Slashdot Mirror


Using a Password One Doesn't Consciously Remember

ZiggyM writes "Researchers from Hebrew University in Israel have devised a way to assign a password to a user in a way that prevents the user from consciously remembering or describing it, yet the user can input it correctly over 90% of the time in a 3 month period after [s]he learns to input it. It involves using visual recognition of previously-seen images, which you can recognize but can't consciously recall in detail. Recognizing the right ones from a series is interpreted as knowing the password, and the chance of guessing it is 1/100,000. Not ready for practical use yet, but a very interesting concept that can develop further."

270 comments

  1. My tinfoil hat by Zegnar · · Score: 4, Funny

    My tinfoil hat protects me from the mind readers anyway!

    1. Re:My tinfoil hat by Baron+Eekman · · Score: 4, Funny

      How's this going to help?

      I'm not remembering my passwords all the time already

    2. Re:My tinfoil hat by Anonymous Coward · · Score: 0

      My Observational Deduction Ray is +1/+4 against loons with tinfoil hats.

    3. Re:My tinfoil hat by Anonymous Coward · · Score: 0

      I choose the same password for everything, except when I'm not allowed to.

    4. Re:My tinfoil hat by pavon · · Score: 1, Funny

      Don't you know? That's an added feature of the tinfoil hat! It keeps your brainwaves in your head, where they belong, instead of out in the world where they can be probed. This has the amazing effect of increasing memory, mental acuity and the ability to connect seemingly unrelated things.

    5. Re:My tinfoil hat by theguitarizt · · Score: 1

      Is your hat grounded? According to this it needs to be in order to be effective.

    6. Re:My tinfoil hat by forkazoo · · Score: 1

      Ahh, the old debate about grounded vs. ungrounded deflector headgear. It's quite simple! Are you being spied on by mole men or government satellites? If Uncle Sam, ground your headgear. If mole men, install antennae. The mole men will have improved reception on a grounded deflective helm. Likewise, Uncle Sam's spying eyes in the sky love antennae. When you ground, Uncle Sam won't be able to isolate your brain waves because he will be picking up mole man carriers, and vice versa.

      Disclaimer: I am a board certified metallic foil haberdasher, but this is not official certified advice. Everybody's paranoia is unique and healthy. Stop by the store for a personal consultation on Neuro-absorptive/Neuro-reflective helmets and headgear that best suit your needs. Initial consultation only $39.95 while supplies last.

    7. Re:My tinfoil hat by kristau · · Score: 1

      That's because someone cracked their way into your brain, obtained all your passwords and wiped them to cover their tracks.

      Wear the tinfoil hat, dude!

  2. Well by Anonymous Coward · · Score: 3, Funny

    At least it's a new use for my porn archive.

    Do we get to use touch screens?

    1. Re:Well by Sv1ad · · Score: 1

      Nah, the whole point is that you can't quite recall the pictures in any detail. Not much point then unless you like your pr0n entered subconsciously.

  3. Super! by Anonymous Coward · · Score: 0

    My password might be 5777364.

  4. Rock, Paper, or Scissors by xmas2003 · · Score: 1
    You should have no problem if you pick one of the above passwords ... but remember, no dynamite! ;-)

    Read more about RoShamBo here

    --
    Hulk SMASH Celiac Disease
    1. Re:Rock, Paper, or Scissors by TwistedSquare · · Score: 0

      I thought RoShamBo was when you kicked each other in the nuts as hard as you could...

    2. Re:Rock, Paper, or Scissors by irokitt · · Score: 1

      Yeah, well you try to do that via webcam.

      --
      If my answers frighten you, stop asking scary questions.
  5. Crack by Opticalsky · · Score: 0

    This is rather a stupid thing to study if you ask me. Any password can be cracked, and the ironic thing is: what if companies started doing this to their employees, and when they leave they ask the employees what their password is? Well, they aren't going to know it, and then the company will have to find another way to get the password.

  6. Their own metrics are so awful. by mlyle · · Score: 3, Interesting

    Compare to a normal password-- 90% chance of successful identification? 100,000 possible combinations? Ick.

    It better not be used in any situation where a machine can attempt the password, and hopefully they've avoided storing the password itself on the disk, though it certainly could be found with brute CPU (see above).

    Basically, it looks like this is a very unimpressive system.

    1. Re:Their own metrics are so awful. by Anonymous Coward · · Score: 5, Insightful

      Yup. That's not secure in the least. 100,000 possible combinations is equivalent to having a password of only lowercase letters, exactly four letters in length, where the first letter has to be from "a" through "f" (6 * 26 * 26 * 26 = 105,456).

      Definitely one of the worst password-type mechanisms proposed in recent history.

    2. Re:Their own metrics are so awful. by jwe21 · · Score: 2, Interesting

      In most environments, the human factor is the weakest link, not the false positive probability. It doesn't matter if the probability of guessing the password is 1/100,000 or as they'd probably get with a bit better training algorithm and a bigger database 1/10,000,000 --- the point is that the user can't write their password down on a sticky note on their monitor.

      Think of it as sacrificing limited security against one unlikely technique (brute force attack) for perfect security against a more common one (human fallibility).

    3. Re:Their own metrics are so awful. by Anonymous Coward · · Score: 0

      Compare to 4 digit pin codes... =) There could be some applications for this kind of passwords.

    4. Re:Their own metrics are so awful. by Anonymous Coward · · Score: 1, Funny

      ... only lowercase letters, exactly four letters in length, where the first letter has to be from "a" through "f"

      Damn, "bosco" is one character too long!

    5. Re:Their own metrics are so awful. by Oculus+Habent · · Score: 5, Interesting

      In reality a truly random four-letter password is probably more secure than most people's password. Have you forgotten they'll likely give it up for chocolate, anyway? If they don't really know it, they can't write it down and can't divulge it.

      The specific implementation may need work, but the concept has very real possibility.

      Best comment when I told someone their password expires every 90 days and they can't use the last two:

      "That's OK, I have four grandchildren."

      --
      That what was all this school was for... to teach us how to solve our own problems. -- janeowit
    6. Re:Their own metrics are so awful. by Anonymous Coward · · Score: 0

      Only a 90% of the user getting it right is terrible however you spin it.

    7. Re:Their own metrics are so awful. by pavon · · Score: 4, Informative

      For reference, an eight character password consisting of random upper-case, lower-case and numbers has about 200,000,000,000,000 combinations. A twelve character pronounceable password is about the same, and is what I use for all of my "important" passwords with about a 20% chance of typos. If one were to pick a random English word out of /usr/share/dict/words, that password would be twice as secure as this method, and we know how easy a dictionary attack is.

    8. Re:Their own metrics are so awful. by Anonymous Coward · · Score: 0

      A little simpler: you can get a system that is 40% more resistant to brute-force by using a three letter password of mixed case.

    9. Re:Their own metrics are so awful. by Anonymous Coward · · Score: 0

      The math goal of that example was to resolve to right around 100,000, equivalent to the system explained in the article. Yours is, as you say, off from that by 40%. No good.

    10. Re:Their own metrics are so awful. by jwe21 · · Score: 1

      And that's only best case - their measured rates were between 75 and 90% for the picture recall method. On the other hand, I imagine with frequent reinforcement there would be no problem getting recall accuracy higher.

    11. Re:Their own metrics are so awful. by pavon · · Score: 3, Insightful

      There is an easy solution to that. Don't ask them to make a password. Give them one of an appropriate security (random syllables or random passphrases work well), and don't change it for 6 months to a year. This has worked fine in all the work environments that I have been in. If people still have problems remembering their password you should re-evaluate whether you are giving them the best possible length password. But humans are horrible random number generators, so don't base your security on expecting them to create secure passwords. I wouldn't trust myself to create a secure password without a good random method.

      Oh and I would lie to some for chocolate as well :)

    12. Re:Their own metrics are so awful. by Anonymous Coward · · Score: 0

      I'm sure you've gotten AOL CDs in the mail. We all have.

      The passwords are two English words with a plus sign in the middle:

      hookworm+tectum
      beech+plow
      paradox+deject

      Those are easy to remember, just two words, and quite secure. web2, for instance, has 234,936 words. 234,936 x 234,936 = 55,194,924,096. (In real life, you'd probably limit yourself to maybe half of the words in web2, so around 10,000,000,000 possibilities instead.)

      If you need a really secure password, add a third word. Still easy to remember, and insanely secure.

    13. Re:Their own metrics are so awful. by Anonymous Coward · · Score: 0

      The passwords are two English words with a plus sign in the middle:

      hookworm+tectum
      beech+plow
      paradox+deject


      bsd+dying
      soviet+russia
      beowulf+cluster
      step3 profit

    14. Re:Their own metrics are so awful. by gotr00t · · Score: 1
      I notice that with my passwords, which are random alphanumeric sequences, I don't really memorize them either. If I need to write it down or say it out loud, I just can't do it because I don't really memorize the password itself, but rather the movements needed to type it out.

      Though this is probably not based on the same principle, as I consciously know my passwords, just not in plaintext form, it has the same effect, where in both cases I am prevented from revealing the password under everyday circumstances.

    15. Re:Their own metrics are so awful. by hyphz · · Score: 2, Interesting

      The thing is, this already exists.

      There's a system called PassFace which issues passwords consisting of sets of pictures of faces. The idea is that faces are easy to remember but hard to describe, thus preventing passing on of the password.

      It was tested as part of a student project. The project found that PassFaces are *trivial* to sniff. In some cases it only took one "shoulder surfing" session for someone to sniff a password. So if a person wants to transfer their password to someone else, they might not be able to speak it aloud, but all they have to do is to allow the other person to watch them logging in once or twice and presto.

    16. Re:Their own metrics are so awful. by gnu-generation-one · · Score: 2, Funny

      "If they don't really know [their password], they can't write it down and can't divulge it."

      Unchangeable embarassing passwords are good for that too...

    17. Re:Their own metrics are so awful. by ag0ny · · Score: 1

      If I understood it correctly, the merit of this technique isn't the difficulty in finding a user's password, but the fact that the user himself cannot remember his own password, while being able to enter it. As the submitter said, this is not of practical use yet, but it is nevertheless a very interesting approach that should be investigated in more detail.

    18. Re:Their own metrics are so awful. by Anonymous Coward · · Score: 0

      hookworm+tectum
      beech+plow
      paradox+deject

      Those are easy to remember, just two words, and quite secure.

      Not quite as secure as you say, because you do the wrong calculation. There are only about 25000 English words in common use (the dictionary has more, but many are words not in most people's vocabulary, like 'pierian'). So there are only 25000*25000 passwords of the above form. Still a lot, but only about 1% as many as you calculated.
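The keyspace arithmetic running through this subthread (the 6 * 26^3 = 105,456 figure, the 52^3 three-letter comparison, the 62^8 and web2 word-pair counts, and the 25,000-word correction just above) collected into one script. This is an added example, not code from the original page or from any poster; the two guess rates are assumptions made for illustration: an online login throttled to 3 attempts per 30 seconds, as described further down the thread, and an offline attack on a leaked unsalted fast hash at 10^9 guesses per second.

```python
import math

# Alphabet and wordlist sizes, taken from the figures quoted in the thread.
LOWER, UPPER, DIGITS = 26, 26, 10
WEB2_WORDS = 234_936      # size of web2 quoted above
COMMON_WORDS = 25_000     # "words in common use" estimate quoted above


def keyspace(alphabet_size, length):
    """Distinct strings of `length` symbols drawn uniformly from the alphabet."""
    return alphabet_size ** length


def bits(n):
    """Equivalent entropy in bits, assuming the secret is chosen uniformly."""
    return math.log2(n)


def schemes():
    """Keyspace of each password scheme discussed in the thread."""
    return {
        "picture password (1 in 100,000)": 100_000,
        "4 lowercase, first letter a-f": 6 * keyspace(LOWER, 3),
        "3 letters, mixed case": keyspace(LOWER + UPPER, 3),
        "one random word from web2": WEB2_WORDS,
        "8 random upper/lower/digit": keyspace(LOWER + UPPER + DIGITS, 8),
        "word+word from web2": keyspace(WEB2_WORDS, 2),
        "word+word, common vocabulary": keyspace(COMMON_WORDS, 2),
        "word+word+word, common vocabulary": keyspace(COMMON_WORDS, 3),
    }


def seconds_to_exhaust(n, guesses_per_second):
    """Time to try every candidate at a fixed guess rate (the attacker's worst case)."""
    return n / guesses_per_second


def years(seconds):
    return seconds / (365.25 * 24 * 3600)


# Assumed guess rates (not from the page): a throttled online login, and an
# offline attack on a leaked unsalted fast hash.
ONLINE_RATE = 3 / 30          # 3 attempts per 30 seconds = 0.1 guesses/second
OFFLINE_RATE = 1e9            # 1 billion guesses/second


def report():
    """One row per scheme: name, keyspace, bits, online years, offline seconds."""
    rows = []
    for name, n in schemes().items():
        rows.append((name, n, bits(n),
                     years(seconds_to_exhaust(n, ONLINE_RATE)),
                     seconds_to_exhaust(n, OFFLINE_RATE)))
    return rows


if __name__ == "__main__":
    print(f"{'scheme':36} {'keyspace':>18} {'bits':>6} {'online (yr)':>12} {'offline (s)':>12}")
    for name, n, b, online_years, offline_s in report():
        print(f"{name:36} {n:18,d} {b:6.1f} {online_years:12.3g} {offline_s:12.3g}")
```

Running it prints the table. The picture scheme's 100,000 candidates come to about 16.6 bits, below even a three-letter mixed-case password; at the throttled online rate the full 52^6 six-letter keyspace takes about 6,270 years, but the online column is entirely the rate limiter's doing and disappears the moment a hash database leaks. Salted, deliberately slow hashes (bcrypt, scrypt, Argon2) cut the offline rate by orders of magnitude, but nothing rescues a 100,000-candidate keyspace from an offline attacker.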

    19. Re:Their own metrics are so awful. by John+Starks · · Score: 1

      I would be willing to bet that most of your users write their passwords down and put them in their desk drawer. This is the problem of the average user and the complicated password.

    20. Re:Their own metrics are so awful. by John+Starks · · Score: 2, Informative

      RTFA. In this system, once pictures are used, they are never used again. So much for *trivial* sniffing.

    21. Re:Their own metrics are so awful. by Mycroft_VIII · · Score: 1

      7 characters would probably be ideal from a memory standpoint as most people's short term memory is approx 7 items and thus one of the easiest lengths to memorize.
      I strongly suspect this is why phone numbers in the USA are the length they are, 7 digits for the most part and then 3 digits for area code, but the structure makes 'area codes' a separate item cognitively. That is, you don't think of someone's number as 5554324321 but as 4324321 in the 555 area code, which you usually associate with an area, whereas the 4324321 is the person.

      Mycroft

      --
      https://signup.leagueoflegends.com/?ref=4c3ed6600b6ea
    22. Re:Their own metrics are so awful. by logicnazi · · Score: 1

      Not at all, it is going to be extremely uncommon to have 2 failed logins in a row. Even with passwords I remember I mistype them occasionally.

      --

      If you liked this thought maybe you would find my blog nice too:

    23. Re:Their own metrics are so awful. by Ateryx · · Score: 1
      Basically, it looks like this is a very unimpressive system.

      Agreed. Tell me now a better system? I work at a credit union and in one eight hour shift handle in cash 1-2 years salary of the average American. There are several different passwords for many things but truth be told, I'm sure with careful watching/talking you could social engineer almost any password or combination.

      How is the integrity of the entire banking system not compromised? Because everything is always watched or double checked by another person. Now this doesn't apply to every situation, but by and large if you build a system of routine double checks, you cut your problems to zilch.

      --
      "The truth suffers from too much analysis"
    24. Re:Their own metrics are so awful. by mattyrobinson69 · · Score: 1

      the system used at premium bonds blackpool uk a couple of years ago was:

      take one word (with a minimum length of 6 i think), split it in half, switch them and put 4 random numbers in the middle.

      so:

      matthew, 1567 -> thew1567mat

      easy to remember, hard to crack. thing was, 4/5 phone calls were for password resets - women!!!

    25. Re:Their own metrics are so awful. by hyphz · · Score: 1

      Oh yea, sorry, I missed that.

      So:

      - Find the person you want to give your password to
      - Log in and log out over and over again until all your pictures are used up
      - The system then triggers a retrain, and the person you want to tell your password to can watch the retrain too

      Seems easy enough, really.

    26. Re:Their own metrics are so awful. by octalc0de · · Score: 1

      True, that may happen, but once the user types it in so many times (digging out the sheet every time), they've got it committed to memory. Hopefully they're smart enough then to shred it.

    27. Re:Their own metrics are so awful. by Hognoxious · · Score: 0
      I just can't do it because I don't really memorize the password itself, but rather, the movements needed to type it out.
      The so-called "muscle memory". Great till you have to use a different keyboard - even if you don't travel to France (and thus avoid, among other things, the evil that is AZERTY) most lappies have slightly non-standard keyboards.

      As an aside, we managed to do all our photocopying free at college once we figured out that the staff's pin codes for the machines all formed simple patterns on the keypad.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    28. Re:Their own metrics are so awful. by spiko-carpediem · · Score: 1

      Hah... Security noobs. I have mine glued to the bottom of the keyboard :! No one will find it there.

  7. I do this now by Lxy · · Score: 4, Insightful

    I use the same root password for all of my test boxes. It's 15 characters and made up of random letters and numbers. What is it? I have no idea :-)

    I can type my password, but if you asked for it I couldn't tell you what it is. The other day someone needed my password for one of the test boxes. I had to open vi, type in the password, and read it back to them.

    The only problem with this is that it takes so long to remember such a password, so as soon as you learn it you can't change it often.

    --

    There is no reasonable defense against an idiot with an agenda
    :wq
    1. Re:I do this now by Servo · · Score: 1

      I've always had the same "problem" with passwords and phone numbers. I can't remember my mother's phone number, but sit me down at a phone and I'll dial her up without thinking about it.

      --
      A slip of the foot you may soon recover, but a slip of the tongue you may never get over. -Benjamin Franklin
    2. Re:I do this now by Anonymous Coward · · Score: 0

      Try being used to a Dvorak key layout, and then having to type your password when logging in remotely from a QWERTY keyboard. I can do it, but I do suddenly have to think about it, instead of just letting my fingers reproduce the pattern automagically.

      Lourens

    3. Re:I do this now by Anonymous Coward · · Score: 0

      If you're going to give someone else your "cryptic" password, why not spare yourself the trouble and just use "password" as your password. You're kind of defeating the purpose. And for root no less?

    4. Re:I do this now by Anonymous Coward · · Score: 0

      The problem is, because you use one password, if you have to give it to someone (like in your example) then all of a sudden they now have access to everything. Surely not a good design.

      Think

    5. Re:I do this now by Wordsmith · · Score: 4, Funny

      Don't worry. I've got your mother's phone number right here ...

    6. Re:I do this now by Kithraya · · Score: 1

      I'm in pretty much the same boat. I have a script that generates a password that's complicated enough that I don't actually know it very well. If I had to write it on a notecard, I'd be hosed. But I can type it correctly. It's interesting to see someone doing actual research into what many of us have experienced for the last (#include "NumYearsAdminingBoxes.h") years.

    7. Re:I do this now by Zerth · · Score: 1

      Oi, I've the same problem. One time I was using a computer with a dvorak keyboard and, for the life of me, couldn't consciously remember my password for that system. I had to go get a qwerty from another machine and swap.

      What's worse, if I think too hard about trying to remember it, I stop using muscle memory to type it and mess up.

    8. Re:I do this now by vspazv · · Score: 1

      Sounds like my passwords. I find a quote that's easy to remember then use the first letter of each word including punctuation and capitalization. I end up with 10-16 digit passwords that are nearly impossible to crack but easy to recall when entering them.

    9. Re:I do this now by Entropy+Unleashed · · Score: 5, Interesting

      Why not just use some primitive "keyboard art"? The main alphanumeric area can be considered a 4 by 10 area of pixels, with a possible 3 colors (normal, not typed, and with Shift key). This would offer the possibility of easy visual recognition/reconstruction with ~10^19 possible combinations. For example, we could use a drawing of a TIE Bomber as a password.

      ......0...0......
      .....0__0__0.....
      ......0...0......

      would become ridFGhIJkcm, which is judged to be a rather strong password by http://www.securitystats.com/tools/password.php .

      --

      "I would give my right hand to be ambidextrous."
    10. Re:I do this now by sporty · · Score: 2, Insightful

      The only problem with this is that it takes so long to remember such a password, so as soon as you learn it you can't change it often.


      You learned it because you practiced it in a real life setting.


      I'm sure if you typed it 100 times in a row, your muscle memory would kick in and push it to long term memory.

      --

      -
      ping -f 255.255.255.255 # if only

    11. Re:I do this now by timmi · · Score: 1

      That's largely the same system I use, (Except I go for phrases from songs that I like to "Sing along" with)

    12. Re:I do this now by augustz · · Score: 1

      There's a bit of irony in having a 15 character password (random) and then telling it to someone else. Perhaps reduce it to 8 chars.

    13. Re:I do this now by CAIMLAS · · Score: 2, Interesting

      Same thing for me, to a large degree. I know all my passwords by heart, and I no longer think about the key combination. There's been a time or two when I've had to do remote phone admin, and I couldn't recall the passwords for the life of me until I closed my eyes and air-typed them out.

      Really, I don't see how this memory process is any different than remembering something like, "Right click on desktop, go to Properties. Click on the Display tab. Go to "Advanced"...." or such. Or for that matter, memorizing directions to a meeting place you've never been to before, and being able to recall the directions to get there. It doesn't seem too secure to me.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    14. Re:I do this now by rylin · · Score: 1, Funny

      I guess the question of "how long is your password" might still be relevant then, eh?

      ...............
      ..8=========D..
      ......... ......

    15. Re:I do this now by Anonymous Coward · · Score: 5, Funny

      the only thing worse than using the same root password for all of your boxes is telling everyone that.

      i currently remember 24 16-random-character passwords which i generate by locking myself in the closet with a torch, pad, pencil and 3 dice. for each character of the password, i roll each die once and concatenate the 3 individual numbers to give me one of 216 codes which i map to the numbers 0 through 215. i then divide this number by 72 and take the remainder as an index into my character table. the table contains uppercase, lowercase, numerals, and shift+numerals, which of course adds up to 72 characters. i sometimes replace some of the characters at random with characters outside the set (plus, brace, comma, etc) when i am feeling paranoid. i repeat this process until i have my 16-character password, writing each character on my pad as i go. i then study the written password until i feel i have remembered it. then i immediately tear the paper up, take it into the bathroom and burn it in the toilet. i throw the rest of the pad in the fire in case someone tries to get the imprints, and usually i break the pencil in half and throw it in too. then if i need to go to the toilet, i'll go before i flush everything down. it sometimes takes a while for the pencil to burn. i then wash my hands thoroughly, twice, and turn the light switch on and off 5 times before i leave the room. i then go and unplug my machine from the network, take it into the closet, boot single-user mode and change my password.

    16. Re:I do this now by simcop2387 · · Score: 2, Interesting

      i'm not sure how well i'd trust that password script, it told me that

      p455W0rD was a pretty strong password

    17. Re:I do this now by Entropy+Unleashed · · Score: 1

      It's obviously not exhaustive, and probably could check a few more things, but seems like a decent shorthand. On the other hand, my method might tend to produce consecutive strings of numbers a lot more often, depending on the picture chosen. It should be OK for a while, since I don't believe that it would be a standard part of most PW crackers. YMMV.

      --

      "I would give my right hand to be ambidextrous."
    18. Re:I do this now by God!+Awful+2 · · Score: 1

      Why (#include "NumYearsAdminingBoxes.h")? That doesn't make sense. It should be just NUMYEARSADMININGBOXES or $NUMYEARSADMININGBOXES.

      -a

    19. Re:I do this now by Matt · · Score: 3, Interesting
      I've always had the same "problem" with passwords and phone numbers. I can't remember my mother's phone number, but sit me down at a phone and I'll dial her up without thinking about it.
      I'm much the same. I think I "remember" phone numbers primarily by the pattern formed by entering the sequence on a keypad.

      To quote a phone number I almost have to watch myself dial it. Even worse is remembering my own phone number. I don't exactly call it often.

    20. Re:I do this now by Mycroft_VIII · · Score: 1

      I've found even though I KNOW how to fix many problems, I don't know the exact steps unless I'm following them.
      I often can't tell someone the exact sequence over the phone unless I can see it in front of me.
      It's very frustrating sometimes when someone new comes along and has trouble believing I know what I'm doing when I can't easily walk them through a fix. Fortunately that's rare, I usually go to them and just fix it on the spot.
      I've fixed a few problems in seconds that a few of my more tech savvy friends have beat their brains out over for a couple of days before I was available to help. Does wonders for rep with them, and my ego of course. :) They think I'm some kind of eccentric genius (or rainman) because I'll rarely try to help them over the phone, and when I do it's often a painful waste of time, yet I show up at their home and a few minutes later everything is running just fine.

      Mycroft

      --
      https://signup.leagueoflegends.com/?ref=4c3ed6600b6ea
    21. Re:I do this now by E_elven · · Score: 2, Interesting
      I usually bring this up whenever there's a password discussion but looks like you're already on the ball. To recap:

      My users are given the task of creating an 8-12 character password. This is usually, for beginning users, achieved by selecting a letter, the first letter of their name, for example. This letter is then 'drawn' on the keyboard using each key as one 'pixel' and alternating the shift key every other stroke. For example, for the letter 'E', we can create the following picture:
      ` 1 2 3 - - - 7 8 9 0 - = \
      q w e r | - u i o p [ ]
      a s d f | h j k l ; '
      z x c v | _ _ , . /
      This would produce, if starting from top with non-shift: 4RfV5^tBn. The user needs to remember one letter, one starting point and one shift mode.

      Advanced users usually find a variation of this scheme suitable for them since the password policy is to change every 30 days, but even completely computer-illiterate people pick this up very quickly and since it's easy people don't place post-its on their monitor or complain about having to change the password so often.
      --
      Marxist evolution is just N generations away!
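The keyboard-drawing schemes from this comment and from the TIE Bomber comment above, modelled as code so the size of the secret becomes visible. This is an added example, not code from either poster. The key tables, the column stagger (the number row offset by one relative to the letter rows, which is what makes an 'E' drawn from the 4 key come out as the 4RfV5^tBn string posted above) and the three glyphs are assumptions made for the example.

```python
# Rows of a US QWERTY keyboard, unshifted and shifted, left to right (assumed layout).
UNSHIFTED = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = ["~!@#$%^&*()_+", "QWERTYUIOP{}|", 'ASDFGHJKL:"', "ZXCVBNM<>?"]

# Physical stagger: column c of the number row sits above index c-1 of the
# letter rows below it. This is the model assumed here; with it, an "E" drawn
# from the 4 key reproduces the 4RfV5^tBn example from the thread.
COL_OFFSET = [0, -1, -1, -1]

# Glyphs as (row, col) cells relative to the top-left of the drawing, in stroke
# order (constructed for this example; a real deployment would have 26 of them).
GLYPHS = {
    "E": [(0, 0), (1, 0), (2, 0), (3, 0), (0, 1), (0, 2), (1, 1), (3, 1), (3, 2)],
    "L": [(0, 0), (1, 0), (2, 0), (3, 0), (3, 1), (3, 2)],
    "T": [(0, 0), (0, 1), (0, 2), (1, 1), (2, 1), (3, 1)],
}


def key_at(row, col, shifted):
    """Character produced by the key at (row, col), or None if it is off the keyboard."""
    table = SHIFTED if shifted else UNSHIFTED
    if row < 0 or row >= len(table):
        return None
    idx = col + COL_OFFSET[row]
    if idx < 0 or idx >= len(table[row]):
        return None
    return table[row][idx]


def derive(glyph, origin_row, origin_col, shift_first):
    """Password from drawing `glyph` at the origin, toggling Shift on every stroke."""
    chars = []
    shifted = shift_first
    for r, c in glyph:
        ch = key_at(origin_row + r, origin_col + c, shifted)
        if ch is None:
            return None  # the drawing runs off the keyboard at this placement
        chars.append(ch)
        shifted = not shifted
    return "".join(chars)


def all_passwords(glyphs):
    """Every password the scheme can yield: each glyph, each placement, both shift phases."""
    out = set()
    for glyph in glyphs.values():
        for row in range(len(UNSHIFTED)):
            for col in range(max(len(r) for r in UNSHIFTED)):
                for shift_first in (False, True):
                    pw = derive(glyph, row, col, shift_first)
                    if pw is not None:
                        out.add(pw)
    return out


if __name__ == "__main__":
    print(derive(GLYPHS["E"], 0, 4, shift_first=False))  # the thread's example string
    space = all_passwords(GLYPHS)
    print(len(space), "distinct passwords from", len(GLYPHS), "glyphs")
```

The whole secret is one letter, one starting key and one shift phase, so with 26 glyphs and at most 13 starting columns the scheme produces well under 700 distinct passwords; a cracker adds them to its wordlist and is done in a millisecond. The ~10^19 figure in the TIE Bomber comment counts every coloring of 40 cells, not the few recognisable shapes anyone actually draws. The outputs are 6 to 9 characters of mixed case with digits and symbols, which is exactly why a complexity policy or a strength meter rates them well.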
    22. Re:I do this now by Mycroft_VIII · · Score: 2, Funny

      hmm, seems a bit insecure at that last step, unless your closet is tempest shielded AND you're running on battery power. otherwise they could get the data from powerline fluctuations.

      Mycroft

      --
      https://signup.leagueoflegends.com/?ref=4c3ed6600b6ea
    23. Re:I do this now by E_elven · · Score: 2, Interesting

      Ah, one more trick when talking about /completely/ computer-illiterate people (I do some work with the elderly): when teaching this method of password creation I always have slices of paper, red, but I assume anything works, cut very thin with slight variances in thickness. If anyone has a problem understanding the keyboard-as-Etch-A-Sketch concept, I simply ask the user to give the key and then place the paper slices on the keyboard so that the 'picture' is clearly visible. This usually gets even the worst cases.

      Of course, nothing is completely foolproof/infallible.

      --
      Marxist evolution is just N generations away!
    24. Re:I do this now by sploo22 · · Score: 2, Funny

      Yeah, you need to get pencil and paper, and MD5-hash your passwords by hand (don't use a calculator! you fool!)

      Then you just use a little magnetic stylus or something and toggle the bits on your hard-drive platter. You do have your hard drive geometry and the sector address for /etc/passwd memorized, don't you?

      Until you've taken proper precautions like this, don't fool yourself into thinking you're safe.

      --
      Karma: Segmentation fault (tried to dereference a null post)
    25. Re:I do this now by steffl · · Score: 2, Insightful

      "I think I "remember" phone numbers primarily by the pattern"

      back in the days we used to have mostly rotary phones and I noticed that when we switched to keypads it was suddenly much easier to remember phone numbers (by shape/pattern on the keypad)

      erik

      --
      ...all excited, don't know why...
    26. Re:I do this now by Anonymous Coward · · Score: 0

      Without first lining the closet with tinfoil your
      method is wide open.

    27. Re:I do this now by Anonymous Coward · · Score: 0

      It *is* pretty strong, given the vast majority of passwords in use today.

    28. Re:I do this now by cynic10508 · · Score: 1

      Good point. "p455W0rD" may seem more secure at first because of the numbers thrown in, but any dictionary attack can be trivially modified to try each word with alteration rules such as "4" for "A". May take a few more clock cycles but in security terms it's still woefully inadequate.
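The mangling-rule attack this comment describes, run against the "p455W0rD" example from earlier in the thread. This is an added example, not code from the page or from any poster: a tiny rule engine that takes each dictionary word, applies every subset of a few leet substitutions and every upper/lower pattern over the remaining letters, and hashes the candidates. The three-word list, the leet table and the use of unsalted SHA-256 as the target hash are assumptions made for the example; real rule files (John the Ripper's and hashcat's) are far larger, and a salted slow hash changes only the cost per guess, not the number of candidates.

```python
import hashlib
from itertools import combinations, product

# Leet substitutions a rule set would try (a small subset, assumed for illustration).
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}


def sha256_hex(text):
    """Unsalted SHA-256, standing in for whatever hash the target system stores."""
    return hashlib.sha256(text.encode()).hexdigest()


def leet_variants(word):
    """The word with every subset of the applicable substitutions applied to all occurrences."""
    present = [c for c in LEET if c in word]
    for r in range(len(present) + 1):
        for subset in combinations(present, r):
            w = word
            for c in subset:
                w = w.replace(c, LEET[c])
            yield w


def case_variants(word):
    """Every upper/lower pattern over the alphabetic positions that remain."""
    positions = [i for i, ch in enumerate(word) if ch.isalpha()]
    for mask in product((False, True), repeat=len(positions)):
        chars = list(word)
        for upper, i in zip(mask, positions):
            if upper:
                chars[i] = chars[i].upper()
        yield "".join(chars)


def candidates(word):
    """All mangled forms of one dictionary word: leet subsets times case patterns."""
    seen = set()
    for lv in leet_variants(word.lower()):
        for cv in case_variants(lv):
            if cv not in seen:
                seen.add(cv)
                yield cv


def crack(target_hex, wordlist):
    """(password, guesses) for the first candidate whose hash matches, or None."""
    tried = 0
    for word in wordlist:
        for cand in candidates(word):
            tried += 1
            if sha256_hex(cand) == target_hex:
                return cand, tried
    return None


# Constructed sample input: a three-word list and the hash of the thread's "strong" password.
WORDLIST = ["letmein", "welcome", "password"]
TARGET = sha256_hex("p455W0rD")

if __name__ == "__main__":
    print(crack(TARGET, WORDLIST))
```

With just these five substitutions, "password" expands to 720 candidates, and the three-word list needs only a couple of thousand hashes in total to recover p455W0rD. That is the point the comment makes: substituting digits for letters adds a constant factor to a dictionary attack, not an exponent, and a strength meter that scores character classes cannot see it.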

    29. Re:I do this now by Anonymous Coward · · Score: 0

      Did you consider posting as AC?

    30. Re:I do this now by Door-opening+Fascist · · Score: 1
      I can type my password, but if you asked for it I couldn't tell you what it is. The other day someone needed my password for one of the test boxes. I had to open vi, type in the password, and read it back to them.

      I'm the same way. When I dislocated my shoulder, I had a hard time typing my passwords in the original sling, because I was basically limited to one hand, and I only knew the passwords with two hands. With some creative torso-twisting, I managed to get both hands on the keyboard at the same time. Fortunately, I regained mobility pretty fast.

  8. Touch Typing? by Anonymous Coward · · Score: 1, Insightful

    When typing has gotten to the point of a reflex, you can just learn a pattern as opposed to a word to type. Often times I don't recall what my password is until I open a window where I can see the cleartext of what I'm typing.

  9. Very interesting by bigberk · · Score: 3, Interesting

    I'm sure there are many variations on this possible. Probably by linking mnemonics and visual cues you could come up with a code-entry system that works reliably, yet makes it nearly impossible for someone to simply write down their code -- hence, easily steal. Use the brain for crypto.

    1. Re:Very interesting by Anonymous Coward · · Score: 0

      Use the brain for crypto.

      Oooh, yes! Every employee could be issued a prime number and a protractor. Then the computer would display a large number that is the product of all of the primes that have been issued. The employee would divide that by their prime, then use the resulting number as one parameter for an elliptic curve. Using their protractor, they would solve for the missing parameter. Bingo! Access!

    2. Re:Very interesting by Some_Llama · · Score: 1

      Didn't they do this in the movie "Johnny Mnemonic"?

      Keanu Reeves played Johnny who had a password made up of pictures stored in his brain as encoded data...

      heh, article reminded me of this movie and I said Whoaaa... :P

  10. Time? by blike · · Score: 3, Interesting

    The beauty of string passwords is that I can recall and input it within 3 seconds. It would become quite a hassle to take the time to go through a series of images every time I wanted to sign into an account.

    Still, it's an interesting concept, though I can't foresee it ever becoming applicable to personal computing.

    1. Re:Time? by Obfiscator · · Score: 1
      Related to time, here's a suggestion that I don't ever recall seeing posted here w.r.t. password security, but is part of the security implemented where I work: only allow users 3 guesses per [time interval]. At work, this is about 30 seconds.

      Now a brute force attack on a six character password made up of only upper and lowercase letters takes 197706096640 seconds for all possible combinations. That's 150000 years. I hope you change your password a bit more often than that. :-)

      This is also a really nice system because the time required remains the same even though hardware will get faster. So why is this solution not common? Do users complain too much?

      --
      "Nothing shocks me. I'm a scientist." -Indiana Jones
    2. Re:Time? by pdbaby · · Score: 1
      Now a brute force attack on a six character password made up of only upper and lowercase letters takes 197706096640 seconds for all possible combinations. That's 150000 years. I hope you change your password a bit more often than that. :-)

      Technically it should only take 150000/2 years on average for a 6-character password.
      Short alpha passwords aren't too difficult to memorise by looking over someone's shoulder, though.
      --
      Global symbol "$deity" requires explicit package name at line 2. - If only $scripture started "use strict;"
    3. Re:Time? by Corbets · · Score: 1

      It actually is implemented rather frequently, as it's one of the easy-to-enable options in MS Windows. However, it results in a HUGE load to your local helpdesk (numlock, capslock, typos, etc cause quick lockouts) and a lot of companies don't want to deal with that.
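
The throttling Obfiscator describes above (three guesses per time interval) and the lockout helpdesk load Corbets raises, as an added example that is not code from this thread: a per-account sliding window in Python, plus the arithmetic behind the brute-force figure in Obfiscator's post. The limiter class, the account names and the timestamps are constructed for this illustration.

```python
"""Added example, not code from the thread: a per-account sliding-window
guess limiter (three failed guesses per 30 seconds, as in the post) and
the arithmetic behind its brute-force figure.  Account names and
timestamps used below are constructed."""
from collections import defaultdict, deque


class GuessLimiter:
    """Allow at most max_guesses *failed* attempts per window seconds for
    each account.  The window slides instead of locking the account, so a
    burst of typos costs the user one short wait rather than a helpdesk
    call; failures are keyed by account, not source address, so spreading
    guesses across many IPs does not reset the budget."""

    def __init__(self, max_guesses=3, window=30.0):
        self.max_guesses = max_guesses
        self.window = window
        self._failures = defaultdict(deque)  # account -> failure timestamps

    def _prune(self, account, now):
        q = self._failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()

    def allowed(self, account, now):
        """True if a password check for account may run at time now."""
        self._prune(account, now)
        return len(self._failures[account]) < self.max_guesses

    def record_failure(self, account, now):
        self._prune(account, now)
        self._failures[account].append(now)

    def record_success(self, account):
        self._failures.pop(account, None)


def simulate(limiter, account, attempts):
    """Run (time, password_correct) attempts through the limiter and
    return each outcome: 'ok', 'fail' or 'throttled'.  A throttled attempt
    is rejected before the password is even checked."""
    outcomes = []
    for now, correct in attempts:
        if not limiter.allowed(account, now):
            outcomes.append("throttled")
        elif correct:
            limiter.record_success(account)
            outcomes.append("ok")
        else:
            limiter.record_failure(account, now)
            outcomes.append("fail")
    return outcomes


def brute_force_seconds(alphabet_size, length, max_guesses, window):
    """Seconds to try every password of the given length when an online
    attacker gets max_guesses per window seconds; the average case is half
    of this, as the reply above notes.  Integer arithmetic keeps it exact."""
    return alphabet_size ** length * window // max_guesses
```

With the post's parameters, `brute_force_seconds(52, 6, 3, 30)` returns the 197706096640 seconds quoted there. The simulation shows the user-facing side: three wrong guesses, then the fourth is throttled without being checked, and the same account is accepted again once the oldest failures have aged out of the window.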

  11. To prevent eavesdropping, use iris tracking by arvindn · · Score: 4, Interesting

    Simple. Don't have the user click on an image, but track their iris to see which image they're looking at. Kills eavesdropping dead, and lets you reuse images too. Drives cost way up, but maybe it can come down with mass production? Just a thought.

    1. Re:To prevent eavesdropping, use iris tracking by djcapelis · · Score: 1

      Mmmmm... intelligent software and webcams... sounds like a hacking attempt to me...

      Now just by taking pictures of a person looking at their computer you can authenticate as them. Although I suppose you'd also have to see which ones were on the screen.

      --
      I touch computers in naughty places
    2. Re:To prevent eavesdropping, use iris tracking by Basje · · Score: 1

      It depends on the number of images of course, but selecting could be done another way.

      eg: with 3 images at a time, you could use left-middle-right mousebutton. For up to 10 the number keys are usable.

      --
      the pun is mightier than the sword
    3. Re:To prevent eavesdropping, use iris tracking by SiMac · · Score: 1

      If you can track someone's iris, then just use the iris scanner to authenticate. It's a lot simpler and a lot more secure than even the method described in the article, since about the only way to forge it would be to find someone with an identical iris (a much more difficult "brute force" attack than with the described system) or to rip out the person's eyeballs.

      Come on guys. If you buy an iris scanner, make use of it.

    4. Re:To prevent eavesdropping, use iris tracking by ion++ · · Score: 1

      There is a difference between eye tracking and iris scanning and recognition.
      Scanning is quite easy, but recognition is harder, so it isn't as simple as you say it is, and it is not particularly more secure.
      You seem to forget the third possible forgery, namely creating a fake eye. To create this fake eye, you just need a pretty detailed picture of the person's eye, and then you create the fake eye, possibly using normal technology such as contact lenses. Thinking about it, I cannot imagine that the CIA and the like don't already have this technology.

      Suppose that someone does manage to copy your iris and create a fake "eye". Suppose you know that someone has a copy of your iris. What then? How do you change your "password"? Rip out your eye?

      There is a saying that strong security requires these 3 things:
      • Something you know, a password or passphrase
      • Something you have, a key, a USB drive
      • Something you are, fingerprint or iris scan

      Personally I don't believe in biometric identification, I mean even the DNA testing in Gattaca was fooled.

    5. Re:To prevent eavesdropping, use iris tracking by SiMac · · Score: 1

      Scanning is quite easy, but recognition is harder

      If you have the $$ to buy eye tracking equipment, and the $$ the necessary software for that, you can probably afford the recognition software.

      You seem to forget the third possible forgery, namely creating a fake eye. To create this fake eye, you just need a pretty detailed picture of the person's eye, and then you create the fake eye, possibly using normal technology such as contact lenses. Thinking about it, I cannot imagine that the CIA and the like don't already have this technology.

      But yet you think the CIA doesn't have the capability to send 100,000 requests to a website to brute force their password protection scheme? They could probably even send every single request from a separate IP address in order to fool any anti-brute-force mechanism.

      Suppose that someone does manage to copy your iris and create a fake "eye". Suppose you know that someone has a copy of your iris. What then? how do you change your "password"? Rip out your eye?

      Then you don't use your iris scan for matters of national security. But the number of people who get their eyes copied will probably be very low.

      • Something you know, a password or passphrase
      • Something you have, a key, a USB drive
      • Something you are, fingerprint or iris scan

      Yes, a combination of factors is always most secure.

      Personally I don't believe in biometric identification, I mean even the DNA testing in Gattaca was fooled.

      But you can't fool DNA testing at present. If you could, you could make millions off of fathers who don't want people to find out it was their child.

    6. Re:To prevent eavesdropping, use iris tracking by ion++ · · Score: 1

      Eye tracking equipment is cheap and it is easy to do. I remember someone doing it with 2 webcams.

      Sure the CIA can brute-force their way in, but 100000 failed login attempts should NOT go unnoticed. The point with faking an iris recognition is that you don't get a whole lot of failed logins.

      If the gain is high enough someone will use iris copying, and if it is cheap enough and easy enough, you will see it much more widespread. If you use iris recognition in a lot of places, people will try to fool the recognition. And thus the number of people getting their eyes copied will increase.

      In Gattaca they fooled the DNA recognition by using a fake skin on the tip of the finger which contained real blood from the one they tried to be. So, it was just plain old deception. When they took a blood sample from the arm, it was fooled as well. So maybe it wasn't fooling the recognition itself, but the sample. Faking an eye is the same.
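
The point made in the exchange above, that 100000 failed logins should not go unnoticed even when every attempt arrives from a different address, as an added example that is not code from this thread: two detectors run over a handful of constructed auth log lines in Python. The log format, the account names and the addresses are all made up for the illustration; a real deployment would parse its own daemon's format.

```python
"""Added example, not code from the thread: two failed-login detectors run
over constructed auth log lines.  The log format, account names and
addresses are all made up for the demonstration."""
import re
from collections import defaultdict, deque

# Constructed log: account "alice" is attacked from five addresses, one
# guess each; address 10.0.0.9 tries one or two guesses against several
# accounts.  Neither pattern trips a naive per-IP-per-account counter.
SAMPLE_LOG = """\
1000 auth FAIL user=alice ip=10.0.0.1
1001 auth FAIL user=alice ip=10.0.0.2
1002 auth FAIL user=alice ip=10.0.0.3
1003 auth FAIL user=alice ip=10.0.0.4
1004 auth FAIL user=alice ip=10.0.0.5
1005 auth OK   user=bob   ip=10.0.0.9
1006 auth FAIL user=carol ip=10.0.0.9
1007 auth FAIL user=carol ip=10.0.0.9
1008 auth FAIL user=dave  ip=10.0.0.9
1009 auth FAIL user=erin  ip=10.0.0.9
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+auth\s+(?P<result>FAIL|OK)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)\s*$"
)


def parse_log(text):
    """Parse the constructed format into dicts; lines that do not match
    (other daemons' messages in a real log) are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = int(e["ts"])
            events.append(e)
    return events


def failing_accounts(events, window=60, threshold=5):
    """Accounts whose failed logins within any window reach threshold,
    counted regardless of source address: one guess per IP still adds up."""
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    flagged = {}
    for e in events:
        if e["result"] != "FAIL":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while e["ts"] - q[0] >= window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[e["user"]] = max(flagged.get(e["user"], 0), len(q))
    return flagged


def spraying_sources(events, window=60, threshold=3):
    """Addresses that fail against at least threshold distinct accounts
    within a window: too few failures per account for the rule above to
    fire, but the source itself stands out."""
    recent = defaultdict(deque)  # ip -> (timestamp, user) of recent failures
    flagged = {}
    for e in events:
        if e["result"] != "FAIL":
            continue
        q = recent[e["ip"]]
        q.append((e["ts"], e["user"]))
        while e["ts"] - q[0][0] >= window:
            q.popleft()
        distinct = len({user for _, user in q})
        if distinct >= threshold:
            flagged[e["ip"]] = max(flagged.get(e["ip"], 0), distinct)
    return flagged
```

On the sample, `failing_accounts` flags alice (five failures, five addresses) and `spraying_sources` flags 10.0.0.9 (three distinct accounts), while bob's successful login and carol's two failures stay below the thresholds. The thresholds are deliberately low for the ten-line sample.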

  12. I never can remember my password by lecithin · · Score: 0, Redundant

    My current 'standard' password is 10 characters, upper/lower cased with number/special characters. I have no clue what it is. Put me in front of a keyboard, I can type it out without fail each and every time.

    --
    It could be worse, it could be Monday.
  13. This is too complicated - try this by SimianOverlord · · Score: 5, Funny

    It struck me yesterday that the answer to making secure and difficult to guess passwords that are immune to dictionary attacks is staring us all in the face. Let's recap:

    A good password is:

    • Greater than 6 letters long
    • Composed of numbers and letters
    • Easy to remember, easy to reremember when changed.

    Now it struck me that ideally we needed to create a new language that was innovative and imaginative which people could talk in, and use as passwords. Then it struck me: we already have it: L33T SPEEK .

    Passwords such as OMGN00BSUXSROR! and ROFLGH3YB0ISTFU and almost impossible to guess, are immune to dictionary attacks, and are perfectly memorable. Perhaps L33T language classes could be started at major institutions, and a Creative Commons licenced dictionary created.

    It's about time someone started talking sense - password security is a problem which needs innovative solutions.

    --
    Meine Schwester ist sehr, sehr reizvoll - Nietzsche
    1. Re:This is too complicated - try this by ffsnjb · · Score: 3, Funny

      are immune to dictionary attacks,...and a Creative Commons licenced dictionary created.

      Uh, heh. Yeah, that's it! :)

      --
      "Why do you consent to live in ignorance and fear?" - Bad Religion
    2. Re:This is too complicated - try this by abscondment · · Score: 3, Informative

      A good password is:

      • Greater than 6 letters long
      • Composed of numbers and letters
      • Easy to remember, easy to reremember when changed.

      I don't think so. On a single machine it takes l0phtcrack a day or two to crack passwords with only letters and numbers.

      It took my comp 36 days to crack the M$ generated ASPNET user account; it's generated from the full keyboard charset.

      Password policies like this won't enhance security. Maybe disabling LM hashes would, but the vulnerability is still there.

    3. Re:This is too complicated - try this by Anonymous Coward · · Score: 0

      I already do this, every password I have is either:

      e733+hAx0r

      -or-

      ]-[4x0r

    4. Re:This is too complicated - try this by Anonymous Coward · · Score: 0

      pwgen 8 1

      That's all you need. Maybe not so easy to remember, but it's about as secure as most people would ever need.

    5. Re:This is too complicated - try this by Anonymous Coward · · Score: 0

      Most dictionary attackers already try the "l33t" substitutions. It isn't hard to add.

      So you're not really gaining anything.

    6. Re:This is too complicated - try this by way2trivial · · Score: 1
      My work,
      we have a password I have to occasionally give over the phone to an employee to fix an account. Every time, I change the password the next day.

      They all more or less rhyme,
      i.e. fish, dish, kiss, phish, miss;

      no matter what, I'll remember it eventually..

      --
      every day http://en.wikipedia.org/wiki/Special:Random
    7. Re:This is too complicated - try this by Geoffreyerffoeg · · Score: 1

      My strongest password is a l33t-ized version of a former password (two words in plain English...well, not English, a proper noun from a French novel). It contains about half numbers and symbols, enough that I don't think it'll be cracked too easily.

      Don't forget to mix upper- and lowercase.

    8. Re:This is too complicated - try this by Anonymous Coward · · Score: 0

      L33t is too simple to obfuscate passwords, as previous repliers have already indicated. A stronger solution though, is to transpose passwords together. For example:

      ELITE with 31337 becomes E3L1I3T3E7.

      Effectively it's two passwords rolled into one. Going further and using mixed numerical and alphabetic passwords further obfuscates things. Defeats dictionary based cracks with ease.

      The downside is that it requires you to remember two passwords at a time, making it primarily a resource to be used on high-security-at-all-costs resources, such as one's wireless access.

    9. Re:This is too complicated - try this by cap'n+foolsy · · Score: 1

      Truth be told, I already do this using odd dictionary words that I translate into l33t. For example: defenestrate -> d3f3n3str4t3. What does it mean? I don't know! And it's pretty easy to type, as well.

      --
      It might look like I'm standing motionless, but I'm actively waiting for my problems to go away
    10. Re:This is too complicated - try this by Metaldsa · · Score: 1

      My password for my computer science computer in college was M3talM4n. Just like my online nick, metalman. So I would tell people my password but unless they spent a while to think and guess for it they would fail.

    11. Re:This is too complicated - try this by CAIMLAS · · Score: 1

      Cracking passwords requires access to the system's password file.

      If someone has gotten that far into your system, you're already fucked. Your security measures have failed.

      No, the more important thing is that someone never gets into the system in the first place. Thus, this password scheme would work, as the word of the day is guessable - such passwords are not guessable unless you know the person well, and know their password naming scheme (everyone has one) - and even then it would take some time.

      I encourage people to use mixed l33tspeak/alphanumeric mnemonics with a special character or two, at the least. Random is better, as it's more immune to the "get to know a person and their eccentricity" methodology attack. I'd suspect that eccentric/odd folks are vulnerable to such social engineering, as they're more likely to have a pattern of behavior that is predictable (I know a person or two like this).

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    12. Re:This is too complicated - try this by godblessthenet · · Score: 1

      defenestrate means to throw a person out of a window. As a resident of Simmons Hall, I hear that one a lot.

    13. Re:This is too complicated - try this by Anonymous Coward · · Score: 0

      thanks! now i can drain your ATM account knowing that the pin is 1337

      -a

    14. Re:This is too complicated - try this by Anonymous Coward · · Score: 0

      Is it standard elite hacker behavior to post your (sadly inadequate number of) passwords in a public forum?

      You may be AC, but what if michael or CmdrTaco wants to h4x0rz you for some reason :)...

    15. Re:This is too complicated - try this by electrichamster · · Score: 1

      Actually, it means to throw *something* out of a window, not just a person.

      Is it sad that I know that?

    16. Re:This is too complicated - try this by Artifakt · · Score: 2, Interesting

      "I'd suspect that eccentric/odd folks are vulnerable to such social engineering, as they're more likely to have a pattern of behavior that is predictable (I know a person or two like this)."

      Like SF oriented geeks who use alien names - Cthulhu, Gharlane, Nostromo?
      From only the social engineering standpoint, the most unguessable password might be as simple as GTO, if your co-workers think you don't pay any attention to cars, or sosa if you don't seem to follow baseball. Such passwords are lousy from other viewpoints, of course, which suggests there is a need to get away from passwords entirely.

      --
      Who is John Cabal?
    17. Re:This is too complicated - try this by Anonymous Coward · · Score: 0

      I was at a LAN party with some buddies and went to the 7-11 for some munchies. My LAN friend in front of me used his debit card and I watched him type in his PIN, 1-3-3-7. I laughed to myself as I found it so easy to watch him type his password. It wasn't until I got to the car that I figured it out and burst out, "Your password is leet!"

    18. Re:This is too complicated - try this by Anonymous Coward · · Score: 0

      Most password cracking software will use "l33t" type characters. You're not really doing anything special.

    19. Re:This is too complicated - try this by advance512 · · Score: 1

      You're kidding, but I use 1337-speech passwords myself. A common theme (like super-heroes or drinks) connects a set of passwords, and each password in a set starts with a numeral which is then converted to a letter.

      (1nv3rt3d, 2tr3tch3d, 3l0ng4t3d, 4lph4bl3nd3d.. only EXAMPLES.)

    20. Re:This is too complicated - try this by Anonymous Coward · · Score: 0

      immune to dictionary attacks

      fair enough.

      a Creative Commons licenced dictionary created

      OK, so you're going to make a dictionary... How difficult will dictionary attacks be then? Well, just as hard as they were for the old spellings that were in the other dictionary!

    21. Re:This is too complicated - try this by Anonymous Coward · · Score: 0

      It's vulnerable to the pwgen dictionary attack. Every password generator is vulnerable to a dictionary attack based on the generator itself.

    22. Re:This is too complicated - try this by Anonymous Coward · · Score: 0

      So I should use words that rhyme with fish when attacking financiallegend.com

    23. Re:This is too complicated - try this by Anonymous Coward · · Score: 0

      Was that meant as a joke or did you pick defenestrate by coincidence?

    24. Re:This is too complicated - try this by CAIMLAS · · Score: 1

      Thus, why it would make sense for a SF-oriented geek to pick a password like, "S0sa_hI7", for instance. :)

      It successfully combats both social engineering by eccentricity, and a quick dictionary crack. Granted, it's still 'l33tspeak', but knowing which characters were l33ted will not be something terribly easy to guess.

      Until there is something that is as scalable and as practical as a password that works better on the security front, I think we'll be using passwords.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
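
The point raised repeatedly in this thread, and earlier by cynic10508 ("p455W0rD" falls to a dictionary attack with alteration rules), that l33t substitutions are already part of the cracker's toolkit, as an added example that is not code from this thread: a Python checker that undoes the substitutions before looking the result up in a word list, so it does not need to know which characters were l33ted. It is written as the check a password-policy filter would run before accepting a new password. The substitution table and the tiny word list are constructed stand-ins; a real filter would load a full dictionary.

```python
"""Added example, not code from the thread: undo common l33t
substitutions before a dictionary lookup.  The substitution table and
the word list below are constructed stand-ins for the real thing."""
import itertools
import re

# One l33t character can stand for several letters ("1" for i or l), so
# each position becomes a tuple of readings and every combination is tried.
LEET_TO_LETTERS = {
    "4": "a", "@": "a", "8": "b", "3": "e", "6": "g", "9": "g",
    "1": "il", "!": "i", "|": "il", "0": "o", "5": "s", "$": "s",
    "7": "t", "+": "t", "2": "z",
}

# Constructed stand-in for a real word list.
DICTIONARY = {
    "password", "defenestrate", "metalman", "elite", "slashdot",
    "inverted", "stretched", "sosa", "hit",
}


def deleet_candidates(pw, limit=4096):
    """Yield the plain-letter readings of pw, lowercased.  The expansion
    is bounded so a long, heavily substituted input cannot blow up."""
    choices = []
    for ch in pw.lower():
        letters = LEET_TO_LETTERS.get(ch)
        choices.append(tuple(letters) if letters else (ch,))
    for n, combo in enumerate(itertools.product(*choices)):
        if n >= limit:
            return
        yield "".join(combo)


def dictionary_base(pw):
    """Return the dictionary word(s) pw reduces to, or None if no reading
    is a dictionary word or a separator-joined run of dictionary words
    (that second rule is an extra assumption: "word_word" is a common
    pattern).  A non-None result means the password is not safe from a
    rule-based dictionary attack, whatever the mix of upper and lower case."""
    for cand in deleet_candidates(pw):
        if cand in DICTIONARY:
            return cand
        parts = [p for p in re.split(r"[^a-z]+", cand) if p]
        if parts and all(p in DICTIONARY for p in parts):
            return "+".join(parts)
    return None
```

Run against the passwords posted in this thread, the checker reduces p455W0rD, d3f3n3str4t3, M3talM4n, 1nv3rt3d and S0sa_hI7 to dictionary words (the last one to two of them), with no knowledge of which characters were substituted. What this simple normalisation does not undo is the interleaving trick (E3L1I3T3E7) or a Nethack screen fragment, which come back as None; those survive a substitution-rule attack, not necessarily a smarter one.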
    25. Re:This is too complicated - try this by way2trivial · · Score: 1

      no, from behind the desk of a hotel somewhere on the east coast....

      --
      every day http://en.wikipedia.org/wiki/Special:Random
  14. Huh? by Anonymous Coward · · Score: 1, Funny

    What's wrong with using the name of the month and sequential numbers up to the maximum 8 characters?

    1. Re:Huh? by Anonymous Coward · · Score: 0

      What's the IP to your machine?

      It's for... research. Yeah, research.

  15. Similar Experience by MoP030 · · Score: 3, Interesting

    I can't really remember the PIN for my bank account, but when I'm standing in front of the cash machine I remember the moves I have to do with my fingers without problem. If I wanted to remember the PIN as a number I can close my eyes and pretend to type it though, so there is a way for me to know it consciously.

    --
    the most sexp i get is my paren-mode.
    1. Re:Similar Experience by Simon+Lyngshede · · Score: 1

      I have the same thing with my PIN: I don't know what it is, but I know where to push. What isn't so cool is that all the terminals in stores are being changed, not all at once of course, and the new ones have a different layout. That isn't very clever; I almost had my card closed after having entered the wrong PIN twice, because I had to figure out what my PIN was.

    2. Re:Similar Experience by Anonymous Coward · · Score: 0

      I think I might have it even weirder. I can't really remember phone numbers, but I can recall the DTMF signals from a touch-tone phone. I actually have trouble typing in phone numbers on my cell phone because of this.

    3. Re:Similar Experience by Artifakt · · Score: 1

      One reason not so many people are this way is that the numeric keypads on an ATM, a phone, a calculator or a keyboard are all often laid out differently. Standardize the layout more, and more people would rely on visual or audio for the actual numbers, rather than kinetic memory.

      --
      Who is John Cabal?
    4. Re:Similar Experience by Jonavin · · Score: 1

      Same thing here, but when I went to Asia the key patterns were switched around and that really screwed me up the first time I tried to take money in China.

      ObUselessFactoid: Incidentally, taking out cash from an ATM in China is actually cheaper than doing the currency conversion with real cash.

  16. Excellent! by Phurd+Phlegm · · Score: 5, Funny
    Now even if I am tortured to death I can't reveal the password to my eBay account!

    This should come in handy to all the other costumed crime fighters in the Slashdot community, too!

    1. Re:Excellent! by GPLDAN · · Score: 1, Interesting

      You joke, but remember this technique was developed in Israel. You can bet that torture is one of the angles they have thought of. Why else would you develop such a technique.

      Now presenting... The Manchurian Password...

  17. the best password is...... by Steve_Jobs_HNIC · · Score: 2, Informative

    the best password is to have no password

    along the same line.... what's the shortest distance between two points?


    the shortest distance is to have NO distance at all. (Try the folding paper trick)
    If you said a straight line, that'll do for now.

    1. Re:the best password is...... by Anonymous Coward · · Score: 0

      a) Who said the points were on paper? (Try folding the state of Nevada in half) b) You'll never get NO distance. Electronic repulsion will make sure there is always SOME distance between those points.

    2. Re:the best password is...... by Geoffreyerffoeg · · Score: 2, Funny

      I had no password this year in Computer Science. My programs were subconsciously obfuscated enough that none would be insane enough to steal my code and pass it as his own, and I didn't care if the other students looked in there (the teacher can open my home directory anyway). It made it a few milliseconds faster to log in.

    3. Re:the best password is...... by gantrep · · Score: 1

      That's pretty stupid dude. You think the only reason somebody would want in to your home directory would be to steal your code? There are plenty of people that would log in as you and do a "rm -rf ~" just to teach you a lesson about the importance of having a password.

    4. Re:the best password is...... by Geoffreyerffoeg · · Score: 1

      I really don't care. I can rewrite the most recent program, and I don't need the earlier programs. Besides, who'd do that anyway - who hates me enough?

    5. Re:the best password is...... by gantrep · · Score: 1

      Must be pretty small/lame programs, and it's not necessarily an issue of hating you, just teaching you a lesson.

      Your parents didn't discipline you when you were a kid because they hated you, they did it because they wanted to change your behavior. Blank passwords are definitely an activity that should be discouraged.

      What if someone used your account as a starting point and tried to escalate their user rights, or used your account to launch a fork bomb and bring the system to its knees while people who (unlike you) do care about their work are trying to get something done, maybe before the end of a term?

  18. Easy 24 or more letter-number combinations by Prince+Vegeta+SSJ4 · · Score: 2, Funny
    I use a password of a phrase or group of words that I easily remember, then translate to l33t. That way I can easily have a strong password well over 20 characters. I am assuming of course that it is harder to break 5la5|-|d0t as opposed to slashdot.

    maybe someone could expand?

    1. Re:Easy 24 or more letter-number combinations by Scarblac · · Score: 4, Interesting

      I use passwords from Nethack, e.g. #@d_..C# is me and my dog standing next to an altar with a centaur on the other side of the room. Not hackable by dictionary attack :-)

      --
      I believe posters are recognized by their sig. So I made one.
    2. Re:Easy 24 or more letter-number combinations by solicit · · Score: 3, Interesting

      Or use a one-liner perl regex as your password, easy to remember if you know what it does, but also not breakable by dictionary attack. :)

  19. Sounds like that bit in "Johnny Mnemonic". by Samurai+Cat! · · Score: 3, Interesting

    Keanu gets all the data locked in his head, and the password is a series of images...

    --

    "People" using "unnecessary" quotes should be "shot".
    1. Re:Sounds like that bit in "Johnny Mnemonic". by lothrids · · Score: 1

      I was thinking the same thing. I wonder if TriStar Pictures will be filing a lawsuit for the copyright?!?!?!?

    2. Re:Sounds like that bit in "Johnny Mnemonic". by kunudo · · Score: 1

      I was thinking the same thing. I wonder if TriStar Pictures will be filing a lawsuit for the copyright?!?!?!?

      Probably not, then they'd have to admit to being behind that movie. Don't get me wrong, I love Gibson, especially Neuromancer, but that movie is.. crap. Keanu looks like he's trying to learn to act, and Ice Cube or whoever it is is sorta ridiculous... Wish they could remake it and do it for real this time... And lose Ice Cube, for chrissake. Even though they're supposed to be 'lo-teks', somehow I get the impression that none of them would know how to use, let alone build, anything more complicated than a... kitchen table. I mean, they've built a fucking electronic interface to a dolphin's brain, but... argh.. [/rant]

  20. why use passwords? by djsmiley · · Score: 0

    When we have DNA?

    Anyone last check their DNA string...

    I use a 9 letter password, it was 6 but some fuker saw it a few years back, now I type it so fast (plus fake key strokes).

    Truth is, don't put anything behind a password which is THAT important. ANY password is crackable, what isn't tho is your imagination. We need mind readers so we can just "think" an image of our password :)

    --
    - http://www.milkme.co.uk
  21. Password is the wrong word by Anonymous Coward · · Score: 3, Insightful


    they should call it passphrase if you want people to use long passes

    all the time websites/apps ask for a password it just re-enforces the insecurity of using a single word

    8 character passwords/filenames should of died in the 70's

    1. Re:Password is the wrong word by Anonymous Coward · · Score: 0

      Dude, even though it sounds like "should of," should've is short for "should have." This is basic English.

    2. Re:Password is the wrong word by Anonymous Coward · · Score: 0

      maybe he/she isn't English ? the world/internet is a lot bigger than you think

  22. Better editing, please by ChuckleBug · · Score: 1

    Yeesh, what a horribly written intro:

    [...]to assign a password to a user in a way that prevents the user from conciously remember or describe it[...]

    cant

    Come on. The next sentence is really wretched. Not only is there a verb-subject agreement problem, is doesn't even parse:

    Recognizing the right ones from a series is interpreted as knowing the password, and the chances of guessing it is 1/100,000.

    1. Re:Better editing, please by ChuckleBug · · Score: 1

      is doesn't even parse:

      Sigh. OK, I typoed. But my comments still stand.

    2. Re:Better editing, please by Drathus · · Score: 1

      Hello my name is Werner Brandis, my voice is my passport verify me.

  23. Great by Pan+T.+Hose · · Score: 3, Funny

    Finally we have something which is not vulnerable to the rubber-hose cryptanalysis. Now the attackers can brute-force me as hard and as long as they want and I will not be able to tell them my password even if I want to! Now I feel totally safe, because even in the case of the most inhumane torturing, I will take my password to my grave. It's like using fingerprints in ATMs so the thief has to cut my finger off instead of taking my ATM card in order to steal my money, except for the lack of gelatin exploit. This is great news. I can stop recommending Password Safe to my users now.

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."
  24. This actually makes a lot of sense by darkest_light · · Score: 3, Insightful
    When I was taking Spanish in high school, my teacher always told me that recognition was a much lower mental skill than composition. This is true--years later I can still *understand* Spanish, but I can't speak it myself. Having a password system that relies on this lower-order mental process is a great idea. Recognizing the correct password would be much easier than remembering it, but the process for cracking it would be just as hard as cracking an alphanumeric password if enough pictures were used.

    That said, I do end up memorizing most things this way--I know pin numbers, telephone numbers, and even my password by the "feel" of typing them, and I usually can't remember what they are when I'm not using a keyboard or number pad.

    --
    Orationem pulchram non habens, scribo ista linea in lingua Latina.
  25. Security? by kaoshin · · Score: 1

    Would a screenshot then be enough to compromise your system? I recall reading a story on /. about monitors being viewed remotely somehow from like vans parked outside. Put the two together and I would be scared for my network. Another question would be why we haven't heard much in the last 2 years since Microsoft has been working on this same technology?

    1. Re:Security? by magefile · · Score: 1

      That tech is called Tempest, but it's very sensitive to the weather, other computers/monitors/sources of EM radiation in the area. It's also very expensive.

    2. Re:Security? by kaoshin · · Score: 1

      That's it. Yeah, I think a small camera would be much more reliable and inexpensive. On second thought I don't think passwords are much of an issue anyway (at least on windows) because they are already worthless. Legacy Windows versions you can escape past the logon. On either 2000 or XP you can boot from a 2000 CD and use recovery console to access the filesystem without being prompted for a password. It's not like anyone needs any help in fitting through the gaping windows security holes.

    3. Re:Security? by ModMeFlamebait · · Score: 1

      Given unrestricted physical access to a machine (like booting from a CD requires - it should be disabled in setup anyway), no operating system is secure. Your only way to protect data is to encrypt it (e.g. using an encrypted loopback) using passwords typed in by hand or taken from some removable media (otherwise it will have to be present on the disk, defeating security).

      --
      Pavlov. Does this name ring a bell?
    4. Re:Security? by kaoshin · · Score: 1

      it should be disabled in setup anyway

      Here's my real life situation, which will maybe help you understand my point. Like most companies, mine can't afford an infrastructure capable of supporting a network based method of image deployment. We use a bootable CD method of reimaging PCs. Even if this was not an obstacle in our restoration method, a restriction like that would never fly in my company anyway because it would cause too much complaining to management (the guys who make the decisions on such changes). I have worked for 3 large corporations so far and the story was nearly identical with all of them.

      Your only way to protect data is to encrypt it

      I realize other operating systems are vulnerable without encryption, but you also don't have many other operating systems in large companies being used as workstations. From my experience, when alternatives ARE used they are usually configured more securely. The unix boxes in our company do use encryption. Do our windows XP users use encrypted folders? Hell, we have windows administrators who don't even know any better.

    5. Re:Security? by ModMeFlamebait · · Score: 1
      Yeah, I sure do understand that technology is only one of the factors in any real world environment and I also met clueless windows admins. And bootable CDs aren't a bad way in some cases, too. (I've used them to reimage PCs in an internet cafe - daily). If you have enough horsepower on the server(s), why not move everything there and export with SMB/NFS/whatever from an encrypted FS? And throw IPSEC in there just to be sure ;) You'd get the benefits of centralisation:
      • simpler backups
      • smaller "area" to secure (deny write access to local disks and store profile and documents on the server)
      • single point of failure <g>
      It should also be more difficult to boot a server off a live CD without being noticed :)
      --
      Pavlov. Does this name ring a bell?
    6. Re:Security? by kaoshin · · Score: 1

      First of all, we have numerous branch offices on very low-bandwidth network connections, so network speed is an issue. We also have a bunch of jerk managers who want to save a buck now to look good and get their bonus regardless of the long-term effects, which means we get limited network-attached storage capacity with no failover or redundancy. We have a hard enough time fitting someone's personal folders on network storage, much less ALL of their spreadsheets and Word documents, etc. As technicians, we realize the potential benefits of a setup like this, but when it comes down to cash the cheapest way always seems to win, and the people who put us in the position to have problems like this in the first place are the first (and often the only) to be rewarded.

  26. been there, done that by menscher · · Score: 3, Funny
    About 10 years ago I had a password where I typed an easy-to-remember non-word with my hands shifted on the keyboard. I actually went over a year without knowing what my password was, until one day I accidentally typed it at a login prompt.

    My bank-card pin-number uses a different trick. I just used four consecutive digits of pi. The trick is that they're pretty far into the sequence. Oh, and I made a mistake when I set it, so it's actually wrong. Oops. Guess it's pretty random, then. ;)

    1. Re:been there, done that by droleary · · Score: 1

      About 10 years ago I had a password where I typed an easy-to-remember non-word with my hands shifted on the keyboard. I actually went over a year without knowing what my password was, until one day I accidentally typed it at a login prompt.

      Is that when you found out that all along you were using "password"? I hate it when that happens!

    2. Re:been there, done that by gnu-generation-one · · Score: 3, Informative

      "My bank-card pin-number uses a different trick. I just used four consecutive digits of pi. The trick is that they're pretty far into the sequence. Oh, and I made a mistake when I set it, so it's actually wrong. Oops. Guess it's pretty random, then. ;)"

      I reckon it's probably still four consecutive digits of pi... (and indeed would be, no matter which 4 digits you chose!)

    3. Re:been there, done that by Doofus · · Score: 1


      mod parent up -

      I was going to state something similar, that the original pi-user's actual pin was no more or less random than if he hadn't made a mistake -

      --
      If the Government becomes a lawbreaker, it breeds contempt for law; ... it invites anarchy. - Brandeis
    4. Re:been there, done that by SamSim · · Score: 1

      No, trust me, they are definitely four consecutive digits of pi even so. Somewhere in the first 99849 digits, in fact.

      Maths is so cool.

    5. Re:been there, done that by gnu-generation-one · · Score: 1

      If you want a really secure PIN, simply use the last 4 digits of pi... apparently it would take thousands of years of supercomputer effort to crack that one...

    6. Re:been there, done that by cshark · · Score: 1

      Yes, but it was in caps. heh.

      --

      This signature has Super Cow Powers

  27. Keepass by DarkHelmet · · Score: 4, Interesting
    I keep a copy of Keepass with me on a USB keystick. It keeps all of my passwords in a secure place. Most of the passwords I have are 21 characters, generated randomly.

    The only thing I have to remember is the password to get into Keepass and decrypt its database.

    --
    /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
    1. Re:Keepass by Anonymous Coward · · Score: 0

      Keeping all your eggs in one basket, eh? So if I crack your Keepass (rubber hose/torture/brute force) I get ALL your passes, nice.

    2. Re:Keepass by Anonymous Coward · · Score: 0

      Yes, but this is better than if you do what most people do and have one password for everything. If you catch that password on the wire you are good for all the accounts. I used to have just two passwords, one for important things and one for not so important things. So if someone at a bank wanted my password they could easily get it.

    3. Re:Keepass by Hognoxious · · Score: 0

      I do something similar, but I don't store the password/phrases, I store a clue to them that only I would be able to solve. Well, in some cases one other person might (winks). Ooops, this is slashdot, nobody will get that bit.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  28. This is natural... by 222 · · Score: 1

    I use this a lot when I'm trying to navigate my way through a new 3D environment or backtrack to find an old website link.
    You simply go with your instinct, and more often than not it ends up being the path previously traveled. An interesting approach to idiot proof security ;).

    1. Re:This is natural... by Spazmogazm · · Score: 1

      This gave me the best idea. At login I should be dropped into a Quake map where I have to retrace my steps from point A to point B with only a marginal degree of error. I'm pretty sure my path would be unique. Then I could explain to my boss that I'm just trying to log in but I guess I must have forgotten my password so that's why it's taking so long.

  29. 1/100,000? by prof187 · · Score: 1

    I know it says it's "not ready yet"
    but even an 8 character, lower-case letter only password has 208827064576 possibilities...
    it might take a while for that to catch up

    --

    My other sig is an import.
  30. Tell me your password or you're dead!!! by rice_burners_suck · · Score: 2, Insightful
    and the chances of guessing it is 1 [in] 100,000

    How long does it take a computer program to make 100,000 guesses? Not too long, I'd wager. I think the reason text passwords are so effective is that you can have different length passwords with uppercase, lowercase, numerical, and symbol characters, giving you some 100 characters to play with, in any combination, and in any length (within range), meaning that there are probably a lot more than 100,000 combinations.

    If Hebrew University figures out a way to dramatically increase the number of possible combinations, while retaining one's ability to remember, but not describe, the password, that would be very useful in situations, for example, where your filesystem is encrypted with one of these passwords, and there is no way you can tell the CIA/FBI/NYPD/MPAA/RIAA/DEA/Microsoft/SEC what it is, in case one of these organizations seizes your equipment.
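The keyspace arithmetic in posts 29, 30 and 32 (and the retries-before-lockout trade-off raised in post 53 further down) can be checked with a few lines. This is an added example, not code from the thread: the 100,000 figure is the one in the summary, the other scheme sizes are the character-set counts the posters used, and the guess rate is an assumed figure.

```python
import math

# Keyspace sizes for the schemes compared in the thread. The 100,000 figure is
# the one quoted in the summary; the others are the character-set counts the
# posters used. Every entry assumes the secret is chosen uniformly.
SCHEMES = {
    "image recognition (summary figure)": 100_000,
    "3 letters, case-sensitive": 52 ** 3,
    "4 lower-case letters": 26 ** 4,
    "8 lower-case letters": 26 ** 8,
    "8 printable ASCII characters": 95 ** 8,
}


def entropy_bits(keyspace: int) -> float:
    """Entropy in bits of a secret chosen uniformly from `keyspace` values."""
    return math.log2(keyspace)


def expected_guesses(keyspace: int) -> float:
    """Average guesses to hit a uniform secret without repeating: (N + 1) / 2."""
    return (keyspace + 1) / 2


def offline_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Expected time for an unthrottled (offline) attacker at the given rate."""
    return expected_guesses(keyspace) / guesses_per_second


def online_success_probability(keyspace: int, attempts: int) -> float:
    """Chance that an attacker allowed `attempts` distinct guesses before
    lockout gets in. This is the number that grows when a system permits
    more retries: it is linear in the attempt budget."""
    return min(attempts, keyspace) / keyspace


def compare(guesses_per_second: float = 1e6, lockout_attempts: int = 5) -> dict:
    """Summarise every scheme: bits, offline time at the assumed rate, online odds."""
    return {
        name: {
            "keyspace": size,
            "bits": round(entropy_bits(size), 1),
            "offline_seconds": offline_seconds(size, guesses_per_second),
            "online_p_success": online_success_probability(size, lockout_attempts),
        }
        for name, size in SCHEMES.items()
    }


if __name__ == "__main__":
    # Assumed rate: one million guesses per second, an arbitrary illustrative figure.
    for name, row in compare().items():
        print(f"{name:36s} {row['bits']:6.1f} bits  "
              f"offline {row['offline_seconds']:12.3g} s  "
              f"online P(5 tries) {row['online_p_success']:.2e}")
```

The offline column is what matters once the attacker holds the verifier (a stolen disk, a dumped password file); the online column is the one a lockout policy controls. With a 100,000-element keyspace every extra retry allowed before lockout adds another 1/100,000 to the attacker's odds, which is why the retry budget in post 53 and the keyspace size in post 29 are two sides of the same number.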

  31. Sounds like Passfaces by Beautyon · · Score: 5, Interesting

    Passfaces uses a similar idea; you can remember the faces that make up your password, but you cannot describe that password to anyone. It relies on your brains ability to recognise faces, and your brains inability to accurately describe the same faces.

    Useless for the blind of course.

    --
    ATH0 Bitcoin: 1DnwFLXczVZV8kLJbMYoheUrpqHesjxrSi
    1. Re:Sounds like Passfaces by ghost+cat · · Score: 1
      Also useless for the people suffering from prosopagnosia aka face blindness - it's a condition which makes it difficult or impossible to recognize faces. (http://www.faceblind.org/research)

      In any case, I know that I'd just hate to rely on my subconsciousness to be able to access a computer. What if I'm too sleepy when trying to login; or drunk, or just "feeling not myself" and can't concentrate for any reason. What if a few tokens out of the random choices appear a few times during the past few weeks and I start to recognize them as well. Besides, in case of an error, with a regular password it's possible to retry and type it carefully next time - but it's hardly possible to "do it carefully" with the image recognition if one even doesn't know how exactly it works ! so each error would make me more and more nervous and lower the chances to succeed next time, which would most likely lock me out of the system after the 1st error.

    2. Re:Sounds like Passfaces by Anonymous Coward · · Score: 0

      > Useless for the blind of course.

      Not just the blind. I have a severe learning disability which affects my ability to visualise and memorise complex objects, including faces. Essentially, if one of my immediate family changes his or her hairstyle, I won't recognise them immediately, and have to look to them to react to me before I can guess who it is.

      Such a system would be ineffective for those with my condition. (It doesn't have a name that I'm aware of, but according to the appropriate testing, I'm in the bottom 10% of the world.)

  32. Odds? by RonnyJ · · Score: 3, Insightful
    the chances of guessing it is 1/100,000

    When you consider that the chance of randomly guessing a random 3-letter long case-sensitive password is 52^3 (1 in 140608), this really isn't that impressive.

  33. Finally someone's come up with a way.... by gg3po · · Score: 0

    ...to counter this:
    http://www.brainwavescience.com/counterterrorism.php

    ...apparently this technology could be used to 'brute force' someone's knowledge of anything (passwords), but if you don't know the password, there will be no way for it to work.
    --
    ---
  34. Here's the password solution I recommend... by Saeed+al-Sahaf · · Score: 1
    If it's good enough for the U.S. Government, it's good enough for me...

    The World's Most Dangerous Password

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    1. Re:Here's the password solution I recommend... by Performaman · · Score: 1

      I'd add "POE" for better security.
      Or "CAP-118."

      --

      I have gas, but my car uses petrol.
  35. not news. users do this all the time by Anonymous Coward · · Score: 0

    As all sysadmins know well, the users do this all the time, I mean "use a password they can not remember later", and then ask the admin to recover their pretty password and you must explain "I can only give you a new password you could change later", and here again to the beginning, they change it and forget...

  36. The Future by n0d3 · · Score: 1

    I suppose in the future, not far from now, we'll have to rely on other means of authentication anyway. Passwords are good, but people really don't like remembering them, let alone a few of them. And then there's the changing of them every few weeks.

    No, I believe things like handscans via your touchscreen-enabled display for one. So then there's always the risk of someone being able to forge your handprint, well add an iris check to that, with the webcam you already have standard installed in your monitor (video conferencing should be also quite normal around that time). Need stronger authentication than that? Voice pattern recognition.

    Seems like it's really far away ... we have most of the technology already available in our homes. Just those touch screens and it should become the normal way to handle things ...

  37. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  38. This idea by Rinisari · · Score: 2, Interesting

    This idea was shown in Johnny Mnemonic. When the 320 GB of data was shoved into Johnny's head, it was encrypted with three pictures. Those pictures needed to be reproduced in order to extract the data.

  39. Johnny Mnemonic by Krondor · · Score: 1, Redundant

    Isn't this similar to how passwords were handled in Johnny Mnemonic? With the 3 random screen captures. I realize that this is different in that the user remembers which ones to pick, but isn't it the same principle?

    Sci-Fi becomes reality once again.

    1. Re:Johnny Mnemonic by jcenters · · Score: 1
      In the short story, the password in Johnny's boss's head was ASCII art, a swastika.

      Gibson is definitely one of the most prophetic sci-fi writers of our time (The only other two I can think of that match him are Neal Stephenson or possibly Bruce Bethke.) He invented the term "cyberspace" for crying out loud!

      Patiently waiting for my deck.

      --

      vi ~/.emacs

  40. Kinda of interesting, but... by sootman · · Score: 1

    3 months to get to 90%? Doesn't sound too good. And 1 in 100,000 means there are 100,000 possibilities, I guess, (RTFA? what's an A?) which really isn't that much to use brute force against (for a machine, anyway.) And, to put that in perspective, 4 letters (26^4) has over 450,000 combinations. So why not go with a 4-letter acronym and get >99% success immediately?

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  41. I already can't really "remember" my passwords... by dark-br · · Score: 1

    ... in a way that if you ask me for the correct sequence I can't really tell you. For some weird reason I guess it's not my brain remembering the pass, it's my fingers :) I can type it while being shot at, in the middle of a fire or with FBI agents riding in, but I cannot tell you the sequence even if you pull my nails off one by one.

    Is that only with me?

  42. This is not something new... by Angelonio · · Score: 1

    CMU is working on Secure Human Authentication (HUMANOIDs) for quite some time now.
    Their scheme is also more difficult to guess since it suggests that the user should make
    a random mistake to confuse the guessing adversary!!!

  43. Patterns on the keyboard. by klevin · · Score: 1

    I use random patterns on the keyboard. I have to consciously remember the password for a little while, but, within a week or so, I no longer even remember what the password is. I just type it without thinking. I found out that I was doing something similar with my GPG key's passphrase. One day, I went to type it in and realized that I couldn't remember it despite the fact that I had just used it a few hours previously. It took me over a week to remember what my passphrase is. I was just about at the point of putting my revocation certificate into circulation and generating a new key.

    Kind of reminds me of back when I still played the piano. Then, I would practice a piece so much that, after a while, I found it easiest to play with my eyes closed and let my mind just cruise along. The bad thing was, that if something startled or interrupted me, I often couldn't remember where in the song I was.

    1. Re:Patterns on the keyboard. by jpkunst · · Score: 1

      Kind of reminds me of back when I still played the piano. Then, I would practice a piece so much that, after a while, I found it easiest to play with my eyes closed and let my mind just cruise along. The bad thing was, that if something startled or interrupted me, I often couldn't remember where in the song I was.

      Something similar happened to me when I was distracted by something when I was about to type in my PIN code to pay in the supermarket. Suddenly I couldn't remember my PIN anymore (that is to say, I still knew what the digits were and what the main pattern was, but I forgot which digit went where). And I had been using that PIN for something like ten years. A very strange experience.

      JP

  44. It' easy: by ivan1011001 · · Score: 2, Interesting

    Just pick a telephone number that you can remember well, but not your own. Practice typing it on the number pad a few times, until you get it through your subconscious and can type it w/o looking. Then select a random key on the keyboard as your starting point, and type in the phone number.

    (e.g., 651-5984 = oiji09u ; [w/ oiu=456])

    Secure, unguessable, and easy to remember.

    --

    I was thinking of converting to paganism, but where the hell can you find sacrificial virgins these days?
    1. Re:It' easy: by Anonymous Coward · · Score: 0

      The number of combinations isn't great. There's only 10^7 phone numbers (and obviously much smaller for a known geographic area), and for the average number, only about 20 possible starting locations that don't fall off the edge of the keyboard. That's only 200 million password strings, about the equivalent of 6 lower-case letters.

    2. Re:It' easy: by ivan1011001 · · Score: 1

      Yes yes, I know this, but for my purposes it is secure enough. You can also add spaces, or enter it twice, just be creative and change it often. Besides, they don't know how you got your password, so they wouldn't know about the 20 only starting positions.

      --

      I was thinking of converting to paganism, but where the hell can you find sacrificial virgins these days?
    3. Re:It' easy: by piffy · · Score: 1

      not sure what phone you're using, but mine go 123/456/789/*0#, which means oiu=654 not vice versa.

      --
      www.piffy.org -- me.
    4. Re:It' easy: by ivan1011001 · · Score: 1

      I know, I know, I didn't catch that when I previewed, but I wasn't using a phone; if you were paying attention I was using the keypad, but your comment still stands.

      --

      I was thinking of converting to paganism, but where the hell can you find sacrificial virgins these days?
  45. More than anything... by sootman · · Score: 2, Insightful

    ...this seems like a solution in search of a problem. Exactly what scenario requires a password that cannot be guessed by passers-by and cannot be extracted by interrogators but at the same time is unimportant enough that 90% accuracy is acceptable? Neat trick, but there are lots of things to work out before this is anywhere near practical.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  46. it's been done before by dekeji · · Score: 1

    These kinds of passwords based on visual recall have been tried before. People have tried constructing scenes, using collections of natural photographs, and lots of other visual cues. All of them rely on the fact that "a picture is worth more than a thousand words", meaning that it would be hard for you to describe pictures in sufficient detail to disclose your password. There was a genuine bonanza of those kinds of attempts to make visual passwords in the late 1990's and some web sites tried using them, but they turned out not to be very useful in the end.

  47. I do that currently. by WindBourne · · Score: 1

    That is how I enter my bank card pin. I have no clue what it is, just my finger does the walking.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  48. Mnemonics by Jadrano · · Score: 4, Insightful

    Maybe this approach has its merits, but it would make entering passwords a bit complicated, strings are easier to handle.

    I would find it much more important that knowledge about mnemonic techniques became more widespread. As far as I know, people who take part in memory contests, where they have to remember long numbers, use systems where each number stands for something (a letter in the alphabet, which in turn stands for certain words), and they quickly construct a kind of story around the numbers. Human beings are very bad at remembering raw data, but they are quite good at remembering semantically connected concepts. As long as people conceive passwords as a kind of word, perhaps slightly altered and with numbers added, it will always be difficult - either it is still vulnerable (dictionary attacks or, even if the word doesn't exist, phonotactic attacks exploiting the rules by which sounds can combine in languages) or it is hard to remember, especially if the password has to change from time to time. It would be much easier if people conceived passwords as phrases or whole sentences and used the first, second, last or whatever letters that make up the words of these expressions (and still added numbers).
    For instance, I think it would be relatively hard to remember a password like 'dl3w5pwthbtceth', but if it stands for 'During [the] last 3 weeks, 5 people went to [the] hairdresser because their cats eat their hair' (absurd, but not really devoid of semantic content and therefore possible to remember). Next time, the password might be '3ohtehfsocatioh2jgu' (3 of [the] hairdressers tried [to] extract [the] hair from [the] stomachs of [the] cats and to insert it on their heads, 2 just gave up). The style of the sentences that should not be too obvious can, of course, vary.
    That is easier to remember than things conceived as nonsense words and practically impossible to guess. The transition from one password to the next is easier - the next phrase or sentence can somehow be connected semantically or pragmatically to the previous one in the mind of the owner of the password in a way that isn't accessible to anyone else.

    With the ubiquity of passwords in today's everyday life, such methods deserve much more attention.

    1. Re:Mnemonics by mericson · · Score: 1

      The point of this method, I believe, is not that it has come up with a more secure password -- which it most definitely has not -- but rather that it has come up with a password that the user cannot reveal to anyone. Any password, even those that are 20 characters long and full of gibberish, can be written down or told to someone else, compromising the password.

      But if you are trained to recognize specific images, it's much harder to tell someone or write down exactly what the images look like. While you can tell someone that you saw a picture of a duck, when someone who is attacking your account is shown 10 pictures of ducks, they won't know exactly which one you saw.

      So, you probably wouldn't want to use it as the only authentication method for your account, but in combination with a traditional password, it can provide a different type of security that is harder to compromise.

    2. Re:Mnemonics by Skeezix · · Score: 4, Informative

      I wrote a paper on using mnemonics which you might find interesting
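The passphrase-initials scheme from post 48 (take one letter of each word, keep the digits, skip the words the poster writes in square brackets), as an added example that is not code from the post. It reproduces the post's first password from its sentence and produces the first/second/last-letter variants the post mentions; the bracket convention is the post's, everything else is this example's assumption.

```python
import re
from typing import List

# Anything that is not a letter or digit is stripped from a word (commas, full stops).
NON_WORD = re.compile(r"[^0-9A-Za-z]")


def _tokens(sentence: str) -> List[str]:
    """Words of the sentence that contribute to the password.

    Tokens written in square brackets (the post's notation for words that are
    left out, e.g. "[the]") are dropped, punctuation is stripped and numbers
    are kept whole.
    """
    out = []
    for tok in sentence.split():
        if tok.startswith("[") and tok.rstrip(".,;:!?").endswith("]"):
            continue
        word = NON_WORD.sub("", tok)
        if word:
            out.append(word)
    return out


def passphrase_to_password(sentence: str, pick: str = "first") -> str:
    """Derive the password from the sentence.

    `pick` selects which letter of each word is used: "first", "second" or
    "last". Numbers are copied as written, so "3 weeks" contributes "3w".
    """
    out = []
    for word in _tokens(sentence):
        if word.isdigit():
            out.append(word)
        elif pick == "first":
            out.append(word[0].lower())
        elif pick == "last":
            out.append(word[-1].lower())
        elif pick == "second":
            out.append(word[1].lower() if len(word) > 1 else word[0].lower())
        else:
            raise ValueError(f"unknown pick rule {pick!r}")
    return "".join(out)


def variants(sentence: str) -> dict:
    """One sentence, three different passwords; only the selection rule changes."""
    return {rule: passphrase_to_password(sentence, rule)
            for rule in ("first", "second", "last")}


if __name__ == "__main__":
    # The post's own sentence, used here as the constructed input.
    sentence = ("During [the] last 3 weeks, 5 people went to [the] hairdresser "
                "because their cats eat their hair")
    for rule, pw in variants(sentence).items():
        print(f"{rule:6s} {pw}")
```

The point of writing the rule down is that the attacker's side is just as mechanical: a cracker fed with common sentences and the same three rules gets the same candidates, so the strength rests entirely on the sentence being one nobody else would generate, not on the letters looking random.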

  49. Comparisons by JamesP · · Score: 1

    Everybody is saying that they can type their password although they don't remember it.

    It reminds me of playing the piano. I can always remember the moves, but never the notes.

    And worse, sometimes I need to have the score before me, even though I don't connect what's written with the actual notes on the keyboard.

    Maybe we need a musical password...

    --
    how long until /. fixes commenting on Chrome?
    1. Re:Comparisons by slothman32 · · Score: 1

      When I read that I first thought of Willy Wonka, the movie not the book. There are probably lots of methods but unless you can write them down in case you forget they won't work. And some people aren't good at the piano. I know my fingers are too fat to easily play. Instead of Bach as my password I'd probably play Mozart and get locked out.

      --
      Why don't you guys have friends or journals?
  50. Disturbing quote from article by LincolnQ · · Score: 2, Insightful

    "I like the idea of developing computer-human interfaces in which the computer is a skeptic [and so] doesn't perform the actions of which it is capable until the human has convinced it that the need is genuine and the human is an appropriate person for whom to perform this action," he said. "This might lead to greater safety for all of us."

    Ouch! I don't like this idea at ALL. Anyone else disturbed?

    Dave. Open the pod bay doors, please, Hal...Open the pod bay doors, please, Hal...Hullo, Hal, do you read me?...Hullo, Hal, do you read me?...Do you read me, Hal?...Do you read me, Hal?...Hullo, Hal, do you read me?...Hullo, Hal, do you read me?...Do you read me, Hal?
    Hal. Affirmative, Dave, I read you.
    Dave. Open the pod bay doors, Hal.
    Hal. I'm sorry, Dave, I'm afraid I can't do that.
    Dave. What's the problem?
    Hal. I think you know what the problem is just as well as I do.

  51. Serious uses in oppressive regimes by AmiMoJo · · Score: 5, Informative

    In some of the more oppressive legal environments, such as the United Kingdom, the police can demand that you hand over your passwords. Saying "I forgot", even if you did, is not considered a valid reason for not doing so. Check out the Regulation of Investigatory Powers Bill.

    Using this technique, it would be possible to prove that you could not remember the password.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Serious uses in oppressive regimes by headkase · · Score: 1

      They would simply have you unlock the data for them by entering your "password", no matter the method used for entry.

      --
      Shh.
    2. Re:Serious uses in oppressive regimes by Geoffreyerffoeg · · Score: 1

      Hmn. If you set your machine to be able to use a Dvorak or French layout or some other keyboard layout where the letter caps are switched, your password could be an easy phrase in QWERTY typed while in Dvorak (or whatever) mode. If you didn't know the keyboard layout, you couldn't reveal the password without having a physical Dvorak keyboard in front of you.

      If you're asked for the password, you can say "It's 'blurp', but typed while in Dvorak mode," to which the response is "How do you get your computer to Dvorak mode?" "I'm not required to tell you. It's not part of my password."

      A h^Hcracker of course would have trouble breaking your password with a dictionary attack.
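The Dvorak trick from the reply above, as an added example (not the poster's code): the phrase is what the fingers type on QWERTY key positions, and what the machine receives is the Dvorak character sitting on each of those positions. The inverse function is the check a practitioner wants before relying on it: whoever attacks the stored hash can push an ordinary wordlist through every installed layout, so the layout adds roughly the log of the number of layout pairs tried, not a new kind of secret. The layout strings are the standard US QWERTY and US Dvorak unshifted rows.

```python
import math

# Unshifted US QWERTY key positions and the US Dvorak character on each one,
# row by row (top, home, bottom). Same index = same physical key.
QWERTY = "qwertyuiop[]asdfghjkl;'zxcvbnm,./"
DVORAK = "',.pyfgcrl/=aoeuidhtns-;qjkxbmwvz"
LAYOUTS = {"qwerty": QWERTY, "dvorak": DVORAK}


def _translate(text: str, src: str, dst: str) -> str:
    """Re-read `text` (typed on layout `src`) the way layout `dst` sees the
    same key presses. Letters keep their case; characters not in the tables
    (space, digits) pass through unchanged."""
    table = dict(zip(src, dst))
    out = []
    for ch in text:
        low = ch.lower()
        mapped = table.get(low, low)
        out.append(mapped.upper() if ch.isupper() and mapped.isalpha() else mapped)
    return "".join(out)


def typed_as(phrase: str, fingers: str = "qwerty", active: str = "dvorak") -> str:
    """What the computer receives when `phrase` is typed from QWERTY muscle
    memory while the `active` layout is selected."""
    return _translate(phrase, LAYOUTS[fingers], LAYOUTS[active])


def recover(received: str, fingers: str = "qwerty", active: str = "dvorak") -> str:
    """Inverse: given the stored string, the QWERTY phrase that produced it."""
    return _translate(received, LAYOUTS[active], LAYOUTS[fingers])


def expanded_wordlist(words, layouts=LAYOUTS) -> set:
    """Attacker's side: every word under every (typed, active) layout pair.
    The size of the result shows how little the trick multiplies the work."""
    cands = set()
    for w in words:
        for f in layouts:
            for a in layouts:
                cands.add(_translate(w, layouts[f], layouts[a]))
    return cands


def extra_bits(n_layouts: int) -> float:
    """Bits added by not knowing which of n layouts was active: the number of
    distinct transformations is n*(n-1) cross-layout pairs plus the identity."""
    return math.log2(n_layouts * (n_layouts - 1) + 1)


if __name__ == "__main__":
    stored = typed_as("blurp")
    print("typed 'blurp' on QWERTY keys, Dvorak active ->", stored)
    print("recovered ->", recover(stored))
    print("candidates for one word across both layouts:",
          sorted(expanded_wordlist(["blurp"])))
    print("extra bits from two layouts:", round(extra_bits(2), 2))
```

A dictionary attack that knows the layouts in play costs the attacker one more pass per layout pair; the "blurp" in the reply is still a dictionary word underneath.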

    3. Re:Serious uses in oppressive regimes by Anonymous Coward · · Score: 0

      Actually the UK law is a lot more sensible than it first appears. It is also to protect the subsequent owners and handlers of encrypted data from liability by firmly placing the ownership and responsibility for data in the hands of the encryptor. This is very e-commerce friendly, as the site you link to should realise.

  52. Keyboard layouts... by Anonymous Coward · · Score: 1, Insightful

    I memorized the layout of the keys in my bank PIN, and eventually forgot the numbers themselves.

    This got me in trouble when I went to Japan, where the layout of the keys is reversed top to bottom from the banks in NYC.

    I entered the code incorrectly three times (didn't realize why at the time), and got locked out of my account for 48 hours with no cash on me in Tokyo.

    So, I would expect this could be a problem with even just slightly different keyboards.

  53. Not good enough... by igrp · · Score: 1
    The obvious weakness and insecurity of this aside, this just isn't a good idea. For starters, 90% is nowhere near good enough. A password system like this would be a nightmare to set up and, more importantly, to maintain.

    Imagine introducing something like this and being responsible for it during the rollout period. You'd have to have people on-call 24/7 just to reset passwords, check IDs and help people log on to their computers (which is the very thing they need to do to even start their work day).

    Additionally, you'd have to allow more attempts to enter a password correctly before locking the account or nobody would be able to log in (at least while people got used to the system). And thereby you'd actually weaken security significantly.

  54. We're not talking just about computers.. by Fr4ncis · · Score: 1

    What if the password would be used to get cash from bank machines? In those cases the password is very short and it would be easy for a thief to get you to tell him the code in order to steal your money, or suppose you would be stupid enough to keep that code inside your wallet with the card.

    This is a great idea IMO, a link between psychoanalysis and tech, really interesting!

  55. Susceptible to dolphin crack? by Stack_13 · · Score: 1
    Sure, image passwords are great - especially the ones you can't remember consciously.

    But have they considered the possibility of someone cracking your password using telepathic ex-military dolphins?

  56. DUPE by Anonymous Coward · · Score: 0

    Not only that, but they posted a story about a similar technology in 2001!

  57. Pig Latin by Saeed+al-Sahaf · · Score: 1

    How about recursive Pig Latin? Every time you need to change it, just keep running it through your Pig Latin algorithm.

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    1. Re:Pig Latin by simcop2387 · · Score: 1

      The problem with this is that each time after the second you keep adding the same thing

      haiku->aikuhay->aikuhayway->aikuhaywayway->ad infinitum

      That is with proper Pig Latin anyway

  58. I forgot. by Anonymous Coward · · Score: 0

    An excellent strategy for getting around court ordering you to divulge a password without trying the "I forgot" excuse.

  59. Oblig. Lost Ark quote by Wheaty18 · · Score: 1

    "You'd be surprised what someone can remember... if properly 'motivated'..."

  60. Remember Microsoft by MikeDawg · · Score: 2, Insightful

    Didn't Microsoft try something like this, with passwords? I'm trying to find the /. article on it, but I can't seem to find it. MS would develop a password that was developed from images the user saw, I can't remember the exact details (Damn, I need to find that article).

    --

    YOU'RE WINNER !
    Another lame blog

    1. Re:Remember Microsoft by dettifoss · · Score: 1

      Yep. MS Research published a study in which users were shown a bunch of Rorschach inkblot images. Since folks almost unfailingly put different interpretations on the same image, the same set of images can produce unique passwords of something like 20 chars in length by concatenating the first and last letters of what they see in each image. If they are shown the images again, they almost invariably come up with the same password, and after some time can enter it with little effort through tactile memory.

      The paper is here: http://research.microsoft.com/displayArticle.aspx?id=417

      I'm no fan of the "Evil Empire", but credit where it's due...

  61. This proved to be the best by far... by twoslice · · Score: 1, Funny
    Once I was trying for about 15 minutes to get into a machine that a co-worker locked out. I knew he used really simple passwords and tried them all. secret...password...firstname...lastname...name of his pet... you name it and I got bubkiss, notta, zip, no joy, crappola

    Then he just showed up and pressed the enter key. I said you have a blank password!!!! He just laughed and said - It fooled you didn't it? how long were you trying?

    --

    From excellent karma to terrible karma with a single +5 funny post...
  62. Remembering a password is easy by Anonymous Coward · · Score: 1, Informative

    Lots of people remember hundreds of phone numbers without any effort (I do). You don't have to make an effort to memorize them; after you use a number a few times you just know it. Lots of people know their social security number, credit card numbers, etc. If I make a purchase online or by phone I never look at my credit cards, I just say the numbers. Remembering strings of numbers is much easier than memorizing other stuff, for example poems (remembering phone numbers is easy, remembering poetry is hard). Remembering passwords is the same: an alphanumeric string is easy to remember if it is not too long (say less than 15 characters). If you use a few passwords every day, after one week or so you just know them and don't have to write them down.

  63. Already in use ... unconsciously? by zonix · · Score: 1

    In some way, I think a lot of us may unconsciously be using this method already.

    I once knew my 4-digit PIN for my credit card by the pattern I would press on a keypad. At the time I wasn't consciously aware of the fact that I didn't know the actual sequence of numbers. One day I had to memorize the PIN for my Mom's credit card (yeah, I know, the PIN is personal!) as I was to run an errand for her - just once. That was enough for me to forget my own PIN when I was to use my own credit card the next time.

    Today I memorize my PIN by reference, so I won't forget it. I believe this will serve me better in the long run, on so many different levels. If I had been mugged back when I didn't consciously know my PIN, I'm sure the muggers wouldn't have believed me (*). Also, we're getting new credit card terminals in my country where the keypad layout is reversed.

    (*) Take your pick: a reorganized face or an empty bank account.

    z

    --
    What would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
  64. Sound effects by CptNerd · · Score: 1

    What about using comic book sound effects, like "Schreeoownk" or "Ptoioioinnngg", kind of like the sounds Don Martin made up for his Mad magazine strips? Run them through a "l33t" translator, or just stick an "@" or "+" where you feel like it, and surely you'd have something that took a while to crack.

    If nothing else, it'd make logging in a bit more fun...

    --
    By the taping of my glasses, something geeky this way passes
  65. wow... bad bad. by buttahead · · Score: 1

    ...and the chances of guessing it is 1/100,000.
    yikes, so trying this brute force would take about 1 second. cool.

  66. Remember this is on research-stage! by ZiggyM · · Score: 1

    Most comments complain that 1/100,000 is not secure blah blah blah. Use your imagination please, this is still in research; I'm sure one could improve the system to make the odds harder. This is just an example of a new way to input passwords. And brute force does not necessarily help if you have a lockout policy, say lock the account for 1 hour after 3 failed password tries.

    Also, remember that this scheme prevents the user from reusing the password somewhere else, writing it down or even giving it to someone for a bribe. It can have interesting uses.
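An added back-of-the-envelope model, not from the thread or the paper, of what the "3 tries, then lock for 1 hour" policy mentioned above does to online guessing of a 1-in-100,000 secret; the 4-digit PIN that a later comment compares it to is included. The attempt rate (the lock resets and nothing else throttles the attacker) is an assumption.

```python
import math


def prob_guessed_within(p, attempts):
    """Probability that `attempts` independent guesses, each succeeding
    with probability p, include at least one hit."""
    return 1.0 - (1.0 - p) ** attempts


def attempts_for_confidence(p, confidence=0.5):
    """Number of guesses needed before the attacker's cumulative success
    probability reaches `confidence` (0.5 = median)."""
    return math.log(1.0 - confidence) / math.log(1.0 - p)


def hours_under_lockout(p, tries_before_lock=3, lock_hours=1.0, confidence=0.5):
    """Wall-clock hours for an online attacker to reach `confidence`.
    Assumption: the lock resets, so the attacker gets `tries_before_lock`
    guesses per `lock_hours` window and nothing else throttles them."""
    attempts_per_hour = tries_before_lock / lock_hours
    return attempts_for_confidence(p, confidence) / attempts_per_hour


def compare_schemes(tries_before_lock=3, lock_hours=1.0):
    """Median hours to guess, per scheme, under the same lockout policy."""
    schemes = {
        "image recognition (1 in 100,000)": 1e-5,
        "4-digit PIN (1 in 10,000)": 1e-4,
    }
    return {name: hours_under_lockout(p, tries_before_lock, lock_hours)
            for name, p in schemes.items()}


if __name__ == "__main__":
    for name, hours in compare_schemes().items():
        print(f"{name}: ~{hours:,.0f} hours (~{hours / 24 / 365:.1f} years) "
              f"to a 50% chance")
    # Without any lockout, 100,000 guesses at 100,000/s (a constructed rate)
    # take about a second and already give a ~63% chance of a hit.
    print(f"no lockout: {100000 / 1e5:.0f} s for a "
          f"{prob_guessed_within(1e-5, 100000):.0%} chance")
```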

  67. Tight on Time by Tedger · · Score: 1

    I can see it now: Our newest greatest spy behind enemy lines must input the code on the first try or the whole plan will be botched. Damn! 1/10 chance of missing it and of course he did! The free world is doomed!

  68. Not so bad by SuperDry · · Score: 2, Interesting

    Regarding the 90% retention rate, that was within a 3-month period of having been issued the password. I'd say that at least for me, there's a far less than 90% chance that I'll remember a new password 3 months later if I don't use it regularly. So, this part of the new scheme doesn't seem so bad. Also, regarding the 1-in-100,000 chance of a false positive, consider that most bankcards are protected with a 4-digit numeric password, yielding only 10,000 combinations, and they are considered secure for their intended application. So, I guess my point is not every authentication scheme needs to meet the test of a Unix-like "one-way hash where you assume an intruder has access to the encrypted password." A scheme similar to what they've developed could very well be plenty acceptable in certain situations.

  69. Kanji by ThreeDayMonk · · Score: 3, Insightful

    This reminds me of Japanese kanji - and anyone who's studied Japanese will know what I mean.

    It's far easier to learn to read a word in kanji than to write it down accurately.

    This sounds like a similar phenomenon.

    --
    If your comment title says 'Re: Foo', I'm not likely to read it.
  70. Just lock the account by xswl0931 · · Score: 1

    Most systems already do this to prevent brute force attacks. Just lock the account after the third unsuccessful attempt. Now the user has to provide more data to prove they are who they are. In a secure environment, this may mean DNA samples rather than just your pet's name.

  71. Re:Upper case by abscondment · · Score: 1

    Don't forget to mix upper- and lowercase.

    That's a total misnomer if you're running Windows. The LAN Manager hash isn't case sensitive and has a length limit. It's still stored by default in XP, 2000, etc. Once that's cracked (which would take a month at the longest on my Athlon XP 2100+), the number of possible case-sensitive solutions takes a matter of seconds to run through.

    Still, the issue is gaining access to the password hashes.

  72. Got that already by Anonymous Coward · · Score: 0

    A few of my passwords are close to that. I used to learn my passwords by looking at them and typing them out, without "reading" them to myself. Works great for remembering them, but the "downside" is that I have problems writing them down by hand or reading them out.

    In fact I once spent the better part of an hour finding a public computer terminal (where are the bloody internet cafés when you need them?) so I could type the password out on a keyboard so I could tell it to a guy I worked with, because something had gone wrong while I was away on a course. In the end I still got it wrong because the keyboard had a layout I wasn't used to.

  73. Remembering without Consciousness by Anonymous Coward · · Score: 0

    To psychologists who study memory, this sort of thing is not new. There have been some great experiments with word fragment completion: when someone is given a word, and then sees a fragment (i.e., defenestrate and _e_en_st_at_) they will be able to correctly fill in the fragment with that word even months later with no practice in between. Plus, this will occur even if they do not recall seeing the actual word.

    Of course, words are susceptible to dictionary attacks. Images are one solution to that. Another would be motoric tasks. A certain series of mouse movements could be required as a password--this would be almost impossible to crack, and memory for this type of task, once learned, is very robust. Also, there really would be less reason to change this sort of password because it would be so inherently difficult to crack.

    To those who say that it would be hard to consistently get very precise movements down, think about how precise you are when playing Unreal Tournament and aiming.

  74. How long would it take.... by CodeGorilla · · Score: 1

    before the random images presented would imprint themselves onto the users' memory obfuscating the original password?

  75. Microsoft Research by Anonymous Coward · · Score: 0

    Microsoft Research released a whitepaper on using inkblots to this effect 2 years ago - In fact, the Win2k3 SDK supplies for prompting a user with a portfolio of database-sourced images when the user is challenged for their credentials so that third-parties can write plugins to do this.

  76. I agree by Anonymous Coward · · Score: 0

    1/100,000 ? HOW ABOUT 1 IN A MILLION?

    Not even close

    you need to have a password that can't be guessed as easily as 1 in 1x10^8

  77. This reminds me of a really bad movie... by ralf1 · · Score: 1

    from a pretty decent short story. Pictures as passwords? Johnny Mnemonic anyone?

    --
    "Would you, could you, with a goat?" Dr Seuss
  78. Using a Password One Doesn't Consciously Remember? by skinfitz · · Score: 1

    It's called a biometric.

  79. Here's the paper... by Anonymous Coward · · Score: 1, Informative

    http://www.cs.huji.ac.il/~kirk/Imprint_CHI04_final.pdf

  80. Muscle memory by andrewagill · · Score: 1

    I don't recall most of my passwords, anyway.

    After about ten or twenty times, I just wind up entering them by muscle memory.

    I can enter most of my passwords in under a second, without even looking at a keyboard.

  81. Gattaca (was: Re:Great) by Matt · · Score: 1

    Speaking of movie references, that gelatin exploit sounds like something out of the movie Gattaca. Except IIRC his defeated a pinprick blood checker as well.

  82. Images? Pfft. by Feztaa · · Score: 1

    I've been using the same password for everything for so long that I don't even remember what it is, I just type it in by muscle memory. ;)

  83. Johnny Mnemonic by HermesHuang · · Score: 1

    This reminds me of the passkey system used in Johnny Mnemonic where a sequence of 3 random pictures unlocks the files.

  84. A Chimp Apart by Rie+Beam · · Score: 2, Interesting

    Why not just train a chimpanzee to remember our passwords? Just carry them around, drop them in the "password monkey bucket", and then show them a series of pictures, followed by a keypad. I mean, it's been shown they can remember basic patterns and such, and it's not like they're going to give it up for anything stupid...like chocolate...

  85. not effective for men by muckdog · · Score: 3, Funny

    This won't work at all. If it's based on images, every male password will be boobs.

  86. Less obscure way to do it by caryw · · Score: 1

    I also use passwords that I do not consciously remember, but in a much less obscure manner.

    Instead of basing a password on a word, I base passwords on keyboard finger patterns.

    For example, one of my passwords might be "pqlsnv" or maybe "ju7ft6la"

    Open notepad and type one of them out. Go on, try it.

    Note the alternating finger pattern.

    You can create very complex passwords with this method that are virtually impervious to dictionary based password crackers.

    Definitely a novelty in having a password that my fingers know by heart but my mouth couldn't recite if my life depended on it.

    - Cary
    Fairfax Underground, where Fairfax County comes out to play

  87. Shapes by pr1000 · · Score: 1

    Sometimes I choose my password by making a shape on the keyboard. This works well with diagonal lines, since the keys on each row aren't lined up vertically with the keys below or above them. I tend to use this method most often for simple passwords, like pin codes. For example, let's say I decide on an "X" starting from the top left corner. That gives me 753951 using a keypad. Of course, I just remember the shape, not the numbers, which is handy for someone with a good visual memory, like me, since it's much harder to forget a simple shape, IMHO, than a string of numbers and/or letters.

    Of course, there are drawbacks to this method. The first one is mentioned above. Another is you eventually learn the password by entering it a lot, unless you're conscientious about not looking at the keyboard. Of course, if you need to know the password, it's easy to retrieve it. Also, I doubt very complex shapes could consistently be entered reliably. For example, let's say I make a spiral starting at 5 (not on the keypad but on the key above r and t). This gives me 5rdcvgtf. But what if I forget that it curved left, not right, from r? Then I'd get 5rfvbhtg. Still a spiral and still starts from 5. Of course, I imagine it's also rather vulnerable to attack. If someone is watching you in the distance (or not so distant ;-) they can just reproduce your pattern and have your password. Of course, that's essentially a problem with any password that's based on characters. Another vulnerability, I would think, is that the characters are right next to each other. While not alphabetically close, these characters are close together, so a bruteforce attacker could easily narrow his search area by just knowing one of the keys. Using the spiral example, there are only four characters which could follow the leading 5: 4, r, t, 6.

    Anyway, I find it's a good system for me.

  88. My password from images on my computer by burtonator · · Score: 1

    OK...

    This works really well actually... here's my password:

    doggystylereversecowgirlmissionary

    All one word...

    It's easy to remember late at night by remembering the last 3 images I looked at.

  89. I do it already by Anonymous Coward · · Score: 0

    I have a password I use that I can never say right without typing it or pretending to type it. It's a real B*tch when your fingers forget lol

  90. Two-factor authentication? Multiple sites by AndresFerraro · · Score: 1

    Think of the number of sites and passwords you have. Now think of the number of trainings you would have to do, and the possibility of mental jumble increases rapidly. I'm sure people can remember the patterns much more easily since it's the only such pattern they have associated with 'authentication' or 'weird scientific trial'. Try to keep the sequences straight once your mind groups everything into one 'authentication' or 'internet' bin and you have 20 passwords to remember. If authentication is so critical as to justify a system such as this and the time expense of learning it, etc., I would suggest going with two-factor authentication systems such as SecurID or similar systems.

    --
    -Andres.
  91. Both methods don't have enough bits by billstewart · · Score: 1
    Passfaces were friendly, and gave you 4 sets of 9 faces to pick the right ones from. (I'm not sure if the current implementation is still that arrangement - it wants some plugin I'm not running.) That's cute, but it's no more secure than a 4-digit PIN, so it's useless against any automated attack. If this thing has 100,000 possible values, that's still just 5 digits.

    It's ok as an add-on in addition to a password, for environments that can use it practically, since it balances out people's preferences for wimpy passwords, but it's not enough for most standalone use.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  92. Key position by Anonymous Coward · · Score: 0

    I have two passwords which I can't actually remember, however I can type them fast (if the keyboard is standard).
    It causes some trouble on laptops and such - I have to imagine typing slowly to remember the sequence.
    They are 13 and 15 symbols long, random letters/numbers/symbols.

  93. Microsoft must use this... by noidentity · · Score: 1

    ...to keep Windows users from realizing they're seeing the blue-screen-of-death for the nth time. "I don't know what it is about Windows, but I can tell it when I see it."

  94. dictionary-proof passwords by psyki · · Score: 1

    Another way to remember yet not remember passwords is to have a word in mind, but shift your fingers one key to the left or right and type it out. I could figure out what my password actually is but I don't need to, and it will most likely never be in a dictionary.

  95. Three Step Process by intuit · · Score: 0

    Step 1: Give password prompt. Step 2: ??? Step 3: Log in. I suppose it will also inevitably lead to profit.

    --

    Don't even try to argue. It is NOT worth the while to go round the world to count the cats in Zanzibar.
  96. keycards? by mattyrobinson69 · · Score: 1

    How much are keycards and keycard readers (and a few keycard writers for the IT dept)?

    Get yours in the morning using your simple ID card and give it in at night to prevent some smart arse taking it home, buying a writer and copying someone else's.

  97. Interesting, but... by bastardadmin · · Score: 1

    ...I wouldn't want to try to sell it as an authentication mechanism to my executive masters.

    Granted it does make it harder for the creds to be acquired via social engineering, but... there are easier ways to protect authentication credentials using existing methods, IMO.

    For instance, what about the use of passphrases vs. passwords?

    I.e., choose a sentence, including some punctuation; it's a lot harder to defeat with a basic dictionary attack, will likely take a lot longer for a brute force crack, and users should (in theory) be able to remember a phrase like, say, "Highlander 2 was utter crap!" much more easily than, say, xXzQwtY@#153.

    Not as glamourous as the method described, but a much easier sell to users.

    Combine with a physical token (RSA ID, smart card, whatever) and things get a little harder to break technologically.

    Anyway, that's my $0.02.

  98. Keanu Reeves would be good at this... by bev_tech_rob · · Score: 1

    Remember Johnny Mnemonic? That was how they encrypted or locked the content in his brain....

    --
    You're messin' with my Zen Thing, man.....
    1. Re:Keanu Reeves would be good at this... by bev_tech_rob · · Score: 1

      Crap! I shoulda read the posts above! Mod me 'Redundant' :p.

      --
      You're messin' with my Zen Thing, man.....
  99. So what's the technological discovery here? by startxxx · · Score: 0

    http://fuckedcompany.com/ That's where you belong, heh.... what did you develop, an image viewer program that reads 3 digits?

  100. One thing I WON'T do ... by antispam_ben · · Score: 1

    ... is post on slashdot telling how I select my password(s) ... Sheesh, I can't believe what I'm reading here, of all places.

    --
    Tag lost or not installed.
  101. Been done? (sorta) by attercoppe · · Score: 1

    Didn't they do this in the movie version of Johnny Mnemonic?
    He picked three images at random for a passcode which he would then not consciously know. Of course in the original short story, it was a spoken phrase...

    --
    Hardware Geeks Do It With The Covers Off!
  102. re: conscious passwd recollection by pugfantus · · Score: 1

    Actually, a lot of my passwords I can't consciously recall. I use finger "gestures"/patterns for my passwords. I know the starting position of my hand, and then I just make the proper finger movements and my password is typed in. Change the position on the keyboard, keep the movements the same, and you've got a whole new password.

  103. I already use this! Sort-of. Not really. by Anonymous Coward · · Score: 0

    My work phone number is something I only know by dialing it. If I need to give it out, I have to simulate dialing it to get the digits.

    Also, my home computer password is a set of randomly generated and capitalized alphanumerics. How I remember it is similar, except I know most of it by heart now but if I think about it while entering it I usually get it wrong.

    But the pictures are a neat idea.

  104. I play AD&D like that by Anonymous Coward · · Score: 0

    I read the post, and I knew it reminded me of something

  105. Strong huh? by aussie_a · · Score: 1

    Did the tool judge your password before or after you blurted it out on /. ;)

  106. I too do this by aussie_a · · Score: 1

    Not the "same password for everything" part, but the type-without-thinking part. I currently will type a password depending on the login screen I'm shown. For example on the MUD I play, I'll type in the correct sequence without even thinking about it. I also do the same for my university account. I remember both, with the username and password both being very different, due to the fact the login screens look different.

    You don't need to type in the same password for everything, you just need different login screens (although if you have 15 boxes of the same thing, not easy).

  107. What About Those with Eidetic Memory? by Cruxus · · Score: 1

    Yes, most people won't be able to remember these visual images in detail, but that doesn't apply to that minuscule number of people who have eidetic memories. What do we do about them?

    --
    On vit, on code et puis on meurt.
  108. To those who think this is insecure by TonyMeatballs · · Score: 1

    While 1 in 100,000 chances of guessing seem like really bad odds: "OMG..we can brute force this, lolz!". In reality, this is probably a much stronger form of protection than it first sounds. The article stated that the images to be recognized came from a library of over 200,000. This means that at each login attempt, you could have a different group of images come up that would still contain a legitimate password for the user to type in. Even if each attempt had a 1 in 100,000 chance of being guessed, 2 guesses wouldn't give you a 2 in 100,000 chance of being right and so on... ...But then I suppose you could just look for which pictures are common in each password attempt, and get in that way...Shit, I'll shut up now.

  109. one good way.... by acidbass · · Score: 0

    I have been thinking about the password problem for some time and I finally found a universally secure yet recallable method. I take 4 characters, any random 4, and use these always, say for example: erfg. Then think of a song that you know the lyrics to, like the chorus to "Give Peace a Chance": all we are saying is give peace a chance. The first letter of each word is: awasigpac, so I make my password: erfg&awasigpac. If the password only allows 10 or 8 characters, then the password will only be the 1st 10 or 8 letters of the long password. And then whenever I need to change my password, I just think of another song, and then that's all I have to remember, the song's chorus. So "Summer Breeze" is my new song; my password is: erfg^sbmmffbttjimm. The password can seem long, but it's recallable and totally hard to remember in its given form. So obviously this works for quotes or sayings or any other memorable sayings.

  110. nemories by Doc+Ruby · · Score: 1

    Another use for the human facility of "nemory": when something never happened, and you don't remember it. A nemorized password can not be extracted from a person, nor can the infosystem be analyzed in any way, even through complete physical access, to determine it. Roughly analogous to "dark matter" and "dark energy", nemories are our experience of "dark info", estimated as the overwhelming majority of information in the Universe. Nemory devices and techniques will revolutionize the Info Age, without anyone even noticing, or even happening at all.

    --
    make install -not war