Slashdot Mirror


Using a Password One Doesn't Consciously Remember

ZiggyM writes "Researchers from Hebrew University in Israel have devised a way to assign a password to a user in a way that prevents the user from consciously remembering or describing it, yet the user can input it correctly over 90% of the time in a 3-month period after [s]he learns to input it. It involves using visual recognition of previously-seen images, which you can recognize but can't consciously recall in detail. Recognizing the right ones from a series is interpreted as knowing the password, and the chance of guessing it is 1/100,000. Not ready for practical use yet, but a very interesting concept that can develop further."

9 of 270 comments

  1. the best password is...... by Steve_Jobs_HNIC · · Score: 2, Informative

    the best password is to have no password

    along the same line.... what's the shortest distance between two points?


    the shortest distance is to have NO distance at all. (Try the folding paper trick)
    If you said a straight line, that'll do for now.

  2. Re:This is too complicated - try this by abscondment · · Score: 3, Informative

    A good password is:

    • Greater than 6 letters long
    • Composed of numbers and letters
    • Easy to remember, easy to reremember when changed.

    I don't think so. On a single machine it takes l0phtcrack a day or two to crack passwords with only letters and numbers.

    It took my comp 36 days to crack the M$ generated ASPNET user account; it's generated from the full keyboard charset.

    Password policies like this won't enhance security. Maybe disabling LM hashes would, but the vulnerability is still there.

  3. Re:Their own metrics are so awful. by pavon · · Score: 4, Informative

    For reference, an eight character password consisting of random upper-case, lower-case and numbers has about 200,000,000,000,000 combinations. A twelve character pronounceable password is about the same, and is what I use for all of my "important" passwords with about a 20% chance of typos. If one were to pick a random English word out of /usr/share/dict/words, that password would be twice as secure as this method, and we know how easy a dictionary attack is.

  4. Serious uses in oppressive regimes by AmiMoJo · · Score: 5, Informative

    In some of the more oppressive legal environments, such as the United Kingdom, the police can demand that you hand over your passwords. Saying "I forgot", even if you did, is not considered a valid reason for not doing so. Check out the Regulation of Investigatory Powers Bill.

    Using this technique, it would be possible to prove that you could not remember the password.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

  5. Remember a password is easy by Anonymous Coward · · Score: 1, Informative

    Lots of people remember hundreds of phone numbers without any effort (I do). You don't have to make an effort to memorize them, after you use a number a few times you just know it. Lots of people know their social security, credit card numbers, etc. If I make a purchase online or by phone I never look at my credit cards, just say the numbers. Remembering strings of numbers is much easier than memorizing other stuff, for example poems (remembering phone numbers is easy, remembering poetry is hard). Remembering passwords is the same, an alphanumeric string is easy to remember if it is not too long (say less than 15 characters). If you use a few passwords every day, after one week or so you just know them, don't have to write them down.

  6. Re:been there, done that by gnu-generation-one · · Score: 3, Informative

    "My bank-card pin-number uses a different trick. I just used four consecutive digits of pi. The trick is that they're pretty far into the sequence. Oh, and I made a mistake when I set it, so it's actually wrong. Oops. Guess it's pretty random, then. ;)"

    I reckon it's probably still four consecutive digits of pi... (and indeed would be, no matter which 4 digits you chose!)

  7. Here's the paper... by Anonymous Coward · · Score: 1, Informative

    http://www.cs.huji.ac.il/~kirk/Imprint_CHI04_final.pdf

  8. Re:Their own metrics are so awful. by John Starks · · Score: 2, Informative

    RTFA. In this system, once pictures are used, they are never used again. So much for *trivial* sniffing.

  9. Re:Mnemonics by Skeezix · · Score: 4, Informative

    I wrote a paper on using mnemonics which you might find interesting