Using a Password One Doesn't Consciously Remember

ZiggyM writes "Researchers from Hebrew University in Israel have devised a way to assign a password to a user in a way that prevents the user from conciously remember or describe it, yet the user can input it correctly over 90% of the time in a 3 month period after [s]he learns to input it. It involves using visual recognition of previously-seen images, which you can recognize but cant consciously recall in detail. Recognizing the right ones from a series is interpreted as knowing the password, and the chances of guessing it is 1/100,000. Not ready for practical use yet, but very interesting concept that can develop further."

My tinfoil hat

[Zegnar]

My tinfoil hat protects me from the mind readers anyway!

Re:My tinfoil hat

[Baron Eekman]

How's this going to help?

I'm not remebering my passwords all the time already

Re:My tinfoil hat

[pavon]

Don't you know? Thats an added feature of the tinfoil hat! It keeps you brainwaves in your head, where they belong instead of out in the world where they can be probed. This has the amazing effect of increasing memory, mental accuity and the ability to connect seemly unrelated things.

Well

[Anonymous Coward]

At least it's a new use for my porn archive.

Do we get to use touch screens?

Rock, Paper, or Scissors

[xmas2003]

You should have no problem if you pick one of the above passwords ... but remember, no dynamite! ;-)

Read more about RoShamBo here [komar.org]

Here's the password solution I recomend...

[Saeed al-Sahaf]

If it's good enough for the U.S. Government, it's good enough for me...

The World's Most Dangerous Password [slashdot.org]

Re:Rock, Paper, or Scissors

[irokitt]

Yeah, well you try to do that via webcam.

Their own metrics are so awful.

[mlyle]

Compare to a normal password-- 90% chance of successful identification? 100,000 possible combinations? Ick.

It better not be used in any situation where a machine can attempt the password, and hopefully they've avoided storing the password itself on the disk, though it certainly could be found with brute CPU (see above).

Basically, it looks like this is a very unimpressive system.

Re:Their own metrics are so awful.

[Anonymous Coward]

Yup. That's not secure in the least. 100,000 possible combinations is equivalent to having a password of only lowercase letters, exactly four letters in length, where the first letter has to be from "a" through "f" (6 * 26 * 26 * 26 = 105,456).

Definitely one of the worst password-type mechanisms proposed in recent history.

Re:Their own metrics are so awful.

[Oculus Habent]

in reality a truely random four-letter password is probably more secure than most people's password. Have you forgotten they'll likely Give it up for chocolate [slashdot.org], anyway? If they don't really know it, they can't write it down and can't divulge it.

The specific implementation may need work, but the concept has very real possibility.

Best comment when I told someone their password expires every 90 days and they can't use the last two:

"That's OK, I have four grandchildren."

Re:Their own metrics are so awful.

[pavon]

There is an easy solution to that. Don't ask them to make a password. Give them one of a appropriate security (random sylabols or random passphrases work well), and don't change it for 6 months to a year. This has worked fine in all the work environments that I have been in. If people still have problems remembering their password you should revaluate wheter you are giving them the best possible length password. But humans are horrible random number generators, so don't base you security on expecting them to create secure passwords. I wouldn't trust myself to create a secure password without a good random method.

Oh and I would lie to some for chocolate as well :)

Re:Their own metrics are so awful.

[John Starks]

I would be willing to bet that most of your users write their passwords down and put them in their desk drawer. This is the problem of the average user and the complicated password.

Re:Their own metrics are so awful.

[Mycroft_VIII]

7 characters would probably be ideal from a memory standpoint as most peoples short term memory is approx 7 items and thus one of the easiest lengths to memorize.
I strongly suspect this is why phone numbers in the usa are the length they are, 7 digits for the most part and then 3 digits for area code, but the structure makes 'area codes' a seperate item cognitively. that is you don't think of someones number as 5554324321 but as 4324321 in the 555 area code, which you usualy associate with an area whe

Re:Their own metrics are so awful.

[hyphz]

The thing is, this already exists.

There's a system called PassFace which issues passwords consisting of sets of pictures of faces. The idea is that faces are easy to remember but hard to describe, thus preventing passing on of the password.

It was tested as part of a student project. The project found that PassFaces are *trivial* to sniff. In some cases it only took one "shoulder surfing" session for someone to sniff a password. So if a person wants to transfer their password to someone else, they migh

Re:Their own metrics are so awful.

[John Starks]

RTFA. In this system, once pictures are used, they are never used again. So much for *trivial* sniffing.

Re:Their own metrics are so awful.

[gnu-generation-one]

"If they don't really know [their password], they can't write it down and can't divulge it."

Unchangeable embarassing passwords are good for that too...

Re:Their own metrics are so awful.

[jwe21]

In most environments, the human factor is the weakest link, not the false positive probability. It doesn't matter if the probability of guessing the password is 1/100,000 or as they'd probably get with a bit better training algorithm and a bigger database 1/10,000,000 --- the point is that the user can't write their password down on a sticky note on their monitor.

Think of it as sacrificing limited security against one unlikely technique (brute force attack) for perfect security against a more common one (h

Re:Their own metrics are so awful.

[pavon]

For reference an eight character password consisting of random upper-case, lower-case and numbers has about 200,000,000,000,000 combinations. A twelve character pronouncable password is about the same, and is what I use for all of my "important" passwords with about a 20% chance of typos. If one were to pick a random english word out of /usr/share/dict/words, that password would be twice as secure as this method, and we know easy a dictionary attach is.

Re:Their own metrics are so awful.

[gotr00t]

I notice that with my passwords, which are random alphanumeric sequences, I don't really memorize them either. If I need to write it down or say it out loud, I just can't do it becuase I don't really memorize the password itself, but rather, the movements needed to type it out.

Though this is probably not based on the same principle, as I consciouslly know my passwords, just not in plaintext form, it has the same effect, to where in both cases, I am prevented from revealing the password under everyday circ

I do this now

[Lxy]

I use the same root password for all of my test boxes. It's 15 characters and made up of random letters and numbers. What is it? I have no idea :-)

I can type my password, but if you asked for it I couldn't tell you what it is. The other day someone needed my password for one of the test boxes. I had to open vi, type in the password, and read it back to them.

The only problem with this is that it takes so long to remember such a password, so as soon as you learn it you can't change it often.

Re:I do this now

[Servo]

I've always had the same "problem" with passwords and phone numbers. I can't remember my mother's phone number, but sit me down at a phone and I'll dial her up without thinking about it.

Re:I do this now

[Wordsmith]

Don't worry. I've got your mother's phone number right here ...

Re:I do this now

[Matt]

I've always had the same "problem" with passwords and phone numbers. I can't remember my mother's phone number, but sit me down at a phone and I'll dial her up without thinking about it.

I'm much the same. I think I "remember" phone numbers primarily by the pattern formed by entering the sequence on a keypad.

To quote a phone number I almost have to watch myself dial it. Even worse is remembering my own phone number. I don't exactly call it often.

the best password is......

[Steve_Jobs_HNIC]

the best password is to have no password [zdnet.co.uk]

along the same line.... what's the shortest distance between two points?


the shortest distance is to have NO distance at all. (Try the folding paper trick)
If you said a straight line, that'll do for now.

Re:the best password is......

[Geoffreyerffoeg]

I had no password this year in Computer Science. My programs were subconsciously obfuscated enough that none would be insane enough to steal my code and pass it as his own, and I didn't care if the other students looked in there (the teacher can open my home directory anyway). It made it a few milliseconds faster to log in.

Re:I do this now

[Entropy Unleashed]

Why not just use some primitive "keyboard art"? The main alphanumeric area can be considered a 4 by 10 area of pixels, with a possible 3 colors(normal, not typed, and with Shift key). This would offer the possibility of easy visual recognition/reconstruction with ~10^19 possible combinations. For example, we could use a drawing of a TIE Bomber as a password.

......0...0......
.....0__0__0.....
......0...0......

would become ridFGhIJkcm, which is judged to be a rather strong password by http://www.securitystats.com/tools/password.php .

Re:I do this now

[simcop2387]

i'm not sure how well i'd trust that password script, it told me that

p455W0rD was a pretty strong password

Re:I do this now

[E_elven]

I usually bring this up whenever there's a password discussion but looks like you're already on the ball. To recap:

My users are given the task of creating an 8-12 character password. This is usually, for beginning users, achieved by selecting a letter, -the first letter of their name, for example. This letter is then 'drawn' on the keyboard using each key as one 'pixel' and alternating the shift key every other stroke. For example, for the letter 'E', we can create the following picture:

` 1 2 3 - - - 7 8

Re:I do this now

[E_elven]

Ah -one more trick when talking about /completely/ computer-illiterate people (I do some work with the elderly): when teaching this method of password creation I always have slices of paper -red, but I assume anything works- cut very thin with slight variances in thickness. If anyone has a problem understanding the keyboard as etch-a-scetch concept, I simply ask the user to give the key and then place the paper slices on the keyboard so that the 'picture' is clearly visible. This usually gets even the wors

Re:I do this now

[sporty]

The only problem with this is that it takes so long to remember such a password, so as soon as you learn it you can't change it often.

You learned it because you practiced it in a real life setting.

I'm sure if you typed it 100 times in a row, your muscle memory would kick in and push it to long term memory.

Re:I do this now

[CAIMLAS]

Same thing for me, to a large degree. I know all my passwords by heart, and I no longer think about the key combination. There's been a time or two when I've had to do remote phone admin, and I couldn't recall the passwords for the life of me until I closed my eyes and air-typed them out.

Really, I don't see how this memory process is any different than remembering something like, "Right click on desktop, go to Properties. Click on the Display tab. Go to "Advanced"...." or such. Or for that matter, memorizi

Re:I do this now

[Mycroft_VIII]

I've found even though I KNOW how to fix many problems, I don't know the exact steps unless I'm following them.
I often can't tell someone the exact sequence over the phone unless I can see it in front of me.
It's very frustrating sometimes when someone new comes along and has trouble believing I know what I'm doing when I can't easily walk them through a fix. Fourtuneately thats rare, I usually goto them and just fix it on the spot.
I've fixed a few problems in seconds a few of my more tech savy f

Re:I do this now

[Anonymous Coward]

the only thing worse than using the same root password for all of your boxes is telling everyone that.

i currently remember 24 16-random-character passwords which i generate by locking myself in the closet with a torch, pad, pencil and 3 dice. for each character of the password, i roll each die once and concatenate the 3 individual numbers to give me one of 216 codes which i map to the numbers 0 through 215. i then divide this number by 72 and take the remainder as an index into my character table. the table contains uppercase, lowercase, numerals, and shift+numerals, which of course adds up to 72 characters. i sometimes replace some of the characters at random with characters outside the set (plus, brace, comma, etc) when i am feeling paranoid. i repeat this process until i have my 16-character password, writing each character on my pad as i go. i then study the written password until i feel i have remembered it. then i immediately tear the paper up take it into the bathroom and burn it in the toilet. i throw the rest of the pad in the fire incase someone tries to get the imprints, and usually i break the pencil in half and throw it in too. then if i need to go to the toilet, i'll go before i flush everything down. it sometimes takes a while for the pencil to burn. i then wash my hands thoroughly, twice, and turn the light switch on and off 5 times before i leave the room. i then go and unplug my machine from the network, take it into the closet, boot single-user mode and change my password.

Re:I do this now

[Mycroft_VIII]

hmm, seems a bit insecure at that last step, unless your closet is tempest shielded AND your running on battery power. otherwise they could get the data from powerline fluctuations.

Mycroft

Re:I do this now

[timmi]

That's largely the same system I use, (Except I go for phrases from songs that I like to "Sing along" with)

Re:I do this now

[God! Awful 2]

Why (#include "NumYearsAdminingBoxes.h")? That doesn't make sense. It should be just NUMYEARSADMININGBOXES or $NUMYEARSADMININGBOXES.

-a

Very interesting

[bigberk]

I'm sure there are many variations on this possible. Probably by linking mnemonics [wikipedia.org] and visual cues you could come up with a code-entry system that works reliably, yet makes it nearly impossible for someone to simply write down their code -- hence, easily steal. Use the brain for crypto.

Time?

[blike]

The beauty of string passwords is that I can recall and input it within 3 seconds. It would become quite a hassle to take the time to go through a series of images everytime I wanted to sign into an account.

Still, it's an interesting concept, though I can't forsee it ever becoming applicable to personal computing.

To prevent eavesdropping, use iris tracking

[arvindn]

Simple. Don't have the user click on an image, but track their iris to see which image they're looking at. Kills eavesdropping dead, and lets you reuse images too. Drives cost way up, but maybe it can come down with mass production? Just a thought.

Re:To prevent eavesdropping, use iris tracking

[djcapelis]

Mmmmm... intellegent software and webcams... sounds like a hacking attempt to me...

Now just by taking pictures of a person looking at their computer you can authenticate as them. Although I suppose you'd also have to see which ones were on the screen.

Re:To prevent eavesdropping, use iris tracking

[Basje]

It depends on the number of images of course, but selecting could be done another way.

eg: with 3 images at a time, you could use left-middle-right mousebutton. For up to 10 the number keys are usable.

Re:To prevent eavesdropping, use iris tracking

[ion++]

there is a difference between eye tracking and iris scanning and recognition.
Scanning is quite easy, but recognition is harder, so it isnt just as simple as you say it is, and it is not any particularly more secure.
You seem to forget the 3. possible forgery, namely creating a fake eye. To create this fake eye, you just need a pretty detailed picture of the persons eye, and then you create the fake eye. Possibly using a normal technology as contactlinses. Thinking about it, i can not imagien that CIA and al

This is too complicated - try this

[SimianOverlord]

It struck me yesterday that the answer to making secure and difficult to guess passwords that are immune to dictionary attacks is staring us all in the face. Let's recap:

A good password is:

Greater than 6 letters long

Composed of numbers and letters

Easy to remember, easy to reremember when changed.

Now it struck me that ideally we needed to create a new language that was innovative and imaginative which people could talk in, and use as passwords. Then it struck me: we already have it: L33T SPEEK .

Passwords such as OMGN00BSUXSROR! and ROFLGH3YB0ISTFU and almost impossible to guess, are immune to dictionary attacks, and are perfectly memorable. Perhaps L33T language classes could be started at major institutions, and a Creative Commons licenced dictionary created.

It's about time someone started talking sense - password security is a problem which needs innovative solutions.

Re:This is too complicated - try this

[ffsnjb]

are immune to dictionary attacks,...and a Creative Commons licenced dictionary created.

Uh, heh. Yeah, that's it! :)

Re:This is too complicated - try this

[abscondment]

A good password is:

• Greater than 6 letters long
• Composed of numbers and letters
• Easy to remember, easy to reremember when changed.

I don't think so. On a single machine it takes l0phtcrack [atstake.com] a day or two to crack passwords with only letters and numbers.

It took my comp 36 days to crack the M$ generated ASPNET user account; it's generated from the full keyboard charset.

Password policies like this won't enhance security. Maybe disabling LM hashes would, but the vulnerability is still there.

Re:This is too complicated - try this

[CAIMLAS]

Cracking passwords requires access to the system's password file.

If someone has gotten that far into your system, you're already fucked. Your security measures have failed.

No, the more important thing is that someone never gets into the system in the first place. Thus, this password scheme would work, as the word of the day is guessable - such passwords are not guessable unless you know the person well, and know their password naming scheme (everyone has one) - and even then it would take some time.

I enc

Re:This is too complicated - try this

[Artifakt]

"I'd suspect that excentric/odd folks are vulnerable to such social engineering, as they're more likely to have a pattern of behavior that is predictable (I know a person or two like this)."

Like SF oriented geeks who use alien names - Cthulhu, Gharlane, Nostromo?
From only the social engineering standpoint, the most unguessable password might be as simple as GTO, if your co-workers think you don't pay any attention to cars, or sosa if you don't seem to follow baseball. Such passwords are lousy from other vi

Re:This is too complicated - try this

[way2trivial]

My work,
we have a password I have to occasionally give over the phone to an employee fix an account. every time, I change the password the next day.

they all more or less rhyme,
i.e. fish, dish, kiss, phish, miss,

no matter what, I'll rerember it eventually..

Re:This is too complicated - try this

[Geoffreyerffoeg]

My strongest password is a l33t-ized version of a former password (two words in plain English...well, not English, a proper noun from a French novel). It contains about half numbers and symbols, enough that I don't think it'll be cracked too easily.

Don't forget to mix upper- and lowercase.

Pig Latin

[Saeed al-Sahaf]

How about recursive Pig Latin? Every time you need to change it, just keep running it through your Pig Latin algorithm.

Re:This is too complicated - try this

[cap'n foolsy]

truth be told, i already do this using odd dictionary words that i translate into l33t. for example: defenestrate - > d3f3n3str4t3. what does it mean? i dont know! and it's pretty easy to type, as well.

Re:This is too complicated - try this

[Metaldsa]

My password for my computer science computer in college was M3talM4n. Just like my online nick, metalman. So I would tell people my password but unless they spent a while to think and guess for it they would fail.

Similar Experience

[MoP030]

I cant really remember the PIN for my bank account, but when i'm standing in front of the cash automat i remember the moves i have to do with my fingers without problem. If i wanted to remember the PIN as a number i can close my eyes and pretend to type it though, so there is a way for me to know it consciously.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Similar Experience

[Artifakt]

One reason not-so-many people are this way is that the numeric keypads on an ATM, a phone, a calculator or a keyboard are all often laid out differently. Standardize the layout more and more people would rely on visual or audio for the actual numbers, rather than kenetic memory.

Excellent!

[Phurd Phlegm]

Now even if I am tortured to death I can't reveal the password to my eBay account!

This should come in handy to all the other costumed crime fighters in the Slashdot community, too!

Easy 24 or more letter-number combinations

[Prince Vegeta SSJ4]

I use a password of a phrase or group of words that I easily remeber, then translate to l33t. That way I can easily have a strong password well over 20 characters. I am assuming of course that it is harder to break 5la5|-|d0t as opposed to slashdot.

maybe someone could expand?

Re:Easy 24 or more letter-number combinations

[Scarblac]

I use passwords from Nethack, e.g. #@d_..C# is me and my dog standing next to an altar with a centaur on the other side of the room. Not hackable by dictionary attack :-)

Re:Easy 24 or more letter-number combinations

[solicit]

Or use a one-liner perl regex as your password, easy to remember if you know what it does, but also not breakable by dictionary attack. :)

Sounds like that bit in "Johnny Mnemonic".

[Samurai Cat!]

Keanu gets all the data locked in his head, and the password is a series of images...

Password is the wrong word

[Anonymous Coward]

they should call it passphrase if you want people to use long passes

all the time websites/apps ask for a password it just re-enforces the insecurity of using a single word

8 character passwords/filenames should of died in the 70's

Better editing, please

[ChuckleBug]

Yeesh, what a horribly written intro:

[...]to assign a password to a user in a way that prevents the user from conciously remember or describe it[...]

cant

Come on. The next sentence is really wretched. Not only is there a verb-subject agreement problem, is doesn't even parse:

Recognizing the right ones from a series is interpreted as knowing the password, and the chances of guessing it is 1/100,000.

Re:Better editing, please

[ChuckleBug]

is doesn't even parse:

Sigh. OK, I typoed. But my comments still stand.

Great

[Pan T. Hose]

Finally we have something which is not vulnerable to the rubber-hose cryptanalysis. Now the attackers can brute-force me as hard and as long as they want and I will not be able to tell them my password even if I want to! Now I feel totally safe, because even in the case of the most inhumane torturing, I will take my password to my grave. It's like using fingerprints in ATMs so the thief has to cut my finger off instead of taking my ATM card in order to steal my money, except for the lack of gelatin exploit [slashdot.org]. This is great news. I can stop recommending Password Safe [schneier.com] to my users now.

This actually makes a lot of sense

[darkest_light]

When I was taking Spanish in high school, my teacher always told me that recognition was a much lower mental skill than composition. This is true--years later I can still *understand* spanish, but I can't speak it myself. Having a password system that relies on this lower-order mental process is a great idea. Recognizing the correct password would be much easier than remembering it, but the process for cracking it would be just as hard as cracking an alphanumeric password if enough pictures were used.

That said, I do end up memorizing most things this way--I know pin numbers, telephone numbers, and even my password by the "feel" of typing them, and I usually can't remember what they are when I'm not using a keyboard or number pad.

been there, done that

[menscher]

About 10 years ago I had a password where I typed an easy-to-remember non-word with my hands shifted on the keyboard. I actually went over a year without knowing what my password was, until one day I accidentally typed it at a login prompt.

My bank-card pin-number uses a different trick. I just used four consecutive digits of pi. The trick is that they're pretty far into the sequence. Oh, and I made a mistake when I set it, so it's actually wrong. Oops. Guess it's pretty random, then. ;)

Re:been there, done that

[droleary]

About 10 years ago I had a password where I typed an easy-to-remember non-word with my hands shifted on the keyboard. I actually went over a year without knowing what my password was, until one day I accidentally typed it at a login prompt.

Is that when you found out that all along you were using "password"? I hate it when that happens!

Re:been there, done that

[gnu-generation-one]

"My bank-card pin-number uses a different trick. I just used four consecutive digits of pi. The trick is that they're pretty far into the sequence. Oh, and I made a mistake when I set it, so it's actually wrong. Oops. Guess it's pretty random, then. ;)"

I reckon it's probably still four consecutive digits of pi... (and indeed would be, no matter which 4 digits you chose!)

Keepass

[DarkHelmet]

I keep a copy of Keepass [sourceforge.net] with me on a USB keystick. It keeps all of my passwords in a secure place. Most of the passwords I have are 21 characters, generated randomly.

The only thing I have to remember is the password to get into Keypass and decrypt its database.

This is natural...

[222]

I use this a lot when im trying to navigate my way through a new 3d enviornment or backtrack to find an old website link.
You simply go with your instinct, and more often than not it ends up being the path previously traveled. An interesting approach to idiot proof security ;).

1/100,000?

[prof187]

i know it says it's "not ready yet"
but even an 8 character, lower-case letter only password has 208827064576 possibilities...
it might take a while for that to catch up

Tell me your password or you're dead!!!

[rice_burners_suck]

and the chances of guessing it is 1 [in] 100,000

How long does it take a computer program to make 100,000 guesses? Not too long, I'd wager. I think the reason text passwords are so effective is that you can have different length passwords with uppercase, lowercase, numerical, and symbol characters, giving you some 100 characters to play with, in any combination, and in any length (within range), meaning that there are probably a lot more than 100,000 combinations.

If Hebrew University figures out a way to dramatically increase the number of possible combinations, while retaining one's ability to remember, but not describe, the password, that would be very useful in situations, for example, where your filesystem is encrypted with one of these passwords, and there is no way you can tell the CIA/FBI/NYPD/MPAA/RIAA/DEA/Microsoft/SEC what it is, in case one of these organizations seizes your equipment.

Just lock the account

[xswl0931]

Most systems already do this to prevent brute force attacks. Just lock the account after the third unsuccessful attempt. Now the user has to provide more data to prove they are who they are. In a secure environment, this may mean dna samples rather than just your pet's name.

Sounds like Passfaces

[Beautyon]

Passfaces [realuser.com] uses a similar idea; you can remember the faces that make up your password, but you cannot describe that password to anyone. It relies on your brains ability to recognise faces, and your brains inability to accurately describe the same faces.

Useless for the blind of course.

Odds?

[RonnyJ]

the chances of guessing it is 1/100,000

When you consider that the chance of randomly guessing a random 3-letter long case-sensitive password is 52^3 (1 in 140608), this really isn't that impressive.

This idea

[Rinisari]

This idea was shown in Johnny Mnemonic. When the 320 GB of data was shoved into Johnny's head, it was encrypted with three pictures. Those pictures needed to be reproduced in order to extract the data.

Johnny Mnemonic

[Krondor]

Isn't this similar to how passwords were handled in Johnny Mnemonic? With the 3 random screen captures. I realize that this is different in that the user remembers which ones to pick, but isn't it the same principle?

Sci-Fi becomes reality once again.

Re:Johnny Mnemonic

[jcenters]

In the short story, the password in Johnny's boss's head was ASCII art, a swastika.

Gibson is definitely one of the most prophetic sci-fi writers of our time (The only other two I can think of that match him are Neal Stephenson or possibly Bruce Bethke.) He invented the term "cyberspace" for crying out loud!

Patiently waiting for my deck.

Kinda of interesting, but...

[sootman]

3 months to get to 90%? Doesn't sound too good. And 1 in 100,000 means there are 100,000 possibilities, I guess, (RTFA? what's an A?) which really isn't that much to use brute force against (for a machine, anyway.) And, to put that in perspective, 4 letters (26^4) has over 450,000 combinations. So why not go with a 4-letter acronym and get >99% success immediately?

I already can't really "remember" my passwords...

[dark-br]

... in a way that if you ask me for the correct sequence i can't really tell you for some weird reason i guess it's not my brains remembering the pass, it's my fingers :) I can type it while being shot at, in the middle of a fire or with FBI agents riding in but i cannot tell you the sequence even if you pull my nails off one by one.

It's that only with me?

Patterns on the keyboard.

[klevin]

I use random patterns on the keyboard. I have to consciously remember the password for a little while, but, within a week or so, I no longer even remember what the password is. I just type it without thinking. I found out that I was doing something similar with my GPG key's passphrase. One day, I went to type it in and realized that I couldn't remember it despite the fact that I had just used it a few hours previously. It took me over a week to remember what my passphrase is. I was just about at the point o

It' easy:

[ivan1011001]

Just pick a telephone number that you can remember well, but not your own. Practice typing it on the number pad a few times, until you get it through your subconcious and can type it w/o looking. Then select a random key on the keyboard as your starting point, and type in the phone number.

(i.g., 651-5984 = oiji09u ; [w/ oiu=456])

Secure, unquessable, and easy to remember.

More than anything...

[sootman]

...this seems like a solution in search of a problem. Exactly what scenario requires a password that cannot be guessed by passers-by and cannot be extracted by interrogators but at the same time is unimportant enough that 90% accuracy is acceptable? Neat trick, but there are lots of things to work out before this is anywhere near practical.

it's been done before

[dekeji]

These kinds of passwords based on visual recall have been tried before. People have tried constructing scenes, using collections of natural photographs, and lots of other visual cues. All of them rely on the fact that "a picture is worth more than a thousand words", meaning that it would be hard for you to describe pictures in sufficient detail to disclose your password. There was a genuine bonanza of those kinds of attempts to make visual passwords in the late 1990's and some web sites tried using them,

I do that currently.

[WindBourne]

That is how I enter my bank card pin. I have no clue what it is, just my finger does the walking.

Mnemonics

[Jadrano]

Maybe this approach has its merits, but it would make entering passwords a bit complicated, strings are easier to handle.

I would find it much more important that knowledge about mnemonic techniques become more widespread. As far as I know, people who take part in memory contests, where they have to remember long numbers, use systems wehere each number stands for something (a letter in the alphabet, which in turn stands for certain words), and they quickly construct a kind of story around the numbers. Human beings are very bad at remembering raw data, but they are quite good at remembering semantically connected concept. As long as people conceive passwords as a kind of words, perhaps slightly altered and with numbers added, it will always be difficult - either it is still vulnerable (dictionary attacks or even if the word doesn't exist phonotactic attacks exploiting the rules sounds can combine in languages) or it is hard to remember, especially if the password has to change from time to time. It would be much easier of people conceived passwords as phrases or whole sentences and use the first, second, last or whatever letters that make up the words of these expressions (and still add numbers).
For instance, I think it would be relatively hard to remember a password like 'dl3w5pwthbtceth', but if it stands for 'During [the] last 3 weeks, 5 people went to [the] hairdresser because their cats eat their hair' (absurd, but not really devoid of semantic content and therefore possible to remember). Next time, the password might be '3ohtehfsocatioh2jgu' (3 of [the] hairdressers tried [to] extract [the] hair from [the] stomachs of [the] cats and to insert it on their heads, 2 just gave up). The style of the sentences that should not be too obvious can, of course, vary.
That is easier to remember than things conceived as nonsense-words and practically impossible to guess. The transition from one password to the next is easier - the next phrase or sentence can somehow be connected semantically or pragmatically to the previous in the mind of the owner of the password in a way that isn't accessible to anyone else.

With the ubiquity of passwords in today's everyday life, such methods deserve much more attention.

Re:Mnemonics

[Skeezix]

I wrote a paper on using mnemonics which you might find interesting [pubcrawler.org]

Disturbing quote from article

[LincolnQ]

"I like the idea of developing computer-human interfaces in which the computer is a skeptic [and so] doesn't perform the actions of which it is capable until the human has convinced it that the need is genuine and the human is an appropriate person for whom to perform this action," he said. "This might lead to greater safety for all of us."

Ouch! I don't like this idea at ALL. Anyone else disturbed?

Dave. Open the pod bay doors, please, Hal...Open the pod bay doors, please, Hal...Hullo, Hal, do you read m

Serious uses in oppressive regimes

[AmiMoJo]

In some of the more oppressive legal environments, such as the United Kingdom, the police can demand that you hand over your passwords. Saying "I forgot", even if you did, is not considered a valid reason for not doing so. Check out the Regulation of Investigatory Powers Bill [stand.org.uk].

Using this technique, it would be possible to prove that you could not remember the password.

Re:Serious uses in oppressive regimes

[headkase]

They would simply have you unlock the data for them by entering your "password", no matter the method used for entry.

Not good enough...

[igrp]

The obvious weakness and insecurity of this aside, this just isn't a good idea. For starters, 90% is no where good enough. A password system like this would be a nightmare to setup and, more importantly, to maintain.

Imagine introducing something like this and being responsible for it during the rollout period. You'd have to have people on-call 24/7 just to reset passwords, check IDs and help people log on to their computers (which is the very thing they need to do to even start their work day).

Additionally

Oblig. Lost Ark quote

[Wheaty18]

"You'd be surprised what someone can remember... if properly 'motivated'..."

Remember Microsoft

[MikeDawg]

Didn't Microsoft try something like this, with passwords? I'm trying to find the /. article on it, but I can't seem to find it. MS would develop a password that was developed from images the user saw, I can't remember the exact details (Damn, I need to find that article).

Already in use ... unconsciously?

[zonix]

In some way, I think a lot of us may unconsciously be using this method already.

I once knew my 4-digit PIN for my creditcard by the pattern I would press on a keypad. At the time I wasn't consciously aware of the fact that I didn't know the actual sequence of numbers. One day I had to memorize the PIN for my Mom's creditcard (yeah, I know, the PIN is personal!) as I was to run an errand for her - just once. That was enough for me to forget my own PIN when I was to use my own creditcard the next time.

Today

wow... bad bad.

[buttahead]

...and the chances of guessing it is 1/100,000.
yikes, so trying this brute force would take about 1 second. cool.

Not so bad

[SuperDry]

Regarding the 90% rtention rate, that was within a 3-month period of having been issued the password. I'd say that at least for me, there's a far less than 90% chance that I'll remember a new password 3 months later if I don't use it regularly. So, this part of the new scheme doesn't seem so bad. Also, regarding the 1-in-100,000 chance of a false positive, consider that most bankcards are protected with a 4-digit numeric password, yielding only 10,000 combinations and they are considered secure for their

Kanji

[ThreeDayMonk]

This reminds me of Japanese kanji - and anyone who's studied Japanese will know what I mean.

It's far easier to learn to read a word in kanji than to write it down accurately.

This sounds like a similar phenomenon.

Using a Password One Doesn't Consciously Remember?

[skinfitz]

It's called a biometric [biometrics.org].

Images? Pfft.

[Feztaa]

I've been using the same password for everything for so long that I don't even remember what it is, I just type it in by muslce memory. ;)

not effective for men

[muckdog]

This won't work at all. If its based on images, every male password will be boobs.