far below modern standards of encryption. Since I am not a mathematician, but I play one on TV;), I am confident the real folks who know this stuff will confirm or deny the results of this "randomness" is not just smoke and mirrors.
Corporate America and their M$ whores could care less about you. You have to pass the Minnesota Multiphasic Personality test to work for them, and if you can answer that you can pass the ink blot like any other corporate drone - no brains, no imagination - you fit in great. Otherwise, out you go to hustle or starve with the rest of us.
Friends don't help friends install M$ junk.
You know, the whole seeing thing? And there are probably more blind people than there are people with prosopagnosia.
On the other hand, just because a small segment of the population has an odd disorder that prevents them from recognizing faces doesn't mean the system is worthless.
I still think it's a good idea, so long as it isn't the *only* solution.
This is a great quote from one of my favorite movies, Real Genius
Did you mount a military-grade, variable-focus MASER on an unlicensed artificial intelligence?
namely you assume that distribution over the alphabet is uniform and it's way not. people who put numbers in their passwords rarely put more than one and they are usually consecutive. putting in consecutive numbers DECREASES the effective alphabet size rather than increasing it.
Thus any scheme which has a high entropy of the distribution over alphabet is superior to a larger alphabet whose entropy is less. The Microsoft scheme which uses first and last letters (unlikely to be correlated) is such a high entropy scheme. Admittedly, the suggestions you made using diceware and rad-64 do have high entropy over their components but they are also hard to remember.
hence my original statement that the best password is the longest one you can remember is essentially true, but should have been qualified to say the characters distribution has a high entropy.
Some drink at the fountain of knowledge. Others just gargle.
> (7) A frog in an apron (According to the article everyone thinks it's a flying person!)
Better than mine. I saw an extra large green fairy bending over a sheep for his own bidding...
(and my list for completeness' sake)
alien
???
draw bridge over red river with oil spill
people dancing
french guys
spider
large green fairy fucking a sheep
pot smokers with little green hats
muscle man with tiny head
winged monster sitting on a bench.
We don't need an "overrated" so much as we need a "you completely missed the parent's point, dumbass..."
Now that's a woman
that's a house
that's a butterfly
that's a beeeeee
furthermore in addition to getting your arithmetic wrong, you make the hideous assumption that the distribution over your enlarged alphabet is uniform. it is not at all. if you used half the characters twice as often in your enlarged alphabet then you would be much worse off than a completely random distribution over just the lowercase alpha. the latter being (almost) what the ms folks are suggesting (admittedly first and last letters are not uniformly distributed over the alphabet, however since adjacent letters will have almost no correlation there will be further gains here).
so the goal is to make the password as short as possible that is easy to remember and has the highest entropy over its component distributions. the MS scheme is very close to optimal I would bet.
Some drink at the fountain of knowledge. Others just gargle.
each glyph in the article was not a single word but rather a phrase. thus the first and last letters are from different words and thus decoupled from the dictionary.
Cool!
So they can set a unique (like you) password and make you a psychoanalysis at the same time...
Huh...
Did Microsoft go THAT far into our minds...
Let me fly about it...
Hacker: hey!, just got this guy inkblot-passwords, Hack-the-sike v2.f says he is a manic-depressive and also has serious pedophile tendencies...
1. Britney
2. Britney
3. Britney
4. Britney
5. Britney
6. Britney
7. Britney
8. Britney
9. Britney
10. Britney
What a gal!
All things in moderation; including moderation
So I guess it's too much to ask of people to create a password that isn't "12345" or "qwerty" that's easy to remember, huh? Wow, Americans really are lazy.
nt
& I wish I knew the password to your heart . . . &
Patrick speaks truth. The point of the original article is that inkblots may be an elegant solution to the "strong password" and "weak password" problems.
With the classical strong password consisting of long, completely random characters, you risk forgetting it and needing to leave sticky-notes reminders to yourself, or calling the admin (or a spoof admin calling you!) to reset the password.
With the classical weak password, you of course are a major security risk.
The inkblot scheme is a trade-off, like all security schemes, but it seems to me it's meant to kill off the weak password, and consequently the vast majority of attackers who are capable of weak-password attacks on your accounts. That's a good thing in my estimation.
Lansdowne
In a real company, they would be tossed out the door.
A while back, I came across this article that really put into perspective how successful the *real* companies are at making computer products. Look towards the end of the article for the really good part.
The gist of it is that Mitch Kapor, after Lotus became wildly successful and turned into a "real company", did an experiment and submitted the resumes of the first 40 people who started Lotus (including Kapor himself) to the hiring department (I assumed they changed the names but keeping the characteristics of the CV's). Not a single one of the people responsible for the original innovation that made all the money ever received any kind of response.
Ergonomica Auctorita Illico!
This has got to be the stupidest idea, how long before Microsoft sends out a Press release saying it's a joke (just like it did with the ipoo/iloo.)
Free Instant Site Inclusion
lets see, assuming they used first letter last letter pairs of phrases (like the list) you have
* 26 *25*26*25 (assuming that q does not end words, I know it ends a few though).
26*25*26*25*26*25*26*25*26*25*26*25*26*25*26*25
you know the password is 20 characters long (does not help much)
I get 8*10^30 (about, I may have added a 25*26)
A typical strong password has 95 possible characters a place (a-z,A-Z,0-9,shifted 0-9, space, and another series of symbols between enter and the letters.
so if we round that to 100 we have the equivalent of 15 random characters (100^15=1(10^30)).
so I would call that 20 character all lowercase password strong, very very strong. It is a huge Pain in the ass though.
Also statistical analysis could possibly speed up the process. (for example e ends a lot of words)
Also will a tape recorder be a powerful tool to crack these? I imagine that a lot of people will think out loud remembering what they saw.
I doubt that the structural regularity is going to make it weaker then a typical "strong" 8-12 character password.
Just my guess though.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Do the passface method but use similar looking inkblots instead of the faces, it should have the desired effect, shouldn't it? You can't give away the passwords either, since "nobody" else interprets the inkblots as you do ("Well, first you click on the blot that looks like a mutated frog being raped."). You might not even need to interpret them to remember them, come to think of it.
Imagine - you've been using the new M$ blot password system for 2 years when all of sudden you get a knock at the door, it's the Feds Sir open up - we've got a tip off from M$ alleging you're a potential serial killer :-)
I used sentences in my War & Peace example for simplicity, they're not a good choice.
If each book has 1024 pages, and each page has 64 sentences, and you have 512 books, then that's 25 bits of entropy, or about 32 million sentences to guess. That's as many as a 2-word diceware password or 5 alphanumeric characters (ignoring case). It's stronger than those, because to crack the sentence you'd need an electronic library, but it sure would be a pain to type.
It turns out that even if you picked a random sentence from the Library of Congress, that would be at most 40-something bits, as there are only order of trillions of sentences in the LOC (although you'd have to have the electronic LOC to crack it, which only the govt could be expected to do). If you're going to pick a password from a book, start with a random word on a random page on a random book in the largest library that's convenient, use the next n words, and memorize the sentence(s) they're in.
Diceware passwords are strong and really not that hard to memorize. You can learn a 5-word one in a few minutes, type it fast, and only distributed.net or larger could attack it. Go 7 words and you're probably out of reach of the govt for the next decade.
I hereby place the above post in the public domain.
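The bit counts quoted in the Diceware posts above (5 words, 10 words, the 10-character RAD-64 string, an 18-digit number, 10 inkblots at 50 readings each, and the 512-book shelf of sentences), worked through as an added example that is mine, not the poster's. Every scheme is modelled as a uniform choice among N outcomes, so its entropy is log2(N); the list and alphabet sizes are the posters' figures, while the typed lengths and the guess rate are labelled assumptions.

```python
"""Entropy and brute-force cost of the password schemes compared above.

Added example, not from the original posts. Entropy of `length` independent
uniform picks from `choices` symbols is length * log2(choices) bits.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


class Scheme:
    def __init__(self, name, choices, length, typed_chars):
        self.name = name
        self.choices = choices          # alphabet size per symbol
        self.length = length            # number of independently chosen symbols
        self.typed_chars = typed_chars  # characters the user must type (assumed)

    @property
    def entropy_bits(self):
        # log2(choices ** length) without materialising the huge power
        return self.length * math.log2(self.choices)

    @property
    def bits_per_typed_char(self):
        return self.entropy_bits / self.typed_chars

    def expected_years(self, guesses_per_second):
        """Average time to exhaust half the keyspace at the given rate.

        Assumes the attacker knows the scheme and has an offline hash; an
        online login that rate-limits attempts is a different threat model.
        """
        return 2 ** (self.entropy_bits - 1) / guesses_per_second / SECONDS_PER_YEAR


# Sizes: Diceware list of 7776 words; base64-style 64-symbol alphabet;
# 50 plausible readings per inkblot; 512 books x 1024 pages x 64 sentences.
DICEWARE_5 = Scheme("5-word Diceware ('cleft cam synod lacy yr')", 7776, 5, 22)
DICEWARE_10 = Scheme("10-word Diceware (PGP master key)", 7776, 10, 50)
RAD64_10 = Scheme("10-char RAD-64 ('4TFA/ii+Xc')", 64, 10, 10)
DIGITS_18 = Scheme("18-digit random number", 10, 18, 18)
INKBLOT_10 = Scheme("10 inkblots, 50 readings each, 2 letters per blot", 50, 10, 20)
LOWER_20 = Scheme("20 uniformly random lowercase letters", 26, 20, 20)
SHELF_SENTENCE = Scheme("random sentence from a 512-book shelf", 512 * 1024 * 64, 1, 80)

SCHEMES = [DICEWARE_5, DICEWARE_10, RAD64_10, DIGITS_18, INKBLOT_10, LOWER_20, SHELF_SENTENCE]

# Constructed assumption: a well-funded offline attacker at one billion guesses
# per second against a fast, unsalted hash.
ASSUMED_GUESS_RATE = 1e9


def rank_schemes(schemes=SCHEMES):
    """Schemes strongest first, by entropy."""
    return sorted(schemes, key=lambda s: s.entropy_bits, reverse=True)


def report(schemes=SCHEMES, guesses_per_second=ASSUMED_GUESS_RATE):
    """One line per scheme: bits, bits per typed character, expected crack time."""
    lines = []
    for s in rank_schemes(schemes):
        lines.append(f"{s.entropy_bits:6.1f} bits  {s.bits_per_typed_char:4.1f}/char  "
                     f"{s.expected_years(guesses_per_second):12.3g} years  {s.name}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The 20-letter inkblot string only reaches its 94-bit line if every letter were uniform; with 50 readings per blot it sits just under the 10-character RAD-64 string while taking twice as many keystrokes.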
Hey pen, here's a great example of why you should keep your wisdom to yourself. If we follow your logic, the Linux kernel mailing list host should drop Apache and mySQL. Ironic, isn't it?
And they would know your consumer tendencies..., if you are a potential hacker or terrorist...
Just another way of spying and controlling us.
Well, not "just", but a very deep one.
Anyhow wouldn't like anyone without my consent to analyze me.
The ATM security model is a two part model - one part physical (do you have the card) the other part mental (do you know the password). You have to satisfy BOTH conditions to gain access. Completely different security model than a password for a web site.
:)
My point about the 26 was that it would be a lot better to replace that 26 with 40 - something that the ink blot method rules out. If your only security model is that it would take a long time to try all the combinations of characters, then anything that limits that set of characters is a step in the wrong direction.
The current password security model assumes (incorrectly) that the characters chosen are usually random. The ink blot model COMPLETELY RULES OUT the possibility of them being random - psychiatrists used the Rorschach tests for years under the assumption that 'normal' people see the same patterns in inkblots. So every normal person's password would be the same and only freaks like me would.... wait a minute... never mind, this security model ROX, you should implement it immediately
That is, that 100 people seeing the inkblots will see 100 different things. Not so. 90 of them will see identical things. The other 10 are plotting violent revolution, worship Satan, are on LSD, etc. - normal people see the same things in inkblots. This is the basis of Rorschach tests, btw: normal people see the same things; if you see something else it is a clear sign of mental abnormality. So now rather than 100 people picking passwords that are their kids' names, you have 90 people picking bnbmskeiotspelk - a somewhat strong password, but now one password that works on 90 accounts.
Not an improvement.
Why not ask 10 different questions about your life to generate your password, each one generating 2 letters - then if you forget your password you just answer the ten questions again. Things like city of birth, mom's maiden name, etc. that won't change.
Wait till my mod points arrive, you're going down LOSER!
That's why you have to pick a phrase that only you would know, or even twist a common phrase.
As for Bartlett...
10484 results in this search...
http://www.bartleby.com/cgi-bin/texis/webinator/search?filter=col100&query=*&submit=Go
...easily parsed by looking between the keys QUOTATION and ATTRIBUTION.
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
why not just give everyone a series of different questions about their life? what is soooo special about inkblots? 1000 people may have 500 different answers for one inkblot, and about 500 different answers to 'what city were you born in?' I would personally have much more confidence in my ability to answer what city I was born in with the same answer consistently than I would what a given inkblot looks like.
the inkblots don't add randomness; giving people different inkblots is much more responsible for that. And some of those inkblots really didn't look like pictures to me - what do I do then, am I just screwed? I'll never remember what I decided on last time if I need to recreate my password again, while I would remember my mother's maiden name.
ANY system that's used will give better passwords than 'normal', but that doesn't mean this system is great - if it doesn't pass the laugh test on slashdot do you seriously see someone using it to secure their online banking?
perhaps this post will clarify the matter.
consider a password that is N letters long drawn from an alphabet of length D. the number of possible passwords is:
W = D^N
if I increase D by 50% by including numbers and punctuation then
W' = W * 1.5^N
if N is 10 then this is a factor of 57 times more combinations, not very significant.
Now assume that certain users will always place their punctuation and numbers at the end of their ten letter password. so if they used say two of these characters then this makes
W" = W*(1/3)^2
which is 1/9th as many combinations.
thus having a large alphabet in the best case helps little and in a common scenario hurts.
more significantly your ten letters/numbers are probably not truly random and if they are then you may have trouble recalling them. the MS scheme provides a good hinting scheme for close to random letter distributions.
thus the statement that longer memorable passwords beat a larger alphabet holds.
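An added example, not taken from the post above, of the general computation behind its W = D^N figures: the size of a keyspace is the product of the alphabet size at each position, so a password whose digits and punctuation always sit at the end is priced by an attacker as a template, not as a random string over the full alphabet. The per-position classes are named hashcat-style (?l, ?u, ?d, ?s) as a convention; the class sizes are the assumptions stated in the code, and the sample passwords are constructed.

```python
import math
import string

# Per-position alphabet sizes (assumed here; ?s is the 32 ASCII punctuation
# characters plus space, 33 in all).
CLASS_SIZE = {
    "?l": 26,                           # lowercase letters
    "?u": 26,                           # uppercase letters
    "?d": 10,                           # digits
    "?s": len(string.punctuation) + 1,  # punctuation and space
}


def mask_of(password: str) -> str:
    """Classify each character into the template an attacker would try first."""
    out = []
    for ch in password:
        if ch.islower():
            out.append("?l")
        elif ch.isupper():
            out.append("?u")
        elif ch.isdigit():
            out.append("?d")
        elif ch in string.punctuation or ch == " ":
            out.append("?s")
        else:
            raise ValueError(f"unsupported character {ch!r}")
    return "".join(out)


def mask_keyspace(mask: str) -> int:
    """Keyspace of a mask = product of the class size at each position."""
    classes = [mask[i:i + 2] for i in range(0, len(mask), 2)]
    return math.prod(CLASS_SIZE[c] for c in classes)


def uniform_keyspace(alphabet: int, length: int) -> int:
    """W = D^N: every position drawn from the whole alphabet."""
    return alphabet ** length


def suffix_template_keyspace(letters: int, specials: int, extra_alphabet: int = 13) -> int:
    """Letters in the first positions, then `specials` from the 13 extra symbols."""
    return (26 ** letters) * (extra_alphabet ** specials)


def bits(keyspace: int) -> float:
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time for an attacker who enumerates the whole template."""
    return keyspace / guesses_per_second


# The post's instance: D = 26, N = 10, then a 50% larger alphabet of 39.
W = uniform_keyspace(26, 10)
W_PRIME = uniform_keyspace(39, 10)
GAIN = W_PRIME / W  # 1.5 ** 10, about 57.7


if __name__ == "__main__":
    print(f"W  = 26^10 : {bits(W):.1f} bits")
    print(f"W' = 39^10 : {bits(W_PRIME):.1f} bits  (x{GAIN:.1f})")
    print(f"8 letters + 2 specials at the end: {bits(suffix_template_keyspace(8, 2)):.1f} bits")
    for pw in ("hunter2!!", "Password1", "correcthorse"):  # constructed samples
        m = mask_of(pw)
        print(f"{pw!r:15} mask {m:30} {bits(mask_keyspace(m)):.1f} bits")
```

Running the mask over a real password policy's typical output ("eight letters, then a digit and a symbol") is the quickest way to see why the larger alphabet buys little: the attacker never searches the 39^10 space, only the template the users actually fill.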
A good way I've found to generate some random alphanumeric password, and remember it, is to start up a new game of something like The Legend of Zelda, and enter your character name by mashing the buttons. It works fantastically, because your character's name comes up in almost every line of dialogue, so you quickly learn it. This would only work if you are generating the password at home and using it at work (or vice versa? :))... But it's not as though a cracker can h4x0r your N64 to retrieve your character name :)