Slashdot Mirror


Recognizing Your Own Handwriting As A Password

Gary writes "A new online authentication system called Dynahand could make logging in to websites a little easier. With Dynahand, users simply identify their own handwriting, instead of entering a cryptic password or buying a biometric device to scan their fingerprints. The user's handwriting samples contain only digits, since numerals are harder for an outside party to recognize than letters are. The digits displayed are random, so the handwriting is the only clue to the correct answer."

30 of 151 comments

  1. How about poor geeks like me... by boaworm · · Score: 4, Interesting

    ...who virtually cannot write by hand anymore? I can't even write a proper signature, haven't been using hand writing since I was playing RPGs 10+ years ago.

    I'd say it would be pretty hard to determine what my digits would look like.

    --
    Probable impossibilities are to be preferred to improbable possibilities.
    Aristotle
    1. Re:How about poor geeks like me... by bumby · · Score: 5, Funny

      my digits look like this:
      012345679 (bitstream vera sans)

      --
      Hey! That's my sig you're smoking there!
    2. Re:How about poor geeks like me... by tha_mink · · Score: 2, Interesting

      So, we're talking about multiple choice for passwords now? Sounds really secure.

      --
      You'll have that sometimes...
    3. Re:How about poor geeks like me... by jimstapleton · · Score: 2, Funny

      Yeah, I can see it now:

      "We only have a 10% break-in rate!"

      --
      34486853790
      Connection too slow for X forwarding? Try "ssh -CX user@host"
    4. Re:How about poor geeks like me... by Atraxen · · Score: 5, Interesting

      It's a bad call if it's the only authentication entry, but if it's in addition to something else it might be good. Many banks seem to be going for the 'something you know, and something you recognize' auth motif (banking as one example, where you recognize and identify a preselected word or graphic.) Maybe soon for really secure accounts, we'll have a fairly painless set of layers, ala: something you have - the random PIN cards, something you know - pword, something you i.d. - (handwriting/picture/word)?

      --
      Be careful of your thoughts; they could become words at any minute...
    5. Re:How about poor geeks like me... by Jaxoreth · · Score: 2, Interesting

      It's a bad call if it's the only authentication entry, but if it's in addition to something else it might be good. Many banks seem to be going for the 'something you know, and something you recognize' auth motif
      My bank does this, but it's not to authenticate me -- rather it's so I can authenticate them as really being my bank and not a phishing site. TFA is talking about asking you to recognize something to prove who *you* are.
      --
      In general, it is safe and legal to kill your children. -- POSIX Programmer's Guide
  2. Brute Force? by micksam7 · · Score: 3, Insightful

    This would make brute-forcing a password a little easier..

    An attacker could simply select a hand writing at random till they get the right one.

    TFA doesn't say anything about that.

    1. Re:Brute Force? by micksam7 · · Score: 5, Informative

      To answer my own question, I found a better article:

      http://www.technologyreview.com/Infotech/18986/

    2. Re:Brute Force? by SatanicPuppy · · Score: 4, Insightful

      Why bother? My desk is covered with my clearly recognizable scrawl, and most of it is numeric just to add insult to injury.

      While the idea of a system that depends on recognition is interesting (though in my mind, not terribly secure for the exact reason you stated), handwriting is probably the poorest example because we leave handwriting samples everywhere. It'd be much more secure to have the system be "Recognize a picture of your own genitalia" because at least then you only have to worry about former significant others...And hell, for this crowd, you don't even have to worry about that.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    3. Re:Brute Force? by Joebert · · Score: 5, Funny

      That's the greatest caught masturbating at work coverup I've ever heard.

      --
      Wanna fight ? Bend over, stick your head up your ass, and fight for air.
    4. Re:Brute Force? by Red+Flayer · · Score: 4, Funny

      It'd be much more secure to have the system be "Recognize a picture of your own genitalia" because at least then you only have to worry about former significant others...
      Why do you hate nudists and porn stars?

      ...And hell, for this crowd, you don't even have to worry about that.
      Speak for yourself, I'm quite positive that several hundred people have seen my genitalia. Though I'm not sure they got a good enough look to be able to identify me in the short time my trenchcoat was open.
      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    5. Re:Brute Force? by necro81 · · Score: 4, Insightful
      From parent post's link:

      Renaud doesn't think Dynahand is secure enough for protecting sensitive information, such as bank accounts or health records. Rather, she believes it could be useful for social sites, where a user wants her account to be private but where nothing disastrous would happen if someone broke into it.
      The folks at Dynahand obviously don't know how bad hijacking someone's social network identity could be. While not as sensitive as banking or medical information, access to one's online profile is a pretty sensitive thing. A person pretending to be you on MySpace or Facebook could cause all kinds of damage to your reputation, lose you (real) friends, and leave an incriminating trail for any future employer to find. Even if you are able to regain control of your account via customer service, and could remove the offending material from your page, nothing is ever really deleted from the Internet.
    6. Re:Brute Force? by Red+Flayer · · Score: 3, Funny

      Was entirely joking. Besides, wrt the genitalia of the slashdot multitudes, I thought we had all decided that security through obscurity was useless?

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    7. Re:Brute Force? by morgan_greywolf · · Score: 2, Insightful

      What's a password? 7 or 8 picks out of, at most, 52 letters, 10 digits, and 22 symbols, right? 7 or 8 picks out of 84 possibles. If you want it as secure as a password, you just need 84 possibles, right?

  3. Picking and choosing = bad by Rob+T+Firefly · · Score: 3, Interesting

    As novel as this whole handwriting angle is, doesn't this just amount to a multiple-choice test? There's always the off-chance of some random stranger getting in by sheer luck.

    Additionally, that's not taking into account the massive amounts of ways someone could get samples of your handwriting. Besides the obvious garbage-picking, things like tax returns, property deeds, or other legal forms can often be public information, and there's a good chance you've written numbers on one at some point.

  4. If you know the person... by throup · · Score: 3, Interesting

    I am not a cracker. I am not a phisher. I do not try to get into random people's accounts.

    I can't help thinking that IF I ever did try to get into someone else's account, it would be to spy on or get revenge on someone I know. (Really, that isn't something I do. This is a big IF). In those cases, this would surely be so much easier. For example, I am sure I would recognise my family's handwriting.

    I certainly remember, when I was a secondary school maths teacher, having to work out who had produced a certain piece of work by recognising the handwriting. Obviously, being maths work, this usually involved recognising digits.

  5. Sometimes, simple is best by pzs · · Score: 4, Insightful

    Passwords actually strike me as quite a good security method. A good password is difficult to guess by a person or by a machine and is very simple to implement, leaving less margin for error in the technology.

    I know, I know, people forget their passwords or choose the word "password" all the time. It still seems a little depressing that we have to use all this extra trickery to compensate for people being morons.

    Peter

    1. Re:Sometimes, simple is best by Jah-Wren+Ryel · · Score: 3, Insightful

      I know, I know, people forget their passwords or choose the word "password" all the time. It still seems a little depressing that we have to use all this extra trickery to compensate for people being morons.
      Users aren't always just morons. I know a person who has to keep track of 9 unique passwords with at least 3 different usernames, most of which are used once a week or less. All the systems have minimum length and complexity requirements, 90-day expiration and permanent lock-out if an account gets just three failed logins in a row. In his case it is potentially a go to jail offense to write down these passwords ANYWHERE, even in some sort of encrypted form.

      In cases like that, the real morons are the people pushing their authentication complexity onto the users, not the users themselves.
      --
      When information is power, privacy is freedom.
  6. Totally utterly useless on 2 counts by chiark · · Score: 2, Insightful

    1. It's a shared secret. That's all. I was going to say "no better, no worse", but actually it's made significantly worse by being multiple choice.
    2. Doesn't prevent MITM in any way whatsoever

    Now the biometric of someone's typing rhythm strikes me as a good thing, along with "PC fingerprinting" and trend analysis, but this suggestion is significantly worse than what we already have available on the market.

    "3/10 - see me" would be my mark for this particular gem.

    1. Re:Totally utterly useless on 2 counts by glwtta · · Score: 4, Funny

      biometric of someone's typing rhythm strikes me as a good thing

      Haven't we been over this? That system assumes that you are always logging in at the same level of drunk - that's not feasible.

      --
      sic transit gloria mundi
  7. WTF by egandalf · · Score: 5, Funny

    I've got a simpler idea, why don't we just ask people a simple true/false question. I've got the first:

    A single html radio-button form-based multiple choice question is a reasonable security measure.
    A) True
    B) False

    But I think there should be an option "C," though that would make this not a real t/f question:
    C) WTF?!

    --
    Those who have telepathy have no need to RTFA.
  8. have to hide my hand writing? by janneH · · Score: 4, Insightful

    What, now I have to bring a typewriter every time I go to the restaurant - to fill in the tip and total?

    1. Re:have to hide my hand writing? by CrazyTalk · · Score: 2, Funny

      Nope, do what I do - never leave a tip.

  9. Re:Bad idea by SatanicPuppy · · Score: 2, Insightful

    I could quite easily recognize my own...But so could anyone else who has ever seen it. Then there are those people with bland, unmemorable handwriting...How would you pick your handwriting out of a crowd when your handwriting looks like handwriting is supposed to look?

    Additionally, the number of samples would have to be constrained to what a normal person could be expected to go through, so the odds of someone being able to guess it are huge. I mean, I could set my password to the crappy "Guess,15" and it would take millions of brute force guesses to figure it out, as opposed to checking 20 something handwriting samples.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  10. Old idea and a badly implemented one at that by clickclickdrone · · Score: 2, Interesting

    Back in the late 80's, a UK bank did some R&D on this area and came up with a novel idea. It was signature recognition BUT rather than analysing the actual signature, it 'listened' to the pen on the paper as it moved. They found that anyone (well.. some people anyway) could do a fair replication of someone else's signature if they went slowly but it was almost impossible to recreate someone's signature at the same speed and with the same pressure/flourishes.
    In case anyone reads this and copyrights the damn thing, there is prior art and it worked. They just didn't think the market was ready for it.

    --
    I want a list of atrocities done in your name - Recoil
  11. What a stupid concept by Mock · · Score: 4, Insightful

    Here's how you crack it:

    1. generate a bunch of new sessions to the login page.
    2. Identify samples that appear more often than others.
    3. Recognize the handwriting style.
    4. Log in.
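
Added example (not part of the thread and not Dynahand's code): a simulation of why the frequency comparison in the comment above works when decoys are re-drawn on every page load, beside a challenge generator that pins each account's decoy set. The writer pool, the nine-sample challenge size, the key and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import random
from collections import Counter

WRITERS = [f"writer{i:02d}" for i in range(40)]   # constructed enrolment pool
CHOICES = 9                                        # samples per challenge (assumed)
SERVER_KEY = b"constructed-demo-key"               # placeholder secret

def fresh_decoys(account, owner, rng):
    """Weak form: decoy writers are re-drawn on every page load."""
    others = [w for w in WRITERS if w != owner]
    return rng.sample(others, CHOICES - 1) + [owner]

def pinned_decoys(account, owner, rng=None):
    """Hardened form: decoys derive from a keyed hash of the account name,
    so every load of that account's challenge shows the same writers."""
    seed = hmac.new(SERVER_KEY, account.encode(), hashlib.sha256).digest()
    others = [w for w in WRITERS if w != owner]
    return random.Random(seed).sample(others, CHOICES - 1) + [owner]

def top_candidates(challenge_fn, account, owner, sessions, seed=1):
    """Count how often each writer appears across repeated challenges and
    return the writers tied for the highest count (what a frequency
    comparison can narrow the answer down to)."""
    rng = random.Random(seed)
    seen = Counter()
    for _ in range(sessions):
        seen.update(challenge_fn(account, owner, rng))
    best = max(seen.values())
    return sorted(w for w, n in seen.items() if n == best)

if __name__ == "__main__":
    for fn in (fresh_decoys, pinned_decoys):
        left = top_candidates(fn, "alice", "writer07", sessions=30)
        print(f"{fn.__name__}: {len(left)} candidate(s) after 30 loads")
```

Pinning removes only the frequency signal; a blind guess still succeeds one time in `CHOICES`, so attempt limits are still needed.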

  12. Re:seriously... by Alioth · · Score: 3, Interesting

    Because it wouldn't help them.

    Almost 15 years ago, I was working on a demo system for a more secure way of issuing benefit payments (at the time, the payee had a paper booklet, and there was quite a lot of trouble with stolen booklets). We investigated what we could practically put on a smart card (similar type of smart card as what is in modern credit cards). One of the things we investigated was signature recognition.

    We had a system that did it extremely well, well enough that we never managed to forge another person just signing with an "X". The system not only looked at the shape of the writing, but the way the person wrote - the speed, accelerations, stroke weight etc. The genuine user could be recognised even if they signed fairly scruffily (the system didn't return 'true' or 'false', but rather a confidence). However, another person even if they signed their X to LOOK as much as the original person's X looked would get a very low confidence score.

    This was almost 15 years ago - the technology was pretty damned good (but quite expensive) at the time. We managed to get the signature, the person's details and a photograph onto the smart cards of the day (I think they had 8K of storage). The signature took up 1K.

  13. How about typical credential operations? by Lethyos · · Score: 2, Informative

    There is no improvement here over biometrics or other credentials falling into the “something you are” category. How do you revoke this credential? How do you limit its scope? I would even argue this is worse than a password because it is not easily changed, and worse, your signature is very public. Consider how many documents you have floating around with your hand-written signature on it. You really want to use something that can be learned and easily reproduced as a secret? Nonsense. We need real solutions (OpenID is a start), not rehashes or regressions of old schemes.

    --
    Why bother.
  14. Re:Giving out your phone number is risky... by Glytch · · Score: 4, Funny

    Exactly. In the old days, someone would have to find the stickynote on one's monitor that specifically had one's password written on it. Under this scheme, any stickynote at all will do!

  15. Nothing to see here ... by pz · · Score: 5, Insightful

    From the article's first paragraph:

    You can't afford to be careless regarding the password coz you never know ...

    And with that, I stopped reading. Why? Because I don't have enough time to read things that aren't written in at least passable English. If someone has a good idea, and is serious about it, they'll make the effort to communicate it well or have it communicated well for them.

    Nothing to see in this article, and, by strong implication, a worthless idea.

    --

    Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.