Slashdot Mirror


Map Based Passwords

smitty777 writes "Discovery is running an article on passwords based on a very specific location on a map. Instead of showing UID and Password fields, the user would simply click on a very specific spot on Google Earth, for example. I wonder how you would make that secure? Also, if you forgot, would you get a message saying 'Your password is the third flamingo on the left on the lawn of Aunt Bessie's house'?"

21 of 169 comments

  1. Brilliant... by Anonymous Coward · · Score: 2, Insightful

    ... and when the internet link is down or God forbid, Google Earth is down, users login how?

    1. Re:Brilliant... by T+Murphy · · Score: 2, Funny

      But if Google Earth is down, google.com itself is probably down, in which case the user couldn't navigate to the website in the first place. I don't see the problem.

    2. Re:Brilliant... by Lumpy · · Score: 2, Funny

      Enter the latitude and longitude in by hand DUH.

      --
      Do not look at laser with remaining good eye.
  2. It works! by grub · · Score: 4, Funny
    I forgot my gmail password

    and here was my hint.

    (how I forgot "goatse" as a password is beyond me.)

    --
    Trolling is a art,
  3. Forget mouse trackers... by bieber · · Score: 4, Insightful

    ...this one is easy enough to crack just by shoulder-looking. And of course there's the issue of needing to load a ton of map data just for a simple password entry, and if the map provider is out you're screwed. Plus the hassle of zooming down from a world-map to some specific point every time you want to get into a site. Need I go on?

    1. Re:Forget mouse trackers... by T+Murphy · · Score: 4, Funny

      this one is easy enough to crack just by shoulder-looking

      So don't display the map plainly- replace it with asterisks. Problem solved.

    2. Re:Forget mouse trackers... by Zerth · · Score: 3, Funny

      So my password would be ore, ore, ore, ore, ore, ore, ore, ore

      I'd rather have tower-cap, quarry bush, pigtail, dwarf, elephant, corpse, corpse, corpse

  4. Find a point on a map? by bigredradio · · Score: 5, Funny

    Here in the US that would be very effective.

    REQUEST: Locate Belgium on a map

    RESPONSE: uh.....uh......connection timed out!

    1. Re:Find a point on a map? by Nadaka · · Score: 2, Interesting

      We don't use that kind of language around here mister!

  5. Re:slacker geo-hack by Intron · · Score: 5, Funny

    MEMO FROM IT DEPT.

    It has come to our attention that some users are selecting weak passwords. Henceforth, we have implemented measures to prevent selecting passwords based on well-known locations, major cities and major landmarks. When selecting a password we will not allow you to use a place that you, a relative or a friend have ever lived or visited. Please fill out the attached questionnaire listing everywhere you have been since you were born.

    Thank you.
    IT - Department - help you can count on

    --
    Intron: the portion of DNA which expresses nothing useful.
  6. Re:That's great for me by RapmasterT · · Score: 4, Funny

    something tells me you don't need to worry about women.

  7. The third flamingo on the left on the lawn of Aunt by sakdoctor · · Score: 4, Funny

    That's amazing! I've got the same flamingo on my luggage.

  8. Fractal images a better bet? by Banichi · · Score: 2, Interesting

    Could you use the scalability of fractal images as a map in this manner?
    By my understanding, this would give you random numbers depending on your "depth" and x/y coordinates.

  9. Re:slacker geo-hack by Lumpy · · Score: 2, Funny

    I prefer the one we put on all the windows machines here at work.

    "your password must not contain any characters that can be typed on the keyboard."

    The CTO did not think that it was funny...

    --
    Do not look at laser with remaining good eye.
  10. Re:slacker geo-hack by badboy_tw2002 · · Score: 4, Funny

    Dang, my password was someone's backyard where they had spelled out "GOD" "SEX" and "LOVE" with their hedges. If I ask them to grow a "1" after it will we be all good?

  11. not dumb by Tom · · Score: 2, Insightful

    It's not half as dumb as the summary makes it sound.

    For security, what matters is the keyspace and the likelihood of guessing correctly. The keyspace easily competes with alphanumeric passwords. It is dramatically reduced by the assumption that people will pick places with meaning to them, which means places they've been to. Nevertheless, it should measure up to passwords in security.

    Different from passwords, though, the human mind is pretty well equipped to recall specific places. Arbitrary alphanumeric combinations, on the other hand, are amongst the most difficult things to remember and recall.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:not dumb by guyminuslife · · Score: 2, Insightful

      I've gotta tell you, there's a lot of "empty" space out there.

      Take the world.
      Subtract the oceans.
      Subtract the areas without any human settlements.
      Subtract the areas without any features to distinguish them from surrounding areas. (Big, endless plains, random points in large forests, maybe even suburban rooftops)

      You've gotten rid of most of the world.

      Now, find the user's IP address.
      Search for interesting features locally. There aren't that many of them. Sure, you *could* try writing an advanced image-processing system to do this, but it's easier just to use Google Earth metadata.
      If you don't find it, search for interesting features regionally/nationally.
      Then, internationally.
      You can be less specific the more you spread your search out. I'm an American, I might choose Westminster Abbey as my password, but I'm not going to select a random flat in London.

      Chances are, you're going to find it.

      This rivals one of the worst-ever security schemes I've seen. A credit union I used to use would let you select a "secret question" from a drop-down list. One of the questions was, "What is your favorite sports team?" This was a credit union that only did business in Dallas. So after you've guessed "Cowboys", "The Cowboys", "Dallas Cowboys", "The Dallas Cowboys"....you've probably gotten it right.

      --
      I don't believe in time. It's a grand conspiracy designed to sell watches.
    2. Re:not dumb by Tom · · Score: 2, Insightful

      Here's a vital difference: These things are different for each person.

      Sure, if you are attacking a specific individual, finding out his address, finding his house on Google maps and finding the front door is easy.

      But what you can't do is sweep through an entire University with a list of common passwords and look where you get lucky. You need to actually do some research on the particular person, and that drives costs up considerably. Mass-hacking would be over.

      --
      Assorted stuff I do sometimes: Lemuria.org
  12. pull over by Comboman · · Score: 4, Funny

    They pull over and ask a gas station attendant what their password is.

    --
    Support Right To Repair Legislation.
  13. 14 Digit Password by DaleSwanson · · Score: 2, Interesting

    Looking at Google Maps the area covered by the windshield of my car is about five places after the decimal point of precision in both lat and long. That is about one square meter and as precise as you could realistically expect users to be. That would mean each location would give you 2+5 digits for the lat and the long, a total of 14 digits for a password. That's 10^14 possibilities. For comparison a password made up of random characters (lower, upper, digits, special) for a total of 95 total possible choices would need to be seven characters long to have about the same entropy (67 trillion vs 100 trillion).

    Seven character random passwords are ok, but certainly not uncrackable. You could argue that letting the user choice several spots would greatly increase the entropy, but realistically the user is going to pick spots close together. Not to mention you could probably cut down on the possible locations with something similar to a dictionary attack, i.e., eliminating the vast expanses of nothingness that are unlikely to be chosen (like oceans, and deserts). Lastly, it relies too heavily on the mapping service. What happens when they update their images and your landmark disappears or moves slightly?

    1. Re:14 Digit Password by Eivind · · Score: 2, Interesting

      It's worse than that. A LOT worse than that.

      First, the first 2 digits are hardly random; instead they can be guesstimated very well from the user's approximate location, for example if the user is American, the latitude is somewhere in the 30-50 range, which is a much smaller search space than -90 to 90.

      Secondly, approximately 99% of anywhere is NOTHING. Nobody is going to choose as their password points which have no map-features nearby. Third, one meter resolution is unrealistic. You might select a building, and if we're pushing it, you might even choose some prominent spot on that building, such as the north-west corner or whatever. But even if everyone does that, you're still just talking ~5 potential points for each building, not hundreds as would be required for 1m resolution.

      More like 50M buildings in USA, for a keyspace around 25 bits, but that keyspace won't be anywhere near evenly used, you're going to have a lot more people select the statue of liberty, compared to some random farm-building in Utah. Entropy would thus be significantly lower, perhaps 15 bits.

      Forcing people to select multiple, say 5, would not help so much. It'd make it more of a hassle, thus people would, to avoid needing to spend a half-hour logging in, either select even more prominent features, or select 5 different points in the immediate vicinity of each other, which doesn't help so much.

      In short, not really a good strategy.

      Passwords, of any kind, are challenging. The problem being that the needed entropy is high, and there are few methods of easily and quickly inputting high-entropy information that is at the same time easy to remember.

      Personally I think 2-factor is the way to go. My debit-card is protected only by a 4-digit pin, after all. But that still works reasonably well, because you need possession of the physical card, thus it's 2-factor. 1: the card, and 2: the pin.

      Google already launched 2-factor authentication, where they use your password + your mobile phone as the 2 factors.

      Yes, someone could steal the phone AND the password. But it's a lot more secure than the password alone.
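A worked version of the two calculations in this thread, DaleSwanson's 14-digit keyspace against a 95-character alphabet and Eivind's uniform-versus-skewed estimate over ~50M buildings. This is an added example, not code from the thread or from the Discovery article; the two-tier skew model (half of users choosing among the 1000 most prominent landmarks, the rest anywhere) is an assumption made up here to put a number on "entropy would be significantly lower".

```python
# Added example (not from the thread): the arithmetic behind DaleSwanson's
# 14-digit estimate and Eivind's 50M-building / skewed-choice objection.
# Every figure is an assumption taken from the comments, not a measurement.
import math

PRINTABLE = 95  # lower, upper, digits, specials (DaleSwanson's alphabet)

def digit_keyspace_bits(digits):
    """Bits in `digits` uniformly random decimal digits (14 -> ~46.5)."""
    return digits * math.log2(10)

def equivalent_password_length(bits, alphabet=PRINTABLE):
    """Random-character password length with roughly the same entropy."""
    return round(bits / math.log2(alphabet))

def grid_keyspace_bits(lat_range=(-90, 90), lon_range=(-180, 180), decimals=5):
    """Bits in a uniform lat/long grid at `decimals` places. Narrow the ranges
    to model an attacker who has guesstimated the user's region."""
    cells = 10 ** decimals
    lat_cells = (lat_range[1] - lat_range[0]) * cells
    lon_cells = (lon_range[1] - lon_range[0]) * cells
    return math.log2(lat_cells * lon_cells)

def uniform_bits(n):
    """Keyspace bits if each of n candidate points is equally likely."""
    return math.log2(n)

def two_tier_entropy(n, k, p):
    """Shannon entropy when a fraction p of users pick uniformly among the k
    most prominent landmarks and the rest uniformly among the other n-k
    points (a constructed skew model, not survey data)."""
    h_tier = -(p * math.log2(p) + (1 - p) * math.log2(1 - p))
    return h_tier + p * math.log2(k) + (1 - p) * math.log2(n - k)

def two_tier_min_entropy(n, k, p):
    """Min-entropy: what an attacker faces who always guesses the single most
    popular landmark first; this, not Shannon entropy, bounds online guessing."""
    return -math.log2(max(p / k, (1 - p) / (n - k)))

if __name__ == "__main__":
    bits14 = digit_keyspace_bits(14)
    print(f"14 digits: {bits14:.1f} bits ~ {equivalent_password_length(bits14)} printable chars")
    print(f"5-decimal grid, globe: {grid_keyspace_bits():.1f} bits; "
          f"US-sized region: {grid_keyspace_bits((30, 50), (-125, -65)):.1f} bits")
    n, k, p = 50_000_000, 1000, 0.5
    print(f"{n} buildings uniform: {uniform_bits(n):.1f} bits; skewed: "
          f"{two_tier_entropy(n, k, p):.1f} Shannon, {two_tier_min_entropy(n, k, p):.1f} min")
```

The gap between the uniform keyspace and the min-entropy figure is the whole argument: a scheme is rated by the most popular choice an attacker can guess first, not by how many points the map could in principle address.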