Inkblot Passwords
TechnoPope writes "Microsoft Research has found that a new way to get users to not only develop, but also remember, more secure passwords can be achieved through using inkblots. Because of how the human brain works, you can show the same pictures to different people and almost always come up with different passwords. What's even crazier is that people generally are able to remember the complex passwords. Sounds like a major breakthrough in security."
Is It Just My Imagination?
by Suzanne Ross
Are inkblots meaningless smears of ink, or the secret key to your personality? Though most psychologists no longer use inkblots to determine the twists and turns of your psyche, sometimes they pay attention to the stories you tell yourself about the blobs.
Adam Stubblefield, an intern with Microsoft Research, thought that our ability to tell ourselves unique stories about inkblots might be a secret key to a strong digital lock - the online password.
Stubblefield and his manager at MSR, Dan Simon, knew that people are the weakest link in secure computing environments. They knew that users generally pick weak passwords because they can remember them. They tend to use birthdays, pets' names, spouses' names or birthdays, or a favorite hobby. If a computer system forces us to pick a strong password, we often write it on a post-it note and stick it to the side of our computer, where it can be read and used by any passerby.
Give Me A Hint
"Good passwords are hard to remember. And easy to remember passwords are easy for other people to guess. What we wanted to do is give people a hint to help them remember a good password," said Simon.
They needed a hint that would mean something to the user, but not to anyone else. They wanted to use some type of image-based authentication. But there were problems. Most of the methods had what they considered to be a fatal flaw.
"All used a pointing device rather than a keyboard for input," explained Stubblefield. "This limited the rate at which the password could be entered, and exposed the password to anyone looking over the user's shoulder. We realized that a better scheme would provide some way for users to somehow construct a private textual entry from an image displayed on their monitor."
What Do You See?
Stubblefield used his imagination to come up with a solution. "I realized that a child accomplishes a very similar task when he points at an oddly shaped cloud and announces that there is a moose in the sky. There are not, unfortunately, huge amounts of published data on this cloud naming phenomenon." But there are volumes of information on the Rorschach Inkblot test. They decided to use inkblots to help users remember their passwords.
Sound too odd to be true? Even Simon was a bit skeptical at first. "I thought people wouldn't remember what they had seen in the blots. My first reaction was, 'oh, come on,' but it turned out well."
Stubblefield said the users had a similar initial reaction. "When we first explained the task to the users in the studies, the users were almost uniformly incredulous. Even after using the inkblot passwords, they were amazed that such an unconventional scheme actually works."
Computer Generated Inkblots
To make the system work, they developed a program that can generate an unlimited number of random inkblots.
"We show you a bunch of computer generated inkblots," said Simon. "We ask you to look at the inkblot, see whatever you see in the inkblot, and type a short abbreviation of what you see. The first and last letter works well. We do that for a sequence of inkblots. At the end of all that we take you through it a few more times, but we scramble it in a random order first to make sure you haven't just typed in whatever you wanted to and ignored the inkblots altogether. We run it a few more times to make sure you have it in your memory, and thereafter whenever you try and log in we'll give you that second order of your inkblots. Eventually you'll just commit it to muscle memory and you'll learn it. And the inkblots will trigger the same memory."
Stubblefield and Simon found out that once we've identified the inkblot we see it the same way every time. And even though people sometimes see similar things in inkblots, they describe it in different ways. For instance, almost all the users in their study identified the inkblot below as some type of flying person. But the users described their flying person differently, such
This stuff has already been worked on. Visual passwords are nothing new. Someone at the USENIX Security Symposium was working on the same stuff with landscapes in 2000 (not sure on the exact year) but around then. The difference was they would provide you with a series of landscape pictures. Good stuff in my opinion, much easier to remember a series of images than a series of passwords.
Take the first letter from the first word and the last letter from the last word in the first blot. That forms your first two password letters. If you described the first blob as a 'flying gardener,' your first two letters would be fr. Continue doing this with all of the inkblots. You'll end up with a strong twenty-letter password.
Not quite. Your password will be long, but still only consist of letters. A truly strong password includes non-alpha and non-numbers to increase the search space to help against brute force attacks.
"We show you a bunch of computer generated inkblots," said Simon. "We ask you to look at the inkblot, see whatever you see in the inkblot, and type a short abbreviation of what you see. The first and last letter works well.
Of course it works, well sort of. Passphrases are easy to remember, that's why they work so well. They could have used any kind of clue and might want to consider that because the things people think of on their own ARE NOT RANDOM, especially for ink blots. "There are several responses that almost everyone gives; mentioning these shows the psychologist you're a regular guy." So, I'm afraid that these inkblot tests won't be any better than pet names and the other common things in people's heads.
The Microsoft PR department's discovery and promotion of passphrases, however, is a welcome innovation. Keep working, but be careful. The easier you make it for users to be unpredictable, the more difficult you make it to blame the user for holes in your code.
Friends don't help friends install M$ junk.
Inkblots are symmetrical because they are made by pouring ink on a piece of paper and then folding the piece of paper in half.
Uh, you do know how inkblots are made, don't you?
You quitting proves that the karma kap worked. The most annoying of the whores shut up. --CmdrTaco
Well, given how few English words begin with Q, Z, and X, and that the odd characters are word-starting letters, and the frequencies of letters in the English language are well known with relation to starting positions...
Given also that every Even character is a word termination character, and the letter frequency is well known with respect to terminal positions as well...
Given further that most people start a phrase when typing with a capital letter...
I would say some minor combinatorics based on these facts would yield a very strong cracking algorithm very quickly.
You can have it fast, accurate, or pretty. Pick any 2.
[am not! are too! am not!]
The strongest possible password is the string with the most entropy that you can reliably remember and enter. i.e. the output of a password-generation method that has the largest possible number of different outputs (assuming that they are equally likely up to computational feasibility, and that you can reliably remember and enter the password, and that an attacker has any reasonable chance of guessing how you generated it).
It is NOT the longest string you can commit to memory. There are people who have memorized thousands of digits of pi, but the first thousand digits of pi would be a horrible password if someone knew that you had memorized them. Similarly, Shakespearean soliloquies suck, especially if you are a Shakespeare geek.
A random sentence from War and Peace has maybe 16 bits of entropy. A random paragraph has fewer, because there are fewer paragraphs in War & Peace than there are sentences. A random word from /usr/share/dict/words has about 19 bits of entropy, and thus beats out the sentence. A decent PC could crack any of these in seconds flat, if an attacker suspected you had used one of them.
If the string is anywhere on your hard drive in plaintext form, be it in the words dict, a deleted email from Amazon, or your War and Peace ebook, it has at most 40-some bits of entropy (depending on your hard disk size and its length), and could be cracked on a small cluster in days if your hard drive were stolen.
A 5-word diceware.com password such as "cleft cam synod lacy yr" has about 63-64 bits of entropy, and is my preferred password type for long passwords because it is fairly easy to remember. A 10-character RAD-64 password such as "4TFA/ii+Xc" has 60 bits. An 18-digit random number has about the same.
If you can narrow each inkblot to 50 possibilities, then a sequence of 10 of them has about 57 bits of entropy in 20 characters. (don't take my word, I calculated it in my head). That's feasible for the govt, or distributed.net, or a very large company. Not bad for a passport account which is unlikely to have its hash lifted anyway, but since I can remember the RAD64 or the diceware one easier and enter it faster, I'll stick with one of them for the accounts I care about.
Anyway, the password strength you need depends on how much you care about what it protects.
For instance, I have 10-word diceware for my PGP master signing key, which is about as strong as the hash. Accounts that I don't really care about, like /., have lousy passwords which are variants on an older one, but are easy to remember and quick to enter. You won't guess any one without looking at the others, and I wouldn't care much if you did.
I hereby place the above post in the public domain.
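As an added example (not code from the article or from any commenter), this applies the first-letter/last-letter rule from the "flying gardener" post and works out the entropy figures in the diceware post above; the ~50 plausible responses per blot is that commenter's assumption, and the 1e9 guesses/s rate is a constructed figure for illustration only.

```python
import math
import re

def inkblot_password(descriptions):
    """Apply the rule quoted in the thread: first letter of the first word
    plus last letter of the last word of each inkblot description."""
    letters = []
    for desc in descriptions:
        words = re.findall(r"[a-z]+", desc.lower())
        if not words:
            raise ValueError(f"description has no letters: {desc!r}")
        letters.append(words[0][0] + words[-1][-1])
    return "".join(letters)

def entropy_bits(choices, elements):
    """Entropy of `elements` independent, uniformly chosen values,
    each drawn from `choices` possibilities: elements * log2(choices)."""
    return elements * math.log2(choices)

# Generation methods compared in the thread: (choices per element, elements).
# The two inkblot rows contrast the nominal keyspace (any of 26 letters per
# position) with the commenter's assumption of ~50 plausible responses per blot.
SCHEMES = {
    "diceware, 5 words": (7776, 5),
    "RAD-64, 10 chars": (64, 10),
    "random digits, 18": (10, 18),
    "inkblots, 20 letters, nominal": (26, 20),
    "inkblots, 10 blots x ~50 responses": (50, 10),
}

def compare_schemes():
    """Entropy in bits for each scheme, rounded to one decimal."""
    return {name: round(entropy_bits(c, k), 1) for name, (c, k) in SCHEMES.items()}

def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to find the password by exhaustive guessing:
    on average half the keyspace has to be searched."""
    return 2 ** (bits - 1) / guesses_per_second

if __name__ == "__main__":
    # Constructed descriptions: "flying gardener" -> "fr", "moose in the sky" -> "my"
    print(inkblot_password(["flying gardener", "moose in the sky"]))
    for name, bits in compare_schemes().items():
        days = expected_crack_seconds(bits, 1e9) / 86400
        print(f"{name:36s} {bits:5.1f} bits  ~{days:,.0f} days at 1e9 guesses/s")
```

The gap between the nominal 94-bit figure and the 56-bit figure is the whole point of the "not random" objection: the strength is set by how many responses people actually give, not by the alphabet.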
Actually, we are incredibly bad at remembering faces, contrary to popular opinion. This is the reason why lineups are so flawed.
About a year ago, I ran an experiment as part of my thesis where I showed subjects twenty faces in random order (think criminals). The next day, and on seven consecutive days thereafter, I showed 100 faces in random order, 20 of which were the original "criminals". Anybody wanna fashion a guess as to how many were remembered by day 7?
Less than five were accurately recalled after one week.
Face recognition password? I'll pass...
The cracker would need to know *nothing* about the individual user, just what responses were most common statistically.
The article described a system that would generate an infinite number of random inkblots. Every user would have their own set of inkblots that their password was generated from. If everybody used the same inkblots, I could see how this would be a problem. With random inkblots there would be no statistical answers that were most common. You would have a unique set of inkblots to crack for each unique individual.
Relying on face recognition is a bad idea. Certain segments of the population have a condition called "prosopagnosia" in which victims are unable to recognize faces, even familiar ones like their mother's or even their own. A similar condition is described in the famous book "The Man Who Mistook His Wife for a Hat". Here the researcher describes the more general condition of object agnosia, which is the inability to recognize any type of object. Presumably those with object agnosia would fail the inkblot password scheme.
Note that prosopagnosia is not a subset of object agnosia; some with one do not suffer the other (which is the cause of much controversy as to their origins, but that's getting off topic).