Slashdot Mirror

← Back to Stories (view on slashdot.org)

Map Based Passwords

Posted by samzenpus on from the getting-directions-to-your-password dept.

smitty777 writes "Discovery is running an article on passwords based on a very specific location on a map. Instead of showing UID and Password fields, the user would simply click on a very specific spot on Google Earth, for example. I wonder how you would make that secure? Also, if you forgot, would you get a message saying 'Your password is the third flamingo on the left on the lawn of Aunt Bessie's house'?"

5 of 169 comments (clear)

  1. Brilliant... by Anonymous Coward · · Score: 2, Insightful

    ... and when the internet link is down or God forbid, Google Earth is down, users login how?

  2. Forget mouse trackers... by bieber · · Score: 4, Insightful

    ...this one is easy enough to crack just by shoulder-looking. And of course there's the issue of needing to load a ton of map data just for a simple password entry, and if the map provider is out you're screwed. Plus the hassle of zooming down from a world-map to some specific point every time you want to get into a site. Need I go on?

  3. not dumb by Tom · · Score: 2, Insightful

    It's not half as dumb as the summary makes it sound.

    For security, what matters is the keyspace and the likelyhood of guessing correctly. The keyspace easily competes with alphanumeric passwords. It is dramatically reduced by the assumption that people will pick places with meaning to them, which means places they've been to. Nevertheless, it should measure up to passwords in security.

    Different from passwords, though, the human mind is pretty well equipped to recall specific places. Arbitrary alphanumeric combinations, on the other hand, are amongst the most difficult things to remember and recall.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:not dumb by guyminuslife · · Score: 2, Insightful

      I've gotta tell you, there's a lot of "empty" space out there.

      Take the world.
      Subtract the oceans.
      Subtract the areas without any human settlements.
      Subtract the areas without any features to distinguish them from surrounding areas. (Big, endless plains, random points in large forests, maybe even suburban rooftops)

      You've gotten rid of most of the world.

      Now, find the user's IP address.
      Search for interesting features locally. There aren't that many of them. Sure, you *could* try writing an advanced image-processing system to do this, but it's easier just to use Google Earth metadata.
      If you don't find it, search for interesting features regionally/nationally.
      Then, internationally.
      You can be less specific the more you spread your search out. I'm an American, I might choose Westminster Abbey as my password, but I'm not going to select a random flat in London.

      Chances are, you're going to find it.

      This rivals one of the worst-ever schemes security schemes I've seen. A credit union I used to use would let you select a "secret question" from a drop-down list. One of the questions was, "What is your favorite sports team?" This was a credit union that only did business in Dallas. So after you've guessed "Cowboys", "The Cowboys", "Dallas Cowboys", "The Dallas Cowboys"....you've probably gotten it right.

      --
      I don't believe in time. It's a grand conspiracy designed to sell watches.
    2. Re:not dumb by Tom · · Score: 2, Insightful

      Here's a vital difference: These things are different for each person.

      Sure, if you are attacking a specific individual, finding out his address, finding his house on Google maps and finding the front door is easy.

      But what you can't do is sweep through an entire University with a list of common passwords and look where you get lucky. You need to actually do some research on the particular person, and that drives costs up considerably. Mass-hacking would be over.

      --
      Assorted stuff I do sometimes: Lemuria.org