Inkblot Passwords
TechnoPope writes "Microsoft Research has found a new way to get users to not only develop, but remember more secure passwords can be achieved through using inkblots. Because of how the human brain works, you can show the same pictures to different people and almost always come up with different passwords. What's even crazier is that people generally are able to remember the complex passwords. Sounds like a major breakthrough in security."
How strong are these passwords? For each blot, might you guess what somebody will see? Some seemed more obvious than others.
I like the face password system. With this system you remember some faces, something we are very good at doing. Then you are shown tablets of faces, around 16 of them. Your face is among them and you click on it -- 4 bits of data. You do this several times to generate a strong enough password.
The really interesting aspect of this system is, unless you are a skilled police sketch artist, you can't tell other people your password. Even if they torture you, you can't reveal it. Many people will find themselves unable to even describe the faces in their set, they just know them when they see them.
You might be able to go to the terminal and sketch or digitally photograph your faces to tell somebody else, but if this is used as an access control system, for example, with a guard watching you as you enter your code, it's hard to do. Thus the military is interested in such systems. But even if you don't care about the no-torture feature, you can generate memorable passwords that use an entirely different type of memory.
Also, most people's passwords are a string that they easily remember + some numbers. It's much easier to remember blahblah123 than to look at the blobs every time you want to login and reconstruct "frherotspsmt..." from the images.
Perhaps this system could be used to help people remember forgotten passwords, like being able to select 5 of out 10 images in the correct order.
Have fun: Join D.N.A. (National Dyslexics Association)
His password would turn out like this.
How are you going to keep them down on the farm once they've seen Karl Hungus?
Though your post was meant to be humorous, it also jibes with conventional security wisdom for recalling strong passwords.
I forget who it was that said it, but a widely recommended strategy for strong passwords is to think of a shockingly graphic sexual phrase, then use the first letters.
The vividness and the link to sexual activity makes it memorable (at least in males). And also it's not likely to be a phrase you would blurt out or something anyone could easily guess about you. E.g. "take this job and shove it" would NOT be a good pass phrase because it's something that might well be an expression you would use in your writings or speech.
Oh and by the way that's actually me in the batman costume doing your wife. or Ge
Some drink at the fountain of knowledge. Others just gargle.
About two years ago, slashdot ran a story about RealUser, which provides a passface solution. I was shocked at how well I remember the passfaces I was given. I just tried to log in to the site, and I was successful, though I haven't tried to log in in months.
www.realuser.com for more info
My other sig is extremely clever...
If you know anything about the Rorschach test (the original inkblot test), you'll know it's all about statistical analysis. The Rorschach inkblots were randomly chosen - it didn't matter at all what they looked like - as long as they were always the same.
After many decades of testing, psychiatrists were able to plot people on charts based on certain responses and then empirically decide whether someone might have a given mental illness based on whether their response showed statistical similarity to others who had proven to have that illness. Most of the categories that the responses were judged on were extremely arbitrary.
The point is, the inkblot test relies on the fact that most people with "normal" brain function will look at an inkblot the same way. You'd be surprised at how many people list "fly" as the one that looks like a "fly", etc. What you are going to end up with is only a handful of different words for each inkblot. People aren't going to pick phrases like "flying man with green wings getting ready to lift-off" because those phrases are hard to remember. Most of them will be "fly", "flying man", "wing man", etc.
This is not a secure password.
You have to read The Art of Memory by Frances Yates. This book deals with the ancient practice of memory training and use, including those fantastic Memory Palaces where you literally build imaginary (or not) places in your mind and use them to store representations that remind you of an idea, word, sentence, concept, or anything. You can then "walk" from place to place, looking at those representations and re-building a speech, for instance.
Actually, this is the "intellectual", generic version of the idea posted (and slashdotted) above, and you can use it to remember your passwords, long speeches, todo-list, anything.
And M$ won't be patenting this any time soon; the Greeks used this even BC.
Worth a read and a try, really.
Note: Thomas Harris has had Hannibal Lecter use and play with memory palaces in his novels too.
theefer
(1) Mugatu, from Zoolander
(2) A gorilla in sweats doing a split
(3) Someone eating coffee grounds from a filter with chopsticks
(4) Feet of a reclining person
(5) Two ice cream cones
(6) A headless woman
(7) A frog in an apron (According to the article everyone thinks it's a flying person!)
(8) Snapping fingers
(9) Batman peeing
(10) Batman vomiting
I conclude that you're a healthier person than I am...
What I'm listening to now on Pandora...
Read the article - they use the first *and* last letter, so the line you quoted from Macbeth becomes:
wnslwetemtanintrlgorrn
Which points up a flaw in the system that a previous poster alluded to, namely, that you end up with only alphanumeric character passwords, so a cracker program would only need to run permutations of first/last letter pairs from a dictionary to crack these passwords.
Moreover, there are undoubtedly some first/last letter combinations that are more common than others in english, even for multi-word phrases, so the crackers would try these first in their search.
In other words, their very structural regularity leads to an easy line of attack.
Good point, this is actually less insecure than it seems.
Consider if 30% of the people see the same object in the inkblots and 30% of those start their description with the object (hence: batman running, batman peeing, batman standing). Now you have 1/2 the password for 10% of the users; couple the rest with brute force on the second word (using a high probability of g's, then all the other common letters ending in verbs).
I don't think this is going to make it. You see an inkblot, give a description, the software says "sorry, that's a stupid description, everyone will guess that" and you write an elaborate description that you won't remember.
Sounds more like an MIT experiment than Microsoft.
Yes, but 50^8 is:
:) You calculated 8^50 by mistake.
1427247692705959881058285969449495136382746624
That makes the odds of guessing the password astronomically low.
Actually, it's 39062500000000. Note that your number doesn't end in a zero.
Either way, the problem is that a password cracking program can search through that space in a reasonable amount of time. 50^8, representing 50 possible words for each of 8 inkblots, is about equal to 2^45. A single computer trying every possible password would find the right password in, what, a week or two? Under circumstances in which you had this much time to work (e.g. decoding an encrypted file which you have a copy of) the password can be found using brute force.
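The keyspace arithmetic argued over above, worked through as an added example (not code from the thread or from Microsoft Research): it derives the two letters a blot contributes under the first-and-last-letter rule the thread describes, computes the uniform 50^8 keyspace, and then shows how far the guessing resistance drops when, as the earlier comment supposes, 30% of users give the same description. The 50-choices and 30% figures are the thread's own; the guess rate is an assumed sample value.

```python
import math
from typing import Sequence


def blot_chars(description: str) -> str:
    """Characters one inkblot contributes in the scheme the thread describes:
    the first and last letter of the description (so "batman flying" -> "bg")."""
    letters = [c for c in description.lower() if c.isalpha()]
    if not letters:
        raise ValueError("description contains no letters")
    return letters[0] + letters[-1]


def build_password(descriptions: Sequence[str]) -> str:
    """Concatenate the per-blot pairs: 10 blots give the 20-letter password."""
    return "".join(blot_chars(d) for d in descriptions)


def keyspace_bits(choices_per_blot: int, blots: int) -> float:
    """Entropy if every user picked uniformly among the candidate descriptions.
    50 choices x 8 blots = 50^8 ~ 2^45.15."""
    return blots * math.log2(choices_per_blot)


def skewed_distribution(top_share: float, choices: int) -> list[float]:
    """Constructed model: one popular description takes top_share of users,
    the remaining choices split the rest evenly."""
    rest = (1.0 - top_share) / (choices - 1)
    return [top_share] + [rest] * (choices - 1)


def min_entropy_bits(probabilities: Sequence[float], blots: int) -> float:
    """Guessing resistance against an attacker who tries the most popular
    description first: only the largest probability per blot matters."""
    return blots * -math.log2(max(probabilities))


def exhaustive_search_seconds(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole space at a given guess rate (assumed rate)."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    print(build_password(["batman flying", "two ice cream cones", "a frog in an apron"]))
    uniform = keyspace_bits(50, 8)
    skewed = min_entropy_bits(skewed_distribution(0.30, 50), 8)
    print(f"uniform: {uniform:.1f} bits, skewed (30% pick the same word): {skewed:.1f} bits")
    for bits in (uniform, skewed):
        print(f"{bits:.1f} bits at 1e7 guesses/s: {exhaustive_search_seconds(bits, 1e7) / 86400:.2f} days")
```

At an assumed ten million guesses per second the uniform 45-bit space takes about 40 days, while the skewed 14-bit space falls in under a second, which is the quantitative form of the "everyone sees batman" objection.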
A technology called Pass Faces has been around for a few years. Microsoft simply substituted the faces for ink blots. Personally, I think it would be a lot easier to remember faces.
I don't think they will get lots of unique stuff from ink blots. There's nothing new about M$ claiming to have invented something.
Friends don't help friends install M$ junk.
There's no mixing of case, numbers, etc. It's twenty random characters. Now you may remember these 20 characters better than your normal random characters but it leaves you with a password where there are only 26 options for the first character, 26 for the next, etc. - it's still trivially easy for a password generator to crack.
Plus, how many places are there on the web that limit the length of passwords to like 8 or 10? If you use 4 inkblots and generate an 8 character string of letters all in one case, that's not exactly a strong password.
Did those inkblots suck ass or what? Some just really didn't lend themselves to pictures for me.
Most web sites, and I'm sure hotmail is in this number, limit the size of the password field. If I had committed to memory a random string that was 1000 characters long, it doesn't matter much when the web site asking for a password only accepts 10 characters. Now, when you're dealing with a 10 character limit (a reasonable real life example) it matters A LOT if your dictionary is 50% larger.
So? people trying to guess your password will still use the strongest option, unless you tell them "I only use letters in my password!"
Y2K Compliant since the late 1890s
I think her hashing scheme needs a little work. Looking through the comments, lots of people identify blots as [noun] [present participle] (e.g. "batman flying"). All present participles end in -ing, so I think you would find a high incidence of 'g' in even positions of passwords generated with this scheme.
yeah but this is all assuming the attacker knows that you've used this as a basis for your password.
it also assumes he knows which books you have - I own books that aren't in the LOC.
Since most sentences are too long for the average 8-10 character password field, I wouldn't even use a simple sentence - I could take the first letter of each word in the sentence, or the second, or the first letter of each word in reverse order.
These are all easy to remember and difficult to crack, because you just don't know my algorithm - security through obscurity, sure, but could be tough to reverse engineer.
E.g. the password '.cnspoye' was made up by reading something off the webpage I'm typing into. Normally you wouldn't know that's my password, and even if you did you wouldn't know the webpage I based it on, and even though you do it's still non-obvious (but I'm sure you could figure it out if you cared).
I'm not saying this is how I pick my passwords normally - oddly enough, that's not something I discuss in public. I'm just saying that even if it only has 9 bits of entropy, it's just as secure as your fancy diceware passwords and (for me) much easier to remember.
~Cederic