Slashdot Mirror


Using a Password One Doesn't Consciously Remember

ZiggyM writes "Researchers from Hebrew University in Israel have devised a way to assign a password to a user in a way that prevents the user from consciously remembering or describing it, yet the user can input it correctly over 90% of the time in a 3-month period after [s]he learns to input it. It involves using visual recognition of previously-seen images, which you can recognize but can't consciously recall in detail. Recognizing the right ones from a series is interpreted as knowing the password, and the chances of guessing it are 1/100,000. Not ready for practical use yet, but a very interesting concept that can develop further."


  1. This is too complicated - try this by SimianOverlord · · Score: 5, Funny

    It struck me yesterday that the answer to making secure and difficult to guess passwords that are immune to dictionary attacks is staring us all in the face. Let's recap:

    A good password is:

    Greater than 6 letters long

    Composed of numbers and letters

    Easy to remember, easy to reremember when changed.

    Now it struck me that ideally we needed to create a new language that was innovative and imaginative which people could talk in, and use as passwords. Then it struck me: we already have it: L33T SPEEK .

    Passwords such as OMGN00BSUXSROR! and ROFLGH3YB0ISTFU are almost impossible to guess, are immune to dictionary attacks, and are perfectly memorable. Perhaps L33T language classes could be started at major institutions, and a Creative Commons licensed dictionary created.

    It's about time someone started talking sense - password security is a problem which needs innovative solutions.

    --
    My sister is very, very attractive - Nietzsche
  2. Excellent! by Phurd+Phlegm · · Score: 5, Funny
    Now even if I am tortured to death I can't reveal the password to my eBay account!

    This should come in handy to all the other costumed crime fighters in the Slashdot community, too!

  3. Re:Their own metrics are so awful. by Anonymous Coward · · Score: 5, Insightful

    Yup. That's not secure in the least. 100,000 possible combinations is equivalent to having a password of only lowercase letters, exactly four letters in length, where the first letter has to be from "a" through "f" (6 * 26 * 26 * 26 = 105,456).

    Definitely one of the worst password-type mechanisms proposed in recent history.

  4. Re:Their own metrics are so awful. by Oculus+Habent · · Score: 5, Interesting

    In reality, a truly random four-letter password is probably more secure than most people's passwords. Have you forgotten they'll likely give it up for chocolate, anyway? If they don't really know it, they can't write it down and can't divulge it.

    The specific implementation may need work, but the concept has very real possibility.

    Best comment when I told someone their password expires every 90 days and they can't use the last two:

    "That's OK, I have four grandchildren."

    --
    That's what all this school was for... to teach us how to solve our own problems. -- janeowit
  5. Sounds like Passfaces by Beautyon · · Score: 5, Interesting

    Passfaces uses a similar idea; you can remember the faces that make up your password, but you cannot describe that password to anyone. It relies on your brain's ability to recognise faces, and your brain's inability to accurately describe the same faces.

    Useless for the blind of course.

    --
    ATH0 Bitcoin: 1DnwFLXczVZV8kLJbMYoheUrpqHesjxrSi
  6. Re:I do this now by Entropy+Unleashed · · Score: 5, Interesting

    Why not just use some primitive "keyboard art"? The main alphanumeric area can be considered a 4 by 10 area of pixels, with a possible 3 colors (normal, not typed, and with Shift key). This would offer the possibility of easy visual recognition/reconstruction with ~10^19 possible combinations. For example, we could use a drawing of a TIE Bomber as a password.

    ......0...0......
    .....0__0__0.....
    ......0...0......

    would become ridFGhIJkcm, which is judged to be a rather strong password by http://www.securitystats.com/tools/password.php .

    --

    "I would give my right hand to be ambidextrous."
  7. Serious uses in oppressive regimes by AmiMoJo · · Score: 5, Informative

    In some of the more oppressive legal environments, such as the United Kingdom, the police can demand that you hand over your passwords. Saying "I forgot", even if you did, is not considered a valid reason for not doing so. Check out the Regulation of Investigatory Powers Bill.

    Using this technique, it would be possible to prove that you could not remember the password.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  8. Re:I do this now by Anonymous Coward · · Score: 5, Funny

    the only thing worse than using the same root password for all of your boxes is telling everyone that.

    i currently remember 24 16-random-character passwords which i generate by locking myself in the closet with a torch, pad, pencil and 3 dice. for each character of the password, i roll each die once and concatenate the 3 individual numbers to give me one of 216 codes which i map to the numbers 0 through 215. i then divide this number by 72 and take the remainder as an index into my character table. the table contains uppercase, lowercase, numerals, and shift+numerals, which of course adds up to 72 characters. i sometimes replace some of the characters at random with characters outside the set (plus, brace, comma, etc) when i am feeling paranoid. i repeat this process until i have my 16-character password, writing each character on my pad as i go. i then study the written password until i feel i have remembered it. then i immediately tear the paper up, take it into the bathroom and burn it in the toilet. i throw the rest of the pad in the fire in case someone tries to get the imprints, and usually i break the pencil in half and throw it in too. then if i need to go to the toilet, i'll go before i flush everything down. it sometimes takes a while for the pencil to burn. i then wash my hands thoroughly, twice, and turn the light switch on and off 5 times before i leave the room. i then go and unplug my machine from the network, take it into the closet, boot single-user mode and change my password.