Slashdot Mirror
Using a Password One Doesn't Consciously Remember
ZiggyM writes "Researchers from Hebrew University in Israel have devised a way to assign a password to a user in a way that prevents the user from conciously remember or describe it, yet the user can input it correctly over 90% of the time in a 3 month period after [s]he learns to input it.
It involves using visual recognition of previously-seen images, which you can recognize but cant consciously recall in detail. Recognizing the right ones from a series is interpreted as knowing the password, and the chances of guessing it is 1/100,000.
Not ready for practical use yet, but very interesting concept that can develop further."
My tinfoil hat protects me from the mind readers anyway!
At least it's a new use for my porn archive.
Do we get to use touch screens?
Compare to a normal password-- 90% chance of successful identification? 100,000 possible combinations? Ick.
It better not be used in any situation where a machine can attempt the password, and hopefully they've avoided storing the password itself on the disk, though it certainly could be found with brute CPU (see above).
Basically, it looks like this is a very unimpressive system.
I use the same root password for all of my test boxes. It's 15 characters and made up of random letters and numbers. What is it? I have no idea :-)
I can type my password, but if you asked for it I couldn't tell you what it is. The other day someone needed my password for one of the test boxes. I had to open vi, type in the password, and read it back to them.
The only problem with this is that it takes so long to remember such a password, so as soon as you learn it you can't change it often.
There is no reasonable defense against an idiot with an agenda
:wq
I'm sure there are many variations on this possible. Probably by linking mnemonics and visual cues you could come up with a code-entry system that works reliably, yet makes it nearly impossible for someone to simply write down their code -- hence, easily steal. Use the brain for crypto.
The beauty of string passwords is that I can recall and input it within 3 seconds. It would become quite a hassle to take the time to go through a series of images everytime I wanted to sign into an account.
Still, it's an interesting concept, though I can't forsee it ever becoming applicable to personal computing.
Simple. Don't have the user click on an image, but track their iris to see which image they're looking at. Kills eavesdropping dead, and lets you reuse images too. Drives cost way up, but maybe it can come down with mass production? Just a thought.
It struck me yesterday that the answer to making secure and difficult to guess passwords that are immune to dictionary attacks is staring us all in the face. Let's recap:
A good password is:
Greater than 6 letters long
Composed of numbers and letters
Easy to remember, easy to reremember when changed.
.
Now it struck me that ideally we needed to create a new language that was innovative and imaginative which people could talk in, and use as passwords. Then it struck me: we already have it: L33T SPEEK
Passwords such as OMGN00BSUXSROR! and ROFLGH3YB0ISTFU and almost impossible to guess, are immune to dictionary attacks, and are perfectly memorable. Perhaps L33T language classes could be started at major institutions, and a Creative Commons licenced dictionary created.
It's about time someone started talking sense - password security is a problem which needs innovative solutions.
Meine Schwester ist sehr, sehr reizvoll - Nietzsche
I cant really remember the PIN for my bank account, but when i'm standing in front of the cash automat i remember the moves i have to do with my fingers without problem. If i wanted to remember the PIN as a number i can close my eyes and pretend to type it though, so there is a way for me to know it consciously.
the most sexp i get is my paren-mode.
This should come in handy to all the other costumed crime fighters in the Slashdot community, too!
the best password is to have no password
along the same line.... what's the shortest distance between two points?
the shortest distance is to have NO distance at all. (Try the folding paper trick)
If you said a straight line, that'll do for now.
maybe someone could expand?
Keanu gets all the data locked in his head, and the password is a series of images...
"People" using "unnecessary" quotes should be "shot".
they should call it passphrase if you want people to use long passes
all the time websites/apps ask for a password it just re-enforces the insecurity of using a single word
8 character passwords/filenames should of died in the 70's
Finally we have something which is not vulnerable to the rubber-hose cryptanalysis. Now the attackers can brute-force me as hard and as long as they want and I will not be able to tell them my password even if I want to! Now I feel totally safe, because even in the case of the most inhumane torturing, I will take my password to my grave. It's like using fingerprints in ATMs so the thief has to cut my finger off instead of taking my ATM card in order to steal my money, except for the lack of gelatin exploit. This is great news. I can stop recommending Password Safe to my users now.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
That said, I do end up memorizing most things this way--I know pin numbers, telephone numbers, and even my password by the "feel" of typing them, and I usually can't remember what they are when I'm not using a keyboard or number pad.
Orationem pulchram non habens, scribo ista linea in lingua Latina.
My bank-card pin-number uses a different trick. I just used four consecutive digits of pi. The trick is that they're pretty far into the sequence. Oh, and I made a mistake when I set it, so it's actually wrong. Oops. Guess it's pretty random, then. ;)
The only thing I have to remember is the password to get into Keypass and decrypt its database.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
How long does it take a computer program to make 100,000 guesses? Not too long, I'd wager. I think the reason text passwords are so effective is that you can have different length passwords with uppercase, lowercase, numerical, and symbol characters, giving you some 100 characters to play with, in any combination, and in any length (within range), meaning that there are probably a lot more than 100,000 combinations.
If Hebrew University figures out a way to dramatically increase the number of possible combinations, while retaining one's ability to remember, but not describe, the password, that would be very useful in situations, for example, where your filesystem is encrypted with one of these passwords, and there is no way you can tell the CIA/FBI/NYPD/MPAA/RIAA/DEA/Microsoft/SEC what it is, in case one of these organizations seizes your equipment.
Passfaces uses a similar idea; you can remember the faces that make up your password, but you cannot describe that password to anyone. It relies on your brains ability to recognise faces, and your brains inability to accurately describe the same faces.
Useless for the blind of course.
ATH0 Bitcoin: 1DnwFLXczVZV8kLJbMYoheUrpqHesjxrSi
When you consider that the chance of randomly guessing a random 3-letter long case-sensitive password is 52^3 (1 in 140608), this really isn't that impressive.
This idea was shown in Johnny Mnemonic. When the 320 GB of data was shoved into Johnny's head, it was encrypted with three pictures. Those pictures needed to be reproduced in order to extract the data.
Colin Dean Go a year without DRM
Just pick a telephone number that you can remember well, but not your own. Practice typing it on the number pad a few times, until you get it through your subconcious and can type it w/o looking. Then select a random key on the keyboard as your starting point, and type in the phone number.
(i.g., 651-5984 = oiji09u ; [w/ oiu=456])
Secure, unquessable, and easy to remember.
I was thinking of converting to paganism, but where the hell can you find sacrificial virgins these days?
...this seems like a solution in search of a problem. Exactly what scenario requires a password that cannot be guessed by passers-by and cannot be extracted by interrogators but at the same time is unimportant enough that 90% accuracy is acceptable? Neat trick, but there are lots of things to work out before this is anywhere near practical.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Maybe this approach has its merits, but it would make entering passwords a bit complicated, strings are easier to handle.
I would find it much more important that knowledge about mnemonic techniques become more widespread. As far as I know, people who take part in memory contests, where they have to remember long numbers, use systems wehere each number stands for something (a letter in the alphabet, which in turn stands for certain words), and they quickly construct a kind of story around the numbers. Human beings are very bad at remembering raw data, but they are quite good at remembering semantically connected concept. As long as people conceive passwords as a kind of words, perhaps slightly altered and with numbers added, it will always be difficult - either it is still vulnerable (dictionary attacks or even if the word doesn't exist phonotactic attacks exploiting the rules sounds can combine in languages) or it is hard to remember, especially if the password has to change from time to time. It would be much easier of people conceived passwords as phrases or whole sentences and use the first, second, last or whatever letters that make up the words of these expressions (and still add numbers).
For instance, I think it would be relatively hard to remember a password like 'dl3w5pwthbtceth', but if it stands for 'During [the] last 3 weeks, 5 people went to [the] hairdresser because their cats eat their hair' (absurd, but not really devoid of semantic content and therefore possible to remember). Next time, the password might be '3ohtehfsocatioh2jgu' (3 of [the] hairdressers tried [to] extract [the] hair from [the] stomachs of [the] cats and to insert it on their heads, 2 just gave up). The style of the sentences that should not be too obvious can, of course, vary.
That is easier to remember than things conceived as nonsense-words and practically impossible to guess. The transition from one password to the next is easier - the next phrase or sentence can somehow be connected semantically or pragmatically to the previous in the mind of the owner of the password in a way that isn't accessible to anyone else.
With the ubiquity of passwords in today's everyday life, such methods deserve much more attention.
"I like the idea of developing computer-human interfaces in which the computer is a skeptic [and so] doesn't perform the actions of which it is capable until the human has convinced it that the need is genuine and the human is an appropriate person for whom to perform this action," he said. "This might lead to greater safety for all of us."
Ouch! I don't like this idea at ALL. Anyone else disturbed?
Dave. Open the pod bay doors, please, Hal...Open the pod bay doors, please, Hal...Hullo, Hal, do you read me?...Hullo, Hal, do you read me?...Do you read me, Hal?...Do you read me, Hal?...Hullo, Hal, do you read me?...Hullo, Hal, do you read me?...Do you read me, Hal?
Hal. Affirmative, Dave, I read you.
Dave. Open the pod bay doors, Hal.
Hal. I'm sorry, Dave, I'm afraid I can't do that.
Dave. What's the problem?
Hal. I think you know what the problem is just as well as I do.
In some of the more oppressive legal environments, such as the United Kingdom, the police can demand that you hand over your passwords. Saying "I forgot", even if you did, is not considered a valid reason for not doing so. Check out the Regulation of Investigatory Powers Bill.
Using this technique, it would be possible to prove that you could not remember the password.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Didn't Microsoft try something like this, with passwords? I'm trying to find the /. article on it, but I can't seem to find it. MS would develop a password that was developed from images the user saw, I can't remember the exact details (Damn, I need to find that article).
YOU'RE WINNER !
Another lame blog
Regarding the 90% rtention rate, that was within a 3-month period of having been issued the password. I'd say that at least for me, there's a far less than 90% chance that I'll remember a new password 3 months later if I don't use it regularly. So, this part of the new scheme doesn't seem so bad. Also, regarding the 1-in-100,000 chance of a false positive, consider that most bankcards are protected with a 4-digit numeric password, yielding only 10,000 combinations and they are considered secure for their inteded application. So, I guess my point is not every authentication scheme needs to meet the test of a Unix-like "one-way hash where you assume an intruder has access to the encrypted password." A scheme similar to what they've developed could very well be plenty acceptable in certain situations.
This reminds me of Japanese kanji - and anyone who's studied Japanese will know what I mean.
It's far easier to learn to read a word in kanji than to write it down accurately.
This sounds like a similar phenomenon.
If your comment title says 'Re: Foo', I'm not likely to read it.
Why not just train a chimpanzee to remember our passwords? Just carry them around, drop them in the "password monkey bucket", and then show them a series of pictures, followed by a keypad. I mean, it's been shown they can remember basic patterns and such, and it's not like they're going to give it up for anything stupid...like chocolate...
This won't work at all. If its based on images, every male password will be boobs.