Slashdot Mirror
Inkblot Passwords
TechnoPope writes "Microsoft Research a new way to get users to not only develop, but remember more secure passwords can be achieved through using inkblots. Because of how the human brain works, you can show the same pictures to different people and almost always come up with different passwords. What's even crazier, is that people generally are able to remember the complex passwords. Sounds like a major breakthrough in security."
Anyone else see these shapes?
butterfly swimmer
recycle logo
WWE Smackdown Enterance
Helping Hands
Evil Eyes
Person Gasping
Turtle man
Boys Spitting
Batman fighting
Batman flying
with an end password of brrowehsespgtnbgbgbg
Hmm, maybe i shouldn't of shared that. This seems to be a really cool system. I look forward to MS adding it to passport!
Blot number 10 would be "Bn": Batman having sex with Catwoman.
From the movie Van Wilder:
Random man (being shown an ink blot picture): "DUDE! It's a guy... and he's giving a circumcision... to HIMSELF!"
How exactly would his password turn out?
If they showed this to the /. crowd:
. .
:)
User1: It's Natalie Portman, i mean look at those curves . .
User2: Beowulf cluster of Linux boxen!
User3: Its the dead body of Steven King.
User4: Hot Grits . . . definately .
User5: In Soviet Russia, the inkblots analyze you!
Think I covered them all
Your hair look like poop, Bob! - Wanker.
An innovative, potential useful idea coming from Microsoft?
I can't figure out which is more incredible - that, or the fact that the story got told here...
Stop by my site where I write about ERP systems & more
I would love this so much more, and find it much more useful, if Steve Jobs had thought of this.
They'll make a total mess of
Trolling is a art,
Great. Now every password will have something to do with sex.
NetInfo connection failed for server 127.0.0.1/local
I used this system, with 5 different inkblots to generate my 5 most important passwords. They are, in turn:
o ther
MyMother.
Mom.
MyMother.
Momagain.
and
MyM
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
Here is some more of our favorite Slashdot composition style for your pleasure.
"Microsoft Research a new way to get users to not only develop, but remember more secure passwords can be achieved through using inkblots."
Makes one want to weep really.
Here's the passwords I came up with:
Inky
Blotty
inkblotty
inkyblot
I bet there's not too many of these. Put 'em in a wordlist, and, bang!, you're a hacker!
Best Windows Freeware
It's nice, but the inkblots could use some work. If you look closely, they all look basically similar in construction, with the only differences being the color and size of the shapes. They also are all symetrical along a vertical axis. A little more randomization would be nice I would think.
Well the idea sounds cool and all, but isn't this just a bit too involved to help people come up with and remember what will become basically random strings of characters? This seems like going through lots more of an effort then just using a random password generator of x-characters and handing the person something to memorize. When it comes to cracking, wouldn't you have just about the same odds of guessing what random password the person got through inkblots with what the person would have got with a random character generator? Sure neither would be really easy, but to hackers... it's still just a password.
SecondPageMedia - Wha
Its obvious number 7 is a frog getting blown by a kitten and fucked doggy style by something with wings. All the rest are my mother.
How strong are these passwords. For each blot, might you guess what somebody will see? Some seemed more obvious than others.
I like the face password system. With this system you remember some faces, something we are very good at doing. Then you are shown tablets of faces, around 16 of them. Your face is among them and you click on it -- 4 bits of data. You do this several times to generate a strong enough password.
The really interesting aspect of this system is, unless you are a skilled police sketch artist, you can't tell other people your password. Even if they torture you, you can't reveal it. Many people will find themselves unable to even describe the faces in their set, they just know them when they see them.
You might be able to go to the terminal and sketch or digitally photograph your faces to tell somebody else, but if this is used as an access control system, for example, with a guard watching you as you enter your code, it's hard to do. Thus the military is interested in such systems. But even if you don't care about the no-torture feature, you can generate memorable passwords that use an entirely different type of memory.
The other flaw (which is less serious) is that this strategy is only effective when the user has to remember a small, finite number of inkblots. If a user is forced to memorize a few hundred inkblots to cover the dozens of passwords he needs on a daily basis, this mnenomic technique loses its value.
Also, most people's passwords are a string that they easily remember + some numbers. It's much easier to remember blahblah123 than to look at the blobs every time you want to login and reconstruct "frherotspsmt..." from the images.
Perhaps this system could be used to help people remember forgotten passwords, like being able to select 5 of out 10 images in the correct order.
Have fun: Join D.N.A. (National Dyslexics Association)
The sad thing is, MS has long had a good research department. They hire very bright people and pay them a lot. But bright people with great ideas and great research doesn't mean that any of that good stuff will ever make it into production code. Marketing drones and codemonkeys do a good job of stopping that. If only people would listen to the real eggheads.
Ah for Plato's republic of philosopher kings... of course, it didn't really work out on the Simpsons...
Most exciting phrase in science: not "Eureka!" but "Hmm... That's funny..." -Asimov (abridged for \. limits)
Based on this argument, start off with a password of sxsxsxsxsxsxsxsxsxsx.
Seriously, the problem is that with this method the password gets written down. OK, what's rule 1 of security? A written password is a potentially compromised password.
Panurge has posted for the last time. Thanks for the positive moderations.
This couldn't work for the following reasons:
...", but what they actually read is "blah blah blah pretty pictures blah blah blah click". Without the person administering the test standing behind them to explain what to do, most people would just glaze over, like they do whenever they are presented with instructions longer than 1 sentence.
1) People are lazy. They aren't going to look through ten inkblots and write down each one and then figure out the first and last letter of each. They are more likely to write their password down somewhere, or just click on the link that says "e-mail me a new password".
2) People are stupid. Normaly users would get a page saying "View each of these inkblots and write down
3) Did they have a control group that attempted to remember their "strong" password? They state that it is unusual for a user to remember a strong password after one day, but I wonder how unusual?
4) "... by the umpteenth time you've logged in, you've remembered these twenty characters". Wouldn't it just be simpler to make them type the 20 characters over and over again 15 times? Then they remember it anyway, and don't have to reverse engineer the whole process.
--jdan
About 30 years ago, I took part in a psychological experiment that had to do with ink blots.
There were 4 test subjects and the psychologist in the room. He'd show an ink blot to each test subject in turn and record the responses.
I was test subject #4.
On the first ink blot, the first three all said the same thing and I said something different.
The second ink blot went like the first.
I remember that on one ink blot, the guy next to me tried to argue with me into agreeing with him, but I didn't.
In fact, in the entire series of ink blots, the only time I agreed with anyone else was the one time he asked me first. Then everyone else agreed with me.
It turned out that there was only one true test subject, test subject #4. The rest were in cahoots with the psychologist.
The purpose of the experiment was to measure our socialness. The psychologist was rather upset with me because I was way off the curve and told me that I was the most anti-social person he had ever met.
That's something coming from a psychologist who worked at a state reformatory.
Anyway, back on topic, I tend to use passwords that are quite long usually by stringing unusual words together or by creating nonsensical sentences. In both cases, unusual spelling, punctuation, and capitalization are present.
20 characters just doesn't seem enough.
I think this method would be great when paired with the previous laughing recognition method presented here
I mean:
1 - Computer displays inkblot
2 - User begins to laugh
3 - login
4 - PROFIT!!!
how long until
18 months after MS decides security is important and lauches the biggest security review in history, they spent 10000 man hours and 10's of millions of dollars to determine that:
Stubblefield, and his manager at MSR, Dan Simon, knew that people are the weakest link in secure computing environments
Bad boys rape our young girls but Violet gives willingly.
though your post was meant to be humorous it also jibes with convention security wisdom for recalling strong passwords.
I forget who it was that said it, but a widely recomended strategy for strong passwords is to think of a shockingly graphic sexual phrase then use the first letters.
The vividness and the link to sexual activity makes it memorable (at least in males). And also its not likely to be a phase you would blurt out or something anyone cold easily guess about you. e.g. "take this job and shove it" would NOT be a good pass phrase because its something that might well be an expression you would use in your writings or speech.
Oh and by the way that's actually me in the batman costume doing your wife. or Ge
Some drink at the fountain of knowledge. Others just gargle.
If you know anything about the Rorshach test (the original inkblot test), you'll know its all about
statistical analyzing. The Rorshach inkblots were randomly chosen - it didn't matter at all what they looked like - as long as they were always the same.
After many decades of testing, psychiatrists were able to plot people on charts based on certain responses and then empirically decide whether someone might have a given mental illness based on whether their response should statistical similarity to others who had proven to have that illness. Most of the categories that the responses were judged on were extremely arbitrary.
The point is, the inkblot test relies on the fact that most people with "normal" brain function will look at an inkblot the same way. You'd be surprised at how many people who list "fly" as the one that looks like a "fly" etc. What you are going to end up with is only a handful of different words for each inkblot. People aren't going to pick phrases like "flying man with with green wings getting ready to lift-off" because those phrases are hard to remember. Most of them will be "fly" "flying man", "wing man" etc.
This is not a secure password.
You have to read The Art of Memory by Frances Yates. This book deals with ancient practice of memory training and using, including those fantastic Memory Palaces where you litterally build imaginary (or not) places in your mind and use them to store representations that remind you from one idea, word, sentence, concept, or anything. You can then "walk" from place to place, looking at those representations and re-building a speech for instance.
Actually, this is the "intellectual", generic version of the idea posted (and slashdotted) above, and you can use it to remember your passwords, long speeches, todo-list, anything.
And M$ won't be patenting this any time soon, the greeks used this even BC.
Worth a read and a try, really.
Note: Thomas Harris has had Hannibal Lecter use and play with memory palaces in his novels too.
theefer
...that nearly every single inkblot reminded me of biology textbook diagrams of female reproductive organs. Except for the ones that reminded me of a upskirt view of a woman's exposed genitalia.
Posted anonymously, because I'm sure I'm going to hell for this as it is....
So, this interviewer asked me to look at a picture and tell him what I saw. I told him it was too embarasing....
;-]
He said, "No, it's ok. Everyone sees something different."
So I told him, "Well, to *me* it looks like pattern number 7 in the Rorschach test for obsessive compulsive dissorder." But, then he got all depressed so I said, "Ok... it's a password prompt."
[with appologies to Emo
Secur!ty H013
Five Dolla Moddy-Moddy?
Wrong. the strongest possible password is simply the longest string you can reliably comit to memory. It makes no difference if your alphabet is 50% larger.
Some drink at the fountain of knowledge. Others just gargle.
I just think that it was really cool that an intern came up with the idea. I wish that the ideas that I come up with at my internship would end up on the front page of slashdot.
If my alphabet was only one character I could remember a password hundereds of characters long. It would be the strongest password ever.
No, all a cracker would need to do is to test the permutations of the most likely variant responses *first*. The cracker would need to know *nothing* about the individual user, just what responses were most common statistically. Even if such knowledge consisted entirely of what words people use most often in short descriptive phrases (independent of ink blots), it would shrink the search space dramatically.
Combined with the fact that the cracker is dealing only with alphabetic characters, you end up with a highly structured system, with an obvious, and likely quite fruitful, means of attack.
[am not! are too! am not!]
/usr/share/dict/words has about 19 bits of entropy, and thus beats out the sentence. A decent PC could crack any of these in seconds flat, if an attacker suspected you had used one of them.
/., have lousy passwords which are variants on an older one, but are easy to remember and quick to enter. You won't guess any one without looking at the others, and I wouldn't care much if you did.
The strongest possible password is the string with the most entropy that you can reliably remember and enter. i.e. the output of a password-generation method that has the largest possible number of different outputs (assuming that they are equally likely up to computational feasibility, and that you can reliably remember and enter the password, and that an attacker has any reasonable chance of guessing how you generated it).
It is NOT the longest string you can commit to memory. There are people who have memorized thousands of digits of pi, but the first thousand digits of pi would be a horrible password if someone knew that you had memorized them. Similarly, Shakespearean soliloquies suck, especially if you are a Shakespeare geek.
A random sentence from War and Peace has maybe 16 bits of entropy. A random paragraph has fewer, because there are fewer paragraphs in War & Peace than there are sentences. A random word from
If the string is anywhere on your hard drive in plaintext form, be it in the words dict, a deleted email from Amazon, or your War and Peace ebook, it has at most 40-some bits of entropy (depending on your hard disk size and its length), and could be cracked on a small cluster in days if your hardrive wore stolen.
A 5-word diceware.com password such as "cleft cam synod lacy yr" has about 63-64 bits of entropy, and is my preferred password type for long passwords because it is fairly easy to remember. A 10-character RAD-64 password such as "4TFA/ii+Xc" has 60 bits. An 18-digit random number has about the same.
If you can narrow each inkblot to 50 possibilities, then a sequence of 10 of them has about 57 bits of entropy in 20 characters. (don't take my word, i calculated it in my head). That's feasible for the govt, or distributed.net, or a very large company. Not bad for a passport account which is unlikely to have its hash lifted anyway, but since I can remember the RAD64 or the diceware one easier and enter it faster, I'll stick with one of them for the accounts I care about.
Anyway, the password strength you need depends on how much you care about what it protects.
For instance, I have 10-word diceware for my PGP master signing key, which is about as strong as the hash. Accounts that I don't really care about, like
I hereby place the above post in the public domain.
(1) An inkblot
(2) An inkblot
(3) An inkblot
(4) An inkblot
(5) An inkblot
(6) An inkblot
(7) An inkblot
(8) An inkblot
(9) An inkblot
(10) Standing in sort of sun-god robes on a pyramid with thousands of naked women screaming and throwing little pickles.
So the correct password is atatatatatatatatatss
Mod me down and I will become more powerful than you can possibly imagine!