Inkblot Passwords
TechnoPope writes "Microsoft Research has found a new way to get users to not only develop, but remember, more secure passwords: inkblots. Because of how the human brain works, you can show the same pictures to different people and almost always come up with different passwords. What's even crazier is that people generally are able to remember the complex passwords. Sounds like a major breakthrough in security."
Take the first letter from the first word and the last letter from the last word in the first blot. That forms your first two password letters. If you described the first blob as a 'flying gardener,' your first two letters would be fr. Continue doing this with all of the inkblots. You'll end up with a strong twenty-letter password.
Not quite. Your password will be long, but still only consist of letters. A truly strong password includes characters that are neither letters nor digits, to increase the search space and help against brute force attacks.
"We show you a bunch of computer generated inkblots," said Simon. "We ask you to look at the inkblot, see whatever you see in the inkblot, and type a short abbreviation of what you see. The first and last letter work well."
Of course it works, well, sort of. Passphrases are easy to remember; that's why they work so well. They could have used any kind of clue, and might want to consider that, because the things people think of on their own ARE NOT RANDOM, especially for inkblots. "There are several responses that almost everyone gives; mentioning these shows the psychologist you're a regular guy." So, I'm afraid that these inkblot tests won't be any better than pet names and the other common things in people's heads.
The Microsoft PR department's discovery and promotion of passphrases, however, is a welcome innovation. Keep working, but be careful. The easier you make it for users to be unpredictable, the more difficult you make it to blame the user for holes in your code.
Friends don't help friends install M$ junk.
Inkblots are symmetrical because they are made by pouring ink on a piece of paper and then folding the piece of paper in half.
Uh, you do know how inkblots are made, don't you?
You quitting proves that the karma kap worked. The most annoying of the whores shut up. --CmdrTaco
Well, given how few English words begin with Q, Z, and X, and that the odd characters are word-starting letters, and the frequencies of letters in the English language are well known with relation to starting positions...
Given also that every even character is a word termination character, and the letter frequency is well known with respect to terminal positions as well...
Given further that most people start a phrase when typing with a capital letter...
I would say some minor combinatorics based on these facts would yield a very strong cracking algorithm very quickly.
You can have it fast, accurate, or pretty. Pick any 2.
[am not! are too! am not!]
The strongest possible password is the string with the most entropy that you can reliably remember and enter, i.e. the output of a password-generation method that has the largest possible number of different outputs (assuming that they are equally likely up to computational feasibility, that you can reliably remember and enter the password, and that an attacker has any reasonable chance of guessing how you generated it).
It is NOT the longest string you can commit to memory. There are people who have memorized thousands of digits of pi, but the first thousand digits of pi would be a horrible password if someone knew that you had memorized them. Similarly, Shakespearean soliloquies suck, especially if you are a Shakespeare geek.
A random sentence from War and Peace has maybe 16 bits of entropy. A random paragraph has fewer, because there are fewer paragraphs in War & Peace than there are sentences. A random word from /usr/share/dict/words has about 19 bits of entropy, and thus beats out the sentence. A decent PC could crack any of these in seconds flat, if an attacker suspected you had used one of them.
If the string is anywhere on your hard drive in plaintext form, be it in the words dict, a deleted email from Amazon, or your War and Peace ebook, it has at most 40-some bits of entropy (depending on your hard disk size and its length), and could be cracked on a small cluster in days if your hard drive were stolen.
A 5-word diceware.com password such as "cleft cam synod lacy yr" has about 63-64 bits of entropy, and is my preferred password type for long passwords because it is fairly easy to remember. A 10-character RAD-64 password such as "4TFA/ii+Xc" has 60 bits. An 18-digit random number has about the same.
If you can narrow each inkblot to 50 possibilities, then a sequence of 10 of them has about 57 bits of entropy in 20 characters (don't take my word, I calculated it in my head). That's feasible for the govt, or distributed.net, or a very large company. Not bad for a Passport account, which is unlikely to have its hash lifted anyway, but since I can remember the RAD64 or the diceware one easier and enter it faster, I'll stick with one of them for the accounts I care about.
Anyway, the password strength you need depends on how much you care about what it protects.
For instance, I have 10-word diceware for my PGP master signing key, which is about as strong as the hash. Accounts that I don't really care about, like /., have lousy passwords which are variants on an older one, but are easy to remember and quick to enter. You won't guess any one without looking at the others, and I wouldn't care much if you did.
I hereby place the above post in the public domain.
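The entropy figures in the post above, and the letter-frequency objection raised a few posts up (odd positions are word-initial letters, even positions are word-final letters), can be checked with a few lines of arithmetic. This is an added example, not code from the original thread or from Microsoft Research. The scheme sizes (7776 diceware words, 64 radix-64 symbols, 50 guesses per blot) are the ones the post uses; the positional letter weight tables are constructed for illustration and are not measured from any corpus, so only their shape, not their exact values, should be read into.

```python
import math

# Sizes of the generation methods discussed in the post (choices per element, elements).
SCHEMES = {
    "diceware, 5 words": (7776, 5),
    "diceware, 10 words": (7776, 10),
    "radix-64, 10 chars": (64, 10),
    "random decimal, 18 digits": (10, 18),
    "inkblot, 10 blots, 50 plausible answers each": (50, 10),
    "inkblot, 20 letters if they were uniform": (26, 20),
}

# Constructed, roughly English-shaped relative weights for word-initial and
# word-final letters. Assumption for illustration only; a real attack would use
# counts taken from a corpus of the kind of phrases people actually type.
INITIAL_WEIGHTS = {"t": 16, "a": 12, "s": 8, "h": 7, "w": 7, "i": 7, "o": 6, "b": 5,
                   "m": 4, "f": 4, "c": 4, "l": 3, "d": 3, "p": 3, "n": 2, "e": 2,
                   "g": 2, "r": 2, "y": 1, "u": 1, "v": 1, "j": 1, "k": 1,
                   "q": 0.2, "x": 0.1, "z": 0.1}
FINAL_WEIGHTS = {"e": 19, "s": 14, "t": 10, "d": 10, "n": 8, "r": 7, "y": 7, "f": 3,
                 "l": 3, "o": 3, "g": 3, "h": 3, "a": 3, "k": 2, "m": 2, "p": 1,
                 "w": 1, "c": 1, "u": 0.5, "i": 0.5, "x": 0.3, "b": 0.3, "v": 0.1,
                 "z": 0.1, "j": 0.05, "q": 0.05}


def uniform_entropy_bits(choices_per_element, elements):
    """Entropy of `elements` independent uniform draws from `choices_per_element`
    equally likely values: log2(choices ** elements)."""
    return elements * math.log2(choices_per_element)


def shannon_entropy_bits(weights):
    """Entropy in bits of one draw from a non-uniform distribution.
    `weights` maps symbol -> relative frequency; they need not sum to 1."""
    total = sum(weights.values())
    return -sum((w / total) * math.log2(w / total) for w in weights.values() if w > 0)


def inkblot_entropy_bits(initial_weights, final_weights, blots):
    """Entropy of the first-letter/last-letter scheme under the simplifying
    assumption that each blot's description is independent, its first letter
    follows `initial_weights` and its last letter follows `final_weights`.
    Real descriptions are correlated, so this is still an overestimate."""
    per_blot = shannon_entropy_bits(initial_weights) + shannon_entropy_bits(final_weights)
    return blots * per_blot


def expected_crack_seconds(bits, guesses_per_second):
    """Average brute-force time: the attacker searches half the keyspace."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def scheme_entropies():
    """Entropy in bits for every scheme in SCHEMES plus the skewed inkblot model."""
    result = {name: uniform_entropy_bits(c, n) for name, (c, n) in SCHEMES.items()}
    result["inkblot, 10 blots, positional letter frequencies"] = inkblot_entropy_bits(
        INITIAL_WEIGHTS, FINAL_WEIGHTS, 10)
    return result


if __name__ == "__main__":
    rate = 1e9  # assumed guesses per second for an offline hash attack
    for name, bits in sorted(scheme_entropies().items(), key=lambda kv: kv[1]):
        days = expected_crack_seconds(bits, rate) / 86400
        print(f"{bits:6.1f} bits  ~{days:12.3g} days at 1e9/s   {name}")
```

Two things fall out of the numbers. Narrowing each blot to 50 answers costs the scheme about 37 bits relative to 20 uniformly random letters, and even the crude positional model, which treats the two letters as independent, lands well below the uniform figure; a cracker that also used the correlations between first and last letter of a phrase would do better still. Any letters-only estimate should therefore be read as an upper bound.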
Actually, we are incredibly bad at remembering faces, contrary to popular opinion. This is the reason why lineups are so flawed.
About a year ago, I ran an experiment as part of my thesis where I showed subjects twenty faces in random order (think criminals). The next day, and on seven consecutive days thereafter, I showed 100 faces in random order, 20 of which were the original "criminals". Anybody wanna fashion a guess as to how many were remembered by day 7?
Less than five were accurately recalled after one week.
Face recognition password? I'll pass...
The cracker would need to know *nothing* about the individual user, just what responses were most common statistically.
The article described a system that would generate an infinite number of random inkblots. Every user would have their own set of inkblots that their password was generated from. If everybody used the same inkblots, I could see how this would be a problem. With random inkblots there would be no statistical answers that were most common. You would have a unique set of inkblots to crack for each unique individual.
Relying on face recognition is a bad idea. Certain segments of the population have a condition called "prosopagnosia" in which victims are unable to recognize faces, even familiar ones like their mother's or even their own. A similar condition is described in the famous book "The Man Who Mistook His Wife for a Hat". Here the researcher describes the more general condition of object agnosia, which is the inability to recognize any type of object. Presumably those with object agnosia would fail the inkblot password scheme.
Note that prosopagnosia is not a subset of object agnosia; some with one do not suffer the other (which is the cause of much controversy as to their origins, but that's getting off topic).