Security

Pictorial Passwords 331

Stone Rhino writes: "No longer do you need to remember passwords. Now, thanks to graduate students at Berkeley you merely need to pick out the right pieces of abstract art. There is a story on it at the New York Times. However, there is a problem with it that I see: 5 images from a set of 25 means 53,130 potential combinations. This would be much easier to crack by brute force than a standard alphanumeric password with its billions of possibilities and millions of likely choices." Maybe you have to get the sequence of images correct? If so there are some six million combinations, still weaker than an optimum password but probably stronger than the passwords most people choose (usually their significant other's name). There's another article on passwords in that same NYT edition.
  • Similar to Passface (Score:5, Interesting)

    by rodbegbie ( 4449 ) on Friday December 28, 2001 @10:06AM (#2758303) Homepage
    A year or so ago, I found this little beauty: PassFace Technology [realuser.com] -- Give it a try. You click on people's faces to get in.

    What was interesting was that in finding that URL, I went back to the site for the first time in over a year, and was able to log in no problem. I remembered my combination of faces.

    There's definitely something to this technology!

    rOD.
  • by Ch_Omega ( 532549 ) on Friday December 28, 2001 @10:10AM (#2758320) Journal
    The latest PocketPC OS has a nice way of avoiding brute-forcing of four-digit passcodes. There is simply a growing delay between each time you can enter a new passcode after entering a wrong one, so that after entering the wrong passcode seven times or so, there is an almost ten second wait before you enter in a new passcode.

    Wouldn't this be a good way to avoid brute-forcing of these pictorial passwords? :)
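As an added example (not from the story or from any poster), the arithmetic behind the summary's 53,130 versus "some six million" figures and behind the throttling idea in the post above: the search space for 5 picks from 25 images, unordered and ordered, its size in bits, and how long an exhaustive guess would take against a growing per-failure delay. The delay schedule (0.2 s, doubling each failure, capped at 10 s) is my assumption, since the post only says it reaches about ten seconds after roughly seven wrong entries.

```python
from math import comb, perm, log2

# Search space of the scheme in the story: choose 5 of 25 abstract images.
def unordered_space(n_images=25, k_picks=5):
    """Combinations: the order of the picked images does not matter."""
    return comb(n_images, k_picks)          # 53,130 for the story's numbers

def ordered_space(n_images=25, k_picks=5):
    """Permutations: the images must also be picked in the right sequence."""
    return perm(n_images, k_picks)          # 6,375,600 for the story's numbers

def entropy_bits(space):
    """Equivalent key length in bits for a uniformly chosen secret."""
    return log2(space)

# Assumed throttle schedule (the post only says the delay grows and reaches
# about ten seconds after roughly seven wrong entries): the delay after the
# n-th consecutive failure doubles from 0.2 s and is capped at 10 s.
def delay_after_failure(fails, base=0.2, growth=2.0, cap=10.0):
    return min(cap, base * growth ** (fails - 1))   # 7th failure -> 10.0 s

def time_to_exhaust(space, base=0.2, growth=2.0, cap=10.0):
    """Seconds a single-session attacker needs to try every candidate,
    assuming every guess but the last one is wrong."""
    total, fails = 0.0, 0
    while fails < space - 1:
        d = delay_after_failure(fails + 1, base, growth, cap)
        if d >= cap:
            # Once the cap is reached, every remaining failure costs `cap`.
            total += cap * (space - 1 - fails)
            break
        total += d
        fails += 1
    return total

if __name__ == "__main__":
    for label, space in (("5 of 25, unordered", unordered_space()),
                         ("5 of 25, ordered", ordered_space())):
        days = time_to_exhaust(space) / 86400
        print(f"{label}: {space:,} candidates, {entropy_bits(space):.1f} bits, "
              f"exhaustive search under throttle ~{days:.1f} days")
```

With that schedule the unordered space takes about six days to exhaust and the ordered one about two years, which is why the throttle matters far more than the difference between the two counts; note that it only helps when all guessing must go through the throttled interface.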
  • by Snowfox ( 34467 ) <snowfox@NOsPaM.snowfox.net> on Friday December 28, 2001 @10:23AM (#2758361) Homepage
    I'm not so sure how I feel about this...
    root@artschool-104:~ # which login
    /bin/login
    root@artschool-104:~ # du /bin/login
    363256 /bin/login
    root@artschool-1024~ #

    Not so sure at all.

  • by tswinzig ( 210999 ) on Friday December 28, 2001 @10:36AM (#2758403) Journal
    > A year or so ago, I found this little beauty: PassFace Technology [realuser.com] -- Give it a try. You click on people's faces to get in.
    >
    > What was interesting was that in finding that URL, I went back to the site for the first time in over a year, and was able to log in no problem. I remembered my combination of faces.
    >
    > There's definitely something to this technology!

    Unless you're face blind [choisser.com].
  • Passphrase strength (Score:3, Interesting)

    by Kirruth ( 544020 ) on Friday December 28, 2001 @10:43AM (#2758428) Homepage
    The best article on passphrase strength I have seen is Randall Williams' document, Choosing a strong passphrase [stack.nl].

    This document contains a rough reckoner for calculating whether a passphrase is strong or weak. It makes the point that for a passphrase to be as strong as the encryption in PGP, it needs to be 30+ characters long. Remembering one or two paintings might not quite cut it.

    For most systems, you can safely use shorter passphrases if you are only permitted a limited number of attempts or have no access to the machine (like at a bank) or the passphrase is changed frequently, or if the phrase is truly random.

    Regardless, the strength of the passphrase is almost always the weakest link in any security system.

  • by malx ( 7723 ) on Friday December 28, 2001 @10:56AM (#2758477)

    > I wouldn't know where to begin trying to describe what pictures to use for their password...

    That's the whole point. Because our mapping of language to art is so loosely coupled, it's hard to write down and/or describe to another person your password. Theoretically, this dramatically reduces a source of password insecurity.

  • apparent problems (Score:4, Interesting)

    by mrsbrisby ( 60242 ) on Friday December 28, 2001 @11:02AM (#2758501) Homepage
    one of the problems that many people have with "strong passwords" is *NOT* their lack of a strong kinesthetic memory- I can ``remember'' any password simply by typing it: sound familiar?

    Problem is that this has NOTHING AT ALL to do with how you actually pull out that memory. I mean, having this strong kinesthetics allows you to keep that password in your head, but it does nothing for pulling it out (unless you ALWAYS use the same password... more on this later)

    What triggers that memory really has to be one of four things: A sound, an image, a phrase (written), or a touch. That's not true, at least with me (functional keyed-retrieval) but most people at least fall into those four.

    This is a cue that your mind uses to pull out those memories at the appropriate moment. The feedback starts and you can whip out your password completely automatically, right?

    Some "realistic solutions" to these problems include: BIOMETRICS - which don't require ANY memory, SINGLE LOGIN - which limit the number of cues needed, ASYMMETRIC-KEY - which relies on math, etc, etc.

    I say "realistic" because people have used them and they DO work. They don't affect that memory pathway in and of itself, but instead rely on more durable pathways (e.g. outside of the person :)

    Unrealistic methods? Pictorial passwords. Besides the obvious that they're useless to the blind, many (dare I say most? nah, I couldn't find those numbers) people lack a visual eidetic. This means that they're very easy to confuse with similar images - because they cannot be used as triggers for their memory- They simply cannot remember seeing that.

    Surely, they can remember the memory of seeing, or the act, maybe if they described it to themselves (common: turning a visual cue into an audio one, but this is time consuming and rarely works for long) - point being, it pushes WAY too much emphasis on only one cue.

    With our current method, I gain some visual cues; input fields on the left, on the right, a popup, etc. I also gain some functional cues (mail related? do I know these people? am I these people? was this just a test?)

    I then turn all these cues into the blinding flash of realization that sends my fingertips into a frenzy typing out the appropriate login and password for wherever I'm at. (except on slashdot, i'm a wuss... i use cookies :D)

    My cues may not be the same as everyone else's but everyone does have cues. I think that changing the focus of WHAT we remember is less important than changing the cues by which we DO remember.

    (There, I think that makes more sense now)
  • Re:ATMs (Score:3, Interesting)

    by monkeydo ( 173558 ) on Friday December 28, 2001 @11:51AM (#2758821) Homepage
    ATM security is based on more than your PIN number. It has two foundations: PIN number and the card. Therefore, you need to have the card (physical media) and the PIN number.

    What's more, to use an ATM you must physically key in the PIN, there is no way to automate a brute force attack against the keypad at an ATM. Additionally most ATMs will swallow your card after a certain number of wrong PINs (3 at my bank) so you aren't going to have much luck guessing.

    You'd be surprised how many people write their PIN on the back of the card, or somewhere else in their wallet, but it happens enough that the signature panel on my card bears the warning, "Do not write your PIN on your card." That's why banks impose daily limits on how much money can be withdrawn through ATMs.

  • by cybaz ( 538103 ) on Friday December 28, 2001 @11:57AM (#2758867)
    The biggest security problem is people are vulnerable to social engineering. It is too easy to get someone to share alphanumeric passwords; pictures would make it much harder for people to share passwords. However it seems a little late for this to take off, as biometrics are coming down in price, and will mostly eliminate the problem.
  • by Anonymous Coward on Friday December 28, 2001 @01:49PM (#2759482)
    I think there was a Harlan Ellison [harlanellision.com] story about a semi-psychic guy hired to crack the password of an extraordinarily anal-retentive government bureaucrat. The AI guarding the system is extremely sophisticated, so he's only going to get one chance. He studies the guy for months, and eventually comes up with the guy's password (a seemingly random string). He breaks into the building the guy works in, and carefully types it in. Alarms go off, and he and the guy who hired him get busted.

    As it turns out, he had the right password, but the guy was so anal-retentive that he always intentionally mistyped his password once before entering it correctly, and the computer detected the change in pattern.
  • Re:Scrambled photos (Score:3, Interesting)

    by merlyn ( 9918 ) on Friday December 28, 2001 @01:53PM (#2759509) Homepage Journal
    > People are visually oriented, so remembering pictures is easy, especially compared to a mess of uppercase, lowercase and symbols.

    Uh, some people. I'd have to name each picture to remember it, and then remember the names. I'm a part of the 5% of the population that doesn't deal well with picture recall, and a particularly bad case of that. Let's hope this system is never mandatory for any system I have to use. It's bad enough for icons without tooltips.
