Slashdot Mirror

← Back to Stories (view on slashdot.org)

Inkblot Passwords

Posted by CmdrTaco on from the i-see-a-walrus-humping-a-turkey dept.

TechnoPope writes "Microsoft Research a new way to get users to not only develop, but remember more secure passwords can be achieved through using inkblots. Because of how the human brain works, you can show the same pictures to different people and almost always come up with different passwords. What's even crazier, is that people generally are able to remember the complex passwords. Sounds like a major breakthrough in security."

8 of 590 comments (clear)

  1. build a better inkblot by deke_2503 · · Score: 5, Insightful

    It's nice, but the inkblots could use some work. If you look closely, they all look basically similar in construction, with the only differences being the color and size of the shapes. They also are all symetrical along a vertical axis. A little more randomization would be nice I would think.

  2. Random Letters by aerojad · · Score: 3, Insightful

    Well the idea sounds cool and all, but isn't this just a bit too involved to help people come up with and remember what will become basically random strings of characters? This seems like going through lots more of an effort then just using a random password generator of x-characters and handing the person something to memorize. When it comes to cracking, wouldn't you have just about the same odds of guessing what random password the person got through inkblots with what the person would have got with a random character generator? Sure neither would be really easy, but to hackers... it's still just a password.

    --

    SecondPageMedia - Wha
  3. The problem with this approach by Dr.+Bareback · · Score: 5, Insightful
    One of my college professors actually outlined a similar scheme several years ago. But (as he admitted) it had a fatal flaw: the keyspace was too small. In other words, it is not hard to assemble a list of under 50 possible passwords or two-letter combinations that describe a given inkblot.

    The other flaw (which is less serious) is that this strategy is only effective when the user has to remember a small, finite number of inkblots. If a user is forced to memorize a few hundred inkblots to cover the dozens of passwords he needs on a daily basis, this mnenomic technique loses its value.

  4. Re:Microsoft Research? by Wabin · · Score: 5, Insightful

    The sad thing is, MS has long had a good research department. They hire very bright people and pay them a lot. But bright people with great ideas and great research doesn't mean that any of that good stuff will ever make it into production code. Marketing drones and codemonkeys do a good job of stopping that. If only people would listen to the real eggheads.

    Ah for Plato's republic of philosopher kings... of course, it didn't really work out on the Simpsons...

    --
    Most exciting phrase in science: not "Eureka!" but "Hmm... That's funny..." -Asimov (abridged for \. limits)
  5. How could this possibly work? by jdan · · Score: 3, Insightful

    This couldn't work for the following reasons:

    1) People are lazy. They aren't going to look through ten inkblots and write down each one and then figure out the first and last letter of each. They are more likely to write their password down somewhere, or just click on the link that says "e-mail me a new password".

    2) People are stupid. Normaly users would get a page saying "View each of these inkblots and write down ...", but what they actually read is "blah blah blah pretty pictures blah blah blah click". Without the person administering the test standing behind them to explain what to do, most people would just glaze over, like they do whenever they are presented with instructions longer than 1 sentence.

    3) Did they have a control group that attempted to remember their "strong" password? They state that it is unusual for a user to remember a strong password after one day, but I wonder how unusual?

    4) "... by the umpteenth time you've logged in, you've remembered these twenty characters". Wouldn't it just be simpler to make them type the 20 characters over and over again 15 times? Then they remember it anyway, and don't have to reverse engineer the whole process.

    --jdan

  6. Re:Strong passwords? by goombah99 · · Score: 3, Insightful

    Wrong. the strongest possible password is simply the longest string you can reliably comit to memory. It makes no difference if your alphabet is 50% larger.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  7. Re:Strong passwords? by tazan · · Score: 5, Insightful

    If my alphabet was only one character I could remember a password hundereds of characters long. It would be the strongest password ever.

  8. Re:your comment was 'easily breakable' by Raffaello · · Score: 3, Insightful

    No, all a cracker would need to do is to test the permutations of the most likely variant responses *first*. The cracker would need to know *nothing* about the individual user, just what responses were most common statistically. Even if such knowledge consisted entirely of what words people use most often in short descriptive phrases (independent of ink blots), it would shrink the search space dramatically.

    Combined with the fact that the cracker is dealing only with alphabetic characters, you end up with a highly structured system, with an obvious, and likely quite fruitful, means of attack.