Microsoft Wants To Give You A Rorschach
Posted by
ScuttleMonkey
on Wednesday December 05, @03:55PM
from the sticky-note-to-put-on-your-monitor dept.
Preedit writes "Microsoft has set up a website that uses inkblot images to help users create passwords. The site asks users view a series of inkblots and write down the first and last letters of whatever word they associate with each inkblot. Then they combine the letters to form a password. Microsoft claims it's a way to create passwords that are easy to remember but hard to crack. But a word of warning, the story notes that Microsoft is collecting and storing users' word associations."
223 comments
Not sure this will help (Score:5, Funny)
I got vavavapsva.
More seriously, if they're saving the word associations, doesn't that mean that they have the password you've just generated?
Re:P**n (Score:5, Interesting)
Something like "I am a happy person who loves their life." turns into "Iaahpwlt1", which is long, contains numbers and letters and no dictionary words whatsoever.
You end up repeating it to yourself every time you log in, which serves double duty as both a mnemonic device and a way to preserve your positive attitude.
Re:Not sure this will help (Score:5, Funny)
Obligatory Emo Philips (Score:5, Funny)
I said, "Oh, it's kind of embarrassing."
He said, "Emo, everyone sees something, so don't be embarrassed. Tell me what the inkblot looks like to you."
I said, "Well, to me it looks like standard pattern #3 in the Rorschach series to test obsessive compulsiveness." And he gets kind of depressed.
I said, "Okay, it's a butterfly." And he cheers up.
He said, "What does this inkblot look like?"
I said, "It looks like a horrible ugly blob of pure evil that sucks the souls of man into a vortex of sin and degradation."
He said, "No, um, the inkblot's over there. That's a photo of my wife you're looking at."
"Oh," I said, "was I far off?" He said, "No. That's the sad part."
I'm shocked!!! (Score:5, Funny)
Slight problem with this approach (Score:5, Insightful)
Uppercase letters
Lowercase letters
Numbers
Non-Latin characters (i.e. symbols)
Every password I use has at least three, even for free-registration-required sites...
Re:Slight problem with this approach (Score:5, Funny)
Re:Slight problem with this approach (Score:5, Insightful)
Or are you going to tell me that
"atrulystrongpasswordshouldhaveatleastthreeofthefollowingifnotallfour"
is not a strong password?
I'm not suggesting everyone should use such a long pass, but what's so hard about implementing passphrases instead of passwords?
Re:Slight problem with this approach (Score:5, Interesting)
For example, is passwordpasswordpassword any harder to remember than just password?
But it greatly expands the key space to be searched for anyone trying to brute force...
Re:Slight problem with this approach (Score:4, Insightful)
Uppercase letters
Lowercase letters
Numbers
Non-Latin characters (i.e. symbols)
That's just not true. Admins request this kind of nonsense to force a bigger password space with shorter passwords. Informally, the security of your password is given by the number of random bits you have. With ASCII passwords using only lowercase letters, you're adding less than 5 bits of randomness per character. Even worse, most people use real words as passwords, so they can remember them easily. That reduces the randomness even more and makes dictionary attacks feasible. Adding uppercase, numbers and symbols gives you an extra bit or two of randomness per character, but makes the password much more difficult to remember.
Microsoft's method works around the password memorization by using the inkblots. The security is given by the much larger size of the resulting password. They get a password of 20 lowercase characters, say about 100 bits of randomness (less than that, because not all letter combinations are equiprobable - very few words I know begin and end with a q for example). A totally random password consisting of a mix of 10 symbols, numbers and different cased letters only gives you a bit less than 70 bits of randomness.
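The entropy arithmetic in this comment, worked through as an added example (not code from the original thread or from Microsoft Research): it computes the uniform-alphabet bit counts for the schemes mentioned and the Shannon entropy of a constructed word-association sample, to show how non-equiprobable first/last letters shrink the inkblot scheme's key space. The word list is a constructed stand-in; real association data would be more skewed.

```python
import math
from collections import Counter

# Constructed sample of word associations (stand-in for real data).
# Real associations cluster more tightly, so the gap would be larger.
SAMPLE_WORDS = [
    "butterfly", "bat", "mask", "moth", "cat", "cloud", "bird", "bear",
    "bone", "bug", "face", "fox", "mountain", "monster", "man", "moon",
]


def uniform_bits(alphabet_size, length):
    """Entropy of `length` characters drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def shannon_bits(samples):
    """Shannon entropy, in bits, of the empirical distribution of `samples`."""
    counts = Counter(samples)
    n = len(samples)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def inkblot_bits(words, n_blots=10):
    """Entropy of an inkblot password built from n_blots first/last-letter pairs.

    Returns (empirical_bits, ideal_bits): what the observed word distribution
    actually yields per blot versus 26^2 equiprobable letter pairs per blot.
    """
    pairs = [w[0] + w[-1] for w in words]
    return n_blots * shannon_bits(pairs), n_blots * uniform_bits(26, 2)


def compare_schemes():
    """Bit strength of the password schemes discussed in the thread."""
    empirical, ideal = inkblot_bits(SAMPLE_WORDS)
    return {
        "inkblot_10_blots_ideal": ideal,               # 20 lowercase letters
        "inkblot_10_blots_sample": empirical,          # skewed associations
        "random_10_printable": uniform_bits(95, 10),   # 95 printable ASCII
        "random_8_lowercase": uniform_bits(26, 8),
    }


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print(f"{name:26s} {bits:6.1f} bits")
```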
Hmmmm .... (Score:5, Interesting)
So, Psych 101 was a long time ago, and that's the extent of my exposure to it.
Do individual people respond to the same inkblots, the same way over time? Or might I see the same splotch in 3 months and associate something else with it? If there's drift over time, this wouldn't be such a good idea.
Anyone with a better schooling in human psychology care to chime in?
Cheers
Don't do it... (Score:5, Funny)
And zees one? (Score:2)
random? (Score:3, Funny)
db
Ballmer's unencrypted file (Score:5, Funny)
chair
developers
chair
banana
ooohshiny
developers!
developers!
developers!
Storing and insecure (Score:5, Informative)
From the actual site:
InkblotPassword.com is a research project deployed by Microsoft Research. It is for demonstration and research purposes only. You are welcome to try it out, but we make absolutely no promise that our implementation will protect your password. Don't use your account here to protect any data you care about, from money to your reputation. We also make no promise that the site will continue running. Should the service prove successful, Microsoft may consider offering the service as a commercial product or service. For now, consider it an unreliable, insecure service run by a couple research coneheads in their spare time, and trust it accordingly.
Wait... (Score:5, Interesting)
Oblig Watchmen (Score:1)
No way.... (Score:2, Funny)
If this is anything like a wet willy, I don't want one, and you can't make me.
*runs away screaming*
Same password for different sites == bad security (Score:2)
It's even more important that people not do this. If your password is the same for 15 different sites, and one of those sites gets hacked (or even phished, or someone keylogs your password) suddenly that hacker has access to your account at 15 different sites. This could ruin your whole day.
Reusing the password (Score:5, Insightful)
Common sense might.
All I keep seeing... (Score:5, Funny)
Passwords tell you a lot (Score:1)
Captcha (Score:5, Interesting)
Please select all the cats. Pictures supplied (and sponsored) by petfinder.com. Brilliant. Even HAL-9000 might not be able to do that.
This is just a beta test for the m$ psychological. (Score:2)
Here I thought Microsoft were Watchmen fans (Score:1)
Rorschach inkblot test (Score:2)
(obligatory link for the uninformed)
Rorschach Inkblot Test [wikipedia.org]
Character randomization (Score:1)
Insecure? (Score:2)
rorschach? (Score:2)
Several flaws immediately come to mind (Score:2)
No shit. Type any password enough times your fingers learn where the keys are, even if you're not consciously thinking about what you're typing.
So their aim is to have you look at the inkblots, work out your passwords, type the password until your fingers get it, and then you don't have to look at the inkblots any more. No numbers, no mix of uppercase and lowercase, and no punctuation. Doesn't sound particularly
Running APG [nursat.kz] over a web interface and getting pronounceable, strong passwords which will develop into muscle memory just as easily sounds like a much better solution.
Not to mention the whole "oh btw, we're storing your associations" bit. It should be painfully obvious that when it comes to security, Microsoft simply doesn't "get it".
dead site (Score:1)
Enter the... (Score:2)
Is this really new?
Eventually it'll be something done by Open Source from the future SeaCode employees...
But, also, hasn't this been shown in Sci-Fi shows? (No, I'm not talking about "cheating" to make a result/action appear on screen). It would be ghastly if a patent is "awarded" for this...
AKA Pain In the Ass (Score:1)
I use a keyboard pattern mnemonic (Score:2)
Any 12 characters (1a...!A...) I never repeat, but I always recall, because of the pattern matching. I must always recall the first character to enter, then I follow the appropriate pattern-match.
When I take vacation and return to the office two weeks later
Example: c6b8g7j9C^B*J( [works every time 4me]
!HAVEFUN!
Resistance is futile... (Score:2)
Possible Microsoft ink-blot results:
phishing (Score:2)
db
Halfbaked Idea (Score:1)
Easy ways to get random pass-foo from books. (Score:2)
Open a large book on random pages and note down the LAST digit. Repeat until the pin is long enough.
For passphrases:
Pick a book, open it on a random page and note down the first word on that page longer than 3 characters. Generate 2 pass phrases this way and insert the acronym of one of them into the other. Add some random special characters and numbers at random places (i.e. chosen as for PIN numbers).
May well be vulnerabilities in there, but if you know enough about computer security to avoid exposing yourself to orders of magnitude greater ones, then chances are you are able to generate a good pass phrase.
That is stupid, hard passwords are easy. (Score:2)
My brothers' initials are JaL and FdL
My wife's birthday and month 01/01
My first toby was 'Toby'
Add a letter to rotate
yb0T0101JaLFdLa
Bam, I just created a personal and hard password. The biggest argument against that is that 'everybody knows all about you'. In that case, this information is just noise in the data.
or
!5b00B_g1B
Easy to remember for a human.
No, none of the information given in the example is accurate.
Also, put the password in your wallet. You do not need to put what the password is to, you'll remember it.
Hmmm. I see a Ballmer throwing a chair... n/t (Score:1)
What I find interesting (Score:2)
WTF, I have to select a bunch of cat pictures? (Score:2)
I'm just leaving my password at "changeme" and getting on with my life.
Doesn't that defeat the purpose... (Score:1)
bah... already released! (Score:2)
What a bunch of perverts! (Score:2)
Silly... try a leet password generator (Score:3, Informative)
Try a leet password generator [goodpassword.com]... way easier to remember!
Who Watches the Watchmen? (Score:2)
OS carcass on a hard drive this morning, random characters across its boot sector. This internet is afraid of me. I have seen its logins in the clear.
The passwords are in dictionaries and the dictionaries are full of "password", and when the accounts finally are taken over all their mothers maiden names won't save them.
The accumulated malware from all their pr0n and Myspace visits will load up about their processors and all from Tron Guy to Chuck Norris will look up and shout "reset us!"...
R.
But.... (Score:1)
A Word of Warning... (Score:1)
Well, that only makes sense. They can simply assign each association an index and store the index instead. A great space savings there.
To illustrate this principle, consider that they will now only need to store the assigned Id value (probably '1') to user's recorded association response "FUCK YOU" as one byte.
Then to further save on space, they'll use another compression technique, known as "Run Length Limiting" (or RLL) to save space by encoding the number of times that value has been recorded, which will be implemented in a bit of code along the lines of "For (Every_User) DO {
It looks like spilled ink. (Score:1)
They all look like cats to me! (Score:2)
IDGI. Why are they using cat captcha to front end this?
There's no way a screen scraper is going to be able to get past the password selection.
This is not a useful design. (Score:2)
Second, I don't think even Richard Feynman would be expected to get past the password selection process.
* The inkblots don't really remind me of anything. I guess I haven't done enough psych tests or something, but they all look like masks to me, and "mkmkmkmkmkmkmkmkmkmk" is probably not a good password.
* You have to come up with the *same* associations over and over again?
I fail this test, it would be easier to simply memorize a random string of letters.
Re:use password agent to store all your password (Score:2)
"asdf$1234" is your chosen "strong" password, but after typing "asdf" you click the cursor after the second character, "s" and continue from there, leaving as$1234df. Since mouse clicks are not (typically) recorded by keyloggers, you would frustrate attempts to steal your data in that way. You could incorporate as many cursor moves as desired, should incorporate as many as practical, and it could all theoretically become part of the "muscle memory" discussed by other posts.