Picture Passwords More Secure than Text
Hugh Pickens writes "People possess a remarkable ability for recalling pictures and researchers at Newcastle University are exploiting this characteristic to create graphical passwords that they say are a thousand times more secure than ordinary textual passwords. With Draw a Secret (DAS) technology, users draw an image over a background, which is then encoded as an ordered sequence of cells. The software recalls the strokes, along with the number of times the pen is lifted. If a person chooses a flower background and then draws a butterfly as their secret password image onto it, they have to remember where they began on the grid and the order of their pen strokes. The "passpicture" is recognized as identical if the encoding is the same, not the drawing itself, which allows for some margin of error as the drawing does not have to be re-created exactly. The software has been initially designed for handheld devices such as iPhones, Blackberry and Smartphone, but could soon be expanded to other areas. "The most exciting feature is that a simple enhancement simultaneously provides significantly enhanced usability and security," says computer scientist Jeff Yan."
Meh. (Score:4, Insightful)
Sounds hard (Score:5, Insightful)
Normal signature (Score:5, Insightful)
We have had signature recognition for a while.
What's new?
Damnable Security! (Score:5, Insightful)
And "shoulder surfing". (Score:5, Insightful)
With typed passwords that is a lot more difficult.
2 characters. (Score:5, Insightful)
More Secure? (Score:3, Insightful)
There are only so many places to start drawing your password on a picture and a human would recognize that. People would probably draw birds in the sky and dogs on the ground, right? Also, I would guess that people would make linear leaps with their pictures: someone will draw a bird, and not a fish, in a picture of a tree.
That said, I'm not saying that this isn't a worthwhile endeavor, just that it wouldn't necessarily be as secure as it looks at first glance.
Re:I don't believe it. (Score:3, Insightful)
Easy dictionary attack (Score:3, Insightful)
Re:I don't believe it. (Score:3, Insightful)
I think most people will associate the same things with the same background (e.g. flowers->bee), resulting in even fewer combinations... also, the universe of "drawable things" is smaller than the universe of words, and that is smaller than the universe of pass...
Re:Easier in Asia... (Score:3, Insightful)
Re:Meh. (Score:5, Insightful)
Re:2 characters. (Score:4, Insightful)
Re:Meh. (Score:2, Insightful)
After a long time doing it, you would get damn fast at it too.
One problem, however, is disability. If I had a horrible accident and became a quadriplegic, I could still recite my password to someone if need be... good luck doing that with this kind of authentication.
Re:Sounds hard (Score:3, Insightful)
SHA (Score:4, Insightful)
You could use some algorithm to simplify the user's drawing, rounding angles (I punned!
Re:SHA (Score:2, Insightful)
Re:2 characters. (Score:3, Insightful)
"Hey, Susan. I'm Bob from IT. We're doing a company-wide password security survey, and I need to get yours down. Can you let me know what it is?"
"Well, hi Bob. It's sort of a dopey-looking antelope with horns and big teeth."
"Ah. Thanks." *click*
Re:SHA (Score:3, Insightful)
Since even a single-bit difference in the input to a hash algorithm generates an entirely different result, this means you can't hash that file and expect it to match a hash of the "same" pass picture on the server, unless you draw the pass picture absolutely identically every time.
So how do you securely store a user's pass-picture on the server without risking its compromise if the server were hacked? Which was the point of the GP.
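An added example of what hashing the encoding rather than the drawing looks like, tying the summary's description of DAS (ordered cell sequence plus pen lifts) to this SHA thread; it is not code from Newcastle's DAS implementation or from any commenter. It assumes a 5x5 grid, an encoding made of the visited cells with a pen-up marker between strokes, and salted SHA-256 for storage.

```python
import hashlib
import hmac
import secrets

GRID = 5  # assumed: a 5x5 DAS grid laid over the background image

def encode_strokes(strokes):
    """Encode a drawing (list of strokes, each a list of (x, y) points in [0, 1))
    as the DAS-style ordered sequence of grid cells, with "UP" wherever the pen
    is lifted. Only this sequence is the secret; the exact path is discarded."""
    encoding = []
    for stroke in strokes:
        prev = None
        for x, y in stroke:
            cell = (min(int(x * GRID), GRID - 1), min(int(y * GRID), GRID - 1))
            if cell != prev:  # wobble inside one cell does not change the encoding
                encoding.append(cell)
                prev = cell
        encoding.append("UP")  # number and order of pen lifts are part of the secret
    return tuple(encoding)

def serialize(encoding):
    return "|".join("UP" if c == "UP" else f"{c[0]},{c[1]}" for c in encoding).encode()

def hash_encoding(encoding, salt):
    return hashlib.sha256(salt + serialize(encoding)).hexdigest()

def enroll(strokes):
    """Server stores only (salt, digest); the drawing itself is never kept."""
    salt = secrets.token_bytes(16)
    return salt, hash_encoding(encode_strokes(strokes), salt)

def verify(strokes, salt, stored_digest):
    candidate = hash_encoding(encode_strokes(strokes), salt)
    return hmac.compare_digest(candidate, stored_digest)

# Constructed sample input: two imperfect attempts at the same two-stroke butterfly.
ATTEMPT_1 = [[(0.1, 0.1), (0.3, 0.3), (0.5, 0.5)], [(0.9, 0.1), (0.7, 0.3), (0.5, 0.5)]]
ATTEMPT_2 = [[(0.15, 0.05), (0.32, 0.38), (0.55, 0.48)], [(0.85, 0.15), (0.75, 0.25), (0.5, 0.55)]]
# Same cells, but drawn without lifting the pen: a different encoding, so a different digest.
ONE_STROKE = [ATTEMPT_1[0] + ATTEMPT_1[1]]

if __name__ == "__main__":
    salt, digest = enroll(ATTEMPT_1)
    print("second attempt accepted:", verify(ATTEMPT_2, salt, digest))
    print("single-stroke attempt accepted:", verify(ONE_STROKE, salt, digest))
```

The digest matches exactly when the cell sequence and pen lifts match, which is the margin of error the summary describes. Because the server holds only a salted digest of the encoding, an attacker with the database faces the guess space of cell sequences, which is where the dictionary-attack objection raised above applies.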