Slashdot Mirror


Inkblot Passwords

TechnoPope writes "Microsoft Research says a new way to get users to not only develop, but remember more secure passwords can be achieved through using inkblots. Because of how the human brain works, you can show the same pictures to different people and almost always come up with different passwords. What's even crazier is that people generally are able to remember the complex passwords. Sounds like a major breakthrough in security."

15 of 590 comments

  1. I doubt it. by Prince_Ali · Score: 0, Insightful

    They see SOMETHING in the ink blots, and that something is probably in the dictionary... not that many people make secure passwords anyway.

  2. build a better inkblot by deke_2503 · Score: 5, Insightful

    It's nice, but the inkblots could use some work. If you look closely, they all look basically similar in construction, with the only differences being the color and size of the shapes. They also are all symmetrical along a vertical axis. A little more randomization would be nice, I would think.

  3. Random Letters by aerojad · Score: 3, Insightful

    Well, the idea sounds cool and all, but isn't this just a bit too involved to help people come up with and remember what will become basically random strings of characters? This seems like going through lots more of an effort than just using a random password generator of x characters and handing the person something to memorize. When it comes to cracking, wouldn't you have just about the same odds of guessing what random password the person got through inkblots as what the person would have got with a random character generator? Sure, neither would be really easy, but to hackers... it's still just a password.

    --

    SecondPageMedia - Wha

  4. The problem with this approach by Dr. Bareback · Score: 5, Insightful

    One of my college professors actually outlined a similar scheme several years ago. But (as he admitted) it had a fatal flaw: the keyspace was too small. In other words, it is not hard to assemble a list of under 50 possible passwords or two-letter combinations that describe a given inkblot.

    The other flaw (which is less serious) is that this strategy is only effective when the user has to remember a small, finite number of inkblots. If a user is forced to memorize a few hundred inkblots to cover the dozens of passwords he needs on a daily basis, this mnemonic technique loses its value.

  5. Re:Microsoft Research? by Wabin · Score: 5, Insightful

    The sad thing is, MS has long had a good research department. They hire very bright people and pay them a lot. But bright people with great ideas and great research doesn't mean that any of that good stuff will ever make it into production code. Marketing drones and codemonkeys do a good job of stopping that. If only people would listen to the real eggheads.

    Ah for Plato's republic of philosopher kings... of course, it didn't really work out on the Simpsons...

    --
    Most exciting phrase in science: not "Eureka!" but "Hmm... That's funny..." -Asimov (abridged for \. limits)

  6. How could this possibly work? by jdan · Score: 3, Insightful

    This couldn't work for the following reasons:

    1) People are lazy. They aren't going to look through ten inkblots and write down each one and then figure out the first and last letter of each. They are more likely to write their password down somewhere, or just click on the link that says "e-mail me a new password".

    2) People are stupid. Normally users would get a page saying "View each of these inkblots and write down ...", but what they actually read is "blah blah blah pretty pictures blah blah blah click". Without the person administering the test standing behind them to explain what to do, most people would just glaze over, like they do whenever they are presented with instructions longer than 1 sentence.

    3) Did they have a control group that attempted to remember their "strong" password? They state that it is unusual for a user to remember a strong password after one day, but I wonder how unusual?

    4) "... by the umpteenth time you've logged in, you've remembered these twenty characters". Wouldn't it just be simpler to make them type the 20 characters over and over again 15 times? Then they remember it anyway, and don't have to reverse engineer the whole process.

    --jdan

  7. Passwords a thing of the past by kevin_conaway · Score: 2, Insightful

    Aren't passwords becoming more and more outdated these days? Isn't the industry focusing more towards biometric authentication and other types of tokens? I think the best way to remember passwords is the 'first letter of every word in a sentence' method.

  8. Re:Strong passwords? by goombah99 · Score: 3, Insightful

    Wrong. The strongest possible password is simply the longest string you can reliably commit to memory. It makes no difference if your alphabet is 50% larger.

    --
    Some drink at the fountain of knowledge. Others just gargle.

  9. Surprisingly Intuitive by FU_Fish · Score: 2, Insightful

    I don't often say this about a M$ idea, but this seems like quite a good idea. The passwords seem to lack numbers, misc. characters, and mixed-case, but they're still stronger than the average password. This idea has potential for sure.

  10. Re:Microsoft Research? by zangdesign · Score: 2, Insightful

    I wish that the ideas that I come up with at my internship would end up on the front page of slashdot.

    So every disgruntled nerd in the world can take potshots at your idea, just because it came from Microsoft?

    I think not.

    --
    To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.

  11. Re:Strong passwords? by tazan · Score: 5, Insightful

    If my alphabet was only one character I could remember a password hundreds of characters long. It would be the strongest password ever.

  12. Re:Microsoft Research? by WolfWithoutAClause · Score: 2, Insightful

    They hire very bright people and pay them a lot. But bright people's great ideas and great research doesn't mean that any of that good stuff will ever make it into production code.

    Yes, but on the other side of the coin, bright people and their great ideas don't necessarily deserve to be made into a product.

    Before everyone jumps down my throat, all I mean is that a bright idea, something that can be made to work, that's cool, that 'egg' head people like (speaking as at least a quasi-egghead myself), doesn't necessarily make for a great product.

    I mean look at 3G, what's it for? Look at the Space Shuttle; cool as hell, but not a profitable thing. Segway?

    At their best marketing drones actually work out how the product can sell, they position it so people actually want to buy it. Segway makes a great toy for rich kids for example; but as a transport tool for getting to work, it may well not be that great; that's the kind of thing that marketing, at their best, sort out. At their worst they completely fuck it all up of course ;-)

    --

    -WolfWithoutAClause

    "Gravity is only a theory, not a fact!"

  13. Re:your comment was 'easily breakable' by Raffaello · Score: 3, Insightful

    No, all a cracker would need to do is to test the permutations of the most likely variant responses *first*. The cracker would need to know *nothing* about the individual user, just what responses were most common statistically. Even if such knowledge consisted entirely of what words people use most often in short descriptive phrases (independent of ink blots), it would shrink the search space dramatically.

    Combined with the fact that the cracker is dealing only with alphabetic characters, you end up with a highly structured system, with an obvious, and likely quite fruitful, means of attack.

  14. just letters? by WebMasterJoe · Score: 2, Insightful

    Sure, it may be pseudo-random 20-character passwords, but there are some real issues that make brute-force attacks work better:
    • Even characters are the last letter of the second word, so this is likely to be an 's' for plural-looking blots, and not so likely to be a, i, o, u, and almost definitely not q.
    • The length of the password is known.
    • There are no capital letters. In fact, they're all lowercase letters.
    A normal dictionary attack on twenty characters would have 94^20, 2.90e39 permutations. The passwords with the restrictions listed above would be at MOST 26^10*25^10 (assuming no q's in the even positions), or 2.37e14, possibilities. Using some "probably's" listed above, you could save some of the less likely combinations for the end of the list.

    OTOH, an eight-character max, mixed-case password that could have special characters will have (i=1..8)94^i (sorry, I can't do sigma notation) possibilities, which is 6.16e15. That's 26x as many as the method listed above, and given that the human mind can easily remember between five and nine characters, it seems we're better off memorizing some sequence from /dev/random.

    DISCLAIMER: I am not a mathematician. I may be talking out of my ass. Please correct me if I am.
    --
    I really hate signatures, but go to my website.

  15. Bad scheme: Not repeatable because guesses aren't by Anonymous Coward · Score: 1, Insightful

    Looking at the 'evil flying henchman' ink blot, three things instantly come to mind:
    (1) flyman
    (2) viking hat
    (3) man taking a bow on stage. The two "wings" are his shadows from two separate light sources.

    When I make the password, I might have seen "The Fly" or been bitten by a mosquito earlier, so I'd choose 'F' for my letter because "flies" are on my mind.

    Tomorrow, I might come across a viking story or see a Hell's Angel biker so I'd think that the first letter is 'V' because tough "viking-like" people are on my mind.

    The next day I might watch a play, see a rock band, or something about the Royal Family so I'd think that the first letter is 'm' or 'b' because bowing is on my mind.

    So there's a 1 in 3 chance that I'll reselect this letter right. Since each shape has at least three interpretations, there are 3.5*10^9 possible passwords that I have to try before I get the right one.

    There's a far simpler scheme that is reproducible.

    Tell a person to look at a long paragraph (at least 1000 lines long) with a mix of opinions and highlight three passages that they like. This scheme generates two three-digit numbers for each passage and there are a total of three passages, so there's a total of 9^(3+3+2) or 43 million combinations. Most people don't have much difficulty remembering things they like, so it should be simple to remember them. People who are visual (and not auditory or kinesthetic) wouldn't remember the words, but they would remember how they highlighted the text, so it should be easy for them too.
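The keyspace figures in comments 14 and 15 can be recomputed exactly. The block below is an added example, not code from any commenter or from Microsoft Research: it evaluates each quantity those two comments name, converts each to bits of entropy, and includes the one-letter alphabet from comment 11 for comparison. Note that 26^10 multiplied by 25^10 is about 1.35e28; the 2.37e14 quoted in comment 14 matches the sum of those two terms.

```python
import math

# Added worked example: recomputes the password keyspaces discussed in
# comments 14 and 15 above. Every input is a figure those comments give.

def keyspace_fixed(alphabet_size: int, length: int) -> int:
    """Strings of exactly `length` symbols over an alphabet of that size."""
    return alphabet_size ** length

def keyspace_up_to(alphabet_size: int, max_length: int) -> int:
    """Sum of alphabet_size**i for i = 1..max_length (comment 14's sigma)."""
    return sum(alphabet_size ** i for i in range(1, max_length + 1))

def entropy_bits(keyspace: int) -> float:
    """log2 of a keyspace: how many bits a brute-force search must cover."""
    return math.log2(keyspace)

def inkblot_keyspace_comment14() -> int:
    """Comment 14's restricted inkblot password: ten odd positions from 26
    lowercase letters, ten even positions from 25 (no 'q')."""
    return keyspace_fixed(26, 10) * keyspace_fixed(25, 10)

def comment14_figure_as_sum() -> int:
    """The same two terms added rather than multiplied; this reproduces
    the 2.37e14 quoted in comment 14."""
    return keyspace_fixed(26, 10) + keyspace_fixed(25, 10)

def inkblot_keyspace_comment15(interpretations: int = 3, letters: int = 20) -> int:
    """Comment 15's model: each of the 20 letters has about 3 plausible
    readings, so someone who knows the blots faces 3**20 candidates."""
    return interpretations ** letters

def highlight_scheme_comment15() -> int:
    """Comment 15's alternative scheme, 9**(3+3+2), as stated there."""
    return 9 ** (3 + 3 + 2)

def report() -> dict:
    """Keyspace and entropy for every scheme the two comments compare."""
    schemes = {
        "94-symbol, exactly 20 chars": keyspace_fixed(94, 20),
        "inkblot, comment 14 model": inkblot_keyspace_comment14(),
        "inkblot, comment 15 model": inkblot_keyspace_comment15(),
        "94-symbol, 1 to 8 chars": keyspace_up_to(94, 8),
        "highlight scheme, comment 15": highlight_scheme_comment15(),
        # comment 11's point: a one-letter alphabet, 300 characters long
        "1-symbol alphabet, 300 chars": keyspace_fixed(1, 300),
    }
    return {name: (size, round(entropy_bits(size), 1)) for name, size in schemes.items()}

if __name__ == "__main__":
    for name, (size, bits) in report().items():
        print(f"{name:32s} {size:.3e}  {bits:6.1f} bits")
```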