Slashdot Mirror


Microsoft Wants To Give You A Rorschach

Preedit writes "Microsoft has set up a website that uses inkblot images to help users create passwords. The site asks users view a series of inkblots and write down the first and last letters of whatever word they associate with each inkblot. Then they combine the letters to form a password. Microsoft claims it's a way to create passwords that are easy to remember but hard to crack. But a word of warning, the story notes that Microsoft is collecting and storing users' word associations."

223 comments

  1. Not sure this will help by Qzukk · · Score: 5, Funny

    view a series of inkblots and write down the first and last letters of whatever word they associate with each inkblot. Then they combine the letters to form a password.

    I got vavavapsva.

    More seriously, if they're saving the word associations, doesn't that mean that they have the password you've just generated?

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
    1. Re:Not sure this will help by skeevy · · Score: 3, Funny

      vulva vulva vulva penis vulva?

      I'm not sure whether I should be afraid of your mind or the site...

    2. Re:Not sure this will help by gstoddart · · Score: 1

      I got vavavapsva

      You, sir, have a filthy mind! =)

      Cheers
      --
      Lost at C:>. Found at C.
    3. Re:Not sure this will help by Tobenisstinky · · Score: 1

      I got boobsboobsboobs. Almost the same as my current one!

      --
      wha'? where am i?
    4. Re:Not sure this will help by BarryJacobsen · · Score: 5, Funny

      vulva vulva vulva penis vulva?

      I'm not sure whether I should be afraid of your mind or the site...

      Really? I'm not sure whether I should be afraid of his mind or immediately go to the site...
    5. Re:Not sure this will help by Chapter80 · · Score: 2, Funny

      view a series of inkblots and write down the first and last letters of whatever word they associate with each inkblot. Then they combine the letters to form a password.

      I got ********.

      Mine is h2h2h2h2.
    6. Re:Not sure this will help by Marc+Desrochers · · Score: 2, Funny
      bbbbbbbbbb

      That all look like butterflies.

    7. Re:Not sure this will help by Clandestine_Blaze · · Score: 3, Funny

      I got vavavapsva. That's amazing! I've got the same combination on my luggage!
    8. Re:Not sure this will help by icepick72 · · Score: 0
      doesn't that mean that they have the password you've just generated?


      No because the article says the user uses the first and last letters of the words for the password.

    9. Re:Not sure this will help by mithras+invictus · · Score: 3, Funny

      Ballmers new password: dsdsdsdsds

    10. Re:Not sure this will help by ceoyoyo · · Score: 1

      And how is that easier to remember than another password? It's also less secure... words in any particular language will preferentially start and end with certain letters.

    11. Re:Not sure this will help by DeepHurtn! · · Score: 2, Funny

      A /.er, scared of genitalia...? I guess this proves the saying about people being scared of the unknown!

    12. Re:Not sure this will help by n+dot+l · · Score: 1

      Ballmers new password: dsdsdsdsds

      Nah. More like "D!D!D!D!D!". With all those upper case D's and exclamation marks, his password isn't just loud, it's also more secure!
    13. Re:Not sure this will help by Random+Destruction · · Score: 0

      Microsoft couldn't figure out the first and last letters of each word, given a series of words?

      They're in worse shape than I thought...

      --
      :x
    14. Re:Not sure this will help by Vulva+R.+Thompson,+P · · Score: 2, Funny

      Feel free to pop in any time you like.

    15. Re:Not sure this will help by floki · · Score: 2, Funny
      --
      from the to-stupid-for-words dept.
    16. Re:Not sure this will help by NoPantsJim · · Score: 2, Funny

      I'd go immediately, 4 to 1 is the best ratio I've ever seen.

    17. Re:Not sure this will help by houghi · · Score: 1

      I got vavavapsva.


      I got the same. Do not blame us, we are not the ones who put those dirty pictures online. Come on, imagine that children see those pictures. Doesn't anybody think of the children? I mean, what has been seen cannot be unseen.
      --
      Don't fight for your country, if your country does not fight for you.
    18. Re:Not sure this will help by Gordonjcp · · Score: 1

      Mine had red dots surrounded by smaller pink dots. My password has a lot of G and X in it.

    19. Re:Not sure this will help by rtb61 · · Score: 1

      That still leaves the user with pretty much a jumble of letters to remember. Personally I have found three nonsense words, combined together without spaces, to be sufficient; all the words should be of varying length with a minimum of four characters, which combined gives a password of between 15 and 20 characters, relatively safe from dictionary attack and a lot easier to remember than 15 to twenty random characters.

      --
      Chaos - everything, everywhere, everywhen
    20. Re:Not sure this will help by Anonymous Coward · · Score: 0

      I wonder how many people actually got that?

    21. Re:Not sure this will help by rat10177sd · · Score: 0

      After serious thought I got mine to come out as fuckumstto ...

      --
      By and large, language is a tool for concealing the truth. -- George Carlin

    22. Re:Not sure this will help by hellocatfood · · Score: 1

      not this one...

    23. Re:Not sure this will help by N+Monkey · · Score: 1

      bbbbbbbbbb

      That all look like butterflies.

      I thought you were supposed to type the first and last character, but I do agree with your assessment of the pictures. They either didn't look like anything at all or were some kind of winged insect.

      Can't see myself rushing to use something like this.

      Besides, what's to stop another site (which is trying to hack another of your accounts) from showing the same set of images to trick you into getting your password?
  2. I'm shocked!!! by b17bmbr · · Score: 4, Funny

    microsoft is collecting and storing the data. holy crap, batman, what next. the joker has plans to take over gotham city?

    --
    My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
    1. Re:I'm shocked!!! by calebt3 · · Score: 2, Insightful

      Even if MS said that they weren't keeping the data, I'm not sure anybody would believe them.

    2. Re:I'm shocked!!! by Anonymous Coward · · Score: 0

      microsoft is collecting and storing the data. holy crap, batman, what next. the joker has plans to take over gotham city?
      OMFG! And they intend to do EEEEVIL things with it, right, "Clueless Parent"?!?!

      What evil things, you might ask?

      Um... I don't really know, but I read a web article on ASP.NET once, and I happen to *hate* (HATE!!!) neo-cons, so I'm guessing that they're going to use it (somehow) to create a machine that grinds up helpless homeless Democrats into dust and uses that dust to clog up the exhaust fans of Linux-based server machines to further their goal of creating a Global NeoConservative Microsoft Conglomerate Hate-ocracy!

      (heh. The funny thing is that if this comment wasn't satiric, and only like one iota less ridiculous, it would get modded +5 Insightful.)
    3. Re:I'm shocked!!! by yali · · Score: 1

      It's unlikely that they'll be able to learn anything "psychological" about their users in the sense most people would think about it. That's because the Rorschach isn't valid for inferring personality or other psychological states.

      More likely it's for a technical analysis. My guess is they want to verify whether there's enough unpredictability in the passwords produced to mean this is a secure method.

    4. Re:I'm shocked!!! by ILuvRamen · · Score: 1

      they're just trying to determine if you really, actually have to be crazy to use windows. Yes, I know, that's not what the inkblots really determine most of the time. Speaking of that, the point of them is that the majority of people come up with the same small set of answers. So this is idiotic for password generation

      --
      Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
    5. Re:I'm shocked!!! by zaf · · Score: 1

      Even if MS said that they weren't keeping the data, I'm not sure anybody would believe them.

      Well, since they say they're keeping it, that probably means they're just going to lose it

    6. Re:I'm shocked!!! by spun · · Score: 1

      That's because the Rorschach isn't valid for inferring personality or other psychological states.

      That's debatable. Not that I'm saying the test is any good, just that the issue isn't settled, while you present it as a known fact based on a single study.
      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    7. Re:I'm shocked!!! by yali · · Score: 1

      First of all, the article I linked is not a single study. It is a comprehensive, peer-reviewed synthesis of numerous previous studies. I'll take that over a wikipedia article any day.

      Second, "debatable" doesn't really rebut anything, because in science everything is debatable. (If you want to get philosophical, nothing in science is ever 100% settled.) But as a useful summary of the expert consensus, I stand by what I said. There is very little independent, peer-reviewed evidence that supports the Rorschach, even the supposedly "objective" Exner scoring system; and there is a lot of evidence that challenges its reliability and validity.

    8. Re:I'm shocked!!! by CastrTroy · · Score: 1

      But isn't the whole problem with using a Rorschach that its interpretation is dependent on your mental state? If you come in on Monday morning all relaxed and type in your password, then you might not be able to remember it when it's 3 in the morning and you have to log in to fix a critical system problem.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  3. Slight problem with this approach by Enlarged+to+Show+Tex · · Score: 4, Insightful

    This method will not create passwords that are strong enough. A truly strong password should have at least three of the following, if not all four:

    Uppercase letters
    Lowercase letters
    Numbers
    Non-Latin characters (i.e. symbols)

    Every password I use has at least three, even for free-registration-required sites...

    1. Re:Slight problem with this approach by oahazmatt · · Score: 5, Funny

      This method will not create passwords that are strong enough.
      That's why I use the inkblot test, run it through a script that converts random letter combinations to MD5, convert 25% of that end result to l33t, and then randomly add a non-latin character at two locations within that result. I then write it down on my desk calendar.
      --
      Those who believe the Internet is private,
      find their privates are on the Internet.
    2. Re:Slight problem with this approach by Anonymous Coward · · Score: 0

      Present user with a randomized virtual keyboard that maps clicked letters to other letters/symbols/numbers. The keyboard functions as a one time key.

    3. Re:Slight problem with this approach by TubeSteak · · Score: 4, Insightful

      A truly strong password should have at least three of the following, if not all four:

      Only if there's a maximum character limit on the password.

      Or are you going to tell me that
      "atrulystrongpasswordshouldhaveatleastthreeofthefollowingifnotallfour"
      is not a strong password?

      I'm not suggesting everyone should use such a long pass, but what's so hard about implementing passphrases instead of passwords?
      --
      [Fuck Beta]
      o0t!
    4. Re:Slight problem with this approach by Rakishi · · Score: 2, Insightful

      A truly strong password should have at least three of the following, if not all four:

      Not really, you can just make your password longer and you are just as secure.
    5. Re:Slight problem with this approach by eldavojohn · · Score: 2, Informative
      That's not the only problem. If you read the research paper[PDF Warning] from 2004 (pretty old stuff actually), they state:

      In both experiments, users missed at most one association, even after having not used the system for one week. Thus it may be advisable to modify the system to allow for successful authentications when k out of a possible n associations are correct. Assuming that all blots produce an equal distribution on responses, this reduces the security of passwords to the level of the original system with only k blots. Therefore, it might be advantageous for users to have to enter associations for more blots. A disadvantage of this approach, however, is that authentication would take longer.

      Also of interest may be their conclusion:

      Our preliminary data suggest that inkblot authentication offers a potentially significant improvement over existing widely-deployed user authentication mechanisms. In addition to gathering our quantitative results, we also asked users who had taken part in our experiments for their comments on the system. In almost all cases we received the same response: the users were happily shocked that they could remember such a "huge password." In fact, many users asked if there were any plans to allow the use of the system in their production environment. This kind of positive user experience is arguably as important to the eventual adoption, acceptance and scrupulous use of an alternative password system as any measure of security. More experiments would help confirm or discount our security and memorability results, and could answer such questions as: How many inkblots (that is, how much entropy) can be used before the resulting passwords are no longer memorable? What is the best way to help users retain their inkblot associations? What inkblot-to-character hash function generates the most entropy without sacrificing ease of use? And what inkblot generation algorithms create inkblots with the highest-entropy (or the fewest low-entropy) association spaces?
      While inkblot authentication should be quite easy to deploy in a wide variety of settings, there exist some environments (such as devices with tiny screens) where it is unworkable, and alternatives are needed. Adapting the inkblot password scheme to other password-using contexts, such as those in which the user interface is under the control of a (possibly uncooperative or legacy) application, may also require some innovative thinking.
      --
      My work here is dung.
    6. Re:Slight problem with this approach by PresidentEnder · · Score: 2, Insightful

      26^10 > 95^5. Even if you restrict your password to only a few characters, you can get the same level of security as with many characters. You just need far more of them. Think about it: when we strip off all of our abstractions, everything is stored as 1s and 0s, right? (Note: Parent's point is good and right, if your password must be short, or you don't want to spend time doing the inkblot test, or you don't want to have to remember 90 characters.)

      --
      I used to carry a bottle of whiskey for snake bite. And two snakes. -Nefarious Wheel
    7. Re:Slight problem with this approach by ChatHuant · · Score: 3, Insightful

      This method will not create passwords that are strong enough. A truly strong password should have at least three of the following, if not all four:
      Uppercase letters
      Lowercase letters
      Numbers
      Non-Latin characters (i.e. symbols)


      That's just not true. Admins request this kind of nonsense to force a bigger password space with shorter passwords. Informally, the security of your password is given by the number of random bits you have. With ASCII passwords using only lowercase letters, you're adding less than 5 bits of randomness per character. Even worse, most people use real words as passwords, so they can remember them easily. That reduces the randomness even more and makes dictionary attacks feasible. Adding uppercase, numbers and symbols gives you an extra bit or two of randomness per character, but makes the password much more difficult to remember.

      Microsoft's method works around the password memorization by using the inkblots. The security is given by the much larger size of the resulting password. They get a password of 20 lowercase characters, say about 100 bits of randomness (less than that, because not all letter combinations are equiprobable - very few words I know begin and end with a q for example). A totally random password consisting of a mix of 10 symbols, numbers and different cased letters only gives you a bit less than 70 bits of randomness.

    8. Re:Slight problem with this approach by Anonymous Coward · · Score: 1, Interesting

      To expand on what another user said, your post is ignorant at best. Methinks you should buy and read Simon Singh's The Code Book. Pay particular attention to some of the reasons the Brits were able to break the daily encryption on the Enigma over and over.

      Any restrictions on what can go in any "slot" (e.g. character number 3) in a password seriously weakens the password of that length, by extension saying that a password must have at least one character from a restricted set of normally allowed characters likewise weakens it, not strengthens.

      Like another respondent said, if you want a stronger password, make it longer. Your approach, as common wisdom so often is, is flawed.

    9. Re:Slight problem with this approach by davidsyes · · Score: 1

      Turn the entire, pulse-thumpin' body into the password.

      Or, derive the password password from one of those machine kids dance to in malls. Lens overhead, objects move, then feet keep up. How you jiggle and wiggle structures your password. This might be safe for OLPC.

      But, adult-oriented password/action access can be derived from thrust-n-strut gyrations, maybe in a chair. Sorta like responding to a lapdance (without touching the computer) to eventually gain access to the computer's ass sets. This might be safe for cubicle workers. But, not for musical-chairs workers in lobbies...

      Now, anyone trying to break (or break dance to) someone else's password will have to grind away...), with the best passwords deriving for wholly unholy, undiginified umm ndignified origins.

      OTOH, maybe mshaft can come up with "Poke-a-dot to access your computer"...

      --
      Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
    10. Re:Slight problem with this approach by DoubleRing · · Score: 1

      Or are you going to tell me that
      "atrulystrongpasswordshouldhaveatleastthreeofthefollowingifnotallfour"
      is not a strong password?

      You know, now that you've said that, everyone is going to use it.

      On another note, it would be entertaining wouldn't it. Kind of like making your password "OMFG, how did you guess my password!?"
      --
      Before you die, you see DoubleRing...
    11. Re:Slight problem with this approach by ChrisMounce · · Score: 1

      Or are you going to tell me that
      "atrulystrongpasswordshouldhaveatleastthreeofthefollowingifnotallfour"
      is not a strong password?


      Well, no, now that you've publicly posted it as an example of a strong password.
    12. Re:Slight problem with this approach by zsouthboy · · Score: 5, Interesting

      I also highly suggest, right now, that everyone change your passwords to currentpassword x 3 or 4, or more:

      For example, is passwordpasswordpassword any harder to remember than just password?

      But it greatly expands the key space to be searched for anyone trying to brute force...

    13. Re:Slight problem with this approach by ceoyoyo · · Score: 1

      Thank you, you've just weakened your password.

      A truly strong password MAY have all of those. If you REQUIRE that it do so, then you weaken the password.

    14. Re:Slight problem with this approach by master5o1 · · Score: 0

      atrulystrongpasswordshouldhaveatleastthreeofthefollowingifnotallfour

      ATR_ULYstrongpass_wordSHOULDha_veATleast3ofTHEfoll_owingifnotall4

      Much better?
      --
      signature is pants
    15. Re:Slight problem with this approach by Anonymous Coward · · Score: 0

      And of course then you have to write down the password or store it somewhere on your computer to remember it, which is how a lot of passwords are stolen in the first place.

    16. Re:Slight problem with this approach by Asm-Coder · · Score: 1

      Sometimes though, only the first 8 characters actually mean anything, which results in your password being very weak.
       
      (Try it, it really works on some websites!)

    17. Re:Slight problem with this approach by jmdc · · Score: 0, Flamebait

      I thought you were very funny, yet you bring up an important point. I need a record of my passwords outside my brain. Where should that record exist?

    18. Re:Slight problem with this approach by ImaLamer · · Score: 1

      That's why I used song lyrics for a while.

      "wecandanceifyouwanttowecanleaveyourfriendsbehind"

      Then sweeten it up with leet stuff like:

      "w3c4nd4nc31fy0uw4ntt0w3c4nl34v3y0urfr13ndsb3h1nd!"

      It's not only strong, but catchy!

    19. Re:Slight problem with this approach by Frostalicious · · Score: 1

      Wouldn't the strongest passwords be random, within the largest character set practical to type? Any further rule would reduce the search space.

    20. Re:Slight problem with this approach by ChatHuant · · Score: 1

      I need a record of my passwords outside my brain. Where should that record exist?

      For backup, on a piece of paper, maybe in your wallet. For quick access from your computer, get a password manager. PasswordSafe works great for me. Make sure you get a newer version, because some attacks have been found against older ones (but that's true about almost any security software).

    21. Re:Slight problem with this approach by AeroIllini · · Score: 2, Insightful

      Because many people have trouble typing their own names correctly without using the backspace key a few times, and typing a password in a box gives no visual feedback. Higher letter count gives a higher chance of typos, and a higher chance of getting locked out after typing "atrulystrongpasswordshouldhaveatleastthreeoftehfollowingifnotallfour" five times in a row.

      Chances of a typo are even higher if someone routinely types in MS Word with AutoComplete turned on and is now physically incapable of typing "the", "from", or any number of words correctly the first time. Double bonus points if they work in a major corporation and hunt'n'peck.

      --
      For security, the MD5 hash of this message and sig is 09f911029d74e35bd84156c5635688c0.
    22. Re:Slight problem with this approach by Aazn · · Score: 1
      I get the feeling that you haven't the slightest idea what you're saying about bits.

      With ASCII passwords using only lowercase letters [...] adding uppercase, numbers and symbols gives you an extra bit or two of randomness per character

      What? ASCII is the standard for which characters are converted to numbers and then converted into binary to be transmitted. ASCII covers all the letters a-Z with a jump between upper and lower case. Please explain what you are saying here.
    23. Re:Slight problem with this approach by whiskey6 · · Score: 1
      I agree, I was at a MS security (yeah, I know, it was a day off work) conference and the guy with the ghey ass flames on his shoes was carrying on about pass-phrases and how adding spaces into a password made it a lot harder.

      something like: ! My first car was a Lada#&& that would be really tough to crack.

    24. Re:Slight problem with this approach by Actually,+I+do+RTFA · · Score: 1

      Chances of a typo are even higher if someone routinely types in MS Word with AutoComplete turned on and is now physically incapable of typing "the", "from", or any number of words correctly the first time.

      Actually, just so long as they are consistent, that's a GoodThing (TM). After all, "atrulystrongpasswordshouldhaveatleastthreeoftehfollowingifnotfour" is a more secure password than "atrulystrongpasswordshouldhaveatleastthreeofthefollowingifnotfour". Even more secure would be "atrulystrongpasswordsshouldhasatleastthreeoftehfollowingifnotfour" (also, you can feel presidental every time you type your password.)

      --
      Your ad here. Ask me how!
    25. Re:Slight problem with this approach by jibjibjib · · Score: 1
      It's about entropy. (http://en.wikipedia.org/wiki/Information_entropy)

      Because there are only 26 lowercase letters, a sequence of lowercase letters has a little less than 5 bits per character. By doubling the number of possible characters, using a combination of uppercase and lowercase adds another bit of entropy to each character. The fact that it's all stored in ASCII with a constant number of bits per character is irrelevant to the actual amount of information entropy in the message.

    26. Re:Slight problem with this approach by zenkonami · · Score: 1

      Or what about "There'snothingmoreuselessthanalockwithavoiceprint."

      I'd like my geek card validated now. Thank you.


      - (Destined to be modded into obscurity.)

      --

      Do You Experiment?
    27. Re:Slight problem with this approach by pongo000 · · Score: 1

      A six-word passphrase selected from a list of random tokens (words) such as offered by diceware trumps even these paltry numbers in parent:

      7776^6 = 221073919720733357899776
      26^10  = 141167095653376
      95^5   = 7737809375

      Added bonus: You can actually remember a six-word passphrase. Throw in an extra random character for additional entropy, and you can *still* remember it. Tell me what your ten random-letter password is a year from now.

    28. Re:Slight problem with this approach by The+Raven · · Score: 1

      This would absolutely be true, in a world where all passwords were unlimited in length. Unfortunately, many systems take shortcuts storing your password... this leaves you open to having your password trivially hacked using precomputed hashes.

      --
      "I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
    29. Re:Slight problem with this approach by CastrTroy · · Score: 1

      I will also vouch for PasswordSafe. It also runs quite well under WINE, which is nice because I haven't been able to find a Linux program that can read the current database formats. Just ones that read some old database format.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    30. Re:Slight problem with this approach by PresidentEnder · · Score: 1

      Oh, I quite agree. OP's point was that adding special characters increases the strength of passwords; my point was that the same type of strength increase can come from just adding more characters.

      --
      I used to carry a bottle of whiskey for snake bite. And two snakes. -Nefarious Wheel
    31. Re:Slight problem with this approach by twifosp · · Score: 2, Interesting

      but what's so hard about implementing passphrases instead of passwords?

      I agree with you, but the problem for the average user is that they are not touch typists. They are constantly looking at the keyboard and screen to confirm what they have typed. As the length of the password increases, the odds that a typing error is going to be made also go up. As passwords are blocked out, it would be very frustrating to a person who has to look at the screen to confirm what they have typed and backspaces often. This gets worse if you are trying to log in to a domain with strict policies, i.e. most large companies. If you make too many mistakes trying to log in, your account is locked.

    32. Re:Slight problem with this approach by Alsee · · Score: 1

      oahazmatt? Your wife was just checking her birthday on your calendar, and would like to know why there's a porn website password written on that page.

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    33. Re:Slight problem with this approach by ChatHuant · · Score: 1

      I get the feeling that you haven't the slightest idea what you're saying about bits.

      I will be really nice and explain it to you in even simpler terms; you'll get more detail here, but any introductory text on information theory should serve.

      Let's say you have a very short password - only one letter, and you're limited to lowercase ASCII. You have a choice of one of 26 different symbols, and you pick a random one. An attacker trying to brute force your password will only need to try 26 different passwords (from 'a' through 'z').

      Now, suppose your password is a random combination of bits; with 1 bit, you can get 2 different values for your password (0 or 1). With 2 bits, you could pick one of 00, 01, 10 or 11, for a total of 4 combinations, and so on. With 5 bits, you'd have 32 possible combinations. If an attacker would try to brute force your 5 bit password, he'd have to try a maximum of 32 combinations. Note that 5 random bits generate more possible combinations than a single lowercase ASCII letter, even though the ASCII symbol has 7 bits. That's because some of the bits in the ASCII code are known beforehand, so the attacker doesn't need to bother with them. Your actual randomness is somewhere between 4 and 5 bits (you can get the exact formula in the Wikipedia article in the link above).

      Let's say now that we eliminate the restriction on using lowercase symbols: the attacker will have to try all printable ASCII symbols in order to guess your 1 symbol password. He doesn't need to bother with the non-printable ones, so he only needs to try 95 symbols of the 128 symbol ASCII set. By using a similar reasoning as above, we see that the randomness is somewhere between 6 and 7 bits (with 6 random bits you'd get a total of 64 possible combinations, and with 7 you'd get 128).

      By adding more symbols to your password, you add some randomness. This forces the attacker to try more and more combinations, until a brute force attack becomes operationally impossible. If each symbol is completely independent from the others, the "randomness" bits add up. A 2 letter printable ASCII password will have something like 12-14 bits of randomness. A 10 symbol password results in 95^10 combinations (about 65 bits of randomness); the chances of the attacker hitting on the correct combination become very remote.
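The arithmetic in this comment, in pongo000's comparison of 7776^6, 26^10 and 95^5 above, and in the earlier point (ceoyoyo, the Anonymous Coward quoting The Code Book, Frostalicious) that a "must contain one of each class" rule shrinks the search space, can all be checked with a few lines. The following is an added example written for this page, not code from any poster or from Microsoft's inkblot site. It assumes printable ASCII is 95 characters (26 + 26 + 10 + 33), a Diceware list of 7776 words, and treats every symbol as uniformly random, which is the same simplification the comment makes; the association words fed to `inkblot_password` are constructed for the demo.

```python
import math
from itertools import combinations

# Alphabet sizes behind the arithmetic in the thread (assumed split of the
# 95 printable ASCII characters: 26 lower + 26 upper + 10 digits + 33 symbols).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
PRINTABLE = LOWER + UPPER + DIGITS + SYMBOLS      # 95
DICEWARE_WORDS = 7776                             # words on a Diceware list


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of passwords of `length` symbols drawn uniformly from the alphabet."""
    return alphabet_size ** length


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def inkblot_password(associations):
    """The scheme from the summary: first and last letter of each association word.

    `associations` is the list of words the user wrote down, one per inkblot.
    The nominal entropy (keyspace_bits(LOWER, 2 * blots)) is an upper bound:
    first/last letters of real words are far from uniform, as ceoyoyo notes.
    """
    return "".join(w[0].lower() + w[-1].lower() for w in associations if w)


def count_with_required_classes(length: int, class_sizes) -> int:
    """Count strings of `length` over the union of the classes that contain at
    least one character from every class, by inclusion-exclusion over the
    classes that are left out entirely."""
    total = sum(class_sizes)
    n = len(class_sizes)
    count = 0
    for k in range(n + 1):
        for left_out in combinations(range(n), k):
            remaining = total - sum(class_sizes[i] for i in left_out)
            count += (-1) ** k * remaining ** length
    return count


def composition_rule_penalty_bits(length: int, class_sizes) -> float:
    """Bits of search space an attacker may skip when a policy demands at least
    one character from every class: log2(all strings) - log2(compliant strings)."""
    compliant = count_with_required_classes(length, class_sizes)
    return math.log2(sum(class_sizes) ** length) - math.log2(compliant)


if __name__ == "__main__":
    # Constructed association words for a 10-blot session (not real user data).
    words = ["butterfly", "moth", "cloud", "spider", "mask",
             "crab", "bat", "wing", "face", "tree"]
    pw = inkblot_password(words)
    print(pw, f"-> at most {keyspace_bits(LOWER, len(pw)):.1f} bits")
    for alpha, n in ((DICEWARE_WORDS, 6), (LOWER, 10), (PRINTABLE, 5)):
        print(f"{alpha}^{n} = {keyspace_size(alpha, n)}  "
              f"({keyspace_bits(alpha, n):.1f} bits)")
    classes = (LOWER, UPPER, DIGITS, SYMBOLS)
    print(f"8-char 'one of each class' rule gives away "
          f"{composition_rule_penalty_bits(8, classes):.2f} bits")
```

Running it reproduces the three keyspace sizes quoted by pongo000, shows that 20 lowercase letters are worth about 94 bits at most (hence the comment's "about 100 bits, less than that"), and that the composition rule for an 8-character password costs on the order of a bit: real, but small next to the several bits per extra character that length buys.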

    34. Re:Slight problem with this approach by noidentity · · Score: 1

      Or are you going to tell me that
      "atrulystrongpasswordshouldhaveatleastthreeofthefollowingifnotallfour"
      is not a strong password?


      That's amazing! I've got the same password on my luggage!

    35. Re:Slight problem with this approach by AJWM · · Score: 1

      I just use the serial number off a dollar bill in my wallet.

      Mind, if I ever have to spend that I'm in trouble.

      --
      -- Alastair
    36. Re:Slight problem with this approach by stamit · · Score: 1

      ... or it doesn't.

    37. Re:Slight problem with this approach by Tekgno · · Score: 1

      1c4nhaztehs3curepasswerdznoaw?!?

    38. Re:Slight problem with this approach by stevie.f · · Score: 1

      That is why one of the few things I like about lotus notes is the... I'm not sure what it's called. The image on the screen that changes as you enter your password, so when it is entered correctly you will have the same image every time. It's reassuring to have some form of visual feedback to help avoid typos

    39. Re:Slight problem with this approach by handsomepete · · Score: 1

      You might want to try Keepass (http://keepass.info/) in the PC based password manager realm. It has ports to most operating systems you might want plus a slew of handheld devices. Not to mention that the interface is nice, it has a decent password generator, and is free as in beer / speech.

    40. Re:Slight problem with this approach by access.name · · Score: 1

      It's very surprising the number of websites and software that do not accept spaces in the password. For example, Hotmail.

    41. Re:Slight problem with this approach by Anonymous Coward · · Score: 0

      Couple things:

      1) the time to look-and-peck to enter your password is not mentioned (Grandma is gonna be constantly trying to look up and down to login),
      2) the possibility that the blots selected are common enough that people can guess the password for someone else if they see them.

    42. Re:Slight problem with this approach by Sky+Cry · · Score: 1

      For example, is passwordpasswordpassword any harder to remember than just password?
      Harder to remember? No. Harder to type? Yes.
    43. Re:Slight problem with this approach by zsouthboy · · Score: 1

      harder to type than hEl20!mxqrtT78as ?

      No.

  4. P**n by EmbeddedJanitor · · Score: 1, Funny

    It all looks like porn to me!

    --
    Engineering is the art of compromise.
    1. Re:P**n by ShieldW0lf · · Score: 5, Interesting

      I usually suggest to people that they come up with a positive self talk phrase, take the first letter of each word, then replace a letter with a number that resembles it.

      Something like "I am a happy person who loves their life." turns into "Iaahpwlt1", which is long, contains numbers and letters and no dictionary words whatsoever.

      You end up repeating it to yourself every time you log in, which serves double duty as both a mnemonic device and a way to preserve your positive attitude.

      --
      -1 Uncomfortable Truth
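      The phrase-to-initials recipe in the comment above, as an added example (my own code, not the commenter's). The look-alike digit table is a constructed assumption; the rule of swapping the last eligible letter is chosen because it reproduces the comment's "Iaahpwlt1" from "Iaahpwltl":

```python
import string

# Digits that visually resemble letters, for the "replace a letter with a
# number that resembles it" step. Constructed mapping, not from the post.
LOOKALIKE_DIGITS = {"l": "1", "i": "1", "o": "0", "s": "5", "e": "3", "b": "8"}

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
}


def initials(phrase: str) -> str:
    """First letter of every word in `phrase`, surrounding punctuation
    stripped, original capitalisation kept."""
    words = (w.strip(string.punctuation) for w in phrase.split())
    return "".join(w[0] for w in words if w)


def mnemonic_password(phrase: str, lookalikes=LOOKALIKE_DIGITS) -> str:
    """Initials of `phrase` with the last letter that has a look-alike digit
    swapped for that digit (assumption: "last eligible letter" is the rule)."""
    s = initials(phrase)
    for idx in range(len(s) - 1, -1, -1):
        digit = lookalikes.get(s[idx].lower())
        if digit is not None:
            return s[:idx] + digit + s[idx + 1:]
    return s  # no eligible letter: the bare initials, with no digit added


def character_classes(password: str) -> set:
    """Which of lower/upper/digit the result actually contains, so the
    "contains numbers and letters" claim can be checked rather than assumed."""
    return {name for name, chars in CLASSES.items() if set(password) & chars}


if __name__ == "__main__":
    for phrase in ("I am a happy person who loves their life.",
                   "People Always Say Something's Wrong Or Really Depressing."):
        pw = mnemonic_password(phrase)
        print(f"{phrase!r} -> {pw} ({len(pw)} chars, {sorted(character_classes(pw))})")
```

      Note that `character_classes` only reports which classes are present; it says nothing about whether the initials happen to spell dictionary fragments, which is the objection raised further down this thread.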
    2. Re:P**n by Chuqmystr · · Score: 0, Offtopic

      Me too! Well, not quite. In fact they can't at all be called positive phrases and typically I don't give the luser the phrase. They might go off sniveling to somebody who matters as to how I made them say something nasty about themselves pertaining to how it's their 15th password change for that month and how they should be summarily flogged with a bundle of patch cables (cat-o-five tails? My bad...) anytime they intentionally get near anything more complicated than a throw away pocket calculator. Not helpful at all for them but very therapeutic for the ol' sysadmin and that's what truly matters now isn't it?

      "Hold onto these wires for me..."

    3. Re:P**n by kayditty · · Score: 0

      Actually, that word is not long (9 chars is not long at all), contains multiple dictionary words*, and has only one number.

      * a, ah, , and la. I don't think that's majorly significant, though. :>

    4. Re:P**n by angryfirelord · · Score: 1

      Something like "I am a happy person who loves their life." turns into "Iaahpwlt1", which is long, contains numbers and letters and no dictionary words whatsoever.

      Great, now I've got to change my password again.

    5. Re:P**n by flabbergasted · · Score: 3, Funny

      I usually suggest to people that they come up with a positive self talk phrase, take the first letter of each word, then replace a letter with a number that resembles it.

      Something like "I am a happy person who loves their life." turns into "Iaahpwlt1", which is long, contains numbers and letters and no dictionary words whatsoever.

      I use mnemonic devices also, but perhaps I should rethink my current "Nobody loves me, I wish I were dead" password. Oh, what's the use. It wouldn't matter anyway.

    6. Re:P**n by philntc · · Score: 1

      I advise them to take a nursery rhyme that they like, take the first letters as you mention, and capitalize proper names. Then leave it up to them to add a few numeric digits (or use 1 for "one" instead of "o"), or add a 2 digit special number at the beginning, middle or end (like a day of the month they know well).

    7. Re:P**n by Deanalator · · Score: 1

      Why not just use "I am a happy person who loves their life." as your passphrase? Just as easy to remember, and probably harder to crack. I am not aware of any password cracking utilities that check for reasonable passphrases, but I would love to see the code for one :-)

    8. Re:P**n by RealGrouchy · · Score: 3, Funny

      A self-motivational phrase whose initials double as a secure password? That's a great idea!

      Here, let me try one:

      People Always Say Something's Wrong Or Really Depressing.

      Awesome! I'll use it on all my accounts!

      - RG>

      --
      Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
    9. Re:P**n by CastrTroy · · Score: 1

      Many places don't allow passwords that long. My bank is one of them. Maximum number of characters is 8. There are plenty of other places that don't allow long passwords, or passwords with spaces, or a bunch of other things. I personally just use PasswordSafe to store all my passwords, and generate a new one for every account I have. I usually make it pretty strong, including symbols, letters, numbers, and around 12 characters. Except for the sites that require 8 character alphanumeric passwords.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    10. Re:P**n by Alsee · · Score: 1

      Can I have your Slashdot account when you're dead?
      Don't worry, I've already got the password.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    11. Re:P**n by mrjacques · · Score: 1

      Thank you. For years, I've been making up these phrases for my passwords, too. "I often wonder how hard it would be to crack them" becomes "Iowhhiwb2ct." My passwords seem to my naive mind to be secure and easily remembered. Much as I consider a couple of my passwords to be mantras for how to live my life, I try not ever to say them out loud. :-)

    12. Re:P**n by StinkiePhish · · Score: 1

      "I am not a lawyer." IANAL. I think I can manage that.

    13. Re:P**n by Zashi · · Score: 1

      God, what are you, a manager?

      Just kidding, but seriously, I have a manager who is a bit like that. Constantly spouting BS about vision and strategy and contractor well-being. I thought the movies like Office Space and shows like Dilbert were hyperbole, but cursed affliction, it's true. They exist. How soul crushing, no?

      --
      Skiffy is Spiffy, but Ort is tort.
  5. Hmmmm .... by gstoddart · · Score: 4, Interesting
    From TFA:

    "A century of psychological literature indicates that inkblot associations are intimately personal, and our own user studies verify that users almost always describe the same inkblots quite differently"

    So, Psych 101 was a long time ago, and that's the extent of my exposure to it.

    Do individual people respond to the same inkblots, the same way over time? Or might I see the same splotch in 3 months and associate something else with it? If there's drift over time, this wouldn't be such a good idea.

    Anyone with a better schooling in human psychology care to chime in?

    Cheers

    --
    Lost at C:>. Found at C.
    1. Re:Hmmmm .... by foobsr · · Score: 1

      inkblot associations are intimately personal, and our own user studies verify that users almost always describe the same inkblots quite differently

      Rorschach = crap if considered as a psychological test (reliability, validity near to non-existent).

      Do individual people respond to the same inkblots, the same way over time?

      No (low retest reliability).

      Only for those who practice psychology like a religion.

      CC.

      --
      TaijiQuan (Huang, 5 loosenings)
    2. Re:Hmmmm .... by dgatwood · · Score: 2, Interesting

      I don't know, but about three years ago, I recall suggesting the use of non-abstract images and measuring the brain's electrical response to determine a map of the user's response to a given stimulus. After the system was trained properly, you could use that to be a really, really solid passphrase; while your brain may react a bit differently to images over time, it isn't likely to react dramatically differently for the most part (except maybe after head trauma or something similarly extreme). This seems like a somewhat more practical way of doing the same basic thing.

      I would expect your reactions to differ over time, but I would not expect them to change dramatically in a short period of time, and that's the key to such a system. As I said way back then, as long as you log in periodically, such a system can use a learning algorithm to conclude with a high degree of probability whether it is the same person and then adjust its notion of the password as it goes along. Whether Microsoft will do this or not remains to be seen.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    3. Re:Hmmmm .... by s.bots · · Score: 1

      If it's straight, it's a penis. If there are curves, it's a vagina. If you see neither a penis nor a vagina, see a psychiatrist.

    4. Re:Hmmmm .... by hhr · · Score: 1

      Your questions are their questions. This is a research project and not a production service. They are collecting data to find the answers.

    5. Re:Hmmmm .... by pluther · · Score: 1

      Do individual people respond to the same inkblots, the same way over time? Or might I see the same splotch in 3 months and associate something else with it?

      Yes, they change over time. It is common to use the same test several months apart to gauge the effectiveness of ongoing therapy.

      In the actual Rorschach ink blot test, what you see is almost immaterial compared to how you see it. If this system uses its own inkblots it is likely that some of them are particularly evocative of specific images (even the "official" Rorschach blots have that problem, even after being specifically chosen not to). In that case, many users may come up with the same characters, which would further reduce the effectiveness.

      Disclaimer: IANAP, either.

      --
      If the masses can keep you down, you're not the Ubermensch.
    6. Re:Hmmmm .... by Red+Flayer · · Score: 1

      I recall suggesting the use of non-abstract images and measuring the brain's electrical response to determine a map of the user's response to a given stimulus.
      [snip]
      This seems like a somewhat more practical way of doing the same basic thing.

      So much for having a few beers during lunch.

      Unless, of course, the initial measurement is done when I'm already buzzed... in which case I'll need to have a bloody mary every morning in order to get started at work...

      Idea intriguing, newsletter please.
      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    7. Re:Hmmmm .... by lahvak · · Score: 1

      I would expect your reactions to differ over time, but I would not expect them to change dramatically in a short period of time

      Hmm, when I tried it half an hour ago, they all looked like pizzas. Now all I see there are pillows.

      --
      AccountKiller
    8. Re:Hmmmm .... by tedrlord · · Score: 1

      I would expect your reactions to differ over time, but I would not expect them to change dramatically in a short period of time, and that's the key to such a system.

      Unless you started hanging out on 4chan all of a sudden. That really warps your brain's response to viewing images.
      --
      [insert witty quote here]
    9. Re:Hmmmm .... by dgatwood · · Score: 1

      Well, Microsoft learning algorithm: was "pa" now "pw". 50% match. Match >= 50%? Yes. Access granted.

      :-D

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    10. Re:Hmmmm .... by jibjibjib · · Score: 1

      If it's taller than it's wide, then it's phallic If it's taller than it's wide, then it's phallic If it's longer than it's wide, then you turn it on its side Then it's taller than it's wide, then it's phallic

    11. Re:Hmmmm .... by Mad_Rain · · Score: 1

      Do individual people respond to the same inkblots, the same way over time? Or might I see the same splotch in 3 months and associate something else with it? If there's drift over time, this wouldn't be such a good idea.

      As someone who has administered the Rorschach a number of times, I think I might be able to shed some light on your questions. (Of course, there are some things I have some ethical concerns about revealing, but hopefully this will clear some of it up.) You can google about for validity and the Rorschach, and see that it has test-retest validity on par with commonly used intelligence tests, such as the Wechsler Adult Intelligence Scale (WAIS), and the interpretation stands up between test administrations over relatively long periods of time (1 to 3 years).

      A "normal" person* will respond to the whole Rorschach test in a similar fashion over time, given that their personality hasn't undergone a lot of changes in between test administrations. Their answers to individual inkblots may change, but that's why they're given multiple inkblots to associate to. In this case, it's not the little parts, it's the whole thing.

      Another example might be the SAT - if you take it at Time A, and later at Time B, you might respond to different questions in different ways, but both test scores should be relatively close to each other (barring having taken a test preparation course or being hit in the head by a crowbar between tests. ;) ).

      * We could probably argue a lot about what a "normal" person is, which is why I put the word "normal" in quotes.
      --
      "What do you think?" "I think 'What, do you think?!'"
    12. Re:Hmmmm .... by Lunzo · · Score: 1

      Although intended as a joke, I think it is a valid point. A number of things could change the response in your brain: e.g. emotional state, what you've just been doing, events/experiences.

    13. Re:Hmmmm .... by Autonomous+Crowhard · · Score: 1

      This might only be useful if they don't plan to use those pictures to help you if you forget your password. People do not respond the same way every time they view the same inkblot. For example, today I saw an elephant with large boots while yesterday I saw 2 girls and 1 cup.

    14. Re:Hmmmm .... by tool462 · · Score: 1

      I didn't even manage to come up with the same description twice in a row to confirm the password. Forget about 3 months later...

  6. Don't do it... by daninspokane · · Score: 5, Funny

    The blots are coded to shut your brain down if you don't have a valid regkey.

    --
    Slashdot is too nerdy for me.
    1. Re:Don't do it... by sm62704 · · Score: 1

      Holy shit, you're right! They all look like women (or their private parts) to me!

      -mcgrew

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    2. Re:Don't do it... by Arcane_Rhino · · Score: 1
      Yeah. But don't feel bad. They're the ones who are showing you all the dirty pictures.

      I have actually always been more intrigued as to whether or not an amalgamation of responses would indicate a physiological predisposition in humans to see particular images, rather than indicating what any particular individual might see. Especially since, anecdotally, everyone but the crazies always sees sexual images or butterflies.

      I believe, however, that other research has already demonstrated this with more precision due to better factors of control. Describing the responses to ink-blot tests would likely be more for fun and interest than valid scientific evidence.

    3. Re:Don't do it... by Alsee · · Score: 1

      Ha ha, Microsoft is teh evil. Very funn6?CjnKh@d_*CARRIER LOST

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    4. Re:Don't do it... by stamit · · Score: 1

      They will probably put it into `reduced functionality mode'...

  7. And zees one? by spun · · Score: 1

    For those who haven't seen it, Perry Bible Fellowship's take on this.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    1. Re:And zees one? by sm62704 · · Score: 1

      You should have warned us that the cartoon linked, although funny and on-topic, is NSFW.

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
  8. another spam submission from informationweak by Anonymous Coward · · Score: 0

    Why keep sending us to a crappy site like information-weak dot com? It's just a page of adverts and sales promotions. Information Weak is certainly that site's name.

  9. Hmm... by graviplana · · Score: 0

    "Get out of my mind!" I think that the association data is much more valuable, or at least informative, than the utility of the particular password scheme they are touting. I wonder to what extent they will implement this? One to watch, IMO.

    --
    "Time is nothing; timing is everything."
  10. random? by clarkn0va · · Score: 2, Funny
    Respond with "butterfly" and share your password with half the English-speaking planet.

    db

    --
    I am literally 3000 tokens away from the chaotic crossbow --Stephen
    1. Re:random? by Archangel+Michael · · Score: 1

      Resembles Butterfly ... No disassemble, Number 5 Alive

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    2. Re:random? by Anonymous Coward · · Score: 0

      Yeah, my password came out bybybybybybybyby

  11. So uh - by Anonymous Coward · · Score: 0

    where's the easy to remember part of it? Inkblots are so freaking random I think of something different every time I see one - 'course maybe that's saying something...

  12. Ballmer's unencrypted file by Eberlin · · Score: 5, Funny

    Anyone wanna bet Ballmer's word list looks a bit like this:
    chair
    developers
    chair
    banana
    ooohshiny
    developers!
    developers!
    developers!

  13. Microsoft wants to give you an Arseache?!?!? by Anonymous Coward · · Score: 0

    ouch

  14. Storing and insecure by tkdtaylor · · Score: 5, Informative
    It's a research project so of course it's storing the responses.
    From the actual site:

    Security and privacy of this service

    InkblotPassword.com is a research project deployed by Microsoft Research. It is for demonstration and research purposes only. You are welcome to try it out, but we make absolutely no promise that our implementation will protect your password. Don't use your account here to protect any data you care about, from money to your reputation. We also make no promise that the site will continue running. Should the service prove successful, Microsoft may consider offering the service as a commercial product or service. For now, consider it an unreliable, insecure service run by a couple research coneheads in their spare time, and trust it accordingly.
  15. Wait... by ucblockhead · · Score: 4, Interesting

    So they have created a method for creating hard to crack passwords while simultaneously collecting the data to more easily crack them?

    --
    The cake is a pie
  16. Oblig Watchmen by cthulu_mt · · Score: 1

    MS wants to give me a cool mask and let me eat beans from a can? Do I have to keep the journal too?

    --
    Virginia is for lovers. EVE is for griefers.
    1. Re:Oblig Watchmen by Lurker2288 · · Score: 2, Funny

      It looks like a pretty butterfly. Or maybe some nice flowers. Or a dog with a cleaved brain, either way.

  17. fubar by normuser · · Score: 0, Funny

    I went to the site and tried it, but none of the images look like anything.
    I just end up with frfrfr...

    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    XXX#######
  18. My slashdot password by sm62704 · · Score: 1

    1a!A

    Don't tell anybody, ok?

    --
    mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    1. Re:My slashdot password by zobier · · Score: 1

      1a!A

      Don't tell anybody, ok?

      ****
      that's what I see
      --
      Me lost me cookie at the disco.
  19. No way.... by Bobfrankly1 · · Score: 2, Funny

    Microsoft Wants To Give You A Rorschach

    If this is anything like a wet willy, I don't want one, and you can't make me.
    *runs away screaming*
  20. use password agent to store all your password by Max4400 · · Score: 0

    I recommend using password agent software to generate and store all your passwords. It also keeps the password file 256 bit encrypted so no one else will be able to see or know your passwords without the master password. It also provides an autofill option so no keylogger will be able to capture the password. It's the best program. BTW, I generate my password by typing random characters on the keyboard.

    1. Re:use password agent to store all your password by sporkme · · Score: 1

      I am reminded of an article involving the defeat of password theft via keylogger. The process involves cooking up an already strong password, but incorporating mouse clicks to relocate the cursor in the password as part of the deal, i.e.:

      "asdf$1234" is your chosen "strong" password, but after typing "asdf" you click the cursor after the second character, "s" and continue from there, leaving as$1234df. Since mouse clicks are not (typically) recorded by keyloggers, you would frustrate attempts to steal your data in that way. You could incorporate as many cursor moves as desired, should incorporate as many as practical, and it could all theoretically become part of the "muscle memory" discussed by other posts.

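      The cursor-relocation trick from the comment above, replayed as an added example (my own code, not the commenter's or the article's). The text field and the keystroke-only logger are both simulated; the action list is constructed from the comment's "asdf$1234" walkthrough:

```python
from typing import List, Tuple

Action = Tuple[str, object]  # ("type", text) or ("click", caret_position)


def simulate_entry(actions: List[Action]) -> Tuple[str, str]:
    """Replay typing and caret-click actions against an empty text field.

    Returns (field_contents, keystroke_log): the value the form actually
    submits versus the sequence a keystroke-only logger would record.
    Assumption (as in the comment): mouse clicks are not in the log.
    """
    field, keylog, caret = "", "", 0
    for kind, arg in actions:
        if kind == "type":
            field = field[:caret] + arg + field[caret:]  # insert at the caret
            caret += len(arg)
            keylog += arg                                 # logger sees keys only
        elif kind == "click":
            if not 0 <= arg <= len(field):
                raise ValueError(f"cannot place caret at {arg} in a {len(field)}-char field")
            caret = arg                                   # mouse event: not logged
        else:
            raise ValueError(f"unknown action {kind!r}")
    return field, keylog


def keylog_reveals_password(actions: List[Action]) -> bool:
    """True when the keystroke log alone equals the submitted password,
    i.e. the relocation gave no protection against this logger model."""
    field, keylog = simulate_entry(actions)
    return field == keylog


# The comment's worked example as a constructed action sequence.
EXAMPLE = [("type", "asdf"), ("click", 2), ("type", "$1234")]

if __name__ == "__main__":
    field, keylog = simulate_entry(EXAMPLE)
    print("form receives :", field)    # as$1234df
    print("keylogger sees:", keylog)   # asdf$1234
    print("log equals password:", keylog_reveals_password(EXAMPLE))
```

      Two caveats the simulation makes visible: the stored password is the rearranged string, so the same clicks have to be reproduced at every login, and the protection only holds for the logger model assumed here; a logger that also records mouse events, reads the clipboard, or captures the submitted form gets the real value regardless.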
  21. Same password for different sites == bad security by adminstring · · Score: 1
    From TFA:

    Given that many Internet users employ the same password to gain access to dozens of Web sites, for everything from banking and shopping to socializing, it's more important than ever that they create passwords that are at once highly secure and easy to remember.

    It's even more important that people not do this. If your password is the same for 15 different sites, and one of those sites gets hacked (or even phished, or someone keylogs your password) suddenly that hacker has access to your account at 15 different sites. This could ruin your whole day.
    --
    My truck is like a series of tubes.
  22. Reusing the password by Culture20 · · Score: 4, Insightful

    "Nothing prevents a user from learning a strong password on Inkblotpassword.com and then reusing it at other sites," Microsoft's researchers said.
    Common sense might.
  23. All I keep seeing... by Cytlid · · Score: 4, Funny

    ...is penguins.

    --
    FLR
    1. Re:All I keep seeing... by Anonymous Coward · · Score: 0

      70% tits, 25% pussy, 5% ass.

      Always has been, always will be.

    2. Re:All I keep seeing... by Larry+Lightbulb · · Score: 1

      Have you seen a doctor?

  24. HTTP Error 500: Too many slashdotters by Anonymous Coward · · Score: 0

    IIS has performed an illegal operation and will be shut down.

  25. Passwords tell you a lot by DiceRoller · · Score: 1

    I find it interesting when looking at passwords because it tells you a lot about the person. A computer person will have something like H2xkls23, whereas a kid might have MyFavoritePony.

    1. Re:Passwords tell you a lot by Peyna · · Score: 1

      I find it interesting when looking at passwords because it tells you a lot about the person.

      Most passwords tell you one or two things, not "a lot." They tell you whether the person has a clue about security or not. If they have a clue, their password will either be unintelligible to you or pure nonsense. If they don't have a clue, their password will be a word or phrase that is familiar to them and likely reveal very little to you other than their dog's name.

      --
      What?
    2. Re:Passwords tell you a lot by Anonymous Coward · · Score: 0

      That's just because you named your pony H2xkls23.

  26. Captcha by GreggBz · · Score: 4, Interesting

    That site has one of the best CAPTCHAs I've ever seen.

    Please select all the cats. Pictures supplied (and sponsored) by petfinder.com. Brilliant. Even HAL-9000 might not be able to do that.

    1. Re:Captcha by RobBebop · · Score: 1

      Identifying the cats was hands down the better half of the inkblot website game. Once I got to the password part, I decided it was too stupid to continue with.

      Something that still needs working... okay, I passed the CAPTCHA once, but my request failed (in the case of this website, the username I typed had already been chosen). I then had to change my username choice and re-authenticate myself by finding more cats. Yet, as far as I could tell, I am still human.

      A similar thing bugs me about Ticketmaster. I look for tickets, type in the CAPTCHA, then see that it can't find tickets. How frustrating to be forced repeatedly to re-authenticate my humanism (and yet, supposedly bots can read that CAPTCHA anyway... so it is all in vain).

      --
      Support the 30 Hour Work Week!!!
    2. Re:Captcha by Odin_Tiger · · Score: 1

      Yeah, the captcha was cool, but most of the pictures I couldn't see the top 1/5 or so of them. I guess 1024x768 is now considered so pathetically low it's no longer worth making your site work properly with it...

      --
      Unpleasantries.
    3. Re:Captcha by penguinchris · · Score: 1

      One of the pictures it gave me had a cat AND a dog, and I failed because I counted it as a cat.

    4. Re:Captcha by pongo000 · · Score: 0, Troll

      Unless, of course, you're visually disabled. Then I guess you are SOL. So much for accessibility from our friends at Microsoft.

    5. Re:Captcha by Alsee · · Score: 1

      most of the pictures I couldn't see the top 1/5 or so of them. I guess 1024x768 is now considered so pathetically low it's no longer worth making your site work properly with it

      No, I'm running 1280x1024 and I had the same issue.

      I'm going to make a wild guess here and ask if you are also running Firefox?
      Remember, we're talking about a Microsoft website here.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    6. Re:Captcha by linumax · · Score: 2, Informative

      This website was designed for people who are not visually disabled, otherwise how the hell are they gonna see the inkblots? Save your Microsoft bashing for when they implement it on MSN or sth.

    7. Re:Captcha by Anonymous Coward · · Score: 0

      Had the same issue with Firefox on Windows at 1280x1024, so I tried again with IE and voila.. - erm, same problem..

      Apparently the bigger images are placed a few pixels over the div containing the thumbnails. If the area above is higher (e.g. by increasing the font a few times) the pictures will display fully.

    8. Re:Captcha by Mazin07 · · Score: 1

      Inkblots.

    9. Re:Captcha by Anonymous Coward · · Score: 0

      It's cool, they identified each in the alt text.

    10. Re:Captcha by Faust · · Score: 1

      Bet Hal-9000, maybe even Hal 9 1/2 can visit the adopt link where it lists the "type"

    11. Re:Captcha by DavidD_CA · · Score: 1

      Neat idea, but I had a few issues:

      1) About 20% of the photo was cut off on the top of the screen. Perhaps this is a technical issue, but it prevented me from seeing part of the picture and actually figuring out if it was a dog or a cat.

      2) Many (about a third) of the photos were so poor I couldn't make out anything but a black furry blur.

      3) Because I have my screen resolution set pretty high, the photos were too small to easily make out. Yes, I know I can hover my mouse over the photos for a larger one. But the larger photo was only about 2" wide.

      --
      -David
    12. Re:Captcha by Fissure_FS2 · · Score: 1

      It's not quite as cool as this

      --
      My life's goal is to get a score of +3!
    13. Re:Captcha by pongo000 · · Score: 1

      You missed my quite subtle point...this entire project is doomed from the start because it is not readily accessible to the visually impaired (yes, that means feline pictures and inkblots). Read up on the subject...you might find that the visually disabled are, in fact, a part of the Internet community.

      Of course, subtlety around here is like cutting a diamond with a stick of butter sometimes, so silly me for just not cutting right to the chase...

    14. Re:Captcha by Anonymous Coward · · Score: 0

      The captcha is from a Microsoft Research project called Asirra. More info here. At a tech event last year these guys had a cage with cats and kittens that were up for adoption - needless to say their booth was very popular. They also ran out of cats a few times due to the animals being adopted by people at the event.

  27. BEWARE the breasts of DOOM! by spun · · Score: 1

    It's not THAT unsafe. It shows cartoon breasts. Anyway, sorry if I got anyone fired.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  28. This is just a beta test for the m$ psychological. by Joe+The+Dragon · · Score: 1

    This is just a beta test for the m$ psychological evaluation system.

  29. Here I thought Microsoft were Watchmen fans by Tragedy4u · · Score: 1

    After reading the headline I got excited thinking Microsoft was helping to boost Watchmen popularity, damn.

  30. Rorschach inkblot test by Radon360 · · Score: 1

    (obligatory link for the uninformed)

    Rorschach Inkblot Test

  31. Character randomization by courteaudotbiz · · Score: 1

    I think it would have been a little more clever if Microsoft did it with respect to their own password strength good practices... If at least their algorithm randomized characters, like sometimes using an "i", sometimes using a "1", sometimes using capital letters. It's a classic, but it would have been a little more secure to have "trA1nIng" as a password than to have "tgfryrmd". Brute forcing is a lot easier with only one character class...

  32. Insecure? by Brit_in_the_USA · · Score: 1

    I thought strong passwords avoided the use of words as they are subject to brute force dictionary attacks. An e.g. 8 character output of this method may be marginally more secure than one or two words that total 8 characters, but it is also very susceptible to a dictionary attack, maybe even more so as there is a good chance that animals and shapes would be the words chosen (not colours, names of people, verbs etc.).
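    The dictionary-attack worry above, made concrete as an added example (my own code, not the commenter's). The scheme keeps only the first and last letter of each association, so the key space per inkblot is the number of distinct letter pairs the likely words produce, not 26 squared. The word list and the popularity counts are constructed samples, not data from the site:

```python
import math
from collections import Counter
from typing import Dict, Iterable, Set

# Constructed sample of words people might plausibly associate with inkblots
# (animals, body parts, household shapes). Not data from the site.
SAMPLE_ASSOCIATIONS = [
    "butterfly", "bat", "bird", "bug", "moth", "face", "flower", "bone",
    "crab", "cat", "cow", "dog", "bear", "beetle", "mask", "heart", "skull",
    "spider", "wolf", "wings", "pelvis", "vase", "rabbit", "rat", "bell",
    "tree", "cloud", "hands", "penguin", "pizza", "pillow",
]


def first_last(word: str) -> str:
    """The two characters the scheme keeps from one association."""
    return word[0].lower() + word[-1].lower()


def distinct_pairs(words: Iterable[str]) -> Set[str]:
    """Every first/last pair the word list can produce; collisions such as
    bone/beetle or rabbit/rat collapse into one entry."""
    return {first_last(w) for w in words}


def uniform_bits_per_blot(words: Iterable[str]) -> float:
    """Entropy per inkblot if every word in the list were equally likely:
    log2 of the number of distinct pairs, not log2(26 * 26)."""
    return math.log2(len(distinct_pairs(words)))


def shannon_bits_per_blot(popularity: Dict[str, int]) -> float:
    """Entropy per inkblot when some associations dominate (the "butterfly"
    problem): H = -sum p * log2(p) over the first/last-pair distribution."""
    pair_counts: Counter = Counter()
    for word, count in popularity.items():
        pair_counts[first_last(word)] += count
    total = sum(pair_counts.values())
    return -sum(c / total * math.log2(c / total) for c in pair_counts.values())


if __name__ == "__main__":
    n_blots = 10
    ideal = math.log2(26 * 26)
    uniform = uniform_bits_per_blot(SAMPLE_ASSOCIATIONS)
    # Constructed skew: a handful of associations account for most answers.
    skewed = shannon_bits_per_blot(
        {"butterfly": 50, "bat": 20, "face": 15, "moth": 10, "spider": 5})
    for label, bits in (("any two lowercase letters", ideal),
                        ("uniform over sample words", uniform),
                        ("skewed popularity", skewed)):
        print(f"{label:26s}: {bits:4.1f} bits/blot, "
              f"{bits * n_blots:5.1f} bits for {n_blots} blots")
```

    The uniform figure is already well under the 9.4 bits that two arbitrary lowercase letters would give; the skewed figure shows what the "share your password with half the planet" comment earlier in the thread means in bits.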

  33. rorschach? by gEvil+(beta) · · Score: 1

    Rorschach? Is that like a wedgie?

    --
    This guy's the limit!
  34. Vanillia? Viagra? Volousia? Pens? Va....oh wait by StressGuy · · Score: 2, Funny

    ...you really need a girlfriend

    --
    A goal is a dream with a deadline
  35. Rorschach's Journal by Anonymous Coward · · Score: 0

    Dog carcass in alley this morning, tire tread on burst stomach. This city is afraid of me. I have seen its true face.
    The streets are extended gutters and the gutters are full of blood and when the drains finally scab over, all the vermin will drown.
    The accumulated filth of all their sex and murder will foam up about their waists and all the whores and politicians will look up and shout "Save Us!"... ...and I'll look down, and whisper, "No".

  36. Re:BEWARE the breasts of DOOM! by sm62704 · · Score: 1

    Lets hope nobody did. It doesn't "just show breasts" it shows graphic fucking. I'm sure some PHB somewhere will take offense. When in doubt, add a "NSFW"!

    --
    mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
  37. Several flaws immediately come to mind by _Hellfire_ · · Score: 1

    The image associations are not only unique to the user, they're also "hard to forget," the researchers said. "After typing her password several times, a user develops 'muscle memory' and can log in quickly without referring to the inkblot images," they said.

    No shit. Type any password enough times your fingers learn where the keys are, even if you're not consciously thinking about what you're typing.

    So their aim is to have you look at the inkblots, work out your passwords, type the password until your fingers get it, and then you don't have to look at the inkblots any more. No numbers, no mix of uppercase and lowercase, and no punctuation. Doesn't sound particularly

    Running APG over a web interface and getting pronounceable, strong passwords which will develop into muscle memory just as easily sounds like a much better solution.

    Not to mention the whole "oh btw, we're storing your associations" bit. It should be painfully obvious that when it comes to security, Microsoft simply doesn't "get it".

    --
    "And then I visited Wikipedia ...and the next 8 hours are a blur..."
  38. dead site by DangerousDriver · · Score: 1

    Looks like it's been /.'d. Strange as I thought it was an MS site (although IP 72.44.41.236 goes to Amazon.com). Thought: why doesn't /. get /.'d?

  39. Horseradish by r0b!n · · Score: 0

    First time i read the subject, my brain interpreted it as "Microsoft Wants To Give You A Horseradish" http://en.wikipedia.org/wiki/Horseradish "The horseradish root itself has hardly any aroma. When cut or grated, however, enzymes from the damaged plant cells break down sinigrin (a glucosinolate) to produce allyl isothiocyanate (mustard oil), which irritates the sinuses and eyes. Once grated, if not used immediately or mixed in vinegar, the root darkens and loses its pungency and becomes unpleasantly bitter when exposed to air and heat." Seems somehow appropriate...

  40. That's not Obligatory..... by StressGuy · · Score: 1

    That's a TV Guide description for the Made-for-TV movie version

    Watchmen - 74 minutes

    "Guy with black and white mask eats beans from a can"

    --
    A goal is a dream with a deadline
  41. Re:BEWARE the breasts of DOOM! by spun · · Score: 1

    Graphic fucking? Is that what you saw in that inkblot? You've got a dirty mind!

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  42. Enter the... by davidsyes · · Score: 1

    Dot Matrix...

    Is this really new?

    Eventually it'll be something done by Open Source from the future SeaCode employees...

    But, also, hasn't this been show in Sci-Fi shows? (No, I'm not talking about "cheating" to make a result/action appear on screen). It would be ghastly if a patent is "awarded" for this...

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  43. Since Microsoft knows Rorschach what could be more by deweycheetham · · Score: 0

    secure?

    An Ink Blot Test, brought to you by the folks who help protect and secure us from the past, present, and future evil hackers. (The Ink Blot Test is obviously the best way to secure an operating system. Just see your physiotherapist today and "Poof" you are secure.)

    Go figure...

  44. Re:BEWARE the breasts of DOOM! by sm62704 · · Score: 1
    --
    mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
  45. AKA Pain In the Ass by curmudgeon99 · · Score: 1

    Oh great. I have to match my wild-ass guess of a past time with the precise values I chose in my WAG. Sounds like a nightmare.

  46. I have the strangest picture in my head of.... by Hanging By A Thread · · Score: 0

    Bill Gates sitting in a wooden school desk with his arm raised yelling "OOhhhh, OOOOhhh, OOOOOhhh, Mista Kahttah, Mista Kahttah!".

  47. I get it by EmbeddedJanitor · · Score: 2, Funny
    WIuVIftWGA2p0:"When I use Vista I feel the Windows Genuine Advantage 2 point 0"

    You're right I feel better already! Wow everything feels faster! Any more exclamations and I'd be using Yahoo!!

    --
    Engineering is the art of compromise.
  48. I use a keyboard pattern mnemonic by OldHawk777 · · Score: 1

    I use a keyboard pattern mnemonic for all my passwords that I change every six months (work-pattern, bank-pattern, overseas accounts pattern ...).

    Any 12 characters (1a...!A...) I never repeat, but I always recall, because of the pattern matching I must always recall the first character to enter, then I follow the appropriate pattern-match.

    When I take vacation and return to the office two weeks later ... I sometimes forget the pwd, but I always guess right by the third time (most on second try).

    Example: c6b8g7j9C^B*J( [works everytime 4me]

    !HAVEFUN!

    --
    Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
  49. Resistance is futile... by fahrbot-bot · · Score: 1
    The phrase "Microsoft Genuine Password Advantage" scrolled through my mind and I was afraid.

    Possible Microsoft ink-blot results:

    • A woman with large breasts
    • A woman with small breasts
    • Steve Ballmer with breasts
    • Harry telling me I'm not good enough
    • Harry telling me I can't marry his daughter
    --
    It must have been something you assimilated. . . .
  50. phishing by clarkn0va · · Score: 1

    Microsoft is collecting and storing users' word associations
    So essentially this is a phishing site, and they're telling you that up front. Of course MS is aware that if you take a sample 1000 people who have fallen for a phishing scam in the past and send them to this inkblot password site with a disclosure that their password will be recorded, 1000 of these will go ahead and use it anyway. It's a great way to do as the criminals do, and through a simple legal disclosure it's no longer a crime.

    db

    --
    I am literally 3000 tokens away from the chaotic crossbow --Stephen
  51. Note: I use a keyboard pattern mnemonic by OldHawk777 · · Score: 1

    I was told that I am not allowed to teach this method to my colleagues, but I think most know it already.

    --
    Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
    1. Re:Note: I use a keyboard pattern mnemonic by RobDude · · Score: 1

      I do something very similar - but I worry that sooner or later there will be dictionary attacks that follow basic patterns over a qwerty keyboard. I started with q1w2e3r4t5 and then went on to more complex patterns. Now I basically have one pattern that can be applied about any 'start key'.
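    A checker for the kind of keyboard pattern the two comments above describe, as an added example (not from the thread, and not any published password cracker's code). It places each character on an approximate US QWERTY grid and reports whether a password is an adjacent-key walk such as q1w2e3r4t5, whether it reuses the same physical keys with Shift toggled (the c6b8 / C^B* halves of the "c6b8g7j9C^B*J(" example quoted above), and how many adjacent-key walks of a given length exist, so the attack RobDude worries about can be sized against brute force over all printable characters. The row stagger offsets and the adjacency radius are assumptions.

```python
from math import log2

# Approximate US QWERTY layout; the row stagger offsets are an assumption used
# only to decide which keys count as neighbours.
ROWS    = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = ["~!@#$%^&*()_+", "QWERTYUIOP{}|", 'ASDFGHJKL:"', "ZXCVBNM<>?"]
ROW_OFFSET = [0.0, 0.5, 0.75, 1.25]

KEYMAP = {}  # character -> (row, col, shifted)
for r, (plain, shift) in enumerate(zip(ROWS, SHIFTED)):
    for c, (p, s) in enumerate(zip(plain, shift)):
        KEYMAP[p] = (r, c, False)
        KEYMAP[s] = (r, c, True)


def _x(key):
    """Horizontal position of a key, including the row stagger."""
    return key[1] + ROW_OFFSET[key[0]]


def is_adjacent(a, b):
    """Same key, or a neighbouring key on the staggered grid (diagonals included)."""
    return abs(a[0] - b[0]) <= 1 and abs(_x(a) - _x(b)) <= 1.0


def walk_fraction(pw):
    """Fraction of steps between consecutive characters that land on an adjacent key."""
    keys = [KEYMAP[ch] for ch in pw if ch in KEYMAP]
    if len(keys) < 2:
        return 0.0
    steps = list(zip(keys, keys[1:]))
    return sum(is_adjacent(a, b) for a, b in steps) / len(steps)


def longest_repeated_key_run(pw):
    """Longest physical-key sequence that occurs twice once Shift is ignored."""
    keys = [KEYMAP[ch][:2] for ch in pw if ch in KEYMAP]
    n, best = len(keys), 0
    for i in range(n):
        for j in range(i + 1, n):
            k = 0
            while j + k < n and keys[i + k] == keys[j + k]:
                k += 1
            best = max(best, k)
    return best


def keyboard_pattern_findings(pw, walk_threshold=0.75, repeat_threshold=3):
    """Policy-style verdict: which keyboard-geometry patterns the password shows."""
    findings = []
    if walk_fraction(pw) >= walk_threshold:
        findings.append("adjacent-key walk")
    if longest_repeated_key_run(pw) >= repeat_threshold:
        findings.append("repeated physical keys (Shift folded)")
    return findings


def count_walks(length):
    """Number of adjacent-key walks of `length` keys, each key Shifted or not
    (dynamic programming over the adjacency graph; staying on a key is allowed)."""
    keys = sorted({k[:2] for k in KEYMAP.values()})
    nbrs = {k: [m for m in keys if is_adjacent(k, m)] for k in keys}
    ways = dict.fromkeys(keys, 1)
    for _ in range(length - 1):
        ways = {k: sum(ways[m] for m in nbrs[k]) for k in keys}
    return sum(ways.values()) * 2 ** length


if __name__ == "__main__":
    for pw in ("q1w2e3r4t5", "c6b8g7j9C^B*J(", "Tr0ub4dor&3"):
        print(pw, keyboard_pattern_findings(pw))
    print("10-key walks: 2^%.1f vs 94^10 = 2^%.1f" % (log2(count_walks(10)), 10 * log2(94)))
```

    The walk count is the candidate list a pattern-aware cracker would enumerate first; the Shift-folding check is what catches a pattern that is not an adjacency walk but reuses the same physical keys with the Shift key held.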

  52. Halfbaked Idea by rgovostes · · Score: 1

    Seems like an idea I came up with in May 2005: http://www.halfbakery.com/idea/Rorschach_27s_20Password I accept checks, Microsoft.

    1. Re:Halfbaked Idea by Anonymous Coward · · Score: 0

      You just might want to rush a patent/copyright/whatever's applicable out on that, if they haven't secured one first.

  53. Obligatory Emo Philips by LoverOfJoy · · Score: 4, Funny

    "Emo, what does this inkblot look like to you?"

    I said, "Oh, it's kind of embarrassing."

    He said, "Emo, everyone sees something, so don't be embarrassed. Tell me what the inkblot looks like to you."

    I said, "Well, to me it looks like standard pattern #3 in the Rorschach series to test obsessive compulsiveness." And he gets kind of depressed.

    I said, "Okay, it's a butterfly." And he cheers up.

    He said, "What does this inkblot look like?"

    I said, "It looks like a horrible ugly blob of pure evil that sucks the souls of man into a vortex of sin and degradation."

    He said, "No, um, the inkblot's over there. That's a photo of my wife you're looking at."

    "Oh," I said, "was I far off?" He said, "No. That's the sad part."

  54. Easy ways to get random pass-foo from books. by BlueParrot · · Score: 1

    Pin numbers:
    Open a large book on random pages and note down the LAST digit. Repeat until the pin is long enough.

    For passphrases:
    Pick a book, open it on a random page and note down the first word on that page longer than 3 characters. Generate 2 pass phrases this way and insert the acronym of one of them into the other. Add some random special characters and numbers at random places (i.e. chosen as for pin numbers).

    May well be vulnerabilities in there, but if you know enough about computer security to avoid exposing yourself to orders of magnitude greater ones, then chances are you are able to generate a good pass phrase.

    1. Re:Easy ways to get random pass-foo from books. by geekoid · · Score: 1

      That's a horrible way to get a pin.
      Think of some things relevant to you.
      ex:
      I have the:
      9th sign
      31st is the date of my favorite holiday
      9 was how old I was when my dog was put down.

      9319

      use things that are common, but not something you would bother to talk about. Keep it in your wallet.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:Easy ways to get random pass-foo from books. by BlueParrot · · Score: 1

      It wasn't as much intended as a way to create an easy to remember pin, as an easy way to get a very random number using minimal equipment. Books are very good for this because they are readily available, you can easily extract random data from them, and it is very hard / impossible for somebody to spy on you generating the key.

      Of course, if you are bad at remembering passwords then you may have to use a different method.

  55. Another option to APG by cheros · · Score: 1

    Just had a similar discussion elsewhere:

    http://supergenpass.com/

    --
    Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
  56. Ob. Schneier by Anonymous Coward · · Score: 3, Funny

    "Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes."

  57. Re:Same password for different sites == bad securi by PitaBred · · Score: 1

    If it's for a bunch of forums, whoop-de-fuck. If you're using the same password for banking as you do for blog posts, what in the hell is wrong with you? Even Bruce Schneier uses the same password for multiple low-priority sites, and uses different, better passwords for sites where it matters more.

  58. That is stupid, hard passwords are easy. by geekoid · · Score: 1

    Example:
    My brothers' initials are JaL and FdL
    My wife's birthday and month 01/01
    My first toby was 'Toby'
    Add a letter to rotate

    yb0T0101JaLFdLa

    Bam, I just created a personal and hard password. The biggest argument against that is that 'everybody knows all about you'. In that case, this information is just noise in the data.

    or
    !5b00B_g1B
    Easy to remember for a human.
    No, none of the information given in the example is accurate.

    Also, put the password in your wallet. You do not need to put what the password is to, you'll remember it.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    1. Re:That is stupid, hard passwords are easy. by geekoid · · Score: 1

      My first toby was 'Toby'?
      WTF?
      How about:
      My first dog was named Toby.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  59. not much of a concern for me by Tsiangkun · · Score: 1

    Most of my passwords are for sites that made me register.
    The data on the account is fake, and of no value to anyone.

  60. Re:Same password for different sites == bad securi by kayditty · · Score: 0

    Not if that password is hashed with a properly complex, salted hash algorithm.

  61. Hmmm. I see a Ballmer throwing a chair... n/t by NoBozo99 · · Score: 1

    Duck!

    --
    I may not be a smart man, but I know what an inode is.
  62. What I find interesting by Odin_Tiger · · Score: 1

    is that although the directions clearly tell you to put in the first and last letters of the word the inkblot makes you think of, you can input numbers, common symbols, and even weird symbols ( and f are both considered valid inputs, for instance) and it doesn't even flinch. I suspect these researchers are going to have to sift through a LOT of bad data to get any kind of meaningful results.

    --
    Unpleasantries.
    1. Re:What I find interesting by Odin_Tiger · · Score: 1

      Bah. Knew I should've previewed. The odd characters (which slash stripped) were ALT+789 and ALT+159. It also accepts a space character.

      --
      Unpleasantries.
  63. WTF, I have to select a bunch of cat pictures? by wsanders · · Score: 1

    WTF? Yet another annoying captcha. Half the pictures are so shitty I can't tell if it's a dog or a cat.

    I'm just leaving my password at "changeme" and getting on with my life.

    --
    Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
  64. Doesn't that defeat the purpose... by BlueF · · Score: 1

    "Microsoft is collecting and storing users' word associations." Doesn't that defeat much of the purpose in making a password harder to crack... If there is a database with the most common associations and someone unscrupulous gains access to that database, wouldn't that give them a big advantage to crack password generated with this system?
    1. Re:Doesn't that defeat the purpose... by greymond · · Score: 1

      That's exactly what my first thought was too.

  65. Re:Same password for different sites == bad securi by kybred · · Score: 1
    What about same password but different username?

    Something like:
    username: Exo5Aiqua0pa
    password: mypassword
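    The password-reuse argument running through comments 55, 57, 60 and 65, as an added example (not code from the thread and not SuperGenPass's algorithm): a site that stores a password with a random per-user salt and PBKDF2 does stop precomputed tables, but offline guessing against one leaked record still recovers a weak password, and the recovered plaintext then verifies at the second site whatever username it is paired with; per-site passwords derived from one master secret with HMAC over the domain (a generic scheme assumed here for illustration) fail that cross-site test. The wordlist, domains and master secret are constructed.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 work factor; kept low so the demo runs quickly


def store_password(password, salt=None):
    """Site-side storage: random per-user salt + PBKDF2-HMAC-SHA256 of the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a login attempt against the stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def crack_offline(salt, digest, wordlist):
    """Offline guessing against a leaked (salt, digest) record. The salt defeats
    precomputed tables, not guessing: a weak password still falls in a few tries."""
    for guess in wordlist:
        if verify_password(guess, salt, digest):
            return guess
    return None


def derive_site_password(master, domain, length=16):
    """Generic per-site derivation: HMAC(master, domain), base64-encoded so the
    output alphabet is uniform (assumed scheme; not SuperGenPass's actual algorithm)."""
    mac = hmac.new(master.encode(), domain.lower().encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:length]


# Constructed wordlist for the demo, not a real cracking dictionary.
WORDLIST = ["123456", "password", "letmein", "mypassword", "qwerty"]


def reuse_demo(master="constructed master secret", wordlist=WORDLIST):
    """Case 1: one password at a forum and a bank. Case 2: per-site derived passwords."""
    forum = store_password("mypassword")
    bank = store_password("mypassword")
    cracked = crack_offline(*forum, wordlist)      # attacker holds the forum's dump
    reused_works = cracked is not None and verify_password(cracked, *bank)

    forum_pw = derive_site_password(master, "forum.example")
    bank_pw = derive_site_password(master, "bank.example")
    forum2 = store_password(forum_pw)
    bank2 = store_password(bank_pw)
    return {
        "forum_and_bank_hashes_differ": forum[1] != bank[1],   # salts differ
        "cracked_from_forum": cracked,
        "reused_password_works_on_bank": reused_works,
        "derived_passwords_differ": forum_pw != bank_pw,
        "derived_forum_password_works_on_forum": verify_password(forum_pw, *forum2),
        "derived_forum_password_works_on_bank": verify_password(forum_pw, *bank2),
    }


if __name__ == "__main__":
    for key, value in reuse_demo().items():
        print(f"{key}: {value}")
```

    Salting makes the two stored records differ, which is the protection comment 60 has in mind; the example shows why it does not help once the plaintext is reused, and that a different username at the second site changes nothing about that.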

  66. bah... already released! by m2943 · · Score: 1

    With Windows Vista, I find myself frequently thinking: hmmm... this looks a little like a network configuration dialog box... no, wait... it's the network status box... no, actually it looks more like... etc.

  67. What a bunch of perverts! by Zero__Kelvin · · Score: 1

    I'm not really sure VaginaVagina is all that secure of a password ....

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  68. Silly... try a leet password generator by cenonce · · Score: 2, Informative

    That is just silly... I spend too much time trying to think of what these inkblots look like, and some of them really don't look like anything.

    Try a leet password generator... way easier to remember!

  69. U.S. states by Paul_Hindt · · Score: 1

    No, this person is clearly referencing Virginia, Virginia, Virginia, Pennsylvania, Virginia. Duh. Get your mind out of the gutter!

  70. Exactly: How I use a keyboard pattern mnemonic by OldHawk777 · · Score: 1

    A dictionary attack is based on knowns (words in a specific language/dictionary).

    A QWERTY-pattern mnemonic does not fit into any dictionary word pattern, so whoever attacked it would need to use a brute force attack on the complete QWERTY-board, unless they knew your pattern. Also, I use the shift-key either alternately, 1st half or 2nd half, or maybe it is when I hit the 3rd key or maybe number a second time. The pattern, I recall, but the sequence is a little odd ... I suspect, that being able to change and maintain complex passwords not related to personal info for work/banks/hobbies... creates reasonably secure pwd and meets any OS/website requirement for pwd complexity.

    So, yes, I think they are almost as secure as a random pwd, and far better than any pwd in use by boss/management personnel.

    --
    Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
  71. Re:BEWARE the breasts of DOOM! by geekoid · · Score: 1

    Wouldn't be the first time I got fired because of breasts.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  72. I see... by Anonymous Coward · · Score: 0

    "penguin"

    "and this one?"

    "penguin"

    "this one? this one?"

    "penguin penguin"

    "what about this one?"

    "Ubuntu logo... on a penguin"

  73. storing users' word associations, eh? by Anonymous Coward · · Score: 0

    "But a word of warning, the story notes that Microsoft is collecting and storing users' word associations."
    So we all should pick "fufufufufu".

  74. Who Watches the Watchmen? by jmoriarty · · Score: 1

    Rorschach's Journal. December 5th, 2007:

    OS carcass on a hard drive this morning, random characters across its boot sector. This internet is afraid of me. I have seen its logins in the clear.

    The passwords are in dictionaries and the dictionaries are full of "password", and when the accounts finally are taken over all their mothers maiden names won't save them.

    The accumulated malware from all their pr0n and Myspace visits will load up about their processors and all from Tron Guy to Chuck Norris will look up and shout "reset us!"...
     
    ...and I'll look down and whisper "NAK!"

    R.

  75. Opportunity by Anonymous Coward · · Score: 0

    (1) random word list
    (2) slashdot userbase
    (3) ???
    (4) profit!!!

    OK, jokes aside, poison the cache. Because you can.

  76. You forgot one ink-blot ... by freaker_TuC · · Score: 1
    • Clippy dying a horrible painful death
    --
    --- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
  77. But.... by Thwomp · · Score: 1

    can I make a mask with it?

  78. In Soviet Russia... by Anonymous Coward · · Score: 0

    ...the password selects YOU

  79. A Word of Warning... by bratwiz · · Score: 1

    "But a word of warning, the story notes that Microsoft is collecting and storing users' word associations."

    Well, that only makes sense. They can simply assign each association an index and store the index instead. A great space savings there.

    To illustrate this principle, consider that they will now only need to store the assigned Id value (probably '1') to user's recorded association response "FUCK YOU" as one byte.

    Then to further save on space, they'll use another compression technique, known as "Run Length Limiting" (or RLL) to save space by encoding the number of times that value has been recorded, which will be implemented in a bit of code along the lines of "For (Every_User) DO { ... }". So if they select prudent sizes for their integers, they can probably encode their entire response catalog in 5 bytes.

  80. It look like spilled ink. by fellip_nectar · · Score: 1

    I don't think I pass the raw shock test

    --
    Worst. Signature. Ever.
  81. They all look like cats to me! by argent · · Score: 1

    No, that one's a dog...

    IDGI. Why are they using cat captcha to front end this?

    There's no way a screen scraper is going to be able to get past the password selection.

  82. This is not a useful design. by argent · · Score: 1

    First, it doesn't matter that they're storing associations, what they're storing is the first and last letters of the association, for 10 associations.

    Second, I don't think even Richard Feynman would be expected to get past the password selection process.

    * The inkblots don't really remind me of anything. I guess I haven't done enough psych tests or something, but they all look like masks to me, and "mkmkmkmkmkmkmkmkmkmk" is probably not a good password.

    * You have to come up with the *same* associations over and over again?

    I fail this test, it would be easier to simply memorize a random string of letters.

  83. Apache and Python? by K. S. Kyosuke · · Score: 0

    That must be a mistake in the response headers - surely they are using Apache.NET and IronPython. Or maybe...oh, wait...that must be a fake Microsoft? No way this can be the real thing!

    --
    Ezekiel 23:20
  84. It doesn't store the word associations by Anonymous Coward · · Score: 0

    ... You type your password in, but you don't type in the word association. It only stores the two letter sequence that you associate with each blot.