Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Microsoft Wants To Give You A Rorschach

Posted by ScuttleMonkey on Wed Dec 05, 2007 03:55 PM
from the sticky-note-to-put-on-your-monitor dept.
Security Microsoft
Preedit writes "Microsoft has set up a website that uses inkblot images to help users create passwords. The site asks users view a series of inkblots and write down the first and last letters of whatever word they associate with each inkblot. Then they combine the letters to form a password. Microsoft claims it's a way to create passwords that are easy to remember but hard to crack. But a word of warning, the story notes that Microsoft is collecting and storing users' word associations."
+ -
story

Related Stories

Submission: Microsoft Wants To Give You A Rorschach by Preedit (1073358)
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Microsoft Wants To Give You A Rorschach 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Not sure this will help (Score:5, Funny)

    by Qzukk (229616) on Wednesday December 05 2007, @03:57PM (#21589781) Journal
    view a series of inkblots and write down the first and last letters of whatever word they associate with each inkblot. Then they combine the letters to form a password.

    I got vavavapsva.

    More seriously, if they're saving the word associations, doesn't that mean that they have the password you've just generated?
    • It all looks like porn to me!

      • Re:P**n (Score:5, Interesting)

        by ShieldW0lf (601553) on Wednesday December 05 2007, @04:36PM (#21590263) Journal
        I usually suggest to people that they come up with a positive self talk phrase, take the first letter of each word, then replace a letter with a number that resembles it.

        Something like "I am a happy person who loves their life." turns into "Iaahpwlt1", which is long, contains numbers and letters and no dictionary words whatsoever.

        You end up repeating it to yourself every time you log in, which serves double duty as both a mnemonic device and a way to preserve your positive attitude.

        • WIuVIftWGA2p0:"When I use Vista I feel the Windows Genuine Advantage 2 point 0"

          You're right I feel better already! Wow everything feels faster! Any more exclamaitions and I'd be using Yahoo!!

        • I usually suggest to people that they come up with a positive self talk phrase, take the first letter of each word, then replace a letter with a number that resembles it.

          Something like "I am a happy person who loves their life." turns into "Iaahpwlt1", which is long, contains numbers and letters and no dictionary words whatsoever.

          I use mnemonic devices also, but perhaps I should rethink my current "Nobody loves me, I wish I were dead" password. Oh, what's the use. It wouldn't matter anyway.

        • A self-motivational phrase whose initials double as a secure password? That's a great idea!

          Here, let me try one:

          People Always Say Something's Wrong Or Really Depressing.

          Awesome! I'll use it on all my accounts!

          - RG>
    • vulva vulva vulva penis vulva?

      I'm not sure whether I should be afraid of your mind or the site...

    • I got vavavapsva

      You, sir, have a filthy mind! =)

      Cheers

    • view a series of inkblots and write down the first and last letters of whatever word they associate with each inkblot. Then they combine the letters to form a password.

      I got ********.

      Mine is h2h2h2h2. [bash.org]
    • ...you really need a girlfriend

    • I got vavavapsva.
      That's amazing! I've got the same combination on my luggage!
    • Ballmers new password: dsdsdsdsds

    • Obligatory Emo Philips (Score:5, Funny)

      by LoverOfJoy (820058) on Wednesday December 05 2007, @05:09PM (#21590643) Homepage
      "Emo, what does this inkblot look like to you?"

      I said, "Oh, it's kind of embarrassing."

      He said, "Emo, everyone sees something, so don't be embarrassed. Tell me what the inkblot looks like to you."

      I said, "Well, to me it looks like standard pattern #3 in the Rorschach series to test obsessive compulsiveness." And he gets kind of depressed.

      I said, "Okay, it's a butterfly." And he cheers up.

      He said, "What does this inkblot look like?"

      I said, "It looks like a horrible ugly blob of pure evil that sucks the souls of man into a vortex of sin and degradation."

      He said, "No, um, the inkblot's over there. That's a photo of my wife you're looking at."

      "Oh," I said, "was I far off?" He said, "No. That's the sad part."

  • I'm shocked!!! (Score:5, Funny)

    by b17bmbr (608864) on Wednesday December 05 2007, @03:58PM (#21589785)
    microsoft is collecting and storing the data. holy crap, batman, what next. the joker has plans to take over gotham city?

  • Slight problem with this approach (Score:5, Insightful)

    by Enlarged to Show Tex (911413) on Wednesday December 05 2007, @03:59PM (#21589795)
    This method will not create passwords that are strong enough. A truly strong password should have at least three of the following, if not all four:

    Uppercase letters
    Lowercase letters
    Numbers
    Non-Latin characters (i.e. symbols)

    Every password I use has at least three, even for free-registration-required sites...
    • 1a!A

      Don't tell anybody, ok?

    • Re:Slight problem with this approach (Score:5, Funny)

      by oahazmatt (868057) on Wednesday December 05 2007, @04:12PM (#21589967) Journal

      This method will not create passwords that are strong enough.
      That's why I use the inkblot test, run it through a script that converts random letter combinations to MD5, convert 25% of that end result to l33t, and then randomly add a non-latin character at two locations within that result. I then write it down on my desk calendar.

    • Re:Slight problem with this approach (Score:5, Insightful)

      by TubeSteak (669689) on Wednesday December 05 2007, @04:14PM (#21589999) Journal

      A truly strong password should have at least three of the following, if not all four:
      Only if there's a maximum character limit on the password.

      Or are you going to tell me that
      "atrulystrongpasswordshouldhaveatleastthreeofthefollowingifnotallfour"
      is not a strong password?

      I'm not suggesting everyone should use such a long pass, but what's so hard about implementing passphrases instead of passwords?

      • Re:Slight problem with this approach (Score:5, Interesting)

        by zsouthboy (1136757) on Wednesday December 05 2007, @04:59PM (#21590541)
        I also highly suggest, right now, that everyone change your passwords to currentpassword x 3 or 4, or more:

        For example, is passwordpasswordpassword any harder to remember than just password?

        But it greatly expands the key space to be searched for anyone trying to brute force...

      • Ob. Schneier (Score:3, Funny)

        by Anonymous Coward
        "Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes."

      • Re: (Score:3, Insightful)

        by AeroIllini (726211)
        Because many people have trouble typing their own names correctly without using the backspace key a few times, and typing a password in a box gives no visual feedback. Higher letter count gives a higher chance of typos, and a higher chance of getting locked out after typing "atrulystrongpasswordshouldhaveatleastthreeoftehfollowingifnotallfour" five times in a row.

        Chances of a typo are even higher if someone routinely types in MS Word with AutoComplete turned on and is now physically incapable of typing "the

      • Re: (Score:3, Interesting)

        by twifosp (532320)

        but what's so hard about implementing passphrases instead of passwords?

        I agree with you, but the problem for the average user is that they are not touch typers. They are constantly looking at the keyboard and screen to confirm what they have typed. As the length of the password increases, the odds that a typing error is going to be made also goes up. As passwords are blocked out, it would be very frusterating to a person who has to look at the screen to confirm what they have typed and backspaces often.

    • Re: (Score:3, Insightful)

      by Rakishi (759894)

      A truly strong password should have at least three of the following, if not all four:
      Not really, you can just make you password longer and you are just as secure.

    • Re: (Score:3, Informative)

      by eldavojohn (898314) *
      That's not the only problem. If you read the research paper [microsoft.com][PDF Warning] from 2004 (pretty old stuff actually), they state:

      In both experiments, users missed at most one association, even after having not used the system for one week. Thus it may be advisable to modify the system to allow for successful authentications when k out of a possible n associations are correct. Assuming that all blots produce an equal distribution on responses, this reduces the security of passwords to the level of the original system with only k blots. Therefore, it might be advantageous for users to have to enter associations for more blots. A disadvantage of this approach, however, is that authentication would take longer.

      As of interest may also be their conclusion:

      Our preliminary data suggest that inkblot authentication offers a potentially significant improvement over existing widely-deployed user authentication mechanisms. In addition to gathering our quantitative results, we also asked users who had taken part in our experiments for their comments on the system. In almost all cases we received the same response: the users were happily shocked that they could remember such a "huge password." In fact, many users asked if there were any plans to allow the use of the system in their production environment. This kind of positive user experience is arguably as important to the eventual adoption, acceptance and scrupulous use of an alternative password system as any measure of security. More experiments would help confirm or discount our security and memorability results, and could answer such questions as: How many inkblots (that is, how much entropy) can be used before the resulting passwords are no longer memorable? What is the best way to help users retain their inkblot associations? What inkblot-to-character hash function generates the most entropy without sacrificing ease of use? And what inkblot generation algorithms create inkblots with the highest-entropy (or the fewest low-entropy) association spaces?
      While inkblot authentication should be quite easy to deploy in a wide variety of settings, there exist some environments (such as devices with tiny screens) where it is unworkable, and alternatives are needed. Adapting the inkblot password scheme to other password-using contexts, such as those in which the user interface is under the control of a (possibly uncooperative or legacy) application, may also require some innovative thinking.

    • 26^10 > 95^5. Even if you restrict your password to only a few characters, you can get the same level of security as with many characters. You just need far more of them. Think about it: when we strip off all of our abstractions, everything is stored as 1s and 0s, right? (Note: Parent's point is good and right, if your password must be short, or you don't want to spend time doing the inkblot test, or you don't want to have to remember 90 characters.)

    • Re:Slight problem with this approach (Score:4, Insightful)

      by ChatHuant (801522) on Wednesday December 05 2007, @04:34PM (#21590241)
      This method will not create passwords that are strong enough. A truly strong password should have at least three of the following, if not all four:
      Uppercase letters
      Lowercase letters
      Numbers
      Non-Latin characters (i.e. symbols)

      That's just not true. Admins request this kind of nonsense to force a bigger password space with shorter passwords. Informally, the security of your password is given by the number of random bits you have. With ASCII passwords using only lowercase letters, you're adding less than 5 bits of randomness per character. Even worse, most people use real words as passwords, so they can remember them easily. That reduces the randomness even more and makes dictionary attacks feasible. Adding uppercase, numbers and symbols gives you an extra bit or two of randomness per character, but makes the password much more difficult to remember.

      Microsoft's method works around the password memorization by using the inkblots. The security is given by the much larger size of the resulting password. They get a password of 20 lowercase characters, say about 100 bits of randomness (less than that, because not all letter combinations are equiprobable - very few words I know begin and end with a q for example). A totally random password consisting of a mix of 10 symbols, numbers and different cased letters only gives you a bit less than 70 bits of randomness.

  • Hmmmm .... (Score:5, Interesting)

    by gstoddart (321705) on Wednesday December 05 2007, @04:00PM (#21589805) Homepage
    From TFA:

    "A century of psychological literature indicates that inkblot associations are intimately personal, and our own user studies verify that users almost always describe the same inkblots quite differently"

    So, psyche 101 was a long time ago, and that's the extent of my exposure to it.

    Do individual people respond to the same inkblots, the same way over time? Or might I see the same splotch in 3 months and associate something else with it? If there's drift over time, this wouldn't be such a good idea.

    Anyone with a better schooling in human psychology care to chime in?

    Cheers

    • Re: (Score:3, Interesting)

      by dgatwood (11270)

      I don't know, but about three years ago, I recall suggesting the use of non-abstract images and measuring the brain's electrical response to determine a map of the user's response to a given stimulus. After the system was trained properly, you could use that to be a really, really solid passphrase; while your brain may react a bit differently to images over time, it isn't likely to react dramatically differently for the most part (except maybe after head trauma or something similarly extreme). This seems

  • Don't do it... (Score:5, Funny)

    by daninspokane (1198749) on Wednesday December 05 2007, @04:01PM (#21589815)
    The blots are coded to shut your brain down if you don't have a valid regkey.
  • For those who haven't seen it, Perry Bible Fellowship's [pbfcomics.com] take on this. [pbfcomics.com]

  • random? (Score:3, Funny)

    by clarkn0va (807617) <apt...get@@@gmail...com> on Wednesday December 05 2007, @04:04PM (#21589873) Homepage
    Respond with "butterfly" and share your password with half the english-speaking planet.

    db

  • Ballmer's unencrypted file (Score:5, Funny)

    by Eberlin (570874) on Wednesday December 05 2007, @04:05PM (#21589885) Homepage
    Anyone wanna bet Ballmer's word list looks a bit like this:
    chair
    developers
    chair
    banana
    ooohshiny
    developers!
    developers!
    developers!

  • Storing and insecure (Score:5, Informative)

    by tkdtaylor (1039822) on Wednesday December 05 2007, @04:06PM (#21589891)
    It's a research project so of course it's storing the responses.
    From the actual site:

    Security and privacy of this service

    InkblotPassword.com is a research project deployed by Microsoft Research. It is for demonstration and research purposes only. You are welcome to try it out, but we make absolutely no promise that our implementation will protect your password. Don't use your account here to protect any data you care about, from money to your reputation. We also make no promise that the site will continue running. Should the service prove successful, Microsoft may consider offering the service as a commercial product or service. For now, consider it an unreliable, insecure service run by a couple research coneheads in their spare time, and trust it accordingly.

  • Wait... (Score:5, Interesting)

    by ucblockhead (63650) on Wednesday December 05 2007, @04:06PM (#21589895) Homepage Journal
    So they have created a method for creating hard to crack passwords while simultaneously collecting the data to more easily crack them?

  • Microsoft Wants To Give You A Rorschach


    If this is anything like a wet willy, I don't want one, and you can't make me.
    *runs away screaming*
  • From TFA:

    Given that many Internet users employ the same password to gain access to dozens of Web sites, for everything from banking and shopping to socializing, it's more important than ever that they create passwords that are at once highly secure and easy to remember.

    It's even more important that people not do this. If your password is the same for 15 different sites, and one of those sites gets hacked (or even phished, or someone keylogs your password) suddenly that hacker has access to your account at

  • Reusing the password (Score:5, Insightful)

    by Culture20 (968837) on Wednesday December 05 2007, @04:11PM (#21589965)

    "Nothing prevents a user from learning a strong password on Inkblotpassword.com and then reusing it at other sites," Microsoft's researchers said.

    Common sense might.

  • All I keep seeing... (Score:5, Funny)

    by Cytlid (95255) on Wednesday December 05 2007, @04:13PM (#21589975) Homepage
    ...is penguins.

  • Captcha (Score:5, Interesting)

    by GreggBz (777373) on Wednesday December 05 2007, @04:16PM (#21590019) Homepage
    That site [inkblotpassword.com] has one of the best captcha's I've ever seen.

    Please select all the cats. Pictures supplied (and sponsored) by petfinder.com. Brilliant. Even HAL-9000 might not be able to do that.

      • Re: (Score:3, Informative)

        by linumax (910946)
        This website was designed for people who are not visually disabled, otherwise how the hell are they gonna see the inkblots? Save your Microsoft bashing for when they implement it on MSN or sth.
  • This is just a beta test for the m$ psychological evaluation system.

  • (obligatory link for the uninformed)

    Rorschach Inkblot Test [wikipedia.org]

  • Silly... try a leet password generator (Score:3, Informative)

    by cenonce (597067) <anthony_t.mac@com> on Wednesday December 05 2007, @07:36PM (#21591951)
    That is just silly... I spend too much time trying to think of what these inkblots look like, and some of them really don't look like anything.

    Try a leet password generator [goodpassword.com]... way easier to remember!
    • It looks like a pretty butterfly. Or maybe some nice flowers. Or a dog with a cleaved brain, either way.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.