
Microsoft Wants To Give You A Rorschach 223

Posted by ScuttleMonkey
from the sticky-note-to-put-on-your-monitor dept.
Preedit writes "Microsoft has set up a website that uses inkblot images to help users create passwords. The site asks users to view a series of inkblots and write down the first and last letters of whatever word they associate with each inkblot. Then they combine the letters to form a password. Microsoft claims it's a way to create passwords that are easy to remember but hard to crack. But a word of warning: the story notes that Microsoft is collecting and storing users' word associations."
  • Storing and insecure (Score:5, Informative)

    by tkdtaylor (1039822) on Wednesday December 05, 2007 @05:06PM (#21589891)
    It's a research project so of course it's storing the responses.
    From the actual site:

    Security and privacy of this service

    InkblotPassword.com is a research project deployed by Microsoft Research. It is for demonstration and research purposes only. You are welcome to try it out, but we make absolutely no promise that our implementation will protect your password. Don't use your account here to protect any data you care about, from money to your reputation. We also make no promise that the site will continue running. Should the service prove successful, Microsoft may consider offering the service as a commercial product or service. For now, consider it an unreliable, insecure service run by a couple research coneheads in their spare time, and trust it accordingly.
  • by eldavojohn (898314) * <eldavojohn@NoSpam.gmail.com> on Wednesday December 05, 2007 @05:17PM (#21590027) Journal
    That's not the only problem. If you read the research paper [microsoft.com][PDF Warning] from 2004 (pretty old stuff actually), they state:

    In both experiments, users missed at most one association, even after having not used the system for one week. Thus it may be advisable to modify the system to allow for successful authentications when k out of a possible n associations are correct. Assuming that all blots produce an equal distribution on responses, this reduces the security of passwords to the level of the original system with only k blots. Therefore, it might be advantageous for users to have to enter associations for more blots. A disadvantage of this approach, however, is that authentication would take longer.
    Also of interest may be their conclusion:

    Our preliminary data suggest that inkblot authentication offers a potentially significant improvement over existing widely-deployed user authentication mechanisms. In addition to gathering our quantitative results, we also asked users who had taken part in our experiments for their comments on the system. In almost all cases we received the same response: the users were happily shocked that they could remember such a "huge password." In fact, many users asked if there were any plans to allow the use of the system in their production environment. This kind of positive user experience is arguably as important to the eventual adoption, acceptance and scrupulous use of an alternative password system as any measure of security. More experiments would help confirm or discount our security and memorability results, and could answer such questions as: How many inkblots (that is, how much entropy) can be used before the resulting passwords are no longer memorable? What is the best way to help users retain their inkblot associations? What inkblot-to-character hash function generates the most entropy without sacrificing ease of use? And what inkblot generation algorithms create inkblots with the highest-entropy (or the fewest low-entropy) association spaces?
    While inkblot authentication should be quite easy to deploy in a wide variety of settings, there exist some environments (such as devices with tiny screens) where it is unworkable, and alternatives are needed. Adapting the inkblot password scheme to other password-using contexts, such as those in which the user interface is under the control of a (possibly uncooperative or legacy) application, may also require some innovative thinking.
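The following is an added worked example, not code from the Slashdot submission, Microsoft's InkblotPassword.com site, or the quoted paper. It models the scheme as the summary describes it (first and last letter of each association, concatenated) and then quantifies the k-of-n relaxation the paper discusses, under the paper's own stated assumption that every blot draws from an equal distribution of responses. It goes one step further than the quoted passage: it counts exactly how many guesses a k-of-n verifier accepts, which shows that the effective strength is a little below "k blots" because the attacker also gets to choose which k positions are right. The sample word list and the response-count parameter r are constructed for illustration.

```python
"""Inkblot password scheme and the k-of-n relaxation: a defender's-eye
entropy calculation.  Added example; the word list and the parameter r
(associations per blot) are constructed, not data from the site or paper."""
import math
from itertools import product
from math import comb

# Constructed sample: one user's word association per inkblot.
SAMPLE_WORDS = ["butterfly", "crab", "lantern", "moth", "skull"]


def inkblot_to_chars(word: str) -> str:
    """The inkblot-to-character hash from the summary: first and last letter."""
    w = word.strip().lower()
    if not w:
        raise ValueError("empty association")
    return w[0] + w[-1]


def build_password(words) -> str:
    """Concatenate the per-blot letter pairs into the final password."""
    return "".join(inkblot_to_chars(w) for w in words)


def verify_k_of_n(stored, attempt, k: int) -> bool:
    """Per-blot comparison that accepts when at least k of the n letter pairs
    match.  k == n is the original strict scheme; k < n is the relaxation the
    paper suggests to tolerate one forgotten association."""
    if len(stored) != len(attempt):
        return False
    matches = sum(s == a for s, a in zip(stored, attempt))
    return matches >= k


def accepted_fraction(n: int, k: int, r: int) -> float:
    """Fraction of the r**n possible guesses a k-of-n verifier accepts,
    assuming each blot has r equally likely associations (the paper's
    assumption).  A guess with exactly j correct positions can be wrong in
    (r-1)**(n-j) ways at the remaining n-j positions."""
    accepted = sum(comb(n, j) * (r - 1) ** (n - j) for j in range(k, n + 1))
    return accepted / r ** n


def effective_bits(n: int, k: int, r: int) -> float:
    """Security of the k-of-n scheme expressed as bits of guessing work."""
    return -math.log2(accepted_fraction(n, k, r))


def strict_bits(n: int, r: int) -> float:
    """Security of the strict all-n-correct scheme with n blots."""
    return n * math.log2(r)


def brute_force_accepted(n: int, k: int, r: int) -> int:
    """Enumerate every guess for small n and r and count the ones the
    verifier accepts; used to check the closed form above."""
    stored = (0,) * n  # which association is "right" is irrelevant by symmetry
    return sum(
        verify_k_of_n(stored, guess, k)
        for guess in product(range(r), repeat=n)
    )


if __name__ == "__main__":
    pw = build_password(SAMPLE_WORDS)
    print("password:", pw)
    n, r = len(SAMPLE_WORDS), 100  # r is a constructed assumption
    for k in (n, n - 1):
        print(f"n={n} k={k} r={r}: {effective_bits(n, k, r):.2f} bits "
              f"(strict {k}-blot scheme: {strict_bits(k, r):.2f} bits)")
```

Reading the output for n=5 and r=100: the strict scheme gives 5·log2(100) ≈ 33.2 bits, while accepting 4 of 5 drops it to about 24.3 bits, slightly under the 26.6 bits of a strict 4-blot system, because the attacker also benefits from the C(5,4) = 5 choices of which position may be wrong. That is the combinatorial cost of the memorability trade-off the paper describes, and it is why the paper suggests compensating with more blots.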
  • by cenonce (597067) <anthony_t&mac,com> on Wednesday December 05, 2007 @08:36PM (#21591951)
    That is just silly... I spend too much time trying to think of what these inkblots look like, and some of them really don't look like anything.

    Try a leet password generator [goodpassword.com]... way easier to remember!
  • Re:Captcha (Score:3, Informative)

    by linumax (910946) on Wednesday December 05, 2007 @11:44PM (#21593317)
    This website was designed for people who are not visually disabled, otherwise how the hell are they gonna see the inkblots? Save your Microsoft bashing for when they implement it on MSN or sth.
