Security

Pictorial Passwords

Stone Rhino writes: "No longer do you need to remember passwords. Now, thanks to graduate students at Berkeley you merely need to pick out the right pieces of abstract art. There is a story on it at the New York Times. However, there is a problem with it that I see: 5 images from a set of 25 means 53,130 potential combinations. This would be much easier to crack by brute force than a standard alphanumeric password with its billions of possibilities and millions of likely choices." Maybe you have to get the sequence of images correct? If so there are some six million combinations, still weaker than an optimum password but probably stronger than the passwords most people choose (usually their significant other's name). There's another article on passwords in that same NYT edition.
  • ATMs (Score:5, Insightful)

    by davidesh ( 316537 ) on Friday December 28, 2001 @09:52AM (#2758250)
    Looks like they are planning on using it for ATM machines, which only have 4-digit numbers... seems like a better idea to me.
  • Jeebus! (Score:5, Insightful)

    by mrfiddlehead ( 129279 ) <mrfiddlehead&yahoo,co,uk> on Friday December 28, 2001 @10:04AM (#2758294) Homepage
    Why is this still an issue? Pick a phrase, stick a couple of numbers in it, perhaps a 'special character' or two and go.

    "Galadriel is one icy babe but Jackson got it right"

    Password: gi1ibbJgir

    And I'm sure this approach is nothing new to most /.'ers. And the cool thing is that just a couple of words from the password, say Galadriel and babe, is enough to bring the bloody password back long after one's finished with it.

    Feh!

  • Remembering passwords can be tough, granted, but I don't think pictures are the answer either. If you only had one or two "passwords" (Picwords? Passpics?) to worry about, but more than that, you'll just start to confuse pictures from one set to another.

    Also, what about the disabled? It would seem like a no-brainer to offer the vision-impaired an alternative, text-based password, but if you're rolling this out large scale (like ATMs or something), you might be looking at a number in the thousands of customers who can't use your picture-password system. Major admin headaches.
  • HW Requirements (Score:1, Insightful)

    by Anonymous Coward on Friday December 28, 2001 @10:08AM (#2758314)
    ...will become more demanding. There are lots of terminals around that are not capable of displaying graphics.
  • by RFC959 ( 121594 ) on Friday December 28, 2001 @10:09AM (#2758319) Journal
    RealUser [realuser.com] has done almost exactly the same thing, except using faces, not abstract designs. It's worth checking out their site, since they seem to have thought it through reasonably well. (Read the whitepapers; they have the real meat...) One of the interesting things about these systems is that since you can't describe your password, the correct choices have to be displayed on screen along with some invalid choices, which opens up the system to some attacks unless you construct it very carefully.
  • by Brento ( 26177 ) <brento.brentozar@com> on Friday December 28, 2001 @10:13AM (#2758330) Homepage
    I've found that most of the people I know tend to use the same password or pin for everything they have - their e-mail password is the same as their AOL password is the same as their bank PIN and so on.

    Using pictures would make this all but impossible, since every provider would (or at least, SHOULD) be using their own set of pictures.

    While that's all good for security, I can't believe that it would make remembering your password any easier. Since the story is touting that as the chief benefit, I think they're going to have a really hard sell.
  • Do the math... (Score:2, Insightful)

    by Draxinusom ( 82930 ) on Friday December 28, 2001 @10:18AM (#2758344)
    A cursory reading of the article suggests that passwords aren't limited to permutations of 25 elements; 25 is just the number of images against which you have to verify. It's like being shown a list of 128 binary numbers and asked to choose the one that's yours; the numbers themselves can be more than 7 digits long. Of course, that still means that some mechanism is necessary to prevent brute-forcing, but that's a relatively trivial problem (especially in contexts like ATMs, where they already do that).
  • by TrollMan 5000 ( 454685 ) on Friday December 28, 2001 @10:21AM (#2758357)
    Ummm...I'm a lousy artist and probably couldn't accurately duplicate the drawing.

    And "being close" and getting through only defeats the purpose of a password in the first place.
  • by Anonymous Coward on Friday December 28, 2001 @10:23AM (#2758360)
    OK, they've done a little feasibility study and it's interesting, but what about the details:

    1) How do you mail a customer his PIN number/password? How does tech support tell a user that's locked out of his account that his password has been changed to squiggly line with blue background, orange ball, pink hearts, green clovers, yellow moons, etc.?

    2) What will the blind do?

    3) What about all the terminals in the world (ATM and otherwise) that aren't in color or don't support the needed graphics resolution?

    4) How about a more comprehensive study to see if users tend to select the same images? Doesn't do much good to have 25 images if 70% of the population ends up picking the same 5 images every time. If users keep selecting common passwords, how do we know that they won't select common picture combinations?
  • Color blind (Score:5, Insightful)

    by Eimi Metamorphoumai ( 18738 ) on Friday December 28, 2001 @10:27AM (#2758377) Homepage
    Seems like you'd have to be really careful not to exclude the color blind. And the actually blind. Or just those with bad vision, or really poor visual memories.
  • Re:implications.. (Score:4, Insightful)

    by arkanes ( 521690 ) <arkanes@NoSPam.gmail.com> on Friday December 28, 2001 @10:30AM (#2758385) Homepage
    It's the great paradox of network security. You can force users to change them every 2 weeks, disallow "easy" passwords by forcing certain characters, mixture of numbers/characters/symbols, not allowing words in dictionary, etc, but the more you do that, the more likely your users are to just stick the password on the monitor with a post-it.
  • by arkanes ( 521690 ) <arkanes@NoSPam.gmail.com> on Friday December 28, 2001 @10:35AM (#2758401) Homepage
    Well, for the web sites with faces, I imagine it'd be trivial to use a script to hit the login screen (but not attempt a login!) a couple hundred times, and then see which faces recur. I can think of ways around this, but the basic flaw is always there - you're showing the correct answer every time you ask for a login.
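The weakness arkanes describes above (the secret images are the only ones guaranteed to recur across login screens) and the usual mitigation (fix the decoy set per user at enrolment so all 25 images recur equally) can both be shown in a few lines. The following is an added example written for this discussion, not code from the poster or from any of the products mentioned; the image pool, secret and grid sizes are constructed values, and `make_fixed_decoys` is a hypothetical enrolment helper:

```python
import random
from collections import Counter

IMAGE_POOL = list(range(100))   # constructed: 100 images in the pool, identified by index
CHALLENGE_SIZE = 25             # images shown on one login screen (the 25-image grid from the article)
SECRET_SIZE = 5                 # images the user must pick

def naive_challenge(secret, rng):
    """Weak scheme: the secret images always appear, the decoys are drawn fresh each time."""
    pool = [i for i in IMAGE_POOL if i not in secret]
    grid = list(secret) + rng.sample(pool, CHALLENGE_SIZE - len(secret))
    rng.shuffle(grid)
    return grid

def make_fixed_decoys(secret, rng):
    """Hypothetical enrolment step: choose a per-user decoy set once and store it with the secret."""
    pool = [i for i in IMAGE_POOL if i not in secret]
    return rng.sample(pool, CHALLENGE_SIZE - len(secret))

def hardened_challenge(secret, fixed_decoys, rng):
    """Hardened scheme: the same 25 images every time, only their positions change."""
    grid = list(secret) + list(fixed_decoys)
    rng.shuffle(grid)
    return grid

def recurrence_counts(challenge_fn, rounds):
    """Count how often each image shows up over many login screens (what a sampling script would see)."""
    counts = Counter()
    for _ in range(rounds):
        counts.update(challenge_fn())
    return counts

def images_seen_every_time(counts, rounds):
    """Images present on 100% of sampled screens: the set a frequency count singles out."""
    return sorted(i for i, c in counts.items() if c == rounds)

if __name__ == "__main__":
    secret = [3, 17, 42, 58, 91]
    rng = random.Random(1)
    naive = recurrence_counts(lambda: naive_challenge(secret, rng), 200)
    print("naive scheme, always present:", images_seen_every_time(naive, 200))
    decoys = make_fixed_decoys(secret, random.Random(2))
    hard = recurrence_counts(lambda: hardened_challenge(secret, decoys, rng), 200)
    print("hardened scheme, always present:", len(images_seen_every_time(hard, 200)), "images")
```

With fresh decoys the five secret images are the only ones present on every screen; with a fixed per-user decoy set all 25 images are, so counting recurrences tells an observer nothing. Storing the decoy set per user is the cost, and a server should also check that a submitted selection only contains images it actually displayed.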
  • Shoulder surfing (Score:4, Insightful)

    by Anixamander ( 448308 ) on Friday December 28, 2001 @10:48AM (#2758452) Journal
    It seems that a visual password would make it much easier for someone across the room to see and learn. One would have a hard time looking at my keyboard if they were behind me, but the whole reason any password login puts bullets on screen is so someone looking at the screen can't see it. Does this system use a mouse or is there some way to pick out the pictures using a keyboard with no on screen indicator? Of course, if that's the case, then this system may not be as idiot proof as they hope.
  • PINs (Score:2, Insightful)

    by saint10 ( 248611 ) on Friday December 28, 2001 @10:58AM (#2758487)
    However, there is a problem with it that I see: 5 images from a set of 25 means 53,130 potential combinations. This would be much easier to crack by brute force than a standard alphanumeric password with its billions of possibilities and millions of likely choices

    What they don't mention is that pictorial passwords are intended to be used in an ATM environment, rather than on a LAN. The PIN for your ATM is only 4 numerics long, not even alpha-numeric. A brute forcer can do 2 million/sec on an 800 MHz PC, it would brute the entire key space in a millisecond in ATMs.

    The reason why PINs are only 4 digits is the other compensating controls you have in the banking environment.

    1) There is an extremely limited interface to the ATM (just keypad and a few multi-use keys).

    2) The physical security of an ATM, these suckers are actually safes that are resistant to bomb blasts, rednecks trying to tow them away with their 1/2 ton Chevys, etc.

    3) The PINs are stored on a crypto device, not physically at the ATM, that destroys itself if it is pried open.

    So, this would be good for banking applications, but not good on your LAN... for obvious reasons.
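The key-space arithmetic running through the thread (the 53,130 unordered versus roughly six million ordered selections in the summary, the 4-digit PIN and the 2 million guesses/second figure in the post above, and the "9999 combinations" behind a stolen card) is collected here in one calculator. This is an added example, not code from any of the posters; the 62-character alphabet, the 8-character password length and the guess rate are assumptions taken from the thread's own figures:

```python
from math import comb, perm, log2

def unordered_space(n_images, n_picked):
    """Pick n_picked images out of n_images with order irrelevant: C(n, k)."""
    return comb(n_images, n_picked)

def ordered_space(n_images, n_picked):
    """Same selection, but the order of picking matters: P(n, k)."""
    return perm(n_images, n_picked)

def alphanumeric_space(length, alphabet_size=62):
    """Passwords of a fixed length over a-z, A-Z, 0-9 (assumed 62 symbols)."""
    return alphabet_size ** length

def entropy_bits(space):
    """Size of a key space expressed in bits, for comparison across schemes."""
    return log2(space)

def seconds_to_exhaust(space, guesses_per_second):
    """Time to try every value offline at a given guess rate."""
    return space / guesses_per_second

def online_success_probability(space, attempts_allowed):
    """Chance of guessing within a fixed number of online attempts (e.g. before the card is retained)."""
    return min(1.0, attempts_allowed / space)

def summary(guesses_per_second=2_000_000):
    """Compare the schemes discussed in the thread at the quoted offline guess rate."""
    spaces = {
        "4-digit PIN": 10 ** 4,
        "5 of 25 images, unordered": unordered_space(25, 5),
        "5 of 25 images, ordered": ordered_space(25, 5),
        "8-char alphanumeric": alphanumeric_space(8),
    }
    return {name: (space, round(entropy_bits(space), 1), seconds_to_exhaust(space, guesses_per_second))
            for name, space in spaces.items()}

if __name__ == "__main__":
    for name, (space, bits, secs) in summary().items():
        print(f"{name:28s} {space:>18,d}  {bits:5.1f} bits  {secs:14.3f} s")
    print("3 PIN guesses before card capture:", online_success_probability(10 ** 4, 3))
```

The offline numbers only matter where an attacker can verify guesses without the system in the loop; for an ATM, which evaluates each PIN itself and keeps the card after a few failures, the relevant figure is the online success probability, 3/10000 for three guesses, and a larger image key space changes that very little.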
  • Re:Alright (Score:4, Insightful)

    by RFC959 ( 121594 ) on Friday December 28, 2001 @10:59AM (#2758489) Journal
    how about we just stick to the good old "3 tries and you're locked out" system...
    Because systems with built-in self-DOS capabilities aren't such a good idea, goofball. Got somebody you don't like? Try to log in as him, fail, and his account gets locked. Delay systems are better than lockouts. I admit to not being entirely sure how all this would or should apply to something like an ATM that can't be accessed remotely, though.
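The lockout-versus-delay point in the reply above can be made concrete with two small models: a hard lockout that a stranger can trigger against someone else's account, and a per-account exponential delay that slows guessing without ever shutting the real owner out. This is an added example, not the poster's code; the delay constants and the scenario in `self_dos_demo` are constructed:

```python
import time

class HardLockout:
    """The "3 tries and you're locked out" scheme: after max_failures the account stays locked."""
    def __init__(self, max_failures=3):
        self.max_failures = max_failures
        self._failures = {}
        self._locked = set()

    def attempt(self, account, password_ok):
        if account in self._locked:
            return "locked"                     # even the correct password no longer gets in
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= self.max_failures:
            self._locked.add(account)
        return "denied"

class LoginThrottle:
    """Per-account exponential delay: each failure doubles the wait before the next attempt is evaluated."""
    def __init__(self, base_delay=1.0, max_delay=300.0, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._clock = clock
        self._state = {}   # account -> (consecutive failures, earliest time the next attempt is accepted)

    def attempt(self, account, password_ok, now=None):
        now = self._clock() if now is None else now
        failures, not_before = self._state.get(account, (0, 0.0))
        if now < not_before:
            return ("throttled", not_before - now)   # not evaluated at all: no counter moves, nothing leaks
        if password_ok:
            self._state.pop(account, None)
            return ("ok", 0.0)
        failures += 1
        delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self._state[account] = (failures, now + delay)
        return ("denied", delay)

def self_dos_demo():
    """Constructed scenario: three wrong guesses arrive for 'victim', then the real owner logs in."""
    lock = HardLockout(max_failures=3)
    for _ in range(3):
        lock.attempt("victim", password_ok=False)
    lockout_outcome = lock.attempt("victim", password_ok=True)

    throttle = LoginThrottle(base_delay=1.0)
    t = 0.0
    for _ in range(3):
        _, delay = throttle.attempt("victim", password_ok=False, now=t)
        t += delay                                   # the wrong guesses wait out each delay
    throttle_outcome, _ = throttle.attempt("victim", password_ok=True, now=t)
    return lockout_outcome, throttle_outcome

if __name__ == "__main__":
    print("lockout scheme lets the owner in:", self_dos_demo()[0])   # "locked"
    print("throttle scheme lets the owner in:", self_dos_demo()[1])  # "ok"
```

Because the throttle is keyed per account, the delay curve (1, 2, 4, ... seconds, capped at `max_delay`) makes even a small PIN space expensive to guess online while the owner only ever pays the current wait. For an ATM, where the card itself can be retained, an attempt cap on the physical token plays the same role as the throttle.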
  • Re:ATMs (Score:5, Insightful)

    by webword ( 82711 ) on Friday December 28, 2001 @11:10AM (#2758532) Homepage
    ATM security is based on more than your PIN number. It has two foundations: PIN number and the card. Therefore, you need to have the card (physical media) and the PIN number.

    If you consider that a person would first need to steal your card and then figure out your PIN number, it becomes apparent that increasing the difficulty of the password is foolish. If your card is lost or stolen, you report it and you save yourself some pain. If your card is lost or stolen, you have a pretty reasonable barrier because the card is physical and needs to be taken to an ATM. Then, even if the card is used immediately, the thief needs to sift through 9999 combinations.

    Security is not meant to lock you in. It is meant to keep other people out. When you think about that, you'll see that you often just want very good security with excellent convenience. That is, you want optimum security, not maximum security. You do not really want maximum security because that would dramatically decrease convenience. For example, if you really wanted maximum security of your funds, you would put them in the bank physically and you would pull them out physically. You would not even use an ATM because the security is not maximum.

    ATMs are convenient and the security is reasonable. Most people can remember their cards and their 4-digit codes. If you start trying to increase the security, you are in for trouble in my opinion. If you really wanted to increase ATM security, forget about pictures. Instead, look into biometrics [ittoolbox.com], which are much more reasonable.
  • Re:Jeebus! (Score:2, Insightful)

    by emf ( 68407 ) on Friday December 28, 2001 @11:23AM (#2758586)
    The thing with "l33t speak" is that it isn't really hard to modify your password cracker to convert the words in your word lists to "l33t speak" and try.

    Actually, you probably don't even have to modify your password cracker, just convert your word lists to l33t speak (i.e. 'a' becomes 4, 's' becomes 5, ... )

    I think the idea to use more characters than just 'a-z' is a good one, try to use characters from 'a-z', 'A-Z', '0-9', '!@#$%^&*()', and even the characters with accents. But, try not to make it predictable like "l33t speak".

    btw, your example "MyP455w0rdR0X0r5" might not be too bad since "R0X0r5" might not be a word in a word list, but "my" and "password" probably would be in the list. Then again, I'm no expert in cracking passwords or "l33t speak" so maybe someone else would have it in their list.
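The observation above, that substituting digits for letters does not hide a dictionary word, is the same one a password policy should apply at the point of choice: normalise the substitutions back and check how much of the result is made of wordlist entries. The following is an added example, not code from the poster; the substitution table is a partial, assumed one, and `WORDLIST` is a tiny constructed stand-in for a real dictionary:

```python
# Assumed partial l33t table: digits and symbols mapped back to the letters they usually stand in for.
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "5": "s", "$": "s", "7": "t", "+": "t"})

# Constructed stand-in for a real wordlist, using words that appear in this thread.
WORDLIST = {"my", "password", "galadriel", "babe", "jackson", "right", "secret", "love"}

def normalize(password):
    """Lower-case the password and undo the common substitutions."""
    return password.lower().translate(LEET_MAP)

def dictionary_segments(word, wordlist, min_len=2):
    """Greedy left-to-right scan for wordlist entries, longest match first."""
    found = []
    i = 0
    while i < len(word):
        match = None
        for j in range(len(word), i + min_len - 1, -1):
            if word[i:j] in wordlist:
                match = word[i:j]
                break
        if match:
            found.append(match)
            i += len(match)
        else:
            i += 1
    return found

def dictionary_coverage(password, wordlist):
    """Fraction of the normalised password that is covered by wordlist entries (0.0 to 1.0)."""
    norm = normalize(password)
    if not norm:
        return 0.0
    return sum(len(s) for s in dictionary_segments(norm, wordlist)) / len(norm)

def is_weak(password, wordlist=WORDLIST, threshold=0.5):
    """Reject passwords that are mostly dictionary words once substitutions are undone."""
    return dictionary_coverage(password, wordlist) >= threshold

if __name__ == "__main__":
    for pw in ("MyP455w0rdR0X0r5", "G4l4dr13l", "gi1ibbJgir"):
        print(f"{pw:18s} -> {normalize(pw):18s} coverage={dictionary_coverage(pw, WORDLIST):.2f} weak={is_weak(pw)}")
```

"MyP455w0rdR0X0r5" normalises to "mypasswordroxors", of which "my" and "password" are ten of sixteen characters, so it is flagged even though "roxors" is not a word; the phrase-initials password from the earlier post normalises to nothing in the list and passes. Any production check should use a full dictionary and a more complete substitution table than the one assumed here.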
  • by passion ( 84900 ) on Friday December 28, 2001 @11:44AM (#2758759)

    Interestingly enough, this is something that I tried hacking out a few years ago (though not under the pleasure of being funded by an academic institution).

    I found that people like to click on distinct places, and not the whitespace between shapes/objects. Otherwise, they won't be able to remember exactly which spot they clicked on. This can be analogous to people using dictionary words for their alphanumeric passwords.

    Another annoyance that I found was that hitting the exact pixel that you wanted was nearly impossible. You're more likely to hit one adjacent, or 2 away... so increasing the area of error reduces the number of possibilities.

    Finally, when I want to get work done, I don't want to play a video game. Making someone hit their exact spot in a sequence of 5, or 10 images, whatever requires skill and accuracy. If you hit the first 9 right, and mess up by one pixel on the last, you have to start all over again. Imagine if you had to achieve a difficult feat - like slaying 20 characters in Quake on nightmare mode before you can log in... damn.

    In summary, I think this is a really cool idea (otherwise, I wouldn't have gone to the trouble of implementing it myself) - but the downsides outweigh the benefits.

  • by Syberghost ( 10557 ) <syberghost@syber ... S.com minus poet> on Friday December 28, 2001 @11:47AM (#2758785)
    This just won't work for most applications.

    Oh, maybe for an ATM, where it's more secure than a four-digit PIN, it'd be secure enough, but it's still unworkable.

    Most ATMs use very low-res displays; in fact, many are text-only displays. (I believe a large number of them are actual Hercules monochrome cards, with the ATM running OS/2, for instance.)

    If you use a touch-screen, it'll become impossible to hide what you're typing, so you pretty much have to stick numbers up there and have people type the number of the correct picture. You'll have to swap the pictures around if you want to prevent people from just writing the numbers down, so you'll end up with it being harder to remember because the pictures are all on screen at once and in a different place every time.

    In the end, you'll have to keep the number of pictures low, and the length of the password low, or people won't be able to remember. Hell, people forget their 4-digit PINs now.

    At least with a PIN you can disguise it when writing it down; put it in your address book as Uncle Luigi, with the last four digits of his bullshit phone number being your PIN. What are you gonna do if you need a reminder for this, take a Polaroid of the screen and put it in your wallet?

    I'm sure there are applications where this technology will work, but I don't think ATMs are it, and I'm REALLY skeptical about using it for locking PCs.

    Biometrics are the future of easy-to-remember identification.
  • by Greyfox ( 87712 ) on Friday December 28, 2001 @11:50AM (#2758814) Homepage Journal
    Then you could use the whole phrase. No dictionary attack's going to be useful against that, especially if you fiddle with case and it'd take rather a long time to brute force it.
  • by jasonbw ( 326067 ) on Friday December 28, 2001 @01:14PM (#2759267)
    I completely missed the over-the-shoulder lack of security issue, so good point. But the best reason this is a bad idea is the reason people use ATMs in the first place.

    No, not because banks keep difficult hours...
    okay, fine, that's ANOTHER reason.

    Quickness of transaction. Provided it's available, I can step up, tap in my 4-digit code in less than what? Less than 2 seconds? and get money in less than a minute.

    Now, instead of 10 different buttons you're essentially offering people 25? and you even want to mix them around so you have to hunt for the right button (you could use some type of GUI for picture display and a touch screen, but that wouldn't speed it up any, especially if you mix the order).

    This just seems like another attempt to force people into a hardware upgrade in order to run some bloated software. Is M$ involved?
  • Password Overload (Score:2, Insightful)

    by johnalex ( 147270 ) on Friday December 28, 2001 @02:14PM (#2759618) Homepage
    I'm not certain these techniques address the major problem most of us face: assuring unique identities on the systems with which we interact.

    Most /.'ers can probably empathize with me. I have a (password-protected, of course) password app on my Handspring Visor. I have nearly 30 passwords and user ID's in this app, including my /. ID and password and NYT ID and password. This does not include the systems with which I interact on a daily basis. Add those ID's and passwords, and I probably have nearly 40 identities to remember.

    Granted, the normal user doesn't have our problem. However, the normal user also has little inclination to merely accept this predicament. While I think nothing of whipping out my Visor for a password, most people lack the sense of urgency we feel to ensure system security. Nor do they have the patience to commit 30+ identities and passwords to memory.

    Maybe we've run into the "Aunt Minnie" problem. Aunt Minnie knows who she is, she wants to be her everywhere, and she has no desire to create a unique identity on every system she sees. So we shouldn't be surprised to see Aunt Minnie use her AOL ID and password for Web sites and such.
  • by ichimunki ( 194887 ) on Friday December 28, 2001 @02:36PM (#2759754)
    Okay. So they got that part (and I've bothered to read the article now *grin*). And I'm impressed by their purported 90% success (to compare to 70% for alphanumeric passcodes).

    However, I would have to see their test methodology to not instinctively want to criticize this. I have to wonder if they tested people's ability to remember multiple passwords (especially mixing a frequent use one with a not-so-frequent one). I have to wonder how they plan to enable this system so that visually-impaired people, from the color-blind to people without eyeballs, can use the system. And I have to wonder how well they can test people's ability to remember *changed* passwords -- if the images from my last password show up on the selection grid, will this interfere with my visual memory?
