Recognizing Your Own Handwriting As A Password
Gary writes "A new online authentication system called Dynahand could make logging in to websites a little easier. With Dynahand, users simply identify their own handwriting, instead of entering a cryptic password or buying a biometric device to scan their fingerprints. The user's handwriting samples contain only digits, since numerals are harder for an outside party to recognize than letters are. The digits displayed are random, so the handwriting is the only clue to the correct answer."
...who virtually cannot write by hand anymore? I can't even write a proper signature, haven't been using handwriting since I was playing RPGs 10+ years ago.
I'd say it would be pretty hard to determine what my digits would look like.
Probable impossibilities are to be preferred to improbable possibilities.
Aristotle
This would make brute-forcing a password a little easier.
An attacker could simply select a handwriting at random till they get the right one.
TFA doesn't say anything about that.
This is the most stupid authentication mechanism I've ever heard of. Apart from people probably not recognising their own handwriting, there is nothing stopping others from analysing someone else's handwriting and gaining access to their accounts.
Slow news day, I guess.
Very cool and original idea... but I definitely wouldn't use it over passwords on anything important.
As novel as this whole handwriting angle is, doesn't this just amount to a multiple-choice test? There's always the off-chance of some random stranger getting in by sheer luck.
Additionally, that's not taking into account the massive amounts of ways someone could get samples of your handwriting. Besides the obvious garbage-picking, things like tax returns, property deeds, or other legal forms can often be public information, and there's a good chance you've written numbers on one at some point.
I am not a cracker. I am not a phisher. I do not try to get into random people's accounts.
I can't help thinking that IF I ever did try to get into someone else's account, it would be to spy on or get revenge on someone I know. (Really, that isn't something I do. This is a big IF). In those cases, this would surely be so much easier. For example, I am sure I would recognise my family's handwriting.
I certainly remember, when I was a secondary school maths teacher, having to work out who had produced a certain piece of work by recognising the handwriting. Obviously, being maths work, this usually involved recognising digits.
Passwords actually strike me as quite a good security method. A good password is difficult to guess by a person or by a machine and is very simple to implement, leaving less margin for error in the technology.
I know, I know, people forget their passwords or choose the word "password" all the time. It still seems a little depressing that we have to use all this extra trickery to compensate for people being morons.
Peter
1. It's a shared secret. That's all. I was going to say "no better, no worse", but actually it's made significantly worse by being multiple choice.
2. Doesn't prevent MITM in any way whatsoever
Now the biometric of someone's typing rhythm strikes me as a good thing, along with "PC fingerprinting" and trend analysis, but this suggestion is significantly worse than what we already have available on the market.
"3/10 - see me" would be my mark for this particular gem.
I've got a simpler idea, why don't we just ask people a simple true/false question. I've got the first:
A single html radio-button form-based multiple choice question is a reasonable security measure.
A) True
B) False
But I think there should be an option "C," though that would make this not a real t/f question:
C) WTF?!
Those who have telepathy have no need to RTFA.
How on earth did anyone ever think this was a good idea? Finding samples of someone having written down numbers is not hard by any stretch of the imagination. As someone already pointed out, simply asking someone to write down a phone number for you, not even necessarily theirs, would get you such a sample. Sometimes people can be pretty dumb.
What, now I have to bring a typewriter every time I go to the restaurant - to fill in the tip and total?
I could quite easily recognize my own... But so could anyone else who has ever seen it. Then there are those people with bland, unmemorable handwriting... How would you pick your handwriting out of a crowd when your handwriting looks like handwriting is supposed to look?
Additionally, the number of samples would have to be constrained to what a normal person could be expected to go through, so the odds of someone being able to guess it are huge. I mean, I could set my password to the crappy "Guess,15" and it would take millions of brute force guesses to figure it out, as opposed to checking 20 something handwriting samples.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
They should instead be requiring the use of a graphics tablet or Tablet PC and requiring the user to write a given number sequence --- then they get the additional input of speed, pressure, stroke order / direction which makes things reasonably secure (even a person who can forge another's writing isn't likely to get all of the above as consistent as a person using their normal hand).
Doesn't even require much more from the user in the way of hardware (trades off a scanner for a graphics tablet).
William
Sphinx of black quartz, judge my vow.
You sound like me, I never sign the same way twice.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
I can't even recognize my own handwriting half the time.
You see? You see? Your stupid minds! Stupid! Stupid!
Like some security expert has said: just write down your passwords onto a small piece of paper and keep them in your wallet/handbag.
If you lose your wallet/handbag, call up the banks to cancel your cards etc, call up the rest to cancel your passwords.
You're keeping it in a fairly secure place.
. . . that no two of my signatures are the same.
If this were really happening, what would you think?
Back in the late 80's, a UK bank did some R&D on this area and came up with a novel idea. It was signature recognition BUT rather than analysing the actual signature, it 'listened' to the pen on the paper as it moved. They found that anyone (well.. some people anyway) could do a fair replication of someone else's signature if they went slowly but it was almost impossible to recreate someone's signature at the same speed and with the same pressure/flourishes.
In case anyone reads this and copyrights the damn thing, there is prior art and it worked. They just didn't think the market was ready for it.
I want a list of atrocities done in your name - Recoil
... You get an injury that makes your handwriting change, like a bad break in the hand, or a stroke or something? I am sure you could answer the secret question or whatever, but you have to ask, how consistent is handwriting that a program could use it to authenticate a person?
Here's how you crack it:
1. generate a bunch of new sessions to the login page.
2. Identify samples that appear more often than others.
3. Recognize the handwriting style.
4. Log in.
My wife's been signing my name on checks and documents for years. (Yes, I know...)
I don't even think I can remember what my name is anymore anyway...
Your television will not tell you when to start the revolution.
Wouldn't it be more effective to have the computer recognize my handwriting, i.e. I write something and the computer goes "yep, that's the guy"? That way, the computer would know it was me w/o a password, and it wouldn't just be multiple choice or whatever. Of course, handwriting recognition is really, really hard to do quickly and effectively enough to narrow down between thousands/millions of users compared with a password.
For immediate release.
Slashdot, USA. A new online authentication system called Dynaface could make logging in to websites a little easier. With Dynaface, users simply identify their own face, instead of entering a cryptic password or buying a biometric device to scan their fingerprints. The user's sample photographs are made under a variety of hair styles and lighting conditions, since the shape and other characteristics of a person's face are harder for an outside party to recognize than hair and lighting are. The lighting and hairstyle used are random, so the shape of the face is the only clue to the correct answer.
There is no improvement here over biometrics or other credentials falling into the “something you are” category. How do you revoke this credential? How do you limit its scope? I would even argue this is worse than a password because it is not easily changed, and worse, your signature is very public. Consider how many documents you have floating around with your hand-written signature on it. You really want to use something that can be learned and easily reproduced as a secret? Nonsense. We need real solutions (OpenID is a start), not rehashes or regressions of old schemes.
Why bother.
Clearly, they have never seen my writing. No one is able to identify it, least of all me! Really... I never know how it will look. I can just imagine being trapped out of all my sites!
Half the replies so far assume that you have to supply a sample of your handwriting every time you log in. That's not what this system does!
This system just presents a few lines of handwriting, and invites you to choose the correct one. A useless system, basically reducing security to a 1-in-10 guess. This is supposed to be developed by a university?
you insensitive clods!
http://www.bmj.com/archive/7072ww3.htm
- A
This would be much simpler than the proposed scheme, as no real Internet user ever writes by hand, but most are expert at spouting loony political gibberish.
Reduce, reuse, cycle
My signature is worse than the worst doctor's handwriting that you can imagine. In 8th grade, when reports were still mostly handwritten, my teacher insisted I started printing because my cursive was atrocious. Printing wasn't much better. I'm very happy to do everything electronically now.
My signature is never the same twice because I just write too fast and too frantically. Handwriting analysts would have a conniption trying to determine if my signature was real or forged. A security program would do a core dump trying to verify my signature is correct.
Such a security program above would be impractical for someone like me.
"All great wisdom is contained in .signature files"
Someone already pointed out the typing rhythm method of identifying a user. This method suffers from exactly the same problem: there is a large number of factors that can modify one's handwriting or typing rhythm. Drinking alcohol (even as little as in your average beer can) may completely bar you from accessing your typing-rhythm-protected account (read that somewhere a few years ago). I'm guessing even a minor hand or finger injury will probably change your handwriting as well.
This
Go to the site twice and look at the two sets of samples presented to you.
It should be pretty obvious which handwriting sample appears twice...
No sig today...
While I don't like this for security purposes, if this is 100% accurate we are one huge step forward in the art of OCR. As a Project Gutenberg volunteer, I can't wait for the day when I can scan something and OCR will get it 100% correct. 1 l 0 O etc.
I just want to sign up, write something, and have the password security indicator tell me I provided weak handwriting.
--"It's Bradford Company, slash your last name, dot your first name"
How quaint. Seriously, I can't remember the last time I wrote by hand.
------ The best brain training is now totally free : )
"He who can destroy a thing, controls a thing." --Paul Atreides, Dune
Just make an institution that wants to verify you send you cut-outs of faces from several hundred family pictures that you've taken over the years. The pictures should be analog and old, so that they won't have been on a facebook-like site. Also, have them make you write a random story, in pen, the individual sentences of which will be presented back to you. Mix everything up with everything else, distort a little, and present back to the user when they want to log in. Postfix with user-chosen password and small-device based challenge-response. Separate actions with separate verifications. Should all in all take almost half an hour now, but verified you are!
Religion is what happens when nature strikes and groupthink goes wrong.
Well, I can't write. I did my degree before they had word processors (or at least before they were ubiquitous) and for that I learned to handwrite and then immediately forgot. When I want to write 'CAT' I have to think about how I'm going to make the A -- sometimes I make it an upside down U with a line, sometimes it's more like a capital delta. I know I'm not alone(*).
My wife has a much worse problem, though. She was taught to write according to an exact model, with iron-hard discipline and years of training. Every single person who learned to write in her town in that decade uses EXACTLY the same writing.
If only there were some way to authenticate based not on something which changes even when you don't want it to (like how you write), nor on something that can't be changed even when you need to (like your fingertips). If only we could use some kind of mental trace that the user is aware of but that nobody else can perceive -- maybe a word or other sequence of symbols stored in the actual brain itself.
That'd rock. But the technology is probably decades away.
(*)In terms of handwriting. Spiritually, I may well be alone... so very very alone... *bursts into tears at desk*
Whence? Hence. Whither? Thither.
Recognising personal pictures, writing or other personal data has been done many times before.
And it's crap, because the people you most need to guard against are the other people on the system. If I worked with you, how long would it be before I had a sample of some numbers in your handwriting? 10 mins? 20 mins? All I need to do is ask you to take down some phone numbers on a post-it!
Let's see, not content with excluding only the blind, they have also decided to exclude those who can't use their hands, those with a more or less random tremor, and those of us who never write anything quite the same way twice.
They should try MY new authentication scheme. It displays a randomly generated question and based on your answer chooses exactly which insulting message to return before refusing access. Nobody will ever break in! It excludes everyone equally so you don't face a discrimination suit. Finally, now that everyone is locked out, it saves the trouble of actually implementing anything else. I'll call it SuperUltraMegaWeb 3.0. That should get the VC rolling in!
Shouldn't the headline say "use handwriting as an authentication credential" instead of saying "use handwriting as a password"? A password is a credential, but a credential isn't always a password.
From the article's first paragraph:
...
You can't afford to be careless regarding the password coz you never know
And with that, I stopped reading. Why? Because I don't have enough time to read things that aren't written in at least passable English. If someone has a good idea, and is serious about it, they'll make the effort to communicate it well or have it communicated well for them.
Nothing to see in this article, and, by strong implication, a worthless idea.
Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
One of the things that buggers me about online security is that it's an "all or nothing" game. All it takes to defeat most security systems is a SINGLE compromise.
A single memory buffer problem can frequently lead to 100% system compromise. A single firewall penetration frequently means total access to the network. Can a security system be devised that requires multiple compromises to effect a system compromise?
Passwords actually strike me as quite a good security method. A good password is difficult to guess by a person or by a machine and is very simple to implement, leaving less margin for error in the technology.
I'd agree. It's an excellent example of the 80/20 rule: 20% of the effort satisfies 80% of the time. But the best is undisputed: public-key cryptography. Implementations are easy to come by. Why not combine the two into a three-stage authentication chain?
1) I'd carry what is basically a USB device that contains my public key. Think $10 flash drive.
2) I issue a request for some secured, hosted content, along with my public key, perhaps via the browser.
3) Public key contains within it the authentication server in question, and the private key is held by the authentication server.
4) Authentication server contacts me directly for the passphrase to include in encrypting the response, on another channel. (e.g. SMS text message?)
With this schema, compromise of any single point does not result in a breach of security:
A) My USB widget only contains my PUBLIC key, which cannot be used to authenticate requests. If I use it on a compromised host, the attacker would only gain my public key.
B) The authentication server has only PRIVATE keys, and without the public key, it's useless.
C) The content host only ever has my public key. Without the private key, the public key is useless.
D) My cell phone only has my passphrase. Even if compromised, only the passphrase is revealed, and without the private key / authentication server, this is worthless.
Can this schema be improved? Sure! Have at it! And, I'm certain that this schema has some inherent flaws. First off, it's more complicated to set up. But is it possible to have a good quality online security that can continue to function until there have been multiple compromises, not just one?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Now I have to change the combination on my luggage.
Thanks a heap.
I saw it on Slashdot, it must be true!
Not sure I would pass it. My job allows me to see handwriting samples from hundreds of different people, including myself, and it's not uncommon to find someone else whose handwriting is so similar to mine that I thought it was mine until I looked at the name on it.
...they get the additional input of speed, pressure, stroke order / direction...
Requiring kinesiometric data is always a bad idea because it leads to too many false denials. If the person injures their writing hand then they can't write the password the same way as before. It also assumes that the person always writes the character the same way all the time. For example, sometimes I write an upper case "E" by drawing the three horizontal lines followed by the vertical line. Sometimes I'll do the vertical line followed by the three horizontal lines. I may not even draw the horizontal lines in the same order. Heck, sometimes I'll even have four horizontal lines if I'm rushed, or distracted.
When our name is on the back of your car, we're behind you all the way!
Just sign using a stick figure. Most people probably won't even notice.
This really sounds like a rather useless toy solution, since it's easily cracked by brute force, or if they make it secure enough to not be crackable, it would be a hell of a lot more uncomfortable than a real password.
Anyway, I think the real solution is much easier and already halfway implemented: Email!
On almost each and every site where you log in with a password, you have to register your email address. If you lose your password, you have a new one sent to you via email. So in reality there is only one password for everything and that is the one that protects your email account; all the other passwords are really just placeholders that can be changed and recovered at will once you have access to the email account. So why not automate that process? The server where you request a login sends some magic string to your email account and you then use that magic string to authenticate to your server account. If normal email doesn't feel secure enough, use GPG and friends. While this might not be so perfect with a normal mail client, the whole process could be fully automated: all the magic strings that you get by mail could automatically be fetched and then used by your web browser, so that you would just have to click 'login' on a webpage instead of typing a password. Your email host would become an authentication server.
The only downside I see is that you might not want to use your email account on an untrustworthy client, while some blog's comment system password would be invaluable enough to use it there, but that should be solvable by either using secondary, less important email addresses than your primary one or by allowing restricted access to your email account via an alternative password.
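The server side of the "magic string by email" login described in the comment above, as an added example that is not the commenter's code and not part of the original thread: the string comes from a CSPRNG, only its hash is stored alongside an expiry, and it is accepted exactly once, so a replayed or stale link fails. The class and function names, the 15-minute lifetime and the addresses are assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Assumed lifetime of a magic string (not from the thread): 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class PendingLogin:
    email: str
    expires_at: float


class MagicLinkAuth:
    """Server side of the 'send a magic string by email' login idea.

    The raw token is generated from a CSPRNG, handed to the mailer once,
    and never stored: only its SHA-256 hash is kept, so a leaked table of
    pending logins cannot be replayed. Each token is single use and expires.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # token hash -> PendingLogin

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        """Create a magic string for `email`; the caller emails it to the user."""
        token = secrets.token_urlsafe(32)   # 256 bits of randomness
        self._pending[self._hash(token)] = PendingLogin(
            email=email, expires_at=self._clock() + TOKEN_TTL_SECONDS
        )
        return token

    def redeem(self, token: str):
        """Return the authenticated email address, or None if the token is
        unknown, already used, or expired. The entry is removed on first
        redemption so a replayed link fails even while still unexpired."""
        entry = self._pending.pop(self._hash(token), None)
        if entry is None:
            return None
        if self._clock() > entry.expires_at:
            return None
        return entry.email


def demo() -> dict:
    """Exercise the four cases that matter, using a constructed fake clock."""
    now = [1_000_000.0]                     # constructed timestamp
    auth = MagicLinkAuth(clock=lambda: now[0])

    token = auth.issue("alice@example.com")          # constructed address
    first = auth.redeem(token)                       # fresh link: accepted
    replay = auth.redeem(token)                      # same link again: rejected

    stale = auth.issue("bob@example.com")
    now[0] += TOKEN_TTL_SECONDS + 1                  # let it expire
    expired = auth.redeem(stale)

    forged = auth.redeem(secrets.token_urlsafe(32))  # guessed token: rejected

    return {"first": first, "replay": replay, "expired": expired, "forged": forged}


if __name__ == "__main__":
    print(demo())
```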
The last bit ("something you I.D.") seems marginally useful for identifying the I.D. challenger, but for identifying the one being challenged, it seems a bit useless. For example, my bank shows me one pre-chosen image from a potentially infinite set (I could upload any arbitrary image) to "prove" I'm still talking to them. Even for that, it's only marginally useful as the man-in-the-middle attack it seeks to thwart could easily be foiled by a man-on-the-inside. Bottom line is it is at worst a 1:n chance if you haven't a clue who you're dealing with, but if it is a targeted attack, it quickly approaches 1:1, which is pretty danged weak.
A combination of tests is certainly a good thing, but when the test could equally be "do you know this person" as "are you this person," there's not much point in bothering unless an affirmative to the former is sufficient.
First, if this method has to work (even remotely), then (a) the number of choices has to be large or (b) the choices have to be a bit similar so that only a well trained eye could tell them apart. Problems: (a) I don't have the f***ing time to scroll down a huge list of choices to look for my numbers (b) IMHO, a good number of people will have trouble with telling apart numbers that look fairly similar to your own writing. Results: (a) anyone can get thru with a couple of guesses or (b) I need to spend a good 30 minutes searching for my numbers or retrying --- Too much research can be injurious to common sense. (I have my up-side-down writing pen to prove it)
Everyone has their own little perks; if I write too fast I have the same problems: I tend to forget letters and the entire handwritten thing is to put on the open fireplace. If I relax, take deep breaths and tend to do my own speed of writing, everything will be more right than whenever I put any speed on it.
;)
I even get a "doctor's signature" whenever I write too fast, rendering the entire text only readable by me and some other freaky goons who shouldn't be able to read that in the first place.
Relax? Take your time, your own rhythm, put letters thru your house, put them with tape or magnets against the wall, remember them, eventually write words on them like A from Alphabet, B from Beer, C from Cracker etc.? I use that system to remember getting my keys and even sometimes I write down a phone number or any other word I need to remember; seeing it daily sure refreshes the mind every time I -need- to remember what I've put ready for myself the previous days/weeks...
Hope this might work for you; if not, no offense intended with the above post; if it might help you, the better. Good luck!
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
Sir/madam, we regret to inform you that your account access is disabled due to 206 incomplete login attempts. Please visit your local bank to reactivate online banking and to give new handwriting samples to ensure continued service. Thank you for banking with us.
There's a minor problem with this idea: email is infamously insecure. On the protocol level, sending email almost never requires a password and, if it does, you can just use a different sending server. Forging emails is one of the easiest script kiddie tricks out there. Most of the security involved in email involves the receiving, not the sending.
Want proof? Send me two email addresses: one to send an email from and one to send an email to. I'll demonstrate how simple it really is.
I own itburns.net. What should I put there?
I see a few sarcastic and funny comments about /. geeks no longer knowing what handwriting is. But there is a phenomenon that I experienced, that I was always curious about.
I was an early Palm adopter, and learned Graffiti. I used it heavily for taking all my notes, appointments, and such. Found I didn't use paper much any more.
And when I did finally use paper on the odd occasion, I found my handwriting tended towards Graffiti-esque scribblings, rather than traditional handwriting... It wouldn't have been so bad if it wasn't such a moving target. With licensing issues, Graffiti changed, and Windows CE used a different variation, and so on. I feel like my writing has been pooched because of it.
Has anyone else experienced this? I do feel like the original Graffiti was an ingenious optimization of handwriting for the purposes of recognition. I almost wish it had become the "esperanto" of hand writing.
I'm curious as to whether or not others have experienced this...
Love many, trust a few, do harm to none.