Using a Password One Doesn't Consciously Remember
ZiggyM writes "Researchers from Hebrew University in Israel have devised a way to assign a password to a user in a way that prevents the user from consciously remembering or describing it, yet the user can input it correctly over 90% of the time in a 3 month period after [s]he learns to input it.
It involves using visual recognition of previously-seen images, which you can recognize but can't consciously recall in detail. Recognizing the right ones from a series is interpreted as knowing the password, and the chances of guessing it are 1/100,000.
Not ready for practical use yet, but a very interesting concept that can develop further."
My tinfoil hat protects me from the mind readers anyway!
I use the same root password for all of my test boxes. It's 15 characters and made up of random letters and numbers. What is it? I have no idea :-)
I can type my password, but if you asked for it I couldn't tell you what it is. The other day someone needed my password for one of the test boxes. I had to open vi, type in the password, and read it back to them.
The only problem with this is that it takes so long to remember such a password, so as soon as you learn it you can't change it often.
There is no reasonable defense against an idiot with an agenda
:wq
Simple. Don't have the user click on an image, but track their iris to see which image they're looking at. Kills eavesdropping dead, and lets you reuse images too. Drives cost way up, but maybe it can come down with mass production? Just a thought.
It struck me yesterday that the answer to making secure and difficult to guess passwords that are immune to dictionary attacks is staring us all in the face. Let's recap:
A good password is:
Greater than 6 letters long
Composed of numbers and letters
Easy to remember, easy to re-remember when changed.
Now it struck me that ideally we needed to create a new language that was innovative and imaginative which people could talk in, and use as passwords. Then it struck me: we already have it: L33T SPEEK
Passwords such as OMGN00BSUXSROR! and ROFLGH3YB0ISTFU are almost impossible to guess, are immune to dictionary attacks, and are perfectly memorable. Perhaps L33T language classes could be started at major institutions, and a Creative Commons licensed dictionary created.
It's about time someone started talking sense - password security is a problem which needs innovative solutions.
My sister is very, very attractive - Nietzsche
This should come in handy to all the other costumed crime fighters in the Slashdot community, too!
Yup. That's not secure in the least. 100,000 possible combinations is equivalent to having a password of only lowercase letters, exactly four letters in length, where the first letter has to be from "a" through "f" (6 * 26 * 26 * 26 = 105,456).
Definitely one of the worst password-type mechanisms proposed in recent history.
The only thing I have to remember is the password to get into Keypass and decrypt its database.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
In reality a truly random four-letter password is probably more secure than most people's password. Have you forgotten they'll likely give it up for chocolate, anyway? If they don't really know it, they can't write it down and can't divulge it.
The specific implementation may need work, but the concept has very real possibility.
Best comment when I told someone their password expires every 90 days and they can't use the last two:
"That's OK, I have four grandchildren."
That what was all this school was for... to teach us how to solve our own problems. -- janeowit
For reference, an eight character password consisting of random upper-case, lower-case and numbers has about 200,000,000,000,000 combinations. A twelve character pronounceable password is about the same, and is what I use for all of my "important" passwords with about a 20% chance of typos. If one were to pick a random English word out of /usr/share/dict/words, that password would be twice as secure as this method, and we know how easy a dictionary attack is.
Passfaces uses a similar idea; you can remember the faces that make up your password, but you cannot describe that password to anyone. It relies on your brain's ability to recognise faces, and your brain's inability to accurately describe the same faces.
Useless for the blind of course.
ATH0 Bitcoin: 1DnwFLXczVZV8kLJbMYoheUrpqHesjxrSi
Maybe this approach has its merits, but it would make entering passwords a bit complicated; strings are easier to handle.
I would find it much more important that knowledge about mnemonic techniques become more widespread. As far as I know, people who take part in memory contests, where they have to remember long numbers, use systems where each number stands for something (a letter in the alphabet, which in turn stands for certain words), and they quickly construct a kind of story around the numbers. Human beings are very bad at remembering raw data, but they are quite good at remembering semantically connected concepts. As long as people conceive passwords as a kind of word, perhaps slightly altered and with numbers added, it will always be difficult - either it is still vulnerable (dictionary attacks or, even if the word doesn't exist, phonotactic attacks exploiting the rules by which sounds can combine in languages) or it is hard to remember, especially if the password has to change from time to time. It would be much easier if people conceived passwords as phrases or whole sentences and used the first, second, last or whatever letters that make up the words of these expressions (and still added numbers).
For instance, I think it would be relatively hard to remember a password like 'dl3w5pwthbtceth', but if it stands for 'During [the] last 3 weeks, 5 people went to [the] hairdresser because their cats eat their hair' (absurd, but not really devoid of semantic content and therefore possible to remember). Next time, the password might be '3ohtehfsocatioh2jgu' (3 of [the] hairdressers tried [to] extract [the] hair from [the] stomachs of [the] cats and to insert it on their heads, 2 just gave up). The style of the sentences, which should not be too obvious, can, of course, vary.
That is easier to remember than things conceived as nonsense-words and practically impossible to guess. The transition from one password to the next is easier - the next phrase or sentence can somehow be connected semantically or pragmatically to the previous in the mind of the owner of the password in a way that isn't accessible to anyone else.
With the ubiquity of passwords in today's everyday life, such methods deserve much more attention.
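As an added example (not code from any poster in this thread), a small Python implementation of the letter-extraction scheme described in the comment above. It generalizes to first, last or nth letters per word, drops the bracketed filler words the way the comment does, keeps digits as written, and includes a defender-side check that the result is not itself a dictionary word; the example phrase and the wordlist are constructed here.

```python
import re

# Constructed from the comment above: bracketed words are filler the writer
# drops, digits survive as themselves, every other word contributes one letter.
EXAMPLE_PHRASE = (
    "During [the] last 3 weeks, 5 people went to [the] hairdresser "
    "because their cats eat their hair"
)
EXAMPLE_PASSWORD = "dl3w5pwthbtceth"

# Constructed stand-in for /usr/share/dict/words.
SAMPLE_WORDLIST = ["password", "hairdresser", "secret", "welcome"]


def tokens(phrase):
    """Split a phrase into words, dropping [bracketed] filler and punctuation."""
    stripped = re.sub(r"\[[^\]]*\]", " ", phrase)
    return re.findall(r"[A-Za-z0-9]+", stripped)


def derive_password(phrase, position="first", keep_case=False):
    """Build a password from one letter per word.

    position: "first", "last", or an integer index into each word (a word
    shorter than that index falls back to its last letter).
    Purely numeric tokens are kept whole so the digits survive as written.
    keep_case=False matches the all-lowercase style of the comment's example;
    keeping case adds a little entropy at the cost of remembering it.
    """
    out = []
    for word in tokens(phrase):
        if word.isdigit():
            out.append(word)
        elif position == "first":
            out.append(word[0])
        elif position == "last":
            out.append(word[-1])
        else:
            idx = int(position)
            out.append(word[idx] if idx < len(word) else word[-1])
    password = "".join(out)
    return password if keep_case else password.lower()


def is_in_wordlist(password, wordlist):
    """Sanity check: a derived password must not itself be a dictionary word."""
    return password.lower() in {w.lower() for w in wordlist}


if __name__ == "__main__":
    pw = derive_password(EXAMPLE_PHRASE)
    print(pw, pw == EXAMPLE_PASSWORD, is_in_wordlist(pw, SAMPLE_WORDLIST))
```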
In some of the more oppressive legal environments, such as the United Kingdom, the police can demand that you hand over your passwords. Saying "I forgot", even if you did, is not considered a valid reason for not doing so. Check out the Regulation of Investigatory Powers Bill.
Using this technique, it would be possible to prove that you could not remember the password.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
I use passwords from Nethack, e.g. #@d_..C# is me and my dog standing next to an altar with a centaur on the other side of the room. Not hackable by dictionary attack :-)
I believe posters are recognized by their sig. So I made one.