Security

Pictorial Passwords 331

Posted by michael
from the no-pr0n-allowed dept.
Stone Rhino writes: "No longer do you need to remember passwords. Now, thanks to graduate students at Berkeley you merely need to pick out the right pieces of abstract art. There is a story on it at the New York Times. However, there is a problem with it that I see: 5 images from a set of 25 means 53,130 potential combinations. This would be much easier to crack by brute force than a standard alphanumeric password with its billions of possibilities and millions of likely choices." Maybe you have to get the sequence of images correct? If so there are some six million combinations, still weaker than an optimum password but probably stronger than the passwords most people choose (usually their significant other's name). There's another article on passwords in that same NYT edition.
  • ATMs (Score:5, Insightful)

    by davidesh (316537) on Friday December 28, 2001 @09:52AM (#2758250)
    Looks like they are planning on using it for ATM machines, which only have 4-digit numbers... seems like a better idea to me.
    • Re:ATMs (Score:5, Insightful)

      by webword (82711) on Friday December 28, 2001 @11:10AM (#2758532) Homepage
      ATM security is based on more than your PIN number. It has two foundations: PIN number and the card. Therefore, you need to have the card (physical media) and the PIN number.

      If you consider that a person would first need to steal your card and then figure out your PIN number, it becomes apparent that increasing the difficulty of the password is foolish. If your card is lost or stolen, you report it and you save yourself some pain. If your card is lost or stolen, you have a pretty reasonable barrier because the card is physical and needs to be taken to an ATM. Then, even if the card is used immediately, the thief needs to sift through 9999 combinations.

      Security is not meant to lock you in. It is meant to keep other people out. When you think about that, you'll see that you often just want very good security with excellent convenience. That is, you want optimum security, not maximum security. You do not really want maximum security because that would dramatically decrease convenience. For example, if you really wanted maximum security of your funds, you would put them in the bank physically and you would pull them out physically. You would not even use an ATM because the security is not maximum.

      ATMs are convenient and the security is reasonable. Most people can remember their cards and their 4-digit codes. If you start trying to increase the security, you are in for trouble in my opinion. If you really wanted to increase ATM security, forget about pictures. Instead, look into biometrics [ittoolbox.com], which are much more reasonable.
      • Re:ATMs (Score:3, Interesting)

        by monkeydo (173558)
        ATM security is based on more than your PIN number. It has two foundations: PIN number and the card. Therefore, you need to have the card (physical media) and the PIN number.

        What's more, to use an ATM you must physically key in the PIN; there is no way to automate a brute force attack against the keypad at an ATM. Additionally, most ATMs will swallow your card after a certain number of wrong PINs (3 at my bank), so you aren't going to have much luck guessing.

        You'd be surprised how many people write their PIN on the back of the card, or somewhere else in their wallet, but it happens enough that the signature panel on my card bears the warning, "Do not write your PIN on your card." That's why banks impose daily limits on how much money can be withdrawn through ATMs.

      • > the thief needs to sift through 9999 combinations.

        More like 1234 combinations to get to the right one :)
        • even if the card is used immediately, the thief needs to sift through 9999 combinations

        Or, look on the back of the card to read the PIN written by the card holder who can't be bothered to memorize that pesky 4-digit number.

      • Re:ATMs (Score:3, Informative)

        by ryanr (30917)
        Typical ATM card theft scenario gives the thief both the physical card and the PIN.

        One way involves thieves putting up their own ATM machine in a mall or some such, and simply waiting for people to use it. After they enter their PIN, it eats their card. In another method, the thieves place tape in the ATM card slot ("looping") and videotape anyone using the ATM. When the victim leaves, they retrieve the card, which the tape prevented from coming out of the ATM machine.

        A variation of the fake ATM machine method returns the card, but records the card info, and the thieves program another card with that info, which is equivalent to having the physical card in their possession.

        The point being that switching from a PIN to any kind of longer password entered by the customer doesn't hinder these attacks in the slightest.
  • Images? (Score:3, Funny)

    by Ace Rimmer (179561) on Friday December 28, 2001 @09:54AM (#2758262)
    Sure, why not? At least one penguin would be in any Linux user ;)
  • by Xzzy (111297) <sether&tru7h,org> on Friday December 28, 2001 @09:55AM (#2758266) Homepage
    > than the passwords most people choose (usually
    > their significant other's name)

    So does this mean that the harder a person's password is to crack, the less likely they are to have a sex life?
    • Nah, don't think so. If they have no sex life they'll choose their mother's name.
    • This might actually be a decent idea.

      While working in technical support, I noticed that a disturbingly high amount of our users used their own username as their password. Either that or the highly secure "password".

      Sadly, most customers would just be frustrated if we actually disallowed such stupid passwords.

      • Re:implications.. (Score:4, Insightful)

        by arkanes (521690) <(moc.liamg) (ta) (senakra)> on Friday December 28, 2001 @10:30AM (#2758385) Homepage
        It's the great paradox of network security. You can force users to change them every 2 weeks, disallow "easy" passwords by forcing certain characters, mixture of numbers/characters/symbols, not allowing words in dictionary, etc, but the more you do that, the more likely your users are to just stick the password on the monitor with a post-it.
        • While working in technical support, I noticed
        Umm...how exactly did you notice this? Were your customers' passwords stored clear-text?

        Umm...by the way...where was it that you worked, again?

        This illustrates a larger problem: one password used in various settings. The password may be "23H&*sSie2@slo" but if you've used it in two places it's not secure. If you use this at, say, Wells Fargo and, say, Slashdot then CowboyNeal may be helping himself to a little X-Mas bonus...

        • Umm...how exactly did you notice this? Were your customers' passwords stored clear-text? Umm...by the way...where was it that you worked, again?

          the user calls you up, you ask them for their login, and instead they give you their password.

          the user calls you up and immediately starts telling you everything about themselves, including their dog's bladder problems and their password.

          the user has tried to log in and since they were having problems, they switched their login with their password... which is then recorded in the logfiles.

          Those are the first few ways which come to mind, all of which happen to me on a regular basis; the only time i store the password in clear text is when we send out the original account password.

          i think passwords should at least be used in a manner similar to firewall dmz's - that is, one set for the internal servers, one set for the borderline, and one set for external servers (or, servers you have sole root on, servers you share root on, servers you don't have root on). But preferably every account you have that matters should have a different password than the last.

          the last thing i want is for someone to be able to post on slashdot as me just because they cracked my credit card password! oh, the horrors!

      • It is your job as a sysadmin to ENFORCE password standards. What it comes down to is, WHO is gonna be held responsible if the system security is compromised ?? Joe (L)user or the sysadmin. I use a dictionary check and run John the Ripper on the shadow file regularly. ANY passwords I crack get locked out and the user gets a note. When I receive a note from their manager I reset the password to a random lower/upper alpha-numeric and unlock it for their use. Friends in the user group it does not net me, but a secure system and excellent audit results it DOES get me.
    • >So does this mean that the harder a person's
      >password is to crack, the less likely they are
      >to have a sex life?

      Not if their significant other is known as "PC" ;)
  • by scott1853 (194884) on Friday December 28, 2001 @09:57AM (#2758271)
    Customers have enough trouble understanding "click the button with the X in the upper right corner".

    I wouldn't know where to begin trying to describe what pictures to use for their password... "Ok, now choose the picture that looks like a moose being sucked into a vortex".
    • by malx (7723)

      I wouldn't know where to begin trying to describe what pictures to use for their password...

      That's the whole point. Because our mapping of language to art is so loosely coupled, it's hard to write down and/or describe to another person your password. Theoretically, this dramatically reduces a source of password insecurity.

      • What difference does it make? The user's still going to write/draw it on a post-it and stick it to the monitor.
  • Jeebus! (Score:5, Insightful)

    by mrfiddlehead (129279) <<mrfiddlehead> <at> <yahoo.co.uk>> on Friday December 28, 2001 @10:04AM (#2758294) Homepage
    Why is this still an issue? Pick a phrase, stick a couple of numbers in it, perhaps a 'special character' or two and go.

    "Galadriel is one icy babe but Jackson got it right"

    Password: gi1ibbJgir

    And I'm sure this approach is nothing new to most /.'ers. And the cool thing is that just a couple of words from the password, say Galadriel and babe, is enough to bring the bloody password back long after one's finished with it.

    Feh!

    • Re:Jeebus! (Score:5, Informative)

      by Bonker (243350) on Friday December 28, 2001 @10:47AM (#2758444)
      This is a fairly standard practice. It's been used in at least two IT offices I've worked in. It even makes handing out passwords during 'change day' easier, because all the networking and development staff have come to expect a mnemonic rather than the password itself:

      "All Your Base Are Belong To Us!"

      becomes

      "aybab2u!"

      Another useful password naming procedure is the use of 'l33t speak' inside passwords... especially long ones. On systems that support passphrases or long passwords instead of 8 char strings, this makes creating and remembering passwords quite a bit easier.

      "My Password Rocks" is probably not so good, but

      "MyP455w0rdR0X0r5" is a 16 character password with 7 numbers, upper and lower case characters, and no long strings of plain english text to get chewed up in a dictionary attack.
      • Re:Jeebus! (Score:2, Insightful)

        by emf (68407)
        The thing with "l33t speak" is that it isn't really hard to modify your password cracker to convert the words in your word lists to "l33t speak" and try.

        Actually, you probably don't even have to modify your password cracker, just convert your word lists to l33t speak (i.e. 'a' becomes 4, 's' becomes 5, ... )

        I think the idea to use more characters than just 'a-z' is a good one, try to use characters from 'a-z', 'A-Z', '0-9', '!@#$%^&*()', and even the characters with accents. But, try not to make it predictable like "l33t speak".

        btw, your example "MyP455w0rdR0X0r5" might not be too bad since "R0X0r5" might not be a word in a word list, but "my" and "password" probably would be in the list. Then again, I'm no expert in cracking passwords or "l33t speak" so maybe someone else would have it in their list.
      • Re:Jeebus! (Score:2, Funny)

        by Uberminky (122220)
        Actually here at IU where I go to school, they have a system that checks your password against all sorts of crazy things and rejects any sort of matches. It runs your choice backwards and forwards, 1337 speak, in many (MANY) different languages, etc, and if it finds *anything*, it makes you pick another one. Took me forever to come up with something that it didn't reject somehow. I started thinking "Geez, if there are THIS many passwords that I can't use, the search space is probably lower now than it would be brute forcing common words!"
        • Re:Jeebus! (Score:3, Funny)

          by PurpleBob (63566)
          There's a joke which involves that. A link to it on one of those lame joke sites: here [free4all.com]

          "...Because of the complexity of the password selection rules, there is actually only one password which passes all the tests. To make the selection of this password simpler for the user, it will be distributed to all supervisors. All users are instructed to obtain this password from his or her supervisor and begin using it immediately."
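The point emf makes (l33t substitutions are predictable, so a word list can simply be mangled the same way) and the reject-everything checker Uberminky describes are two sides of one screening rule. As an added example, not code from the thread or from any of the systems mentioned, here is a small enrollment-time screener that undoes the usual substitutions and checks the result, forwards and backwards, against a word list. The substitution table and the word list are constructed for the example; a real deployment would load a full cracking dictionary.

```python
# Added example: screen a candidate password by normalising l33t speak before
# looking for dictionary words. Everything here is constructed for illustration.

# Constructed mini word list standing in for a real cracking dictionary.
WORDLIST = {"password", "my", "rocks", "base", "belong", "galadriel", "babe"}

# Hypothetical substitution table: each l33t character maps to the letter(s)
# it commonly replaces. Multi-letter expansions ('2' -> 'to') are included.
LEET_MAP = {
    "4": "a", "@": "a", "3": "e", "1": "l", "!": "i", "0": "o",
    "5": "s", "$": "s", "7": "t", "+": "t", "2": "to", "8": "b",
}


def deleet(candidate: str) -> str:
    """Lower-case the candidate and replace l33t characters with plain letters."""
    return "".join(LEET_MAP.get(ch, ch) for ch in candidate.lower())


def dictionary_hits(candidate: str, min_len: int = 4) -> list:
    """Word-list entries of at least min_len letters found as substrings of the
    candidate, checked on the raw text, its reverse, and the de-leeted forms."""
    plain = candidate.lower()
    normalised = deleet(candidate)
    forms = {plain, plain[::-1], normalised, normalised[::-1]}
    hits = set()
    for form in forms:
        for word in WORDLIST:
            if len(word) >= min_len and word in form:
                hits.add(word)
    return sorted(hits)


def is_acceptable(candidate: str, min_len: int = 12) -> bool:
    """Accept only candidates that are long enough and survive the word-list check."""
    return len(candidate) >= min_len and not dictionary_hits(candidate)


if __name__ == "__main__":
    for pw in ("MyP455w0rdR0X0r5", "aybab2u!", "gi1ibbJgir", "drowssaP99"):
        print(f"{pw:18s} -> {deleet(pw):18s} hits={dictionary_hits(pw)} ok={is_acceptable(pw)}")
```

Short words such as "my" are ignored by the minimum-length rule, so the screener flags "MyP455w0rdR0X0r5" only for the "password" it hides, which is exactly the weakness emf points out; the reversed check catches the mirror-image trick without a second word list.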
    • Then you could use the whole phrase. No dictionary attack's going to be useful against that, especially if you fiddle with case and it'd take rather a long time to brute force it.
  • Similar to Passface (Score:5, Interesting)

    by rodbegbie (4449) on Friday December 28, 2001 @10:06AM (#2758303) Homepage
    A year or so ago, I found this little beauty: PassFace Technology [realuser.com] -- Give it a try. You click on people's faces to get in.

    What was interesting was that in finding that URL, I went back to the site for the first time in over a year, and was able to log-in no problem. I remembered my combination of faces.

    There's definitely something to this technology!

    rOD.
    • by tswinzig (210999) on Friday December 28, 2001 @10:36AM (#2758403) Journal
      A year or so ago, I found this little beauty: PassFace Technology [realuser.com] -- Give it a try. You click on people's faces to get in.

      What was interesting was that in finding that URL, I went back to the site for the first time in over a year, and was able to log-in no problem. I remembered my combination of faces.

      There's definitely something to this technology!

      Unless you're face blind [choisser.com].
  • Remembering passwords can be tough, granted, but I don't think pictures are the answer either. If you only had one or two "passwords" (Picwords? Passpics?) to worry about, but more than that, you'll just start to confuse pictures from one set to another.

    Also, what about the disabled? It would seem like a no-brainer to offer vision-impaired an alternative, text-based password, but if you're rolling this out large scale (like ATMs or something), you might be looking at a number in the thousands of customers who can't use your picture-password system. Major admin headaches.
  • by awrc (12953) on Friday December 28, 2001 @10:09AM (#2758316)
    "Even high-ranking executives may act on naïve impulses when it comes to choosing a password"

    Even high-ranking executives? Make that especially.
  • by RFC959 (121594) on Friday December 28, 2001 @10:09AM (#2758319) Journal
    RealUser [realuser.com] has done almost exactly the same thing, except using faces, not abstract designs. It's worth checking out their site, since they seem to have thought it through reasonably well. (Read the whitepapers; they have the real meat...) One of the interesting things about these systems is that since you can't describe your password, the correct choices have to be displayed on screen along with some invalid choices, which opens up the system to some attacks unless you construct it very carefully.
  • The latest PocketPC OS has a nice way of avoiding bruteforcing of four-digit passcodes. There is simply a growing delay between each time you can enter a new passcode after entering a wrong one, so that after entering the wrong passcode seven times or so, there is an almost ten second wait before you enter in a new passcode.

    Wouldn't this be a good way to avoid bruteforcing of these pictorial passwords? :)
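The growing delay described above is an online-guessing control, and it combines naturally with the card-swallowing lock-out the ATM comments mention. As an added example, not code from the thread or from PocketPC, here is a per-account throttle whose wait doubles after each consecutive wrong guess and which refuses further attempts after a fixed number of failures. Time is passed in rather than read from the clock so the behaviour can be exercised without sleeping; the constants (quarter-second base, doubling, 60 s cap, lock-out at 10) are assumptions, not values from any real product.

```python
# Added example: per-account exponential back-off with a hard lock-out.
# Constants are illustrative assumptions; the clock is injected for testability.

from dataclasses import dataclass, field


@dataclass
class Throttle:
    base_delay: float = 0.25     # seconds imposed after the first failure
    factor: float = 2.0          # each further failure multiplies the wait
    max_delay: float = 60.0      # cap so a legitimate user is never waiting forever
    lockout_after: int = 10      # refuse all attempts once this many failures accumulate
    failures: dict = field(default_factory=dict)      # account -> consecutive failures
    next_allowed: dict = field(default_factory=dict)  # account -> earliest permitted time

    def wait_for(self, n_failures: int) -> float:
        """Delay imposed after the n-th consecutive failure (0 when there are none)."""
        if n_failures == 0:
            return 0.0
        return min(self.base_delay * self.factor ** (n_failures - 1), self.max_delay)

    def attempt(self, account: str, correct: bool, now: float) -> str:
        """Record one attempt at time `now`.

        Returns 'ok', 'wrong', 'too_early' (attempt ignored, still inside the wait)
        or 'locked' (account needs an out-of-band reset, like a swallowed card).
        """
        n = self.failures.get(account, 0)
        if n >= self.lockout_after:
            return "locked"
        if now < self.next_allowed.get(account, 0.0):
            # Guess arrived during the enforced wait: drop it without checking it and
            # without extending the wait, so an attacker cannot keep the real user out.
            return "too_early"
        if correct:
            self.failures.pop(account, None)
            self.next_allowed.pop(account, None)
            return "ok"
        n += 1
        self.failures[account] = n
        self.next_allowed[account] = now + self.wait_for(n)
        return "wrong"


if __name__ == "__main__":
    t = Throttle()
    clock = 0.0
    for guess in range(1, 9):
        status = t.attempt("demo", correct=False, now=clock)
        print(f"failure {guess}: {status}, next wait {t.wait_for(guess):.2f}s")
        clock += t.wait_for(guess)
```

With these constants the seventh failure costs a 16 s wait and ten failures lock the account, so the 10,000-PIN or 53,130-picture space never becomes exhaustible online; the residual risk is the deliberate lock-out of a victim, which is why the control is best paired with a physical or out-of-band reset rather than a purely automatic one.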
    • Well, for the web sites with faces, I imagine it'd be trivial to use a script to hit the login screen (but not attempt a login!) a couple hundred times, and then see which faces recur. I can think of ways around this, but the basic flaw is always there - you're showing the correct answer every time you ask for a login.
  • Have you seen Safe House film? http://us.imdb.com/Title?0120051 [imdb.com]
    There's an interesting way to draw passwords.
  • by Brento (26177) <brento@NoSpAm.brentozar.com> on Friday December 28, 2001 @10:13AM (#2758330) Homepage
    I've found that most of the people I know tend to use the same password or pin for everything they have - their e-mail password is the same as their AOL password is the same as their bank PIN and so on.

    Using pictures would make this all but impossible, since every provider would (or at least, SHOULD) be using their own set of pictures.

    While that's all good for security, I can't believe that it would make remembering your password any easier. Since the story is touting that as the chief benefit, I think they're going to have a really hard sell.
    • > I've found that most of the people I know tend to use the same password or pin for everything they have - their e-mail password is the same as their AOL password is the same as their bank PIN and so on.

      YAAAAAAAAAAAAAGH!

      What the hell! Are most /.ers some kind of mutants? (Wait a minute, maybe I don't wanna know.)

      Reading that BBS article reminded me that I had over 40 passwords, each one different, for each BBS that I called, and none were guessable in a dictionary attack. It's been over fifteen years, and I can still remember two or three of these.

      Today, I'm down to about ten passwords I use frequently, all different, all randomly-generated. And apart from a one-day "learning curve" where I train my finger muscles to type them quickly and discreetly, I still don't have a problem with it.

      What the hell? Am I some kind of alien/human hybrid with a unique nervous system never before seen in evolutionary history? Or do I just have two functioning neurons to rub together?

      Sure, if you use a cookie to "remember" your settings and only type a password once every few months, you could fail to learn it, but the cure for that is to just use the password more often - enable it on your screen saver, check your stock portfolio daily, etc.

      I know I'm preaching to the choir here, but what the hell is so hard about using passwords? The more you use them, the harder they are to forget.

  • by NiftyNews (537829) on Friday December 28, 2001 @10:13AM (#2758331) Homepage
    Can you imagine having an emergency in our future-tech age?

    "No Bill, it's Black Guy, Asian Guy, Samoan Woman, Black Guy with the scar, White Guy with glasses! Hurry up before the Holodeck explodes!"
    • Good analogy, except that along with holodecks, they have scanners that can scan your DNA. Come to think of it, since this is the case, why do they need the cheesy passwords to activate the self destruct mechanism on the ship, the ship could scan the captain, first officer etc. to verify their identity, oh except the other Will Riker could cause problems that way...
  • Do the math... (Score:2, Insightful)

    by Draxinusom (82930)
    A cursory reading of the article suggests that passwords aren't limited to permutations of 25 elements; 25 is just the number of images against which you have to verify. It's like being shown a list of 128 binary numbers and asked to choose the one that's yours; the numbers themselves can be more than 7 digits long. Of course, that still means that some mechanism is necessary to prevent brute-forcing, but that's a relatively trivial problem (especially in contexts like ATMs, where they already do that).
    • OK, and the math comes out the same...

      If I'm only shown 25 pictures, it doesn't matter how many I'm not shown, the alphabet size is still only 25.

      And you can't ever show me a different 25, because my 5 have to be in there. If you show me my 5 + 20 others one time, and a different 20 + my 5 a different time, then the ones that came up both times obviously include my 5. Makes the shoulder-surfer's job a whole lot easier.
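The comment above pins down a design requirement rather than just a weakness: the 25 images an account is shown must be the same set, in the same order, on every visit, or repeated observation narrows the user's five. As an added example, not code from the thread, from the Berkeley work or from RealUser, here is one way to build such a screen, with the decoys chosen and ordered by a generator seeded from an HMAC of the account name, placed beside the naive version that resamples decoys each time, and an audit helper that measures how much a run of observed screens narrows the candidate set. The catalogue, key and account names are constructed.

```python
# Added example: fixed-per-account decoy selection versus naive resampling,
# plus an audit helper. Catalogue, key and accounts are constructed values.

import hashlib
import hmac
import random

# Constructed catalogue of 100 image identifiers standing in for real artwork.
CATALOGUE = [f"img{n:03d}" for n in range(100)]
# Constructed server-side key; a real one would live in a KMS or HSM.
SERVER_KEY = b"constructed-server-side-key-not-a-real-secret"


def display_set(account: str, secret: frozenset, pool_size: int = 25,
                catalogue=CATALOGUE, key: bytes = SERVER_KEY) -> list:
    """Images shown at login for `account`: the user's secret images plus decoys.

    Decoy choice and the final order both come from a PRNG seeded with
    HMAC(key, account), so the screen is identical on every visit and a
    passive observer learns nothing new from seeing it again.
    """
    digest = hmac.new(key, account.encode(), hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(digest, "big"))
    others = [img for img in catalogue if img not in secret]
    screen = sorted(secret) + rng.sample(others, pool_size - len(secret))
    rng.shuffle(screen)   # secret images must not sit in fixed positions either
    return screen


def naive_display_set(secret: frozenset, pool_size: int = 25,
                      catalogue=CATALOGUE) -> list:
    """The flawed version: fresh random decoys on every visit."""
    others = [img for img in catalogue if img not in secret]
    screen = sorted(secret) + random.sample(others, pool_size - len(secret))
    random.shuffle(screen)
    return screen


def candidates_after(observations: list) -> set:
    """Audit helper: images a passive observer could still consider after seeing
    the listed screens. A fixed screen leaves the whole pool in play; a rotating
    one collapses toward the secret images, which appear in every screen."""
    remaining = set(observations[0])
    for screen in observations[1:]:
        remaining &= set(screen)
    return remaining


if __name__ == "__main__":
    secret = frozenset({"img003", "img017", "img042", "img071", "img099"})
    fixed = [display_set("alice", secret) for _ in range(10)]
    rotating = [naive_display_set(secret) for _ in range(10)]
    print("fixed decoys, candidates left after 10 logins:   ", len(candidates_after(fixed)))
    print("rotating decoys, candidates left after 10 logins:", len(candidates_after(rotating)))
```

The audit helper is the check a reviewer would run against a real implementation: if the candidate set shrinks across logins, the screen is leaking. Keying the seed with a server secret rather than the bare account name stops an outsider from computing a user's decoy set offline, and sorting the secret images before shuffling keeps the order stable across processes, where set iteration order is not.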
  • by crovira (10242) on Friday December 28, 2001 @10:19AM (#2758348) Homepage
    Passwords have never been more than a low level rung on the ladder of trust. If you want security, equip the ATM with a fingerprint pad and/or a camera and eye piece capable of taking retinal prints.

    The rest, as we can read, is just a bunch of jokes.
  • But I have done my work in the IT-support dept. and I think that many would agree that this system would be a lot better in many cases.
    I have seen too many times people doing all the "don't do's" like writing down the password and putting it on the desk, keyboard, monitor. and forcing them to change the password once in a while makes it even worse, like they use a name followed by a number and then they just increment the number when they have to change the password.
    The lack of a single signon [novell.com] often amplifies this problem.
    • Heh, I'm pretty apathetic with my password... When I have to change it, I change it to something like "1", and then immediately change it back to whatever it was. (Windows 2000, the way we have it set up, doesn't track older passwords, although, IIRC, you can make it...)
  • by Snowfox (34467) <snowfox@NoSPaM.snowfox.net> on Friday December 28, 2001 @10:23AM (#2758361) Homepage
    I'm not so sure how I feel about this...
    root@artschool-104:~ # which login
    /bin/login
    root@artschool-104:~ # du /bin/login
    363256 /bin/login
    root@artschool-1024~ #

    Not so sure at all.

  • Color blind (Score:5, Insightful)

    by Eimi Metamorphoumai (18738) on Friday December 28, 2001 @10:27AM (#2758377) Homepage
    Seems like you'd have to be really careful not to exclude the color blind. And the actually blind. Or just those with bad vision, or really poor visual memories.
    • not at all... you just make each image map to a keyboard character. You could even display the character in the corner of each image. That way, users could use either the keyboard or the images as they're comfortable with. Of course, it's just not enough images to map to all the possible keyboard combinations, but presumably keyboard-centric users aren't going to care that much about the pictures.

      If I want to use an underscore in my password I don't care that my password becomes Mona Lisa, Mona Lisa, Seurat's Lady Powdering, Dali's Eggs on a Plate Without a Plate, underscore, Van Gogh's Starry Night, Munch's The Scream.
    • Seems like you'd have to be really careful not to exclude the color blind. And the actually blind.

      And let's be very careful not to exclude the uncultured masses who can't tell the difference between an abstract Boyd and a minimalist Sultan.
    • img src=moose.jpg alt="Moose getting sucked into vortex"
  • ...if you leave info on your ex-roommate's computer and he loses his junk lawsuit against you and uses the info to steal all your accounts/nicks/webmailboxes/etc.

    What I find interesting is that most people have poor spatial reasoning and form recognition. In fact, tests of those two are used in IQ tests and the ASVAB (Armed Services Vocational Aptitude Battery) - specifically for military to gauge your ability to avoid friendly-fire incidents, recognize enemy movements/formations/activities.

    Since it's obviously not a picture-puzzle to be assembled, I think a lot of people would have a hard time remembering.
  • Since they intend to use this as an ATM machine security system, it's worth noting that since the beginning of ATM machines, generally three wrong PIN number entries in a row will cause it to eat your card. I suppose one could try a couple passwords, cancel the transaction and get the card back and repeat ad infinitum, but this seriously hampers the brute force effort.
  • Passphrase strength (Score:3, Interesting)

    by Kirruth (544020) on Friday December 28, 2001 @10:43AM (#2758428) Homepage
    The best article on passphrase strength I have seen is Randall Williams' document, Choosing a strong passphrase [stack.nl].

    This document contains a rough reckoner for calculating whether a passphrase is strong or weak. It makes the point that for a passphrase to be as strong as the encryption in PGP, it needs to be 30+ characters long! Remembering one or two paintings might not quite cut it.

    For most systems, you can safely use shorter passphrases if you are only permitted a limited number of attempts or have no access to the machine (like at a bank) or the passphrase is changed frequently, or if the phrase is truly random.

    Regardless, the strength of the passphrase is almost always the weakest link in any security system.

  • So where do I enter this password in my old, trustworthy 10" monochrome vt220 (or my PuTTY at work if your reaction to the former is "yuck! those should've died thousands of years ago").
  • Shoulder surfing (Score:4, Insightful)

    by Anixamander (448308) on Friday December 28, 2001 @10:48AM (#2758452) Journal
    It seems that a visual password would make it much easier for someone across the room to see and learn. One would have a hard time looking at my keyboard if they were behind me, but the whole reason any password login puts bullets on screen is so someone looking at the screen can't see it. Does this system use a mouse or is there some way to pick out the pictures using a keyboard with no on screen indicator? Of course, if that's the case, then this system may not be as idiot proof as they hope.
    • One way I've seen suggested is that although the choices appear on screen, you use the keypad to choose. (If you use a 3x3 grid of choices, it maps nicely to the numeric keypad.) Hopefully the screen does not indicate what you've chosen! These "visual password" systems seem to rely very heavily on a good implementation: a good one could be better than a text password system, and a bad one could be completely worthless.
      • Agreed, on-screen indication of your image choices would facilitate shoulder-surfing. Not Good.

        Compatibility with legacy ATMs. There's even more difficulties than just shoulder-surfing... what happens if your account uses a "visual password" and you find yourself at an "old-fashioned" ATM that requires a numeric PIN? Poof! So much for being able to access your account around the world! Unless, of course, you are also required to memorize a numeric PIN, which will likely be forgotten from disuse! Any additional security from the additional permutations offered by a "visual password" would be lost as a cracker could try and break the numeric PIN, instead.

        Physical possession of bank card not required. Further, with more and more banks offering on-line access, there is no longer a requirement that the physical card be present at the time of the transaction. Set up a shell account, use the on-line bill-pay feature to send some funds to it from the hijacked account, and the deal is done.

        Computing the number of passwords. Since I went through the work of figuring these for myself, I thought I might as well share it here to save others from the work. Also, there are other ways of viewing this which lead to a vastly larger number of choices, so I'll include those here, as well.

        Current practice #1. Many accounts require only a 4-digit PIN. Which offers the user a choice of any 4-digit number from "0000", "0001", "0002", ... "9999"; that works out to there being only 10,000 choices.

        Current practice #2. Some accounts permit an 8-digit PIN. Which offers the user a choice of any 8-digit number from "00000000", "00000001", "00000002", ... "99999999"; that works out to there being 100,000,000 choices.

        Original posting: 53,130 possible choices. That seemed much smaller than I would have thought. For those who are interested, here is how that number was reached.
        The calculation resulted from determining the number of combinations of 5 objects taken from a pool of 25 where order is not significant.
        First, the calculations which produced this value, and other possible computations which produce a much-larger number of choices.
        The original 53,130 can be worked out as follows:

        (25!) / ( (25 - 5)! * 5! )

        = 25! / (20! * 5!)

        = (25 * 24 * 23 * 22 * 21 * 20!) / (20! * 5!)

        = (25 * 24 * 23 * 22 * 21) / (5 * 4 * 3 * 2 * 1)

        = (25 * 24 * 23 * 22 * 21) / (5 * 24)

        = (5 * 23 * 22 * 21)

        = 53,130


        The original posting suggested it might be more like 6 million choices. If, we assume that the order IS significant, AND, no re-use of a choice is permitted, then we can come up with the "six-million" choices:

        25 * 24 * 23 * 22 * 21 = 6,375,600


        If re-use of a previously selected image is permitted, then we have ALL 25 visuals available for EACH of the 5 choices:

        25 * 25 * 25 * 25 * 25 = 9,765,625


        Summary. In short, there are at best on the order of 10 million choices using the visual password technique, and it would require a tremendous amount of change to the existing ATM infrastructure. Simply using an 8-digit PIN permits 100 million choices, and does NOT require any major changes to existing ATMs. In light of these calculations and costs to implement, I doubt we'll see this new technique implemented any time soon, if at all.
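The hand calculation above (combinations, then permutations, then choices with repetition, against 4- and 8-digit PINs) is easy to get wrong with a calculator, so as an added example, not code from the thread, here it is in Python using the standard library's comb and perm, with each count also expressed in bits so the schemes compare at a glance. It goes one step beyond the comment by also covering the unordered-with-repetition case, which the comment does not compute; the Berkeley scheme's actual rules are not known from the page, so all four variants are shown.

```python
# Added example: the password-space arithmetic from the comment above, as code.
# Only the comment's own parameters (5 of 25, 4- and 8-digit PINs) are used.

import math


def pictorial_space(pool: int, picks: int, ordered: bool, reuse: bool) -> int:
    """Number of distinct pictorial passwords of `picks` images from a pool of `pool`."""
    if reuse and ordered:
        return pool ** picks                      # 25^5: every slot has all 25 choices
    if reuse and not ordered:
        # Multisets of size `picks` from `pool` items: C(pool + picks - 1, picks).
        # Not computed in the comment; included as the fourth variant.
        return math.comb(pool + picks - 1, picks)
    if ordered:
        return math.perm(pool, picks)             # 25 * 24 * 23 * 22 * 21
    return math.comb(pool, picks)                 # 25! / (20! * 5!)


def pin_space(digits: int) -> int:
    """Number of distinct numeric PINs of the given length."""
    return 10 ** digits


def bits(n: int) -> float:
    """Entropy in bits of a uniformly chosen secret from a space of size n."""
    return math.log2(n)


def summary() -> dict:
    """The comment's figures, keyed by scheme."""
    return {
        "5 of 25, unordered":             pictorial_space(25, 5, ordered=False, reuse=False),
        "5 of 25, ordered":               pictorial_space(25, 5, ordered=True, reuse=False),
        "5 of 25, ordered, reuse":        pictorial_space(25, 5, ordered=True, reuse=True),
        "5 of 25, unordered, reuse":      pictorial_space(25, 5, ordered=False, reuse=True),
        "4-digit PIN":                    pin_space(4),
        "8-digit PIN":                    pin_space(8),
    }


if __name__ == "__main__":
    for name, n in summary().items():
        print(f"{name:30s} {n:>12,d}  ({bits(n):5.1f} bits)")
```

The bit column makes the comment's conclusion concrete: the unordered pictorial scheme sits at about 15.7 bits, ordered at about 22.6, and ordered-with-reuse at about 23.2, all between a 4-digit PIN (13.3 bits) and an 8-digit PIN (26.6 bits). Whether any of these is adequate depends entirely on the attempt limiting discussed elsewhere in the thread, since none of them survives an unthrottled offline search.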

  • DoD guidelines (Score:2, Informative)

    by Roast Beef (2298)
    The second article [nytimes.com] mentions the Department of Defense guidelines for passwords. They're an interesting read. [ncsc.mil]
  • PINs (Score:2, Insightful)

    by saint10 (248611)
    However, there is a problem with it that I see: 5 images from a set of 25 means 53,130 potential combinations. This would be much easier to crack by brute force than a standard alphanumeric password with its billions of possibilities and millions of likely choices

    What they don't mention is that pictorial passwords are intended to be used in an ATM environment, rather than on a LAN. The PIN for your ATM is only 4 numerics long, not even alpha-numeric. A brute forcer can do 2 million/sec on an 800 MHz PC; it would brute the entire key space in a millisecond in ATMs.

    The reason why PINs are only 4 digits is the other compensating controls you have in the banking environment.

    1) There is an extremely limited interface to the ATM (just keypad and a few multi-use keys).

    2) The physical security of an ATM, these suckers are actually safes that are resistant to bomb blasts, rednecks trying to tow them away with their 1/2 ton chevys, etc.

    3) The PINs are stored on a crypto device, not physically at the ATM, that destroys itself if it is pried open.

    So, this would be good for banking applications, but not good on your LAN... for obvious reasons.
  • apparent problems (Score:4, Interesting)

    by mrsbrisby (60242) on Friday December 28, 2001 @11:02AM (#2758501) Homepage
    one of the problems that many people have with "strong passwords" is *NOT* their lack of a strong kinesthetic memory- I can ``remember'' any password simply by typing it: sound familiar?

    Problem is that this has NOTHING AT ALL to do with how you actually pull out that memory. I mean, having this strong kinesthetics allows you to keep that password in your head, but it does nothing for pulling it out (unless you ALWAYS use the same password... more on this later)

    What triggers that memory really has to be one of four things: a sound, an image, a phrase (written), or a touch. That's not true, at least with me (functional keyed-retrieval) but most people at least fall into those four.

    This is a cue that your mind uses to pull out those memories at the appropriate moment. The feedback starts and you can whip out your password completely automatically, right?

    Some "realistic solutions" to these problems include: BIOMETRICS - which don't require ANY memory, SINGLE LOGIN - which limit the number of cues needed, ASYMMETRIC-KEY - which relies on math, etc, etc.

    I say "realistic" because people have used them and they DO work. They don't affect that memory pathway in and of itself, but instead rely on more durable pathways (e.g. outside of the person :)

    Unrealistic methods? Pictorial passwords. Besides the obvious that they're useless to the blind, many (dare I say most? nah, I couldn't find those numbers) people lack a visual eidetic. This means that they're very easy to confuse with similar images - because they cannot be used as triggers for their memory- They simply cannot remember seeing that.

    Surely, they can remember the memory of seeing, or the act, maybe if they described it to themselves (common: turning a visual cue into an audio one, but this is time consuming and rarely works for long) - point being, it pushes WAY too much emphasis on only one cue.

    With our current method, I gain some visual cues; input fields on the left, on the right, a popup, etc. I also gain some functional cues (mail related? do I know these people? am I these people? was this just a test?)

    I then turn all these cues into the blinding flash of realization that sends my fingertips into a frenzy typing out the appropriate login and password for wherever I'm at. (except on slashdot, i'm a wuss... i use cookies :D)

    My cues may not be the same as everyone else's, but everyone does have cues. I think that changing the focus of WHAT we remember is less important than changing the cues by which we DO remember.

    (There, I think that makes more sense now)
  • neat, but... (Score:5, Informative)

    by kevin lyda (4803) on Friday December 28, 2001 @11:22AM (#2758579) Homepage
    it's not new. i remember using an apple newton that had a picture based password option.
  • I once read about a hack which consisted of analyzing the "typing rhythm" of a user: this way, the system could determine whether the user was who he claimed to be by analyzing the time he took to enter his passwd characters, as well as the period of inactivity between pressures on each of the keyboard keys.

    Of course applying it may require some learning session from the software...

    I however think it is high time we got pressure-sensitive keyboards so that we may finally derive such an idea into some kind of computer-graphology (BTW these keyboards would be great for musicians as well as hard core gamers who need enhanced versatility while fragging around).

    Until then, I presume it would still be possible to use the mouse to write the password instead of typing it.

    An advantage of either concept is that the annoying 3 second waiting time we have after a wrong passwd entry could be avoided if the login daemon detects that the attempt is too long to be part of a brute force/dictionary attack.
  • by passion (84900) on Friday December 28, 2001 @11:44AM (#2758759)

    Interestingly enough, this is something that I tried hacking out a few years ago (though not under the pleasure of being funded by an academic institution).

    I found that people like to click on distinct places, and not the whitespace between shapes/objects. Otherwise, they won't be able to remember exactly which spot they clicked on. This can be analogous to people using dictionary words for their alphanumeric passwords.

    Another annoyance that I found was that hitting the exact pixel that you wanted was nearly impossible. You're more likely to hit one adjacent, or 2 away... so increasing the area of error reduces the number of possibilities.

    Finally, when I want to get work done, I don't want to play a video game. Making someone hit their exact spot in a sequence of 5, or 10 images, whatever requires skill and accuracy. If you hit the first 9 right, and mess up by one pixel on the last, you have to start all over again. Imagine if you had to achieve a difficult feat - like slaying 20 characters in Quake on nightmare mode before you can log in... damn.

    In summary, I think this is a really cool idea (otherwise, I wouldn't have gone to the trouble of implementing it myself) - but the downsides outweigh the benefits.

  • by Syberghost (10557) <.syberghost. .at. .syberghost.com.> on Friday December 28, 2001 @11:47AM (#2758785) Homepage
    This just won't work for most applications.

    Oh, maybe for an ATM, where it's more secure than a four-digit PIN, it'd be secure enough, but it's still unworkable.

    Most ATMs use very low-res displays; in fact, many are text-only displays. (I believe a large number of them are actual Hercules monochrome cards, with the ATM running OS/2, for instance.)

    If you use a touch-screen, it'll become impossible to hide what you're typing, so you pretty much have to stick numbers up there and have people type the number of the correct picture. You'll have to swap the pictures around if you want to prevent people from just writing the numbers down, so you'll end up with it being harder to remember because the pictures are all on screen at once and in a different place every time.

    In the end, you'll have to keep the number of pictures low, and the length of the password low, or people won't be able to remember. Hell, people forget their 4-digit PINs now.

    At least with a PIN you can disguise it when writing it down; put it in your address book as Uncle Luigi, with the last four digits of his bullshit phone number being your PIN. What are you gonna do if you need a reminder for this, take a Polaroid of the screen and put it in your wallet?

    I'm sure there are applications where this technology will work, but I don't think ATMs are it, and I'm REALLY skeptical about using it for locking PCs.

    Biometrics are the future of easy-to-remember identification.
    • by jasonbw (326067)
      I completely missed the over-the-shoulder lack of security issue, so good point. But the best reason this is a bad idea is the reason people use ATMs in the first place.

      No, not because banks keep difficult hours...
      okay, fine, that's ANOTHER reason.

      Quickness of transaction. Provided it's available, I can step up, tap in my 4 digit code in less than what? less than 2 seconds? and get money in less than a minute.

      Now, instead of 10 different buttons you're essentially offering people 25? and you even want to mix them around so you have to hunt for the right button (you could use some type of GUI for picture display and a touch screen, but that wouldn't speed it up any, especially if you mix the order).

      This just seems like another attempt to force people into a hardware upgrade in order to run some bloated software. Is M$ involved?

  • I can't see the point in using this for ATMs. Those things are never brute-forced, it's much simpler to just have a guy stand behind and watch you type. Assuming you still have to press some button to select the pictures, he can still watch. The best security improvement would be a cover over the keypad, or putting the ATM itself inside a one-person sized cubicle.

    Of course other systems are subject to brute force attacks on weak passwords... so this may be more appropriate there. I can just see it in Windows 2004 - "Press ctrl-alt-del and pick the right 3 cats". Hmmm... business use??
  • The biggest security problem is people are vulnerable to social engineering. It is too easy to get someone to share alphanumeric passwords; pictures would make it much harder for people to share passwords. However it seems a little late for this to take off, as biometrics are coming down in price, and will mostly eliminate the problem.
  • by bodin (2097) on Friday December 28, 2001 @11:59AM (#2758879) Homepage
    for the project itself

    http://www.sims.berkeley.edu/~rachna/dejavu/ [berkeley.edu]

    Which always seems to be missing.
  • by lee1 (219161)

    can be found in one of the researchers' papers [berkeley.edu], where it can be seen that the poster, editor, and many of the commentators here make incorrect assumptions. The user of the system must simply recognize which subset of images from a presented set belong to a previously chosen portfolio. The number of images in the portfolio is larger than the number of portfolio images in the presented set; this makes shoulder surfing ineffective unless it is done repeatedly. Also, identification of the portfolio images can be done by pressing keys, and can be hidden just as are conventional passwords. Each image is equivalent to an eight-byte number, but from this large set they have hand-selected 10,000 images for the current implementation, still leading to a very large number of possible passwords.

    The weakest part of the system is what I would have thought was the obvious one: quoting from the paper,

    In general, a weakness of this system is that the server needs to store the seeds of the portfolio images of each user in cleartext. Tricks similar to the hashed passwords in the /etc/passwd file do not work in this case, because the server needs to present the portfolio to the user, hidden within the decoy images. For this reason, we assume the server to be secure and trusted
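    The scheme lee1 describes, modelled as an added illustration that is not the paper's or the project's code: the server keeps portfolio seeds in cleartext because every challenge must re-render the user's own images among fresh decoys, and the user wins by recognizing the subset on screen. Portfolio size, images shown per challenge, and the hash standing in for the random-art renderer are all assumptions of this example; the last function also gives the online-guessing odds the earlier keyspace comments argue about.

```python
import hashlib
import random
from math import comb

# Constructed parameters (assumptions, not taken from the paper): the user
# enrolls PORTFOLIO images; each challenge shows SHOWN of them among
# CHALLENGE_SIZE images in total, the rest being freshly generated decoys.
PORTFOLIO = 7
SHOWN = 5
CHALLENGE_SIZE = 25


def render(seed: bytes) -> bytes:
    """Stand-in for the random-art renderer: an image is a deterministic
    function of its seed, which a hash models well enough here."""
    return hashlib.sha256(b"render:" + seed).digest()


def enroll(seeds):
    """Server-side record. The seeds stay in cleartext: a later challenge has
    to re-render this user's images, which a one-way hash of the seed could
    not do. That is exactly the weakness the paper itself points out."""
    assert len(seeds) == PORTFOLIO
    return {"seeds": list(seeds)}


def make_challenge(record, seed):
    """Build one login screen: SHOWN portfolio images plus decoys, shuffled.
    `seed` makes the screen reproducible for testing; a real server would
    draw fresh randomness every time."""
    rng = random.Random(seed)
    shown = rng.sample(record["seeds"], SHOWN)
    decoys = [rng.getrandbits(64).to_bytes(8, "big")
              for _ in range(CHALLENGE_SIZE - SHOWN)]
    images = [render(s) for s in shown + decoys]
    rng.shuffle(images)
    return images


def portfolio_positions(record, images):
    """What a legitimate user does: recognize their own images on screen.
    (Here the client knows the seeds; a human just remembers the pictures.)"""
    mine = {render(s) for s in record["seeds"]}
    return [i for i, img in enumerate(images) if img in mine]


def verify(record, images, selected):
    """Accept only if the user picked exactly the portfolio images shown."""
    mine = {render(s) for s in record["seeds"]}
    on_screen = {img for img in images if img in mine}
    picked = {images[i] for i in selected}
    return len(picked) == len(selected) and picked == on_screen


def online_guess_probability(guesses, n=CHALLENGE_SIZE, k=SHOWN):
    """Chance a guesser with no knowledge succeeds within `guesses` attempts,
    each attempt being one k-of-n selection; lockout bounds `guesses`."""
    return min(1.0, guesses / comb(n, k))
```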
  • I thought of two problems with this system; maybe a more comprehensive article would answer these questions.
    Anyway, since humans are very good at remembering visual information, wouldn't it be fairly easy to watch someone log in a few times and see which images are the same?
    Also, I see another problem: if someone was watching you, they can determine what images you select. This would happen because of the speed at which you would select the images. Since the images are most likely randomly placed, you can't remember the position of the items, so you have to process the complete set of images and then select the proper images. Then if someone is looking at you, they can see the keys you press, and associate it with the image.
    Compare that to textual passwords. You know your password isn't going to change, and even if you type at 20 wpm, it would only take 1 or 2 seconds to type the password. And I think it is much harder to look at your fingers and determine which keys you hit at which time.
  • I've been thinking for some time that pictorial cues would make for better error messages than the current situation. Anyone who has spent time doing customer support has had a conversation something like this: "it's broken" "did it give any error message?" "yeah, something about error or something" "please put your head in the blender"

    Has anyone done any research into pictorial errors? I think the average end-user might actually remember 'blue puppy with a banana'. You don't need too many symbols before you can encode a fair number of error messages especially if you include a small number of colour variations, and the sort of thing used currently by people like MS is meaningless to everyone but the programmer anyway (long hex codes). Once you've accepted that the user is not in a position to fix the problem themselves, then the challenge becomes one of conveying the information to the support person without corruption or loss of detail.

    Obviously, having software that doesn't produce errors or allow the user into 'error' situations would be better still, but that seems to be too hard.
    • There is the neatest thing going on out there right - apparently a bunch of scientists have developed a vast array of interconnected networks. Apparently this has been named the "Internet".

      Seriously, software should automatically prompt you to send an error report to the vendor via electronic (email, fax, phone, internet, something) means. That way you can get all relevant details without resorting to making users tell you about the green monkey with a red hat.
  • If so there are some six million combinations, still weaker than a optimum password but probably stronger than the passwords most people choose (usually their significant other's name).

    I wish. A couple of years ago, I worked as a sysadmin for a large government institution (which will remain unnamed) where I determined that 89% of all passwords could be compromised in three tries by using

    1. the username
    2. "password"
    3. "secret"
    Given a fourth try, you could nail half of the remainder with "pass".

    And yes, I tried to get this changed, but end-user recalcitrance trumped common-sense. Until we have standardized biometric validation over secure channels, I don't think it's going to get any better.

  • Password Overload (Score:2, Insightful)

    by johnalex (147270)
    I'm not certain these techniques address the major problem most of us face: assuring unique identities on the systems with which we interact.

    Most /.'ers can probably empathize with me. I have a (password-protected, of course) password app on my Handspring Visor. I have nearly 30 passwords and user ID's in this app, including my /. ID and password and NYT ID and password. This does not include the systems with which I interact on a daily basis. Add those ID's and passwords, and I probably have nearly 40 identities to remember.

    Granted, the normal user doesn't have our problem. However, the normal user also has little inclination to merely accept this predicament. While I think nothing of whipping out my Visor for a password, most people lack the sense of urgency we feel to ensure system security. Nor do they have the patience to commit 30+ identities and passwords to memory.

    Maybe we've run into the "Aunt Minnie" problem. Aunt Minnie knows who she is, she wants to be her everywhere, and she has no desire to create a unique identity on every system she sees. So we shouldn't be surprised to see Aunt Minnie use her AOL ID and password for Web sites and such.
  • ..about a year ago. I've become infatuated with PHP over the past few months, and as a personal project I created a web based authentication system that required the user to click on certain images in order to enter a restricted area. The only snag was that there was no obvious "enter your password" page. When you hit the site, it looked like your average web page with standardish looking graphics. The user had to click on certain images on the main page (in a certain order) and they would be led to the private zone. Think of it as logging into /. by clicking on the graphics already supplied on the homepage.

    The only flaw we found was that mouse clicks can be monitored remotely all too easily. Not necessarily through a network connection, but just by looking over someone's shoulder, even if you're some distance away. It was like typing in a password, but the stars don't come up to mask your characters.

    Eventually it all seemed nifty, but not very useful. We have since started looking into biometrics, particularly fingerprint ID systems [eyenetwatch.com]. Their cost is coming down quickly and they integrate well into Win2K. I'm now looking into how to get these things to work well with my Linux boxen.
  • I have 4 foreign license plates hanging on the wall right behind the monitor (well, foreign to me, they're US plates). Most people think of it as a nifty wall decoration, but little do they know. They hold the keys to my online identity. All of my passwords consist of a plate number, a combined plate number, the number backwards, etc. And most sites allow you to enter your own forgot-my-pass question. For me this is usually (Illinois+Washington), so I know exactly what my password is. And they're not special plates with dictionary words but alphanumerical ones. Unfortunately my fav is a little too obvious - it's from the State of Washington and reads "31337".
  • Logging into my account at Playboy.com, now let's see if I can remember....

    "Blonde frontal, Redhead reclining, Brunette upper body... oooohh, look at the zoomies on that new asian chick in the lower right corner, will ya?"

    "# Password rejected: try again".
