Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Recognizing Your Own Handwriting As A Password

Posted by CmdrTaco on Mon Jul 02, 2007 07:44 AM
from the sounds-suspiciously-like-reading dept.
Security
Gary writes "A new online authentication system called Dynahand could make logging in to websites a little easier. With Dynahand, users simply identify their own handwriting, instead of entering a cryptic password or buying a biometric device to scan their fingerprints. The user's handwriting samples contain only digits, since numerals are harder for an outside party to recognize than letters are. The digits displayed are random, so the handwriting is the only clue to the correct answer."
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Recognizing Your Own Handwriting As A Password 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.
  • ...who virtually cannot write by hand anymore? I can't even write a proper signature, haven't been using hand writing since I was playing RPGs 10+ years ago.

    I'd say it would be pretty hard to determine how my digits would look like.

  • Brute Force? (Score:3, Insightful)

    by micksam7 (1026240) on Monday July 02 2007, @07:48AM (#19715945) Homepage
    This would make brute-forcing a password a little easier..

    An attacker could simply select a hand writing at random till they get the right one.

    TFA doesn't say anything about that.

    • Re:Brute Force? (Score:5, Informative)

      by micksam7 (1026240) on Monday July 02 2007, @07:52AM (#19715985) Homepage
      To anwser my own question, I found a better article:

      http://www.technologyreview.com/Infotech/18986/ [technologyreview.com]

      • Re:Brute Force? (Score:5, Insightful)

        by necro81 (917438) on Monday July 02 2007, @08:19AM (#19716261) Journal
        From parent post's link:

        Renaud doesn't think Dynahand is secure enough for protecting sensitive information, such as bank accounts or health records. Rather, she believes it could be useful for social sites, where a user wants her account to be private but where nothing disastrous would happen if someone broke into it.
        The folks at Dynahand obviously don't know how bad hijacking someone's social network identity could be. While not as sensitive as banking or medical information, access to one's online profile is a pretty sensitive thing. A person pretending to be you on MySpace or Facebook could cause all kinds of damage to your reputation, lose you (real) friends, and leave an incriminating trail for any future employer to find. Even if you are able to regain control of your account via customer service, and could remove the offending material from your page, nothing is every really deleted from the Internet.
    • Why bother? My desk is covered with my clearly recognizable scrawl, and most of it is numeric just to add insult to injury.

      While the idea of a system that depends on recognition is interesting (though in my mind, not terribly secure for the exact reason you stated), handwriting is probably the poorest example because we leave handwriting samples everywhere. It'd be much more secure to have the system be "Recognize a picture of your own genitalia" because at least then you only have to worry about former significant others...And hell, for this crowd, you don't even have to worry about that.

      • Re:Brute Force? (Score:5, Funny)

        by Joebert (946227) on Monday July 02 2007, @08:03AM (#19716105) Homepage
        That's the greatest caught masturbating at work coverup I've ever heard.

      • Re:Brute Force? (Score:5, Funny)

        by Red Flayer (890720) on Monday July 02 2007, @08:12AM (#19716185) Journal

        It'd be much more secure to have the system be "Recognize a picture of your own genitalia" because at least then you only have to worry about former significant others...
        Why do you hate nudists and porn stars?

        ...And hell, for this crowd, you don't even have to worry about that.
        Speak for yourself, I'm quite positive that several hundred people have seen my genitalia. Though I'm not sure they got a good enough look to be able to identify me in the short time my trenchcoat was open.
        • I didn't say it was secure, I said it was more secure.

          An even better system would be to select a semi-random series of numbers, letters, and punctuation, that we could key in to uniquely identify ourselves...We could call it a "Secret Word" or a "Pass phrase" or something. "Password?" Nah. Not catchy enough.
        • I remember you!
      • I could recognize my parents' handwriting easily. (All that time practicing writing notes from them for the teacher to let me out of class early, you know.) But my dad's secretary would be even better at recognizing his. She's the only one who could reliably interpret it, after all. Sure, that'd be an advantage to this system if you're the sort who gives your secretary your passwords anyways, but what if just maybe the secretary isn't supposed to have access to your confidential personnel files?
      • That wouldn't be much different from "Site key" style two-factor authentication schemes. It's still just a matter of guessing to crack it, and you could program a computer to guess slower, or get a person to guess more quickly.

        I have distinctive handwriting, but it would still take me a few seconds (as long or longer than it takes me to type my average 10 character password) to identify my own handwriting out of a random selection of a dozen or two decoy samples.

        I just don't think "Picking the correct answe

  • Picking and choosing = bad (Score:4, Interesting)

    by Rob T Firefly (844560) on Monday July 02 2007, @07:52AM (#19715989) Homepage Journal
    As novel as this whole handwriting angle is, doesn't this just amount to a multiple-choice test? There's always the off-chance of some random stranger getting in by sheer luck.

    Additionally, that's not taking into account the massive amounts of ways someone could get samples of your handwriting. Besides the obvious garbage-picking, things like tax returns, property deeds, or other legal forms can often be public information, and there's a good chance you've written numbers on one at some point.
    • > There's always the off-chance of some random stranger getting in by sheer luck.

      Especially if the stranger is using proxied bots to guess ten times a second. Assuming a generously extravagant implementation, you might have to correctly choose from 100 handwriting samples to log in. An attacker appears to be you on average 1 time in 100. Assuming a very weak password system, six characters, all lower case, no numbers or special characters, then your password is 1 among 26^6 possible passwords. An a
  • I am not a cracker. I am not a phisher. I do not try to get into random people's accounts.

    I can't help thinking that IF I ever did try to get into someone else's account, it would be to spy on or get revenge on someone I know. (Really, that isn't something I do. This is a big IF). In those cases, this would surely be so much easier. For example, I am sure I would recognise my family's handwriting.

    I certainly remember, when I was a secondary school maths teacher, having to work out who had produces a certain piece of work by recognising the handwriting. Obviously, being maths work, this usually involved recognising digits.

  • Sometimes, simple is best (Score:5, Insightful)

    by pzs (857406) on Monday July 02 2007, @07:58AM (#19716037)
    Passwords actually strike me as quite a good security method. A good password is difficult to guess by a person or by a machine and is very simple to implement, leaving less margin for error in the technology.

    I know, I know, people forget their passwords or choose the word "password" all the time. It still seems a little depressing that we have to use all this extra trickery to compensate for people being morons.

    Peter

    • Re:Sometimes, simple is best (Score:4, Insightful)

      by Jah-Wren Ryel (80510) on Monday July 02 2007, @10:04AM (#19717579)

      I know, I know, people forget their passwords or choose the word "password" all the time. It still seems a little depressing that we have to use all this extra trickery to compensate for people being morons.
      Users aren't always just morons. I know a person who has to keep track of 9 unique passwords with at least 3 different usernames, most of which are used once a week or less. All the systems have minimum length and complexity requirements, 90-day expiration and permanent lock-out if an account gets just three failed logins in a row. In his case it is potentially a go to jail offense to write down these passwords ANYWHERE, even in some sort of encrypted form.

      In cases like that, the real morons are the people pushing their authentication complexity onto the users, not the users themselves.

  • Totally utterly useless on 2 counts (Score:3, Insightful)

    by chiark (36404) on Monday July 02 2007, @07:59AM (#19716045) Homepage Journal
    1. It's a shared secret. That's all. I was going to say "no better, no worse", but actually it's made significantly worse by being multiple choice.
    2. Doesn't prevent MITM in any way whatsoever

    Now the biometric of someone's typing rythm strikes me as a good thing, along with "PC fingerprinting" and trend analysis, but this suggestion is significantly worse than what we already have available on the market.

    "3/10 - see me" would be my mark for this particular gem.

  • WTF (Score:5, Funny)

    by egandalf (1051424) on Monday July 02 2007, @07:59AM (#19716049)
    I've got a simpler idea, why don't we just ask people a simple true/false question. I've got the first:

    A single html radio-button form-based multiple choice question is a reasonable security measure.
    A) True
    B) False

    But I think there should be an option "C," though that would make this not a real t/f question:
    C) WTF?!
  • how on earth did anyone ever think this was a good idea? Finding samples of someone having written down numbers is not hard by any stretch of the imagination. As someone already pointed out, simply asking someone to write down a phone number for you, not even necessarily theirs, would get you such a sample. Sometimes people can be pretty dumb.

    • Re:seriously... (Score:4, Interesting)

      by Alioth (221270) <no@spam> on Monday July 02 2007, @08:16AM (#19716231) Journal
      Because it wouldn't help them.

      Almost 15 years ago, I was working on a demo system for a more secure way of issuing benefit payments (at the time, the payee had a paper booklet, and there was quite a lot of trouble with stolen booklets). We investigated what we could practically put on a smart card (similar type of smart card as what is in modern credit cards). One of the things we investigated was signature recognition.

      We had a system that did it extremely well, well enough that we never managed to forge another person just signing with an "X". The system not only looked at the shape of the writing, but the way the person wrote - the speed, accelerations, stroke weight etc. The genuine user could be recognised even if they signed fairly scruffily (the system didn't return 'true' or 'false', but rather a confidence). However, another person even if they signed their X to LOOK as much as the original person's X looked would get a very low confidence score.

      This was almost 15 years ago - the technology was pretty damned good (but quite expensive) at the time. We managed to get the signature, the person's details and a photograph onto the smart cards of the day (I think they had 8K of storage). The signature took up 1K.

  • have to hide my hand writing? (Score:5, Insightful)

    by janneH (720747) on Monday July 02 2007, @08:00AM (#19716073)
    What, now I have to bring a typewriter everytime I go to the restaurant - to fill in the tip and total?
    • Nah, the waiter will just use the frequent patron system to sign it for you automaticly.
    • Nope. It'll take some practice, but you can use your left hand (assuming you're a righty) for scrawling totals. Alternatively, you can stave off dementia by doing the arithmetic in your head... (not a jab at you--but for me it's a non-trivial matter) 8)
    • Nope, do what I do - never leave a tip.
  • They should instead be requiring the use of a graphics tablet or Tablet PC and requiring the user to write a given number sequence --- then they get the additional input of speed, pressure, stroke order / direction which makes things reasonably secure (even a person who can forge another's writing isn't likely to get all of the above as consistent as a person using their normal hand).

    Doesn't even require much more from the user in the way of hardware (trades off a scanner for a graphics tablet).

    William
  • I can't even recognize my own handwriting half the time.
  • Like some security expert has said: just write down your passwords onto a small piece of paper and keep them in your wallet/handbag.

    If you lose your wallet/handbag, call up the banks to cancel your cards etc, call up the rest to cancel your passwords.

    You're keeping it in a fairly secure place.
  • Back in the late 80's, a UK bank did some R&D on this area and came up with a novel idea. It was signature recognition BUT rather than analysing the actual signature, it 'listened' to the pen on the paper as it moved. They found that anyone (well.. some people anyway) could do a fair replication of someone else's signature if they went slowly but it was almost impossible to recreate someone's signature at the same speed and with the same pressure/flourishes.
    In case anyone reads this and copyrights the damn thing, there is prior art and it worked. They just didn't think the market was ready for it.
  • ... You get an injury that makes your hand writing change, like a bad break in the hand, or a stroke or something? I am sure you could answer the secret question or whatever, but you have to ask, how consistent is handwriting that a program could use it to authenticate a person?

  • What a stupid concept (Score:5, Insightful)

    by Mock (29603) on Monday July 02 2007, @08:16AM (#19716229)
    Here's how you crack it:

    1. generate a bunch of new sessions to the login page.
    2. Identify samples that appear more often than others.
    3. Recognize the handwriting style.
    4. Log in.
  • wouldn't it be more effective to have the computer recognize my handwriting, i.e. I write something and the computer goes "yep, thats the guy"? That way, the computer would know it was me w/o a password, and it wouldn't just be multiple choice or whatever. Of course, handwriting recognition is really, really hard to do quickly and effectively enough to narrow down between thousands/millions of users compared with a password.
  • For immediate release.

    Slashdot, USA. A new online authentication system called Dynaface could make logging in to websites a little easier. With Dynaface, users simply identify their own face, instead of entering a cryptic password or buying a biometric device to scan their fingerprints. The user's sample photographs are made under a variety of hair styles and lighting conditions, since the shape and other characteristics of a person's face are harder for an outside party to recognize than hair and lighting

  • How about typical credential operations? (Score:3, Informative)

    by Lethyos (408045) on Monday July 02 2007, @08:21AM (#19716291) Journal

    There is no improvement here over biometrics or other credentials falling into the “something you are” category. How do you revoke this credential? How do you limit its scope? I would even argue this is worse than a password because it is not easily changed, and worse, your signature is very public. Consider how many documents you have floating around with your hand-written signature on it. You really want to use something that can be learned and easily reproduced as a secret? Nonsense. We need real solutions (OpenID [wikipedia.org] is a start), not rehashes or regressions of old schemes.

  • Half the replies so far assume that you have to supply a sample of your handwriting every time you log in. That's not what this system does!
    This system just presents a few lines of handwriting, and invites you to choose the correct one. A useless system, basically reducing security to a 1-in-10 guess. This is supposed to be developed by a university?
  • you insensitive clods!

  • Nothing to see here ... (Score:5, Insightful)

    by pz (113803) on Monday July 02 2007, @11:14AM (#19718541) Journal
    From the article's first paragraph:

    You can't afford to be careless regarding the password coz you never know ...

    And with that, I stopped reading. Why? Because I don't have enough time to read things that aren't written in at least passable English. If someone has a good idea, and are serious about it, they'll make the effort to communicate it well or have it communicated well for them.

    Nothing to see in this article, and, by strong implication, a worthless idea.

    • Re: (Score:3, Insightful)

      by SatanicPuppy (611928) *
      I could quite easily recognize my own...But so could anyone else who has ever seen it. Then there are those people with bland, unmemorable handwriting...How would you pick your handwriting out of a crowd when your handwriting looks like handwriting is supposed to look.

      Additionally, the number of samples would have to be constrained to what a normal person could be expected to go through, so the odds of someone being able to guess it are huge. I mean, I could set my password to the crappy "Guess,15" and it w
    • there is nothing stopping others from analysing someone else's handwriting and gaining access to their accounts


      From TFA; "Renaud doesn't think Dynahand is secure enough for protecting sensitive information, such as bank accounts or health records.

      " It's an interesting idea, but clearly needs further work.


      Apart from people probably not recognising their own handwriting


      Are there really people that dumb or unfamiliar with their own writing?

      • Apart from people probably not recognising their own handwriting

        Are there really people that dumb or unfamiliar with their own writing?

        I cannot. Or rather, I cannot to the degree of speed and reliability that I type. The only things I ever write by hand are checks. Heck, I tried to write in cursive recently and realized, with the exception of my signature, which is all muscle memory, I don't know any of the capitals.

        When's the last time you tried to record something on paper using a pen for

    • . . . that no two of my signatures are the same.

    • Re:Giving out your phone number is risky... (Score:4, Funny)

      by Glytch (4881) on Monday July 02 2007, @08:29AM (#19716379)
      Exactly. In the old days, someone would have to find the stickynote on one's monitor that specifically had one's password written on it. Under this scheme, any stickynote at all will do!

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.