Slashdot Mirror


Inkblot Passwords

TechnoPope writes "Microsoft Research a new way to get users to not only develop, but remember more secure passwords can be achieved through using inkblots. Because of how the human brain works, you can show the same pictures to different people and almost always come up with different passwords. What's even crazier, is that people generally are able to remember the complex passwords. Sounds like a major breakthrough in security."

95 of 590 comments

  1. So What did people get? by miradu2000 · Score: 5, Funny

    Anyone else see these shapes?
    butterfly swimmer
    recycle logo
    WWE Smackdown Entrance
    Helping Hands
    Evil Eyes
    Person Gasping
    Turtle man
    Boys Spitting
    Batman fighting
    Batman flying

    with an end password of brrowehsespgtnbgbgbg

    Hmm, maybe I shouldn't have shared that. This seems to be a really cool system. I look forward to MS adding it to passport!

    1. Re:So What did people get? by Anonymous Coward · Score: 5, Funny

      I don't know what kind of drugs you are on, but #2 is clearly a gorilla taking a dump, not a recycle logo.

    2. Re:So What did people get? by 1029 · Score: 3, Funny

      "Too Many Users"

      Strangest ink blot I've ever seen.

      --
      - I love animals. I try to eat at least one a day.
    3. Re:So What did people get? by Blue+Stone · Score: 4, Funny

      Dogs eating mother
      Dead dogs
      Mother eating dead dog
      Dead dogs
      Dead mother
      Dog...dead
      Mother killed by dog
      Dying dog eating dead dog
      Mother giving birth to dead dog
      Death

      --
      Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
    4. Re:So What did people get? by Otter · Score: 3, Interesting

      (1) Mugatu, from Zoolander
      (2) A gorilla in sweats doing a split
      (3) Someone eating coffee grounds from a filter with chopsticks
      (4) Feet of a reclining person
      (5) Two ice cream cones
      (6) A headless woman
      (7) A frog in an apron (According to the article everyone thinks it's a flying person!)
      (8) Snapping fingers
      (9) Batman peeing
      (10) Batman vomiting

      I conclude that you're a healthier person than I am...

    5. Re:So What did people get? by dasmegabyte · Score: 3, Funny

      Hmm. Maybe I'm too literal minded. I got jtjtjtjtjtjtjtjtjtjt:
      Just an inkblot
      Just an inkblot
      Just an inkblot ...

      --
      Hey freaks: now you're ju
    6. Re:So What did people get? by hesiod · Score: 4, Funny

      > "Too Many Users"

      I kept hitting F5 until it loaded. If it were anyone but MS I'd have given up to relieve server load.

    7. Re:So What did people get? by hesiod · Score: 2, Funny

      > two fat guys

      Hmmm, now that you mention it, #8 reminds me of the Blue Meanies (are they the right ones? Maybe it's a different one) from Yellow Submarine.

    8. Re:So What did people get? by FrankoBoy · Score: 5, Funny

      1- Missouri
      2- Christian Slater
      3- Obviously Goatse, folks
      4- Oak leaf
      5- Trent Reznor
      6- Edmonton, Canada
      7- Letter label
      8- Yugos
      9- Ultramagnetic MC
      10- Keylogs

      So I guess MiCrOsOfTrEaLlYsUcKs then.

    9. Re:So What did people get? by Ann+Elk · Score: 2, Funny

      I see:
      1. A beautiful woman with big breasts
      2. An average woman with big breasts
      3. Another woman with big breasts
      4. My mother with big breasts
      5. My father with big breasts
      6. Bill Gates with big breasts
      7. ...
      Egad, a pattern...

  2. See the example images by Anonymous Coward · Score: 5, Funny

    Blot number 10 would be "Bn": Batman having sex with Catwoman.

  3. Van Wilder guy... by batobin · Score: 4, Funny

    From the movie Van Wilder:

    Random man (being shown an ink blot picture): "DUDE! It's a guy... and he's giving a circumcision... to HIMSELF!"

    How exactly would his password turn out?

    1. Re:Van Wilder guy... by jpsst34 · Score: 2, Interesting

      His password would turn out like this.

      --
      How are you going to keep them down on the farm once they've seen Karl Hungus?
  4. What would happen by OverlordQ · Score: 5, Funny

    If they showed this to the /. crowd:

    User1: It's Natalie Portman, I mean look at those curves . . .
    User2: Beowulf cluster of Linux boxen!
    User3: It's the dead body of Stephen King.
    User4: Hot Grits . . . definitely . .
    User5: In Soviet Russia, the inkblots analyze you!

    Think I covered them all :)

    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:What would happen by Toasty981 · Score: 5, Funny

      You forgot one...

      1.Inkblot
      2.????? (Unknown mechanism in brain to determine password)
      3.Password!

    2. Re:What would happen by Surak · Score: 3, Funny

      Uhhh... you forgot:

      User6: It's the goats guy.
      User7: Tubgirl
      User8: It's a picture of *BSD dying
      User9: ummm...that would be *GNU*/inkblot
      UserA: errr...that one's a Mac G4, that's Mac G5, iMac, TiBook, alBook, it's the OS X logo...
      UserB: that's a server getting slashdotted!

    3. Re:What would happen by Lumpy · Score: 5, Funny

      I looked at them and couldn't see what you were seeing...

      But Now I have the strangest urge to go buy
      Windows XP....

      --
      Do not look at laser with remaining good eye.
  5. Can't be!!! by TopShelf · Score: 4, Funny

    An innovative, potentially useful idea coming from Microsoft?

    I can't figure out which is more incredible - that, or the fact that the story got told here...

    --
    Stop by my site where I write about ERP systems & more
    1. Re:Can't be!!! by sunking2 · Score: 2, Funny

      Then they'd have to go teach at MIT and figure out how to email google searches to 3rd world countries. At least it's MS paying them and not some student's parents.

  6. Well... by blackmonday · Score: 5, Funny

    I would love this so much more, and find it much more useful, if Steve Jobs had thought of this.

    1. Re:Well... by falcon5768 · Score: 4, Funny

      Shhhh!!!!! How do we know Apple didn't come up with it but Microsoft stole it and leaked it to make people think they developed it first? I guess we have to wait till Apple Expo this September to find out!!!! :-P

      --

      "Slashdot, where telling the truth is overrated but lying is insightful."

  7. Ink blots? by grub · Score: 5, Funny

    They'll make a total mess of /etc/passwd...

    --
    Trolling is a art,
  8. It's a Freudian thing... by tinrobot · Score: 4, Funny

    Great. Now every password will have something to do with sex.

    1. Re:It's a Freudian thing... by KnightStalker · Score: 4, Funny

      So, you're saying that nothing will change, really. :-)

      --
      * And remember, it's spelled N-e-t-s-c-a-p-e, but it's pronounced "Mozilla."
  9. Check your password files by Mononoke · Score: 4, Funny

    The password 'inkblot' has just debuted in the top ten and is climbing fast.

    --
    NetInfo connection failed for server 127.0.0.1/local
    1. Re:Check your password files by jellisky · Score: 3, Funny

      Wouldn't that be itititititititititit ?

      (RTFA, if you don't understand... ;) )

      -Jellisky

    2. Re:Check your password files by PetiePooo · Score: 5, Funny

      'Rorschach' would be a better password, but people can never remember how to spell it.

      I prefer 'Pavlov' personally. For some reason it rings a bell...

  10. I already use this.. by gowen · Score: 5, Funny

    I used this system, with 5 different inkblots to generate my 5 most important passwords. They are, in turn:

    MyMother.
    Mom.
    MyMother.
    Momagain.
    and
    MyMo ther

    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  11. More classic sentence structure by flynt · Score: 4, Funny

    Here is some more of our favorite Slashdot composition style for your pleasure.

    "Microsoft Research a new way to get users to not only develop, but remember more secure passwords can be achieved through using inkblots."

    Makes one want to weep really.

  12. How many possible combinations could there be? by L.+VeGas · Score: 4, Funny

    Here are the passwords I came up with:

    Inky
    Blotty
    inkblotty
    inkyblot

    I bet there's not too many of these. Put 'em in a wordlist, and, bang!, you're a hacker!

  13. build a better inkblot by deke_2503 · Score: 5, Insightful

    It's nice, but the inkblots could use some work. If you look closely, they all look basically similar in construction, with the only differences being the color and size of the shapes. They also are all symmetrical along a vertical axis. A little more randomization would be nice I would think.

    1. Re:build a better inkblot by ytwang · Score: 2, Informative

      Inkblots are symmetrical because they are made by pouring ink on a piece of paper and then folding the piece of paper in half.

    2. Re:build a better inkblot by MrScience · Score: 2, Informative

      Uh, you do know how inkblots are made, don't you?

      --

      You quitting proves that the karma kap worked. The most annoying of the whores shut up. --CmdrTaco

    3. Re:build a better inkblot by Niles_Stonne · Score: 3, Funny

      You make a better inkblot, we'll make a better idiot.

      --
      Sticks and Stones may break my bones, but copyright will always protect me.
    4. Re:build a better inkblot by zurab · Score: 2, Funny

      > It's nice, but the inkblots could use some work. If you look closely, they all look basically similar in construction, with the only differences being the color and size of the shapes.

      You and everyone else are missing the intent of all this. It is obvious that this "inkblot technology" will never be used to develop and remember passwords.

      I am pretty sure now that the reason these inkblots look similar is because all of them are derivatives of the upcoming official Longhorn Logo. MS is playing subliminal mind tricks on everyone so they quickly upgrade to their next big Windows release when it comes out.
  14. Random Letters by aerojad · Score: 3, Insightful

    Well the idea sounds cool and all, but isn't this just a bit too involved to help people come up with and remember what will become basically random strings of characters? This seems like going through lots more of an effort than just using a random password generator of x characters and handing the person something to memorize. When it comes to cracking, wouldn't you have just about the same odds of guessing what random password the person got through inkblots as what the person would have got with a random character generator? Sure neither would be really easy, but to hackers... it's still just a password.

    --

    SecondPageMedia - Wha
  15. They are all obvious by Anonymous Coward · Score: 5, Funny

    It's obvious number 7 is a frog getting blown by a kitten and fucked doggy style by something with wings. All the rest are my mother.

  16. Dictionary attack now way too easy! by RobertB-DC · Score: 2, Funny

    > We ask you to look at the inkblot, see whatever you see in the inkblot, and type a short abbreviation of what you see. The first and last letter works well.

    Sounds to me like this is tailor-made for dictionary attacks. The only letters you'll need to break into any /.er's computer would be P[]Y, T[]S, A[]S...

    (Oh, crap, I'd better post AC or else I'll lose my squeaky-clean image!)

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
  17. I liked faced passwords better by HiKarma · Score: 5, Interesting

    How strong are these passwords? For each blot, might you guess what somebody will see? Some seemed more obvious than others.

    I like the face password system. With this system you remember some faces, something we are very good at doing. Then you are shown tablets of faces, around 16 of them. Your face is among them and you click on it -- 4 bits of data. You do this several times to generate a strong enough password.

    The really interesting aspect of this system is, unless you are a skilled police sketch artist, you can't tell other people your password. Even if they torture you, you can't reveal it. Many people will find themselves unable to even describe the faces in their set, they just know them when they see them.

    You might be able to go to the terminal and sketch or digitally photograph your faces to tell somebody else, but if this is used as an access control system, for example, with a guard watching you as you enter your code, it's hard to do. Thus the military is interested in such systems. But even if you don't care about the no-torture feature, you can generate memorable passwords that use an entirely different type of memory.

    1. Re:I liked faced passwords better by gizmonic · Score: 5, Funny

      > Even if they torture you, you can't reveal it.

      Whoa! Fuck that! I am not a secret agent! I want a password I can reveal BEFORE torture! :)

      --
      WWJD?
      JWRTFM!
    2. Re:I liked faced passwords better by sharky611aol.com · Score: 2, Informative

      Actually, we are incredibly bad at remembering faces, contrary to popular opinion. This is the reason why lineups are so flawed.

      About a year ago, I ran an experiment as part of my thesis where I showed subjects twenty faces in random order (think criminals). The next day, and on seven consecutive days thereafter, I showed 100 faces in random order, 20 of which were the original "criminals". Anybody wanna fashion a guess as to how many were remembered by day 7?

      Less than five were accurately recalled after one week.

      Face recognition password? I'll pass...

    3. Re:I liked faced passwords better by J.+Tang · Score: 2, Informative

      Relying on face recognition is a bad idea. Certain segments of the population have a condition called "prosopagnosia" in which victims are unable to recognize faces, even familiar ones like their mother's or even their own. A similar condition is described in the famous book "The Man Who Mistook His Wife for a Hat". Here the researcher describes the more general condition of object agnosia, which is the inability to recognize any type of object. Presumably those with object agnosia would fail the inkblot password scheme.

      Note that prosopagnosia is not a subset of object agnosia; some with one do not suffer the other (which is the cause of much controversy as to their origins, but that's getting off topic).

  18. The problem with this approach by Dr.+Bareback · Score: 5, Insightful

    One of my college professors actually outlined a similar scheme several years ago. But (as he admitted) it had a fatal flaw: the keyspace was too small. In other words, it is not hard to assemble a list of under 50 possible passwords or two-letter combinations that describe a given inkblot.

    The other flaw (which is less serious) is that this strategy is only effective when the user has to remember a small, finite number of inkblots. If a user is forced to memorize a few hundred inkblots to cover the dozens of passwords he needs on a daily basis, this mnemonic technique loses its value.

    1. Re:The problem with this approach by Some+Dumbass... · Score: 2, Interesting

      > Yes, but 50^8 is:
      >
      > 1427247692705959881058285969449495136382746624
      >
      > That makes the odds of guessing the password astronomically low.

      Actually, it's 39062500000000. Note that your number doesn't end in a zero. :) You calculated 8^50 by mistake.

      Either way, the problem is that a password cracking program can search through that space in a reasonable amount of time. 50^8, representing 50 possible words for each of 8 inkblots, is about equal to 2^45. A single computer trying every possible password would find the right password in, what, a week or two? Under circumstances in which you had this much time to work (e.g. decoding an encrypted file which you have a copy of) the password can be found using brute force.

  19. Cute but flawed? by dmccarty · Score: 3, Interesting

    How will they prevent someone from guessing easy passwords when the random blobs happen to be something that everyone thinks is the same thing? For example, if a blob looks just like a butterfly, everyone will enter "by" as the first two letters in the password, and if successive blobs share the same property it may be cumbersome, but not too difficult, to guess their password.

    Also, most people's passwords are a string that they easily remember + some numbers. It's much easier to remember blahblah123 than to look at the blobs every time you want to login and reconstruct "frherotspsmt..." from the images.

    Perhaps this system could be used to help people remember forgotten passwords, like being able to select 5 out of 10 images in the correct order.

    --
    Have fun: Join D.N.A. (National Dyslexics Association)
  20. Strong passwords? by gpinzone · Score: 2, Informative

    > Take the first letter from the first word and the last letter from the last word in the first blot. That forms your first two password letters. If you described the first blob as a 'flying gardener,' your first two letters would be fr. Continue doing this with all of the inkblots. You'll end up with a strong twenty-letter password.

    Not quite. Your password will be long, but still only consist of letters. A truly strong password includes non-alpha and non-numeric characters to increase the search space and help against brute force attacks.

    1. Re:Strong passwords? by goombah99 · Score: 3, Insightful

      Wrong. The strongest possible password is simply the longest string you can reliably commit to memory. It makes no difference if your alphabet is 50% larger.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    2. Re:Strong passwords? by Yagdrasil · Score: 2, Informative

      > Wrong. the strongest possible password is simply the longest string you can reliably comit to memory. It makes no difference if your alphabet is 50% larger.

      Say what? In terms of a brute force attack, which is what the previous poster cited, the larger your "alphabet" the better.

      As a simplified example, if you use only lower case alpha characters with an 8 byte password then you have a keyspace of 26^8 passwords (about 209 billion). However, if you can use all 8 bits of every byte (something you could get if your passwords allowed the full ASCII set), you then get 256^8 passwords (about 1.8 x 10^19) passwords.

      Even given something a user can memorize reliably, as you suggest, a set of lower case letters and numbers produces a much larger keyspace than letters alone. I would say a user can pretty much as easily memorize "doggy1" as "doggy".

      Of course, this completely ignores the most fundamental problem of passwords - users tend to pick really bad ones. This is where the inkblot test would help, by generating a seemingly random string of letters. This was the original poster's point - a bigger keyspace would help.

    3. Re:Strong passwords? by tazan · Score: 5, Insightful

      If my alphabet was only one character I could remember a password hundreds of characters long. It would be the strongest password ever.

    4. Re:Strong passwords? by duren686 · Score: 2, Interesting

      So? people trying to guess your password will still use the strongest option, unless you tell them "I only use letters in my password!"

      --
      Y2K Compliant since the late 1890s
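The keyspace arithmetic in the last few threads (50^8 being about 2^45 in the reply to post 18, 26^8 versus 256^8 in post 20) and the objection in posts 16 and 19 that most people abbreviate a given blot the same way can be put side by side in code. The following is an added example written for this page, not code from the article or from Microsoft Research. The abbreviation rule is the first-letter/last-letter one quoted from the article; the `RESPONSES` table is a made-up, deliberately skewed distribution of what people might say one blot looks like, used only to show how far a non-uniform answer set falls short of the uniform-keyspace figure.

```python
"""Keyspace vs. guessability of inkblot-derived passwords (added example)."""
import math
from itertools import product


def abbreviation(description: str) -> str:
    """Abbreviate a blot description as the article describes: first letter
    of the first word plus last letter of the last word, so
    'flying gardener' -> 'fr'."""
    words = description.lower().split()
    return words[0][0] + words[-1][-1]


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string: log2(alphabet^length)."""
    return length * math.log2(alphabet_size)


# Constructed (hypothetical) distribution of what people say one blot looks
# like. Illustrative only; these are not figures from the article or a study.
RESPONSES = {
    "butterfly": 0.45,
    "bat": 0.20,
    "moth": 0.15,
    "flying man": 0.10,
    "frog in an apron": 0.05,
    "ink stain": 0.05,
}


def abbreviation_distribution(responses: dict) -> dict:
    """Collapse descriptions to their two-letter abbreviations. Descriptions
    that share first and last letter merge into a single guess, which only
    helps the attacker ('flying man' and 'frog in an apron' -> 'fn')."""
    dist: dict = {}
    for desc, p in responses.items():
        key = abbreviation(desc)
        dist[key] = dist.get(key, 0.0) + p
    return dist


def entropy_bits(dist: dict) -> float:
    """Shannon entropy of one blot's abbreviation, in bits."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def guesses_to_cover(dist: dict, blots: int, target: float) -> int:
    """Dictionary-attack model: try whole passwords in order of likelihood
    (blots assumed independent, so a password's probability is the product
    of its per-blot probabilities) and return how many tries it takes before
    `target` of the user population would have been found."""
    combos = sorted((math.prod(ps) for ps in product(dist.values(), repeat=blots)),
                    reverse=True)
    covered = 0.0
    for tries, p in enumerate(combos, start=1):
        covered += p
        if covered >= target:
            return tries
    return len(combos)


if __name__ == "__main__":
    print(f"8 lowercase letters : {keyspace_bits(26, 8):5.1f} bits")
    print(f"8 full-byte chars   : {keyspace_bits(256, 8):5.1f} bits")
    print(f"8 blots, 50 uniform : {keyspace_bits(50, 8):5.1f} bits")
    dist = abbreviation_distribution(RESPONSES)
    print("abbreviations per blot:", dist)
    print(f"per-blot entropy    : {entropy_bits(dist):.2f} bits "
          f"(uniform over 50 answers would be {math.log2(50):.2f})")
    print(f"4 blots: {guesses_to_cover(dist, 4, 0.5)} guesses find half of all "
          f"users, out of {len(dist) ** 4} possible passwords "
          f"(uniform 50-way would need {50 ** 4 // 2})")
```

With the constructed table, one blot is worth about 2 bits rather than the 5.6 bits that 50 equally likely answers would give, and for four blots the most-likely-first ordering finds half of all users in 62 guesses instead of the roughly 3 million a uniform 50-way choice would require. The lesson for anyone evaluating such a scheme is to measure the entropy of what users actually answer, not the size of the nominal keyspace.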
  21. Re:Microsoft Research? by Wabin · Score: 5, Insightful

    The sad thing is, MS has long had a good research department. They hire very bright people and pay them a lot. But bright people with great ideas and great research don't mean that any of that good stuff will ever make it into production code. Marketing drones and codemonkeys do a good job of stopping that. If only people would listen to the real eggheads.

    Ah for Plato's republic of philosopher kings... of course, it didn't really work out on the Simpsons...

    --
    Most exciting phrase in science: not "Eureka!" but "Hmm... That's funny..." -Asimov (abridged for \. limits)
  22. Take the test by Chundra · Score: 2, Funny

    "Take your own inkblot test - what do you see in these blobs?"

    1. nothing whatsoever
    2. fat black sumo wrestler with purple arms doing the splits
    3. goatse with chopsticks
    4. CowboyNeal's legs in blue spandex
    5. two Chinese soldiers looking longingly at each other
    6. abstract goatse
    7. A black man with bad posture, a green afro, and wings coming out his ass.
    8. Blueberry people flanking goatse.
    9. A very fat superhero.
    10. Birdman does it doggie style. Possibly with goatse.

  23. Old psychiatrist joke: by panurge · Score: 4, Funny

    Neurotic goes to psychiatrist and is shown Rorschach blots. First one reminds him of sex, second one reminds him of sex and so on. Eventually psychiatrist says "I think what we are seeing here is an obsession with sex." "What do you mean?" asks the man, "You're the one with the collection of pornography."

    Based on this argument, start off with a password of sxsxsxsxsxsxsxsxsxsx.

    Seriously, the problem is that with this method the password gets written down. OK, what's rule 1 of security? A written password is a potentially compromised password.

    --
    Panurge has posted for the last time. Thanks for the positive moderations.
  24. How could this possibly work? by jdan · Score: 3, Insightful

    This couldn't work for the following reasons:

    1) People are lazy. They aren't going to look through ten inkblots and write down each one and then figure out the first and last letter of each. They are more likely to write their password down somewhere, or just click on the link that says "e-mail me a new password".

    2) People are stupid. Normally users would get a page saying "View each of these inkblots and write down ...", but what they actually read is "blah blah blah pretty pictures blah blah blah click". Without the person administering the test standing behind them to explain what to do, most people would just glaze over, like they do whenever they are presented with instructions longer than 1 sentence.

    3) Did they have a control group that attempted to remember their "strong" password? They state that it is unusual for a user to remember a strong password after one day, but I wonder how unusual?

    4) "... by the umpteenth time you've logged in, you've remembered these twenty characters". Wouldn't it just be simpler to make them type the 20 characters over and over again 15 times? Then they remember it anyway, and don't have to reverse engineer the whole process.

    --jdan

  25. Psychological Experiment by eric76 · Score: 5, Funny

    About 30 years ago, I took part in a psychological experiment that had to do with ink blots.

    There were 4 test subjects and the psychologist in the room. He'd show an ink blot to each test subject in turn and record the responses.

    I was test subject #4.

    On the first ink blot, the first three all said the same thing and I said something different.

    The second ink blot went like the first.

    I remember that on one ink blot, the guy next to me tried to argue with me into agreeing with him, but I didn't.

    In fact, in the entire series of ink blots, the only time I agreed with anyone else was the one time he asked me first. Then everyone else agreed with me.

    It turned out that there was only one true test subject, test subject #4. The rest were in cahoots with the psychologist.

    The purpose of the experiment was to measure our socialness. The psychologist was rather upset with me because I was way off the curve and told me that I was the most anti-social person he had ever met.

    That's something coming from a psychologist who worked at a state reformatory.

    Anyway, back on topic, I tend to use passwords that are quite long usually by stringing unusual words together or by creating nonsensical sentences. In both cases, unusual spelling, punctuation, and capitalization are present.

    20 characters just doesn't seem enough.

    1. Re:Psychological Experiment by The+J+Kid · Score: 3, Funny

      > The psychologist was rather upset with me because I was way off the curve and told me that I was the most anti-social person he had ever met.

      Given that you read & post on slashdot, he can't be far off, can he?

      --
      Moderation: +4. Modded 70% Funny and 30% Overrated. 100% Saturated.
  26. Advanced Login methods by JamesP · Score: 3, Funny

    I think this method would be great when paired with the previous laughing recognition method presented here

    I mean:

    1 - Computer displays inkblot
    2 - User begins to laugh
    3 - login
    4 - PROFIT!!!

    --
    how long until /. fixes commenting on Chrome?
  27. MS Security reveals by nolife · Score: 3, Funny

    18 months after MS decides security is important and launches the biggest security review in history, they spent 10000 man hours and tens of millions of dollars to determine that:

    > Stubblefield, and his manager at MSR, Dan Simon, knew that people are the weakest link in secure computing environments

    --
    Bad boys rape our young girls but Violet gives willingly.
  28. Actually thats the recommended approach by goombah99 · Score: 4, Interesting

    > Blot number 10 would be "Bn": Batman having sex with Catwoman.

    Though your post was meant to be humorous, it also jibes with conventional security wisdom for recalling strong passwords.

    I forget who it was that said it, but a widely recommended strategy for strong passwords is to think of a shockingly graphic sexual phrase then use the first letters.

    The vividness and the link to sexual activity makes it memorable (at least in males). And also it's not likely to be a phrase you would blurt out or something anyone could easily guess about you. e.g. "take this job and shove it" would NOT be a good pass phrase because it's something that might well be an expression you would use in your writings or speech.

    Oh and by the way that's actually me in the batman costume doing your wife. or Ge

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Actually thats the recommended approach by Misch · Score: 3, Interesting

      Or Shakespeare.

      "When shall we three meet again, in thunder, lightning, or rain?"

      Becomes

      Wsw3ma-itlor

      You have capital letter, number, and punctuation symbol.

      Time for a new password? Flip to another passage.

      --

      --You will rephrase your request for me to go to hell. Goto statements are not acceptable programming constructs
  29. I agree. by Microsift · Score: 2, Interesting

    About two years ago, slashdot ran a story about RealUser, which provides a passface solution. I was shocked at how well I remember the passfaces I was given. I just tried to log in to the site, and I was successful, even though I haven't tried to log in in months.

    www.realuser.com for more info

    --
    My other sig is extremely clever...
  30. Not a very good idea - easily breakable by MasteroftheVoxel · Score: 4, Interesting

    If you know anything about the Rorschach test (the original inkblot test), you'll know it's all about statistical analysis. The Rorschach inkblots were randomly chosen - it didn't matter at all what they looked like - as long as they were always the same.

    After many decades of testing, psychiatrists were able to plot people on charts based on certain responses and then empirically decide whether someone might have a given mental illness based on whether their response showed statistical similarity to others who had proven to have that illness. Most of the categories that the responses were judged on were extremely arbitrary.

    The point is, the inkblot test relies on the fact that most people with "normal" brain function will look at an inkblot the same way. You'd be surprised at how many people list "fly" as the one that looks like a "fly", etc. What you are going to end up with is only a handful of different words for each inkblot. People aren't going to pick phrases like "flying man with green wings getting ready to lift-off" because those phrases are hard to remember. Most of them will be "fly", "flying man", "wing man" etc.

    This is not a secure password.

  31. Memory (art & palaces as well) by theefer · Score: 4, Interesting

    You have to read The Art of Memory by Frances Yates. This book deals with the ancient practice of memory training and use, including those fantastic Memory Palaces where you literally build imaginary (or not) places in your mind and use them to store representations that remind you of one idea, word, sentence, concept, or anything. You can then "walk" from place to place, looking at those representations and re-building a speech, for instance.

    Actually, this is the "intellectual", generic version of the idea posted (and slashdotted) above, and you can use it to remember your passwords, long speeches, todo-list, anything.

    And M$ won't be patenting this any time soon; the Greeks used this even BC.

    Worth a read and a try, really.

    Note: Thomas Harris has had Hannibal Lecter use and play with memory palaces in his novels too.

    --
    theefer
  32. I'm afraid... by Anonymous Coward · Score: 3, Funny

    ...that nearly every single inkblot reminded me of biology textbook diagrams of female reproductive organs. Except for the ones that reminded me of an upskirt view of a woman's exposed genitalia.

    Posted anonymously, because I'm sure I'm going to hell for this as it is....

    1. Re:I'm afraid... by Farrell · Score: 2, Funny

      But, if god is always watching you, wouldn't he know who you are anyway? Well, we're all going to hell for something or other according to the Christian religion, let's all bask in the tremendous fun of it ^.^

      --
      I want you to assume that all spelling and grammar errors are intentional. Thank You.
  33. The interview by ajs · Score: 3, Funny

    So, this interviewer asked me to look at a picture and tell him what I saw. I told him it was too embarrassing....

    He said, "No, it's ok. Everyone sees something different."

    So I told him, "Well, to *me* it looks like pattern number 7 in the Rorschach test for obsessive compulsive disorder." But, then he got all depressed so I said, "Ok... it's a password prompt."

    [with apologies to Emo ;-]

  34. Lipstick on a pig by lildogie · Score: 2, Funny

    Using a more secure password to log into a less secure box.

    It wastes your time, and annoys the pig.

  35. Passwords a thing of the past by kevin_conaway · Score: 2, Insightful

    Aren't passwords becoming more and more outdated these days? Isn't the industry focusing more towards biometric authentication and other types of tokens? I think the best way to remember passwords is the 'first letter of every word in a sentence' method.

  36. Using that method, my new password is... by hipster_doofus · Score: 4, Funny

    Secur!ty H013

    --
    Five Dolla Moddy-Moddy? ;->
  37. Surprisingly Intuitive by FU_Fish · Score: 2, Insightful

    I don't often say this about a M$ idea, but this seems like quite a good idea. The passwords seem to lack numbers, misc. characters, and mixed-case, but they're still stronger than the average password. This idea has potential for sure.

  38. Don't worry, he did. by twitter · Score: 2, Informative

    There's nothing new here. M$ has reimplemented passphrases, with a picture hint. Who has not thought of that? From the article,

    "We show you a bunch of computer generated inkblots," said Simon. "We ask you to look at the inkblot, see whatever you see in the inkblot, and type a short abbreviation of what you see. The first and last letter works well."

    Of course it works, well sort of. Passphrases are easy to remember, that's why they work so well. They could have used any kind of clue and might want to consider that because the things people think of on their own ARE NOT RANDOM, especially for ink blots. "There are several responses that almost everyone gives; mentioning these shows the psychologist you're a regular guy." So, I'm afraid that these inkblot tests won't be any better than pet names and the other common things in people's heads.

    The Microsoft PR department's discovery and promotion of passphrases, however, is a welcome innovation. Keep working, but be careful. The easier you make it for users to be unpredictable, the more difficult you make it to blame the user for holes in your code.

    --

    Friends don't help friends install M$ junk.

    1. Re:Don't worry, he did. by Brad+Mace · · Score: 2, Funny

      "There are several responses that almost everyone gives; mentioning these shows the psychologist you're a regular guy." So, I'm afraid that these inkblot tests won't be any better than pet names and the other common things in people's heads.

      Unless, of course, you happen to be a total psycho

  39. Correct answers.... by garymcg · · Score: 2, Funny

    1. Amputee Gymnast 2. Offspring of Dominek Hasek and Donkey Kong. 3. Grinch Performing Root Canal on Mick Jagger. 4. Fuzzy Bunny Foot Cuffs. 5. Oddly Colored Shepherd's Pies in Urine Sauce. 6. Invisible Woman Donning Red Brassiere. 7. Flying Amphibious Baker. 8. PBS Logo from Mars. 9. Insignia of Visitors from Planet of Butterfly-men (and women). 10. Space Wolf. Hope this helps...

    --
    If 50,000 people say a foolish thing, it is still a foolish thing.
  40. The evil empire by RebelWithoutAClue · · Score: 2, Funny

    Yessss, we slashdotted the evil empire.

    Hmmm, microsoft.com is still working ?

    We /.ed part of the evil empire at least !!!

    What ? These guys actually are innovative ? So, we hit the only non evil part of the empire ...

    --
    "However beautiful the strategy, you should occasionally look at the results" - Winston Churchill
  41. Re:Microsoft Research? by Entropy_ajb · · Score: 3, Funny

    I just think that it was really cool that an intern came up with the idea. I wish that the ideas that I come up with at my internship would end up on the front page of slashdot.

  42. Structural regularity leads to easy line of attack by Raffaello · · Score: 2, Interesting

    Read the article - they use the first *and* last letter, so the line you quoted from Macbeth becomes:

    wnslwetemtanintrlgorrn

    Which points up a flaw in the system that a previous poster alluded to, namely, that you end up with only alphanumeric character passwords, so a cracker program would only need to run permutations of first/last letter pairs from a dictionary to crack these passwords.

    Moreover, there are undoubtedly some first/last letter combinations that are more common than others in English, even for multi-word phrases, so the crackers would try these first in their search.

    In other words, their very structural regularity leads to an easy line of attack.

  43. Re:biased toward g? by JVert · · Score: 2, Interesting

    Good point, this is actually less insecure than it seems.

    Consider if 30% of the people see the same object in the inkblots and 30% of those start their description with the object (hence: batman running, batman peeing, batman standing); now you have 1/2 the password for 10% of the users. Couple the rest with brute force on the second word (using a high probability of g's, then all the other common letters ending in verbs).

    I don't think this is going to make it. You see an inkblot, give a description, the software says "sorry that's a stupid description everyone will guess that" and you write an elaborate description that you won't remember.

    Sounds more like an MIT experiment than Microsoft.

  44. You're fired by crisco · · Score: 2, Funny

    Based on your results on this carefully conducted Rorschach test, your psychological profile is incompatible with our company's image and needs. Security is waiting at your cubicle to escort you from the premises.

    --

    Bleh!

  45. Re:Microsoft Research? by zangdesign · · Score: 2, Insightful

    I wish that the ideas that I come up with at my internship would end up on the front page of slashdot.

    So every disgruntled nerd in the world can take potshots at your idea, just because it came from Microsoft?

    I think not.

    --
    To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
  46. it's not original by asv108 · · Score: 2, Interesting

    A technology called Pass Faces has been around for a few years. Microsoft simply substituted the faces for ink blots. Personally, I think it would be a lot easier to remember faces.

  47. Re:Microsoft Research? by WolfWithoutAClause · · Score: 2, Insightful

    They hire very bright people and pay them a lot. But bright people's great ideas and great research doesn't mean that any of that good stuff will ever make it into production code.

    Yes, but on the other side of the coin, bright people and their great ideas don't necessarily deserve to be made into a product.

    Before everyone jumps down my throat, all I mean is that a bright idea, something that can be made to work, that's cool, that 'egg' head people like (speaking as at least a quasi-egghead myself), doesn't necessarily make for a great product.

    I mean look at 3G, what's it for? Look at the Space Shuttle; cool as hell, but not a profitable thing. Segway?

    At their best marketing drones actually work out how the product can sell, they position it so people actually want to buy it. Segway makes a great toy for rich kids for example; but as a transport tool for getting to work, it may well not be that great; that's the kind of thing that marketing, at their best, sort out. At their worst they completely fuck it all up of course ;-)

    --

    -WolfWithoutAClause

    "Gravity is only a theory, not a fact!"
  48. Re:your comment was 'easily breakable' by Raffaello · · Score: 3, Insightful

    No, all a cracker would need to do is to test the permutations of the most likely variant responses *first*. The cracker would need to know *nothing* about the individual user, just what responses were most common statistically. Even if such knowledge consisted entirely of what words people use most often in short descriptive phrases (independent of ink blots), it would shrink the search space dramatically.

    Combined with the fact that the cracker is dealing only with alphabetic characters, you end up with a highly structured system, with an obvious, and likely quite fruitful, means of attack.

  49. just letters? by WebMasterJoe · · Score: 2, Insightful

    Sure, it may be pseudo-random 20-character passwords, but there are some real issues that make brute-force attacks work better:
    • Even characters are the last letter of the second word, so this is likely to be an 's' for plural-looking blots, and not so likely to be a, i, o, u, and almost definitely not q.
    • The length of the password is known.
    • There are no capital letters. In fact, they're all lowercase letters.
    A normal dictionary attack on twenty characters would have 94^20, 2.90e39 permutations. The passwords with the restrictions listed above would be at MOST 26^10*25^10 (assuming no q's in the even positions), or 2.37e14, possibilities. Using some "probably's" listed above, you could save some of the less likely combinations for the end of the list.

    OTOH, an eight-character max, mixed-case password that could have special characters will have (i=1..8)94^i (sorry, I can't do sigma notation) possibilities, which is 6.16e15. That's 26x as many as the method listed above, and given that the human mind can easily remember between five and nine characters, it seems we're better off memorizing some sequence from /dev/random.

    DISCLAIMER: I am not a mathematician. I may be talking out of my ass. Please correct me if I am.
    --
    I really hate signatures, but go to my website.
  50. Not even that good an idea. by twitter · · Score: 2, Interesting

    I don't think they will get lots of unique stuff from ink blots. There's nothing new about M$ claiming to have invented something.

    --

    Friends don't help friends install M$ junk.

  51. Nowisthewinterofourdiscontent. . . by kfg · · Score: 2, Funny
    madeglorioussummerbythissonofYorkandallthecloudsthatlowereduponourhouseinthedeepbosomoftheocean. . .

    . . . hereClarencecomes

    Oh, sure, maybe they'll get lucky with the first 16 letters or so, but they'll never guess the next few hundred.

    KFG

  52. Re:I doubt it. by Lemmeoutada+Collecti · · Score: 2, Informative

    Well, given how few English words begin with Q, Z, and X, and that the odd characters are word-starting letters, and that the frequencies of letters in the English language are well known with relation to starting positions...
    Given also that every even character is a word termination character, and the letter frequency is well known with respect to terminal positions as well...
    Given further that most people start a phrase when typing with a capital letter...

    I would say some minor combinatorics based on these facts would yield a very strong cracking algorithm very quickly.

    --

    You can have it fast, accurate, or pretty. Pick any 2.
  53. How is this a strong password? by MemeRot · · Score: 2, Interesting

    There's no mixing of case, numbers, etc. It's twenty random characters. Now you may remember these 20 characters better than your normal random characters but it leaves you with a password where there are only 26 options for the first character, 26 for the next, etc. - it's still trivially easy for a password generator to crack.

    Plus, how many places are there on the web that limit the length of passwords to like 8 or 10? If you use 4 inkblots and generate an 8 character string of letters all in one case, that's not exactly a strong password.

    Did those inkblots suck ass or what? Some just really didn't lend themselves to pictures for me.

  54. You're both wrong... by wirelessbuzzers · · Score: 5, Informative

    [am not! are too! am not!]

    The strongest possible password is the string with the most entropy that you can reliably remember and enter. i.e. the output of a password-generation method that has the largest possible number of different outputs (assuming that they are equally likely up to computational feasibility, and that you can reliably remember and enter the password, and that an attacker has any reasonable chance of guessing how you generated it).

    It is NOT the longest string you can commit to memory. There are people who have memorized thousands of digits of pi, but the first thousand digits of pi would be a horrible password if someone knew that you had memorized them. Similarly, Shakespearean soliloquies suck, especially if you are a Shakespeare geek.

    A random sentence from War and Peace has maybe 16 bits of entropy. A random paragraph has fewer, because there are fewer paragraphs in War & Peace than there are sentences. A random word from /usr/share/dict/words has about 19 bits of entropy, and thus beats out the sentence. A decent PC could crack any of these in seconds flat, if an attacker suspected you had used one of them.

    If the string is anywhere on your hard drive in plaintext form, be it in the words dict, a deleted email from Amazon, or your War and Peace ebook, it has at most 40-some bits of entropy (depending on your hard disk size and its length), and could be cracked on a small cluster in days if your hard drive were stolen.

    A 5-word diceware.com password such as "cleft cam synod lacy yr" has about 63-64 bits of entropy, and is my preferred password type for long passwords because it is fairly easy to remember. A 10-character RAD-64 password such as "4TFA/ii+Xc" has 60 bits. An 18-digit random number has about the same.

    If you can narrow each inkblot to 50 possibilities, then a sequence of 10 of them has about 57 bits of entropy in 20 characters. (Don't take my word, I calculated it in my head.) That's feasible for the govt, or distributed.net, or a very large company. Not bad for a passport account which is unlikely to have its hash lifted anyway, but since I can remember the RAD64 or the diceware one easier and enter it faster, I'll stick with one of them for the accounts I care about.

    Anyway, the password strength you need depends on how much you care about what it protects.

    For instance, I have 10-word diceware for my PGP master signing key, which is about as strong as the hash. Accounts that I don't really care about, like /., have lousy passwords which are variants on an older one, but are easy to remember and quick to enter. You won't guess any one without looking at the others, and I wouldn't care much if you did.

    --
    I hereby place the above post in the public domain.
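The search-space arithmetic in the two posts above (the 26-letter/94-character comparison and the diceware, RAD-64 and "50 possibilities per blot" entropy figures), as an added example that is not part of the thread or of Microsoft Research's work. It computes nominal bits for each scheme, then estimates the effective bits per inkblot from a constructed set of descriptions, since several posters point out that first/last-letter pairs are far from uniform. The guess rate and the description list are assumptions made for illustration.

```python
"""Search-space arithmetic for the password schemes compared in this thread.

Added example, not code from the thread or from Microsoft Research. The
guess rate and the list of inkblot descriptions below are assumptions
constructed for illustration.
"""
import math
from collections import Counter

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bits(space: float) -> float:
    """Entropy in bits of a secret drawn uniformly from `space` candidates."""
    return math.log2(space)


def fixed_length_space(alphabet: int, length: int) -> int:
    """Strings of exactly `length` symbols over an alphabet of `alphabet` symbols."""
    return alphabet ** length


def up_to_length_space(alphabet: int, max_length: int) -> int:
    """Strings of 1..max_length symbols: sum of alphabet**i for i = 1..max_length."""
    return sum(alphabet ** i for i in range(1, max_length + 1))


def inkblot_space(blots: int, first: int = 26, last: int = 26) -> int:
    """Inkblot scheme: one (first letter, last letter) pair per blot, with
    separate alphabet sizes for the two positions (e.g. last=25 if 'q'
    is assumed never to end a word)."""
    return (first * last) ** blots


def inkblot_effective_bits(descriptions, blots: int) -> float:
    """Bits for `blots` inkblots when each pair is drawn from the (first,
    last) letters of real descriptions rather than uniformly from 26*26.
    Uses the Shannon entropy of the observed pair frequencies; with a small
    sample this is a rough estimate, not a measurement."""
    pairs = Counter()
    for text in descriptions:
        words = text.lower().split()
        pairs[(words[0][0], words[-1][-1])] += 1
    total = sum(pairs.values())
    per_blot = -sum((n / total) * math.log2(n / total) for n in pairs.values())
    return per_blot * blots


def years_to_exhaust(space: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given offline guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


# Constructed descriptions for a single blot, modelled on the thread's
# observation that many people name the same object and end with "-ing".
SAMPLE_DESCRIPTIONS = [
    "batman flying", "batman running", "batman peeing", "frog flying",
    "flying frog", "frog with wings", "bird flying", "turtle man",
    "flying monkey", "batman flying",
]

if __name__ == "__main__":
    rate = 1e9  # assumed offline guesses per second, for illustration only
    schemes = {
        "inkblot, 10 blots, 26*26 uniform": inkblot_space(10),
        "inkblot, 10 blots, no 'q' at word end": inkblot_space(10, 26, 25),
        "inkblot, 10 blots, 50 plausible pairs": fixed_length_space(50, 10),
        "diceware, 5 words of 7776": fixed_length_space(7776, 5),
        "RAD-64, 10 characters": fixed_length_space(64, 10),
        "printable ASCII, exactly 20 characters": fixed_length_space(94, 20),
        "printable ASCII, 1 to 8 characters": up_to_length_space(94, 8),
    }
    for name, space in schemes.items():
        print(f"{name:40s} {bits(space):6.1f} bits  {years_to_exhaust(space, rate):10.3g} years")
    sample_bits = inkblot_effective_bits(SAMPLE_DESCRIPTIONS, 10)
    print(f"{'inkblot, 10 blots, sample pairs':40s} {sample_bits:6.1f} bits")
```

The sample list collapses ten descriptions into five distinct pairs, half of them (b, g), so the estimate lands near 2 bits per blot against a nominal 9.4; a real assessment would need a large corpus of responses per blot.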
  55. Missing the point - who has passwords this long? by MemeRot · · Score: 2, Interesting

    Most web sites, and I'm sure hotmail is in this number, limit the size of the password field. If I had committed to memory a random string that was 1000 characters long, it doesn't matter much when the web site asking for a password only accepts 10 characters. Now, when you're dealing with a 10 character limit (a reasonable real life example) it matters A LOT if your dictionary is 50% larger.

  56. Re:your comment was 'easily breakable' by KenDaMan · · Score: 2, Informative

    The cracker would need to know *nothing* about the individual user, just what responses were most common statistically.

    The article described a system that would generate an infinite number of random inkblots. Every user would have their own set of inkblots that their password was generated from. If everybody used the same inkblots, I could see how this would be a problem. With random inkblots there would be no statistical answers that were most common. You would have a unique set of inkblots to crack for each unique individual.

  57. Proving Microsoft Right... by Jucius+Maximus · · Score: 2, Funny

    Well I think it is proven that different people see different things when looking at these shapes. Here is a compilation of what people have said so far. And yes, it did take friggin' long to compile this:

    Please blame the lameness of the formatting of this list on slashcode: "Your comment has too few characters per line (currently 20.0)."

    Image 1:
    -butterfly swimmer, Snooty Nose, mantle, Mask and dress, Mugatu from Zoolander, Person with hands behind back looking at feet
    -Two birds on a tree with two dogs breathing fire on them, Angry hippie, diablo howling into the air, A rabbit with horns lifting weights, Angry robot with guns
    -Strongbad, Fighter Plane, Two birds singing, Missouri, tripod mortar

    Image 2:
    -fat person stretching, Christian Slater, Bear in a T-shirt, Board Meeting, Gravity challenged lady in lycra super hero outfit doing the splits
    -Sumo wrestler on his ass, Jabba the hutt wearing a cape, fat sumo man in his fight stance, Squatting sumo, Cartman (I haven't even seen many SP episodes)
    -Headboard or a bed, A gorilla in sweats doing a split, Fat woman stretching, linebacker, Kneeling fat man, recycle logo

    Image 3:
    -WWE Smackdown Entrance, Transformer, two hands, Zoro meets Willie Nelson, Someone eating coffee grounds from a filter with chopsticks
    -Bob the Tomato from Veggie Tales, Someone drawing with both hands, Knitting a fez, one of the things from the movie Gremlins, An ambidextrous person writing with both hands
    -Two bunny rabbits eating guts, Bee face close up, Cockpit, Tropical island with two palms without tops, Obviously Goatse, buglike jetboat

    Image 4:
    -bushy woman on the shitter, Oak leaf, Hands washing black socks, LAN Party, Woman with grey arms force feeding candy to two children
    -Batman's crotch, A large table saw designed to work in a gravity-less environment run by a tip driving magnetic motor, pelvic bone yo
    -Hands full of glue, I have no idea. Nothing comes up., Comfy slippers , Feet of a reclining person
    -Woman with panties down doing the Charleston, knees, Earmuffs, Evil Eyes

    Image 5:
    -Person Gasping, Pierre and Pierre, two faces, Two green berets talking, Two ice cream cones, Arab looking in a mirror, Two weeping men with large green hats
    -Rastafarian argument, two men crying as they face each other with big puffy green hats, two frogs wearing hats sticking their tongues out, Two green berets with black eyes, Two malnourished mullahs with camouflaged hats discussing the art of fellatio,
    -Osama, Two boys playing soldiers, Trent Reznor, two eyes with big green brows

    Image 6:
    -grinning insect mouth, Edmonton (Canada), Camp entrance, Bloody Chest, Super hero adjusting bra
    -Football shoulder pads, a person's hat with fake hair and pigtails attached, another pelvic bone?
    -Hands holding a brassiere, Spider, Monkey doing telepathy
    -A headless woman, Man hiding eyes, spider, Mittens, Person Gasping

    Image 7:
    -Turtle man, Flying Monkey, flying frog, Flyman, A frog in an apron, Frog with wings in apron, Mean green fly, Dragonfly frog, totally a flying frog chef duh!
    -A winged frog wearing coveralls, Fairy frog wearing an apron, Jack Osbourne dressed as an angel, Frog Ferry, Green winged mole, Letter label, Yoda with bug wings

    Image 8:
    -The fat blue guys from Yellow Submarine shooting condoms out of their bellies
    -Yugos
    -Blue rabbits smoking.
    -Globe
    -Two Blue Meanies looking at a big butterfly
    -Two sheep heads crapped on by a butterfly
    -2 dinosaurs watching a large butterfly
    -two men in suits watching a butterfly fly between them
    -Tying a bowtie
    -Dino men from Super Mario Brothers movie
    -RC controllers
    -Snapping fingers
    -Two men shot in their heads thinking about bras.
    -smoking
    -Two Aliens
    -Boys Spitting

    Image 9:
    -Batman fighting
    -Bird in the hand
    -demon
    -Italian man twirling two pizzas.
    -Batman peeing

  58. THAT'S NOT IT AT ALL! by fireboy1919 · · Score: 3, Funny

    (1) An inkblot
    (2) An inkblot
    (3) An inkblot
    (4) An inkblot
    (5) An inkblot
    (6) An inkblot
    (7) An inkblot
    (8) An inkblot
    (9) An inkblot
    (10) Standing in sort of sun-god robes on a pyramid with thousands of naked women screaming and throwing little pickles.

    So the correct password is atatatatatatatatatss

    --
    Mod me down and I will become more powerful than you can possibly imagine!
  59. Bad hash scheme by Anthracene · · Score: 2, Interesting

    I think her hashing scheme needs a little work. Looking through the comments, lots of people identify blots as [noun] [present participle] (e.g. "batman flying"). All present participles end in -ing, so I think you would find a high incidence of 'g' in even positions of passwords generated with this scheme.

  60. dumb by erikdotla · · Score: 2, Funny

    I like my system better: Change everyone's password directly on the server. Keep them in an encrypted (but easily searchable) database which only the admin can keep.

    Tell the user to remember their password.

    Demerit the user each time they have to ask for it, and publish the demerit count every week. Shame them. Demerit them further during daily inspections of workspaces if they have written it down anywhere.

    Encourage "Survivor" tactics where workers try to figure out each other's passwords, and earn points for each password they discover. Keystroke logging, hidden cameras, it's all fair in the name of security. And of course, demerit the person whose password was compromised.

    They will remember. Oh yes, they will remember.

    On first day of hire: "WELCOME TO STRICTCO! YOUR EMPLOYEE NUMBER IS 103489923477730493. THE COSINE OF THAT IS YOUR PASSWORD. FORGET IT, AND WE DOCK YA!"

    # Erik - 27 password demerits since 1997

    Disclaimer: According to section 39485 of StrictCo's Employee Handbook, by using STRICTCO's Internet connection to post this message, the user's name and password demerit count must be published with each message, along with this disclaimer. Please report any violations to hr@strictco.gg

    --
    # Erik
  61. Re:Let's do the math... by Cederic · · Score: 2, Interesting
    yeah but this is all assuming the attacker knows that you've used this as a basis for your password.

    it also assumes he knows which books you have - I own books that aren't in the LOC.

    Since most sentences are too long for the average 8-10 character password field, I wouldn't even use a simple sentence - I could take the first letter of each word in the sentence, or the second, or the first letter of each word in reverse order.

    These are all easy to remember and difficult to crack, because you just don't know my algorithm - security through obscurity, sure, but could be tough to reverse engineer.

    E.g. the password '.cnspoye' was made up by reading something off the webpage I'm typing into. Normally you wouldn't know that's my password, and even if you did you wouldn't know the webpage I based it on, and even though you do it's still non-obvious (but I'm sure you could figure it out if you cared).

    I'm not saying this is how I pick my passwords normally - oddly enough, that's not something I discuss in public. I'm just saying that even if it only has 9 bits of entropy, it's just as secure as your fancy diceware passwords and (for me) much easier to remember.

    ~Cederic