Slashdot Mirror


Using a Password One Doesn't Consciously Remember

ZiggyM writes "Researchers from Hebrew University in Israel have devised a way to assign a password to a user in a way that prevents the user from consciously remembering or describing it, yet the user can input it correctly over 90% of the time in a 3 month period after [s]he learns to input it. It involves using visual recognition of previously-seen images, which you can recognize but can't consciously recall in detail. Recognizing the right ones from a series is interpreted as knowing the password, and the chance of guessing it is 1/100,000. Not ready for practical use yet, but very interesting concept that can develop further."

25 of 270 comments

  1. Their own metrics are so awful. by mlyle · · Score: 3, Interesting

    Compare to a normal password-- 90% chance of successful identification? 100,000 possible combinations? Ick.

    It better not be used in any situation where a machine can attempt the password, and hopefully they've avoided storing the password itself on the disk, though it certainly could be found with brute CPU (see above).

    Basically, it looks like this is a very unimpressive system.

    1. Re:Their own metrics are so awful. by jwe21 · · Score: 2, Interesting

      In most environments, the human factor is the weakest link, not the false positive probability. It doesn't matter if the probability of guessing the password is 1/100,000 or as they'd probably get with a bit better training algorithm and a bigger database 1/10,000,000 --- the point is that the user can't write their password down on a sticky note on their monitor.

      Think of it as sacrificing limited security against one unlikely technique (brute force attack) for perfect security against a more common one (human fallibility).

    2. Re:Their own metrics are so awful. by Oculus+Habent · · Score: 5, Interesting

      In reality a truly random four-letter password is probably more secure than most people's password. Have you forgotten they'll likely give it up for chocolate, anyway? If they don't really know it, they can't write it down and can't divulge it.

      The specific implementation may need work, but the concept has very real possibility.

      Best comment when I told someone their password expires every 90 days and they can't use the last two:

      "That's OK, I have four grandchildren."

      --
      That what was all this school was for... to teach us how to solve our own problems. -- janeowit

    3. Re:Their own metrics are so awful. by hyphz · · Score: 2, Interesting

      The thing is, this already exists.

      There's a system called PassFace which issues passwords consisting of sets of pictures of faces. The idea is that faces are easy to remember but hard to describe, thus preventing passing on of the password.

      It was tested as part of a student project. The project found that PassFaces are *trivial* to sniff. In some cases it only took one "shoulder surfing" session for someone to sniff a password. So if a person wants to transfer their password to someone else, they might not be able to speak it aloud, but all they have to do is to allow the other person to watch them logging in once or twice and presto.

  2. Very interesting by bigberk · · Score: 3, Interesting

    I'm sure there are many variations on this possible. Probably by linking mnemonics and visual cues you could come up with a code-entry system that works reliably, yet makes it nearly impossible for someone to simply write down their code -- hence, easily steal. Use the brain for crypto.

  3. Time? by blike · · Score: 3, Interesting

    The beauty of string passwords is that I can recall and input it within 3 seconds. It would become quite a hassle to take the time to go through a series of images everytime I wanted to sign into an account.

    Still, it's an interesting concept, though I can't forsee it ever becoming applicable to personal computing.

  4. To prevent eavesdropping, use iris tracking by arvindn · · Score: 4, Interesting

    Simple. Don't have the user click on an image, but track their iris to see which image they're looking at. Kills eavesdropping dead, and lets you reuse images too. Drives cost way up, but maybe it can come down with mass production? Just a thought.

  5. Similar Experience by MoP030 · · Score: 3, Interesting

    I can't really remember the PIN for my bank account, but when I'm standing in front of the cash automat I remember the moves I have to do with my fingers without problem. If I wanted to remember the PIN as a number I can close my eyes and pretend to type it though, so there is a way for me to know it consciously.

    --
    the most sexp i get is my paren-mode.

  6. Sounds like that bit in "Johnny Mnemonic". by Samurai+Cat! · · Score: 3, Interesting

    Keanu gets all the data locked in his head, and the password is a series of images...

    --

    "People" using "unnecessary" quotes should be "shot".

  7. Keepass by DarkHelmet · · Score: 4, Interesting

    I keep a copy of Keepass with me on a USB keystick. It keeps all of my passwords in a secure place. Most of the passwords I have are 21 characters, generated randomly.

    The only thing I have to remember is the password to get into Keepass and decrypt its database.

    --
    /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i

  8. Sounds like Passfaces by Beautyon · · Score: 5, Interesting

    Passfaces uses a similar idea; you can remember the faces that make up your password, but you cannot describe that password to anyone. It relies on your brain's ability to recognise faces, and your brain's inability to accurately describe the same faces.

    Useless for the blind of course.

    --
    ATH0 Bitcoin: 1DnwFLXczVZV8kLJbMYoheUrpqHesjxrSi

  9. This idea by Rinisari · · Score: 2, Interesting

    This idea was shown in Johnny Mnemonic. When the 320 GB of data was shoved into Johnny's head, it was encrypted with three pictures. Those pictures needed to be reproduced in order to extract the data.

  10. It's easy: by ivan1011001 · · Score: 2, Interesting

    Just pick a telephone number that you can remember well, but not your own. Practice typing it on the number pad a few times, until you get it through your subconscious and can type it w/o looking. Then select a random key on the keyboard as your starting point, and type in the phone number.

    (e.g., 651-5984 = oiji09u ; [w/ oiu=456])

    Secure, unguessable, and easy to remember.

    --

    I was thinking of converting to paganism, but where the hell can you find sacrificial virgins these days?

  11. Re:I do this now by Entropy+Unleashed · · Score: 5, Interesting

    Why not just use some primitive "keyboard art"? The main alphanumeric area can be considered a 4 by 10 area of pixels, with a possible 3 colors (normal, not typed, and with Shift key). This would offer the possibility of easy visual recognition/reconstruction with ~10^19 possible combinations. For example, we could use a drawing of a TIE Bomber as a password.

    ......0...0......
    .....0__0__0.....
    ......0...0......

    would become ridFGhIJkcm, which is judged to be a rather strong password by http://www.securitystats.com/tools/password.php .

    --

    "I would give my right hand to be ambidextrous."

  12. Re:Easy 24 or more letter-number combinations by Scarblac · · Score: 4, Interesting

    I use passwords from Nethack, e.g. #@d_..C# is me and my dog standing next to an altar with a centaur on the other side of the room. Not hackable by dictionary attack :-)

    --
    I believe posters are recognized by their sig. So I made one.

  13. Re:I do this now by CAIMLAS · · Score: 2, Interesting

    Same thing for me, to a large degree. I know all my passwords by heart, and I no longer think about the key combination. There's been a time or two when I've had to do remote phone admin, and I couldn't recall the passwords for the life of me until I closed my eyes and air-typed them out.

    Really, I don't see how this memory process is any different than remembering something like, "Right click on desktop, go to Properties. Click on the Display tab. Go to "Advanced"...." or such. Or for that matter, memorizing directions to a meeting place you've never been to before, and being able to recall the directions to get there. It doesn't seem too secure to me.

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers

  14. Not so bad by SuperDry · · Score: 2, Interesting

    Regarding the 90% retention rate, that was within a 3-month period of having been issued the password. I'd say that at least for me, there's a far less than 90% chance that I'll remember a new password 3 months later if I don't use it regularly. So, this part of the new scheme doesn't seem so bad. Also, regarding the 1-in-100,000 chance of a false positive, consider that most bankcards are protected with a 4-digit numeric password, yielding only 10,000 combinations and they are considered secure for their intended application. So, I guess my point is not every authentication scheme needs to meet the test of a Unix-like "one-way hash where you assume an intruder has access to the encrypted password." A scheme similar to what they've developed could very well be plenty acceptable in certain situations.

  15. Re:I do this now by simcop2387 · · Score: 2, Interesting

    I'm not sure how well I'd trust that password script, it told me that

    p455W0rD was a pretty strong password

  16. Re:I do this now by Matt · · Score: 3, Interesting

    I've always had the same "problem" with passwords and phone numbers. I can't remember my mother's phone number, but sit me down at a phone and I'll dial her up without thinking about it.

    I'm much the same. I think I "remember" phone numbers primarily by the pattern formed by entering the sequence on a keypad.

    To quote a phone number I almost have to watch myself dial it. Even worse is remembering my own phone number. I don't exactly call it often.

  17. Re:I do this now by E_elven · · Score: 2, Interesting

    I usually bring this up whenever there's a password discussion but looks like you're already on the ball. To recap:

    My users are given the task of creating an 8-12 character password. This is usually, for beginning users, achieved by selecting a letter (the first letter of their name, for example). This letter is then 'drawn' on the keyboard using each key as one 'pixel' and alternating the shift key every other stroke. For example, for the letter 'E', we can create the following picture:
    ` 1 2 3 - - - 7 8 9 0 - = \
    q w e r | - u i o p [ ]
    a s d f | h j k l ; '
    z x c v | _ _ , . /
    This would produce, if starting from top with non-shift: 4RfV5^tBn. The user needs to remember one letter, one starting point and one shift mode.

    Advanced users usually find a variation of this scheme suitable for them since the password policy is to change every 30 days, but even completely computer-illiterate people pick this up very quickly and since it's easy people don't place post-its on their monitor or complain about having to change the password so often.
    --
    Marxist evolution is just N generations away!

  18. Re:I do this now by E_elven · · Score: 2, Interesting

    Ah, one more trick when talking about /completely/ computer-illiterate people (I do some work with the elderly): when teaching this method of password creation I always have slices of paper (red, but I assume anything works) cut very thin with slight variances in thickness. If anyone has a problem understanding the keyboard-as-Etch-a-Sketch concept, I simply ask the user to give the key and then place the paper slices on the keyboard so that the 'picture' is clearly visible. This usually gets even the worst cases.

    Of course, nothing is completely foolproof/infallible.

    --
    Marxist evolution is just N generations away!

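The keyboard-art scheme from comments 11 and 17, as an added example that is not from any commenter: it reads a 4 by 10 picture laid over the US QWERTY main block (a simplification assumed here, ten keys per row), emits the password either from each cell's own "colour" or by alternating Shift on every stroke, and sizes the 3^40 space that comment 11 cites. The letter drawing and the ten-column layout are constructed for the example.

```python
import math

# US QWERTY main block as a 4 x 10 grid (assumed simplification: only the
# first ten keys of each row), unshifted and shifted legends.
UNSHIFTED = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
SHIFTED = ["!@#$%^&*()", "QWERTYUIOP", "ASDFGHJKL:", "ZXCVBNM<>?"]

# Constructed sample picture: the letter 'E' drawn over keys 4/5/6, r, f/g, v.
E_ART = """\
...ooo....
...o......
...oo.....
...o......
"""


def art_to_password(art, alternate_shift=False):
    """Read a 4x10 picture row by row, left to right.

    '.' key not typed, 'o' key typed plain, 'O' key typed with Shift (the
    three 'colours' of comment 11).  With alternate_shift=True the colours
    are ignored and Shift toggles on every stroke, starting unshifted
    (the scheme in comment 17).
    """
    rows = art.strip("\n").splitlines()
    if len(rows) != 4 or any(len(r) != 10 for r in rows):
        raise ValueError("art must be exactly 4 rows of 10 cells")
    out = []
    shift_next = False
    for r, line in enumerate(rows):
        for c, cell in enumerate(line):
            if cell == ".":
                continue
            if cell not in "oO":
                raise ValueError(f"bad cell {cell!r} at row {r}, col {c}")
            use_shift = shift_next if alternate_shift else cell == "O"
            out.append((SHIFTED if use_shift else UNSHIFTED)[r][c])
            shift_next = not shift_next
    return "".join(out)


def nominal_space(cells=40, states=3):
    """Pictures possible when every cell is independently blank, plain or
    shifted; returns (count, bits).  This is comment 11's ~10^19 figure."""
    return states ** cells, cells * math.log2(states)


if __name__ == "__main__":
    print(art_to_password(E_ART))                        # 456rfgv
    print(art_to_password(E_ART, alternate_shift=True))  # 4%6RfGv
    count, bits = nominal_space()
    print(f"{count:.2e} pictures, {bits:.1f} bits")
```

The 3^40 count covers every cell assignment, not only recognisable drawings, so it is an upper bound on what a guesser would have to search rather than the strength of any particular picture.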
  19. Re:This is too complicated - try this by Artifakt · · Score: 2, Interesting

    "I'd suspect that eccentric/odd folks are vulnerable to such social engineering, as they're more likely to have a pattern of behavior that is predictable (I know a person or two like this)."

    Like SF oriented geeks who use alien names - Cthulhu, Gharlane, Nostromo?
    From only the social engineering standpoint, the most unguessable password might be as simple as GTO, if your co-workers think you don't pay any attention to cars, or sosa if you don't seem to follow baseball. Such passwords are lousy from other viewpoints, of course, which suggests there is a need to get away from passwords entirely.

    --
    Who is John Cabal?

  20. A Chimp Apart by Rie+Beam · · Score: 2, Interesting

    Why not just train a chimpanzee to remember our passwords? Just carry them around, drop them in the "password monkey bucket", and then show them a series of pictures, followed by a keypad. I mean, it's been shown they can remember basic patterns and such, and it's not like they're going to give it up for anything stupid...like chocolate...

  21. Re:Easy 24 or more letter-number combinations by solicit · · Score: 3, Interesting

    Or use a one-liner perl regex as your password, easy to remember if you know what it does, but also not breakable by dictionary attack. :)

  22. Re:Excellent! by GPLDAN · · Score: 1, Interesting

    You joke, but remember this technique was developed in Israel. You can bet that torture is one of the angles they have thought of. Why else would you develop such a technique.

    Now presenting... The Manchurian Password...