Pictorial Passwords
Stone Rhino writes: "No longer do you need to remember passwords. Now, thanks to graduate students at Berkeley you merely need to pick out the right pieces of abstract art. There is a story on it at the New York Times. However, there is a problem with it that I see: 5 images from a set of 25 means 53,130 potential combinations. This would be much easier to crack by brute force than a standard alphanumeric password with its billions of possibilities and millions of likely choices." Maybe you have to get the sequence of images correct? If so, there are some six million combinations, still weaker than an optimum password but probably stronger than the passwords most people choose (usually their significant other's name). There's another article on passwords in that same NYT edition.
Re:login required (Score:2, Informative)
The Link [nytimes.com]
er, and if that doesn't, simply take the linked URL in the story and replace www.nytimes.com with archive.nytimes.com
A film that shows drawing passwords instead of typing (Score:2, Informative)
There's an interesting way to draw passwords.
If it can't KNOW who I am, it's still spoof-able (Score:5, Informative)
The rest, as we can read, is just a bunch of jokes.
Re:Jeebus! (Score:5, Informative)
"All Your Base Are Belong To Us!"
becomes
"aybab2u!"
Another useful password naming procedure is the use of 'l33t speak' inside passwords... especially long ones. On systems that support passphrases or long passwords instead of 8 char strings, this makes creating and remembering passwords quite a bit easier.
"My Password Rocks" is probably not so good, but
"MyP455w0rdR0X0r5" is a 16 character password with 7 numbers, upper and lower case characters, and no long strings of plain English text to get chewed up in a dictionary attack.
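The comment above rests on the idea that 'l33t speak' hides dictionary words from a dictionary attack. A password-policy checker can test that claim directly by reversing the common substitutions before matching, which is how strength estimators such as zxcvbn treat leet spellings. The following is an added example, not code from the comment's author or from any product; the substitution table, the tiny `WORDLIST`, and the `policy_check` thresholds are constructed for illustration.

```python
from itertools import product

# Common substitutions a password filter should reverse before dictionary matching.
# Multi-valued entries ("1" may stand for "i" or "l") are expanded into every combination.
# Constructed table; a real checker would carry a fuller one.
LEET_MAP = {
    "4": ["a"], "@": ["a"], "3": ["e"], "1": ["i", "l"], "!": ["i"],
    "0": ["o"], "5": ["s"], "$": ["s"], "7": ["t"], "+": ["t"], "|": ["l"],
}

# Constructed mini wordlist standing in for a real dictionary.
WORDLIST = {"my", "password", "rock", "rocks", "rox", "base", "belong"}


def de_leet_variants(pw, limit=64):
    """Plain-letter spellings the password could stand for once substitutions are undone."""
    options = [LEET_MAP.get(ch, [ch]) for ch in pw.lower()]
    variants = []
    for combo in product(*options):
        variants.append("".join(combo))
        if len(variants) >= limit:  # cap the expansion for inputs with many ambiguous chars
            break
    return variants


def dictionary_coverage(pw, wordlist=WORDLIST, min_len=2):
    """Fraction of the de-leeted password covered by dictionary words, and the words found.

    Greedy longest-match scan over each variant; the variant with the highest coverage wins.
    """
    best = (0.0, [])
    for v in de_leet_variants(pw):
        covered, found, i = 0, [], 0
        while i < len(v):
            match = None
            for j in range(len(v), i + min_len - 1, -1):  # longest candidate first
                if v[i:j] in wordlist:
                    match = v[i:j]
                    break
            if match:
                found.append(match)
                covered += len(match)
                i += len(match)
            else:
                i += 1
        frac = covered / len(v) if v else 0.0
        if frac > best[0]:
            best = (frac, found)
    return best


def policy_check(pw, min_length=12, max_coverage=0.5):
    """Constructed policy: long enough, and not mostly dictionary words in disguise."""
    frac, _ = dictionary_coverage(pw)
    return len(pw) >= min_length and frac <= max_coverage


if __name__ == "__main__":
    for candidate in ("MyPasswordRocks", "MyP455w0rdR0X0r5", "aybab2u"):
        frac, words = dictionary_coverage(candidate)
        print(f"{candidate!r}: {frac:.0%} dictionary after de-leeting {words}; "
              f"policy ok={policy_check(candidate)}")
```

Run against the comment's own example, "MyP455w0rdR0X0r5" de-leets to "mypasswordroxors", of which "my", "password" and "rox" account for 13 of 16 characters; the substitutions change the character classes but not the underlying words, which is why a cracker's mangling rules recover them cheaply. The acronym-style "aybab2u" matches nothing in the list, but at 7 characters it fails the length bound instead.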
DoD guidelines (Score:2, Informative)
neat, but... (Score:5, Informative)
And here is the interesting URL (Score:5, Informative)
http://www.sims.berkeley.edu/~rachna/dejavu/ [berkeley.edu]
Which always seems to be missing.
Implementation details (Score:2, Informative)
can be found in one of the researchers' papers [berkeley.edu], where it can be seen that the poster, editor, and many of the commentators here make incorrect assumptions. The user of the system must simply recognize which subset of images from a presented set belong to a previously chosen portfolio. The number of images in the portfolio is larger than the number of portfolio images in the presented set; this makes shoulder surfing ineffective unless it is done repeatedly. Also, identification of the portfolio images can be done by pressing keys, and can be hidden just as are conventional passwords. Each image is equivalent to an eight-byte number, but from this large set they have hand-selected 10,000 images for the current implementation, still leading to a very large number of possible passwords.
The weakest part of the system is what I would have thought was the obvious one: quoting from the paper,
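The mechanism described in the comment above (recognise which images on the screen belong to a previously chosen portfolio, with the screen showing only some of the portfolio) can be modelled in a few dozen lines, and the model also reproduces both guess counts argued over in the story. This is an added example, not code from the Berkeley researchers or from the paper: the seed strings, the `image_id` hash, the 5/25/3 parameters and the lockout figure are constructed stand-ins, and the server-side check is written the way a defender would write it (compare a canonical string in constant time, accept only the exact set).

```python
import hashlib
import hmac
import random
from math import comb, perm

# Constructed inventory: the comment above says each image is derived from an
# eight-byte number and that the deployed set was hand-picked down to 10,000 images.
# These seed strings are a hypothetical stand-in for those rendered pictures.
IMAGE_SEEDS = [f"img-{i:05d}" for i in range(10_000)]


def image_id(seed):
    """Hypothetical stable identifier for an image; the server stores ids, never pictures."""
    return hashlib.sha256(seed.encode()).hexdigest()[:16]


ALL_IDS = [image_id(s) for s in IMAGE_SEEDS]


def enroll(portfolio_size=5, rng=None):
    """Enrolment: the user ends up with a portfolio of image ids they can recognise."""
    rng = rng or random.SystemRandom()
    return frozenset(rng.sample(ALL_IDS, portfolio_size))


def make_challenge(portfolio, presented=25, from_portfolio=3, rng=None):
    """Login screen: `from_portfolio` portfolio images hidden among decoys, shuffled.

    Showing only a subset of the portfolio per screen is what the comment above credits
    with making a single shoulder-surfing observation insufficient.
    """
    rng = rng or random.SystemRandom()
    if from_portfolio > len(portfolio) or presented < from_portfolio:
        raise ValueError("challenge parameters inconsistent with portfolio")
    shown = rng.sample(sorted(portfolio), from_portfolio)
    decoys = rng.sample([i for i in ALL_IDS if i not in portfolio], presented - from_portfolio)
    screen = shown + decoys
    rng.shuffle(screen)
    return screen


def verify(portfolio, screen, selection):
    """Accept only if the selection is exactly the portfolio images on this screen.

    Canonical strings are compared with hmac.compare_digest so response timing does not
    reveal how many of the picks were right.
    """
    expected = ",".join(sorted(i for i in screen if i in portfolio))
    got = ",".join(sorted(set(selection)))
    return hmac.compare_digest(expected.encode(), got.encode())


def guesses_per_challenge(presented, from_portfolio, ordered=False):
    """Guess space for one screen: C(n,k) if only the set matters, P(n,k) if order is checked.

    With n=25, k=5 these are the 53,130 and ~6.4 million figures from the story.
    """
    return perm(presented, from_portfolio) if ordered else comb(presented, from_portfolio)


def blind_guess_success_rate(presented, from_portfolio, attempts=3):
    """Probability that someone without the portfolio passes within `attempts` tries,
    each on a fresh screen, before a (constructed) lockout after `attempts` failures."""
    n = guesses_per_challenge(presented, from_portfolio)
    return 1 - (1 - 1 / n) ** attempts


def run_demo(seed=1):
    """One enrolment and login round; seeded only so the demo is reproducible."""
    rng = random.Random(seed)
    portfolio = enroll(5, rng)
    screen = make_challenge(portfolio, 25, 3, rng)
    right = [i for i in screen if i in portfolio]
    wrong = [i for i in screen if i not in portfolio][:3]
    return {
        "screen_size": len(screen),
        "portfolio_on_screen": len(right),
        "accepts_right": verify(portfolio, screen, right),
        "rejects_wrong": not verify(portfolio, screen, wrong),
        "rejects_partial": not verify(portfolio, screen, right[:2]),
        "guess_space": guesses_per_challenge(25, 3),
    }


if __name__ == "__main__":
    print(run_demo())
    print("story's two counts:", guesses_per_challenge(25, 5), guesses_per_challenge(25, 5, ordered=True))
    print("blind success within 3 tries at 25/3:", blind_guess_success_rate(25, 3))
```

The point the model makes is that the guess space per screen (C(25,3) = 2,300 under these constructed parameters) is what an online attacker faces, and a lockout after a handful of failures bounds their success to a fraction of a percent; the 10,000-image pool only becomes the relevant number for someone who can take the portfolio offline, which the recognition-only design is meant to prevent.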
Re:ATMs (Score:3, Informative)
One way involves thieves putting up their own ATM machine in a mall or some such, and simply waiting for people to use it. After they enter their PIN, it eats their card. In another method, the thieves place tape in the ATM card slot ("looping") and videotape anyone using the ATM. When the victim leaves, they retrieve the card, which the tape prevented from coming out of the ATM machine.
A variation of the fake ATM machine method returns the card, but records the card info, and the thieves program another card with that info, which is equivalent to having the physical card in their possession.
The point being that switching from a PIN to any kind of longer password entered by the customer doesn't hinder these attacks in the slightest.