Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Wants To Give You A Rorschach

Posted by ryuzaki0 on from the sticky-note-to-put-on-your-monitor dept.

Preedit writes "Microsoft has set up a website that uses inkblot images to help users create passwords. The site asks users view a series of inkblots and write down the first and last letters of whatever word they associate with each inkblot. Then they combine the letters to form a password. Microsoft claims it's a way to create passwords that are easy to remember but hard to crack. But a word of warning, the story notes that Microsoft is collecting and storing users' word associations."

24 of 223 comments (clear)

  1. Not sure this will help by Qzukk · · Score: 5, Funny

    view a series of inkblots and write down the first and last letters of whatever word they associate with each inkblot. Then they combine the letters to form a password.

    I got vavavapsva.

    More seriously, if they're saving the word associations, doesn't that mean that they have the password you've just generated?

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
    1. Re:Not sure this will help by skeevy · · Score: 3, Funny

      vulva vulva vulva penis vulva?

      I'm not sure whether I should be afraid of your mind or the site...

    2. Re:Not sure this will help by BarryJacobsen · · Score: 5, Funny

      vulva vulva vulva penis vulva? I'm not sure whether I should be afraid of your mind or the site... Really? I'm not sure whether I should be afraid of his mind or immediately go to the site...
      --
      Track your TV Shows with your iPhone - FREE
    3. Re:Not sure this will help by Clandestine_Blaze · · Score: 3, Funny

      I got vavavapsva. That's amazing! I've got the same combination on my luggage!
      --
      Best "String" Ever!
    4. Re:Not sure this will help by mithras+invictus · · Score: 3, Funny

      Ballmers new password: dsdsdsdsds

  2. I'm shocked!!! by b17bmbr · · Score: 4, Funny

    microsoft is collecting and storing the data. holy crap, batman, what next. the joker has plans to take over gotham city?

    --
    My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
  3. Slight problem with this approach by Enlarged+to+Show+Tex · · Score: 4, Insightful

    This method will not create passwords that are strong enough. A truly strong password should have at least three of the following, if not all four:

    Uppercase letters
    Lowercase letters
    Numbers
    Non-Latin characters (i.e. symbols)

    Every password I use has at least three, even for free-registration-required sites...

    1. Re:Slight problem with this approach by oahazmatt · · Score: 5, Funny

      This method will not create passwords that are strong enough.
      That's why I use the inkblot test, run it through a script that converts random letter combinations to MD5, convert 25% of that end result to l33t, and then randomly add a non-latin character at two locations within that result. I then write it down on my desk calendar.
      --
      Those who believe the Internet is private,
      find their privates are on the Internet.
    2. Re:Slight problem with this approach by TubeSteak · · Score: 4, Insightful

      A truly strong password should have at least three of the following, if not all four: Only if there's a maximum character limit on the password.

      Or are you going to tell me that
      "atrulystrongpasswordshouldhaveatleastthreeofthefollowingifnotallfour"
      is not a strong password?

      I'm not suggesting everyone should use such a long pass, but what's so hard about implementing passphrases instead of passwords?
      --
      [Fuck Beta]
      o0t!
    3. Re:Slight problem with this approach by ChatHuant · · Score: 3, Insightful

      This method will not create passwords that are strong enough. A truly strong password should have at least three of the following, if not all four:
      Uppercase letters
      Lowercase letters
      Numbers
      Non-Latin characters (i.e. symbols)

      That's just not true. Admins request this kind of nonsense to force a bigger password space with shorter passwords. Informally, the security of your password is given by the number of random bits you have. With ASCII passwords using only lowercase letters, you're adding less than 5 bits of randomness per character. Even worse, most people use real words as passwords, so they can remember them easily. That reduces the randomness even more and makes dictionary attacks feasible. Adding uppercase, numbers and symbols gives you an extra bit or two of randomness per character, but makes the password much more difficult to remember.

      Microsoft's method works around the password memorization by using the inkblots. The security is given by the much larger size of the resulting password. They get a password of 20 lowercase characters, say about 100 bits of randomness (less than that, because not all letter combinations are equiprobable - very few words I know begin and end with a q for example). A totally random password consisting of a mix of 10 symbols, numbers and different cased letters only gives you a bit less than 70 bits of randomness.

    4. Re:Slight problem with this approach by zsouthboy · · Score: 5, Interesting

      I also highly suggest, right now, that everyone change your passwords to currentpassword x 3 or 4, or more:

      For example, is passwordpasswordpassword any harder to remember than just password?

      But it greatly expands the key space to be searched for anyone trying to brute force...

  4. Hmmmm .... by gstoddart · · Score: 4, Interesting
    From TFA:

    "A century of psychological literature indicates that inkblot associations are intimately personal, and our own user studies verify that users almost always describe the same inkblots quite differently"

    So, psyche 101 was a long time ago, and that's the extent of my exposure to it.

    Do individual people respond to the same inkblots, the same way over time? Or might I see the same splotch in 3 months and associate something else with it? If there's drift over time, this wouldn't be such a good idea.

    Anyone with a better schooling in human psychology care to chime in?

    Cheers

    --
    Lost at C:>. Found at C.
  5. Don't do it... by daninspokane · · Score: 5, Funny

    The blots are coded to shut your brain down if you don't have a valid regkey.

    --
    Slashdot is too nerdy for me.
  6. Ballmer's unencrypted file by Eberlin · · Score: 5, Funny

    Anyone wanna bet Ballmer's word list looks a bit like this:
    chair
    developers
    chair
    banana
    ooohshiny
    developers!
    developers!
    developers!

  7. Storing and insecure by tkdtaylor · · Score: 5, Informative
    It's a research project so of course it's storing the responses.
    From the actual site:

    Security and privacy of this service

    InkblotPassword.com is a research project deployed by Microsoft Research. It is for demonstration and research purposes only. You are welcome to try it out, but we make absolutely no promise that our implementation will protect your password. Don't use your account here to protect any data you care about, from money to your reputation. We also make no promise that the site will continue running. Should the service prove successful, Microsoft may consider offering the service as a commercial product or service. For now, consider it an unreliable, insecure service run by a couple research coneheads in their spare time, and trust it accordingly.
  8. Wait... by ucblockhead · · Score: 4, Interesting

    So they have created a method for creating hard to crack passwords while simultaneously collecting the data to more easily crack them?

    --
    The cake is a pie
  9. Reusing the password by Culture20 · · Score: 4, Insightful

    "Nothing prevents a user from learning a strong password on Inkblotpassword.com and then reusing it at other sites," Microsoft's researchers said.
    Common sense might.
  10. All I keep seeing... by Cytlid · · Score: 4, Funny

    ...is penguins.

    --
    FLR
  11. Captcha by GreggBz · · Score: 4, Interesting

    That site has one of the best captcha's I've ever seen.

    Please select all the cats. Pictures supplied (and sponsored) by petfinder.com. Brilliant. Even HAL-9000 might not be able to do that.

  12. Re:P**n by ShieldW0lf · · Score: 5, Interesting

    I usually suggest to people that they come up with a positive self talk phrase, take the first letter of each word, then replace a letter with a number that resembles it.

    Something like "I am a happy person who loves their life." turns into "Iaahpwlt1", which is long, contains numbers and letters and no dictionary words whatsoever.

    You end up repeating it to yourself every time you log in, which serves double duty as both a mnemonic device and a way to preserve your positive attitude.

    --
    -1 Uncomfortable Truth
  13. Obligatory Emo Philips by LoverOfJoy · · Score: 4, Funny

    "Emo, what does this inkblot look like to you?"

    I said, "Oh, it's kind of embarrassing."

    He said, "Emo, everyone sees something, so don't be embarrassed. Tell me what the inkblot looks like to you."

    I said, "Well, to me it looks like standard pattern #3 in the Rorschach series to test obsessive compulsiveness." And he gets kind of depressed.

    I said, "Okay, it's a butterfly." And he cheers up.

    He said, "What does this inkblot look like?"

    I said, "It looks like a horrible ugly blob of pure evil that sucks the souls of man into a vortex of sin and degradation."

    He said, "No, um, the inkblot's over there. That's a photo of my wife you're looking at."

    "Oh," I said, "was I far off?" He said, "No. That's the sad part."

  14. Ob. Schneier by Anonymous Coward · · Score: 3, Funny

    "Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes."

  15. Re:P**n by flabbergasted · · Score: 3, Funny

    I usually suggest to people that they come up with a positive self talk phrase, take the first letter of each word, then replace a letter with a number that resembles it.

    Something like "I am a happy person who loves their life." turns into "Iaahpwlt1", which is long, contains numbers and letters and no dictionary words whatsoever.

    I use mnemonic devices also, but perhaps I should rethink my current "Nobody loves me, I wish I were dead" password. Oh, what's the use. It wouldn't matter anyway.

  16. Re:P**n by RealGrouchy · · Score: 3, Funny

    A self-motivational phrase whose initials double as a secure password? That's a great idea!

    Here, let me try one:

    People Always Say Something's Wrong Or Really Depressing.

    Awesome! I'll use it on all my accounts!

    - RG>

    --
    Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!