Microsoft Wants To Give You A Rorschach

Posted by ScuttleMonkey
from the sticky-note-to-put-on-your-monitor dept.
Preedit writes "Microsoft has set up a website that uses inkblot images to help users create passwords. The site asks users to view a series of inkblots and write down the first and last letters of whatever word they associate with each inkblot. Then they combine the letters to form a password. Microsoft claims it's a way to create passwords that are easy to remember but hard to crack. But a word of warning: the story notes that Microsoft is collecting and storing users' word associations."
  • by Enlarged to Show Tex (911413) on Wednesday December 05, 2007 @04:59PM (#21589795)
    This method will not create passwords that are strong enough. A truly strong password should have at least three of the following, if not all four:

    Uppercase letters
    Lowercase letters
    Numbers
    Non-Latin characters (i.e. symbols)

    Every password I use has at least three, even for free-registration-required sites...
  • by Culture20 (968837) on Wednesday December 05, 2007 @05:11PM (#21589965)

    "Nothing prevents a user from learning a strong password on Inkblotpassword.com and then reusing it at other sites," Microsoft's researchers said.

    Common sense might.
  • by TubeSteak (669689) on Wednesday December 05, 2007 @05:14PM (#21589999) Journal

    A truly strong password should have at least three of the following, if not all four:
    Only if there's a maximum character limit on the password.

    Or are you going to tell me that
    "atrulystrongpasswordshouldhaveatleastthreeofthefollowingifnotallfour"
    is not a strong password?

    I'm not suggesting everyone should use such a long pass, but what's so hard about implementing passphrases instead of passwords?
  • by Rakishi (759894) on Wednesday December 05, 2007 @05:15PM (#21590009)

    A truly strong password should have at least three of the following, if not all four:
    Not really, you can just make your password longer and you are just as secure.
  • 26^10 > 95^5. Even if you restrict your password to only a few characters, you can get the same level of security as with many characters. You just need far more of them. Think about it: when we strip off all of our abstractions, everything is stored as 1s and 0s, right? (Note: Parent's point is good and right, if your password must be short, or you don't want to spend time doing the inkblot test, or you don't want to have to remember 90 characters.)
  • by ChatHuant (801522) on Wednesday December 05, 2007 @05:34PM (#21590241)
    This method will not create passwords that are strong enough. A truly strong password should have at least three of the following, if not all four:
    Uppercase letters
    Lowercase letters
    Numbers
    Non-Latin characters (i.e. symbols)

    That's just not true. Admins request this kind of nonsense to force a bigger password space with shorter passwords. Informally, the security of your password is given by the number of random bits you have. With ASCII passwords using only lowercase letters, you're adding less than 5 bits of randomness per character. Even worse, most people use real words as passwords, so they can remember them easily. That reduces the randomness even more and makes dictionary attacks feasible. Adding uppercase, numbers and symbols gives you an extra bit or two of randomness per character, but makes the password much more difficult to remember.

    Microsoft's method works around the password memorization by using the inkblots. The security is given by the much larger size of the resulting password. They get a password of 20 lowercase characters, say about 100 bits of randomness (less than that, because not all letter combinations are equiprobable - very few words I know begin and end with a q for example). A totally random password consisting of a mix of 10 symbols, numbers and different cased letters only gives you a bit less than 70 bits of randomness.
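    The entropy arithmetic behind the two comments above (26^10 > 95^5, and 20 lowercase letters against 10 mixed-class characters) carried through in code, with a Shannon-entropy estimate for the "not all letter combinations are equiprobable" caveat. This is an added example, not code from any commenter or from Microsoft's site; the 95-character printable-ASCII alphabet, the assumption that each character is chosen uniformly and independently, and the small word list are all assumptions made here.

```python
import math
from collections import Counter

# Printable-ASCII class sizes (assumed standard figures): 95 = 26 + 26 + 10 + 33.
LOWERCASE = 26
FULL_ASCII = 95


def bits_per_char(alphabet_size: int) -> float:
    """Entropy of one character drawn uniformly from an alphabet of the given size."""
    return math.log2(alphabet_size)


def password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent, uniformly chosen characters."""
    return length * bits_per_char(alphabet_size)


def length_to_match(alphabet_size: int, target_bits: float) -> int:
    """Shortest password over `alphabet_size` that reaches at least `target_bits`."""
    return math.ceil(target_bits / bits_per_char(alphabet_size))


def shannon_bits(counts: Counter) -> float:
    """Shannon entropy in bits of an empirical distribution given as counts."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)


def inkblot_pair_bits(words) -> float:
    """Entropy of the (first letter, last letter) pair contributed per inkblot,
    estimated from the words users are assumed to pick. A uniform choice over
    all 26*26 pairs would give log2(676) = 9.4 bits; real word choices give less."""
    pairs = Counter((w[0].lower(), w[-1].lower()) for w in words if len(w) >= 2)
    return shannon_bits(pairs)


# Constructed sample of word associations (hypothetical, not data from the site).
SAMPLE_ASSOCIATIONS = [
    "butterfly", "bat", "moth", "mask", "face", "cloud", "crab", "bear",
    "butterfly", "bat", "bat", "moth", "tree", "face", "frog", "flower",
]


def summary() -> dict:
    """Compare the figures argued in the thread; returns rounded values."""
    ten_mixed = password_bits(FULL_ASCII, 10)     # about 65.7 bits
    twenty_lower = password_bits(LOWERCASE, 20)   # about 94.0 bits
    return {
        "bits_per_lowercase_char": round(bits_per_char(LOWERCASE), 2),  # 4.7, under 5
        "bits_per_ascii_char": round(bits_per_char(FULL_ASCII), 2),     # 6.57
        "ten_mixed_chars": round(ten_mixed, 1),
        "twenty_lowercase_chars": round(twenty_lower, 1),
        # How many lowercase letters match 10 mixed characters: 14, not "far more".
        "lowercase_length_matching_ten_mixed": length_to_match(LOWERCASE, ten_mixed),
        "inkblot_pair_bits_sample": round(inkblot_pair_bits(SAMPLE_ASSOCIATIONS), 2),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

    The uniform-choice figures are an upper bound: `inkblot_pair_bits` shows how the per-inkblot contribution drops once the first/last letter pairs are drawn from the words people actually pick, which is the same effect ChatHuant notes for the 20-letter figure.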
  • Re:I'm shocked!!! (Score:2, Insightful)

    by calebt3 (1098475) on Wednesday December 05, 2007 @05:37PM (#21590267)
    Even if MS said that they weren't keeping the data, I'm not sure anybody would believe them.
  • by AeroIllini (726211) <aeroilliniNO@SPAMgmail.com> on Wednesday December 05, 2007 @07:06PM (#21591247)
    Because many people have trouble typing their own names correctly without using the backspace key a few times, and typing a password in a box gives no visual feedback. Higher letter count gives a higher chance of typos, and a higher chance of getting locked out after typing "atrulystrongpasswordshouldhaveatleastthreeoftehfollowingifnotallfour" five times in a row.

    Chances of a typo are even higher if someone routinely types in MS Word with AutoComplete turned on and is now physically incapable of typing "the", "from", or any number of words correctly the first time. Double bonus points if they work in a major corporation and hunt'n'peck.
