Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×
Security

Inkblot Passwords 590

Posted by CmdrTaco from the i-see-a-walrus-humping-a-turkey dept.
TechnoPope writes "Microsoft Research a new way to get users to not only develop, but remember more secure passwords can be achieved through using inkblots. Because of how the human brain works, you can show the same pictures to different people and almost always come up with different passwords. What's even crazier, is that people generally are able to remember the complex passwords. Sounds like a major breakthrough in security."
This discussion has been archived. No new comments can be posted.

Inkblot Passwords More

Inkblot Passwords

Comments Filter:

  • So What did people get? (Score:5, Funny)

    by miradu2000 ( 196048 ) * on Friday July 18, 2003 @02:57PM (#6472969) Homepage
    Anyone else see these shapes?
    butterfly swimmer
    recycle logo
    WWE Smackdown Enterance
    Helping Hands
    Evil Eyes
    Person Gasping
    Turtle man
    Boys Spitting
    Batman fighting
    Batman flying

    with an end password of brrowehsespgtnbgbgbg

    Hmm, maybe i shouldn't of shared that. This seems to be a really cool system. I look forward to MS adding it to passport!

  • See the example images (Score:5, Funny)

    by Anonymous Coward on Friday July 18, 2003 @02:58PM (#6472976)
    Blot number 10 would be "Bn": Batman having sex with Catwoman.

    • Actually thats the recommended approach (Score:5, Interesting)

      by goombah99 ( 560566 ) on Friday July 18, 2003 @03:13PM (#6473179)
      Blot number 10 would be "Bn": Batman having sex with Catwoman.

      though your post was meant to be humorous it also jibes with convention security wisdom for recalling strong passwords.

      I forget who it was that said it, but a widely recomended strategy for strong passwords is to think of a shockingly graphic sexual phrase then use the first letters.

      The vividness and the link to sexual activity makes it memorable (at least in males). And also its not likely to be a phase you would blurt out or something anyone cold easily guess about you. e.g. "take this job and shove it" would NOT be a good pass phrase because its something that might well be an expression you would use in your writings or speech.

      Oh and by the way that's actually me in the batman costume doing your wife. or Ge

      • Re:Actually thats the recommended approach (Score:4, Interesting)

        by Misch ( 158807 ) on Friday July 18, 2003 @03:31PM (#6473385) Homepage
        Or Shakespeare.

        "When shall we three meet again, in thunder, lightning, or rain?"

        Becomes

        Wsw3ma-itlor

        You have capital letter, number, and punctuation symbol.

        Time for a new password? Flip to another passage.
        • Read the article - they use the first *and* last letter, so the line you quoted from Macbeth becomes:

          wnslwetemtanintrlgorrn

          Which points up a flaw in the system that a previous poster alluded to, namely, that you end up with only alphanumeric character passwords, so a cracker program would only need to run permutations of first/last letter pairs from a dictionary to crack these passwords.

          Moreover, there are undoubtedly some first/last letter combinations that are more common than others in english, even f

  • Van Wilder guy... (Score:5, Funny)

    by batobin ( 10158 ) on Friday July 18, 2003 @02:59PM (#6472984) Homepage
    From the movie Van Wilder:

    Random man (being shown an ink blot picture): "DUDE! It's a guy... and he's giving a circumcision... to HIMSELF!"

    How exactly would his password turn out?

  • What would happen (Score:5, Funny)

    by OverlordQ ( 264228 ) on Friday July 18, 2003 @03:00PM (#6472992) Journal
    If they showed this to the /. crowd:

    User1: It's Natalie Portman, i mean look at those curves . . .
    User2: Beowulf cluster of Linux boxen!
    User3: Its the dead body of Steven King.
    User4: Hot Grits . . . definately . .
    User5: In Soviet Russia, the inkblots analyze you!

    Think I covered them all :)

  • Can't be!!! (Score:5, Funny)

    by TopShelf ( 92521 ) * on Friday July 18, 2003 @03:00PM (#6472997) Homepage Journal
    An innovative, potential useful idea coming from Microsoft?

    I can't figure out which is more incredible - that, or the fact that the story got told here...

  • Well... (Score:5, Funny)

    by blackmonday ( 607916 ) on Friday July 18, 2003 @03:00PM (#6473000) Homepage
    I would love this so much more, and find it much more useful, if Steve Jobs had thought of this.

  • Ink blots? (Score:5, Funny)

    by grub ( 11606 ) <slashdot@grub.net> on Friday July 18, 2003 @03:00PM (#6473008) Homepage Journal

    They'll make a total mess of /etc/passwd...
  • Microsoft Research
    Microsoft Security
    Microsoft Innovations
    Military Intelligence
    McDonald's Restaurant
    American Democracy
    Land of the Free, Home of the Brave

    everything just feels like rain

    • Re:Microsoft Research? (Score:5, Insightful)

      by Wabin ( 600045 ) on Friday July 18, 2003 @03:08PM (#6473112)
      The sad thing is, MS has long had a good research department. They hire very bright people and pay them a lot. But bright people with great ideas and great research doesn't mean that any of that good stuff will ever make it into production code. Marketing drones and codemonkeys do a good job of stopping that. If only people would listen to the real eggheads.

      Ah for Plato's republic of philosopher kings... of course, it didn't really work out on the Simpsons...
      • I just think that it was really cool that an intern came up with the idea. I wish that the ideas that I come up with at my internship would end up on the front page of slashdot.
        • I wish that the ideas that I come up with at my internship would end up on the front page of slashdot.

          So every disgruntled nerd in the world can take potshots at your idea, just because it came from Microsoft?

          I think not.
      • They hire very bright people and pay them a lot. But bright people's great ideas and great research doesn't mean that any of that good stuff will ever make it into production code.

        Yes, but on the other side of the coin, bright people and their great ideas don't necessarily deserve to be made into a product.

        Before everyone jumps down my throat, all I mean is that a bright idea, something that can be made to work, that's cool, that 'egg' head people like (speaking as atleast a quasiegg head myself), don't

  • It's a Freudian thing... (Score:5, Funny)

    by tinrobot ( 314936 ) on Friday July 18, 2003 @03:01PM (#6473015)
    Great. Now every password will have something to do with sex.

  • Check your password files (Score:5, Funny)

    by Mononoke ( 88668 ) on Friday July 18, 2003 @03:02PM (#6473024) Homepage Journal
    The password 'inkblot' has just debuted in the top ten and is climbing fast.

  • I already use this.. (Score:5, Funny)

    by gowen ( 141411 ) <gwowen@gmail.com> on Friday July 18, 2003 @03:02PM (#6473025) Homepage Journal
    I used this system, with 5 different inkblots to generate my 5 most important passwords. They are, in turn:

    MyMother.
    Mom.
    MyMother.
    Momagain.
    and
    MyMo ther

  • More classic sentence structure (Score:5, Funny)

    by flynt ( 248848 ) on Friday July 18, 2003 @03:02PM (#6473026)
    Here is some more of our favorite Slashdot composition style for your pleasure.

    "Microsoft Research a new way to get users to not only develop, but remember more secure passwords can be achieved through using inkblots."

    Makes one want to weep really.

  • How many poosible combinations could there be? (Score:4, Funny)

    by L. VeGas ( 580015 ) on Friday July 18, 2003 @03:02PM (#6473032) Homepage Journal
    Here's the passwords I came up with:

    Inky
    Blotty
    inkblotty
    inkyblot

    I bet there's not too many of these. Put 'em in a wordlist, and, bang!, you're a hacker!

  • build a better inkblot (Score:5, Insightful)

    by deke_2503 ( 569986 ) on Friday July 18, 2003 @03:02PM (#6473033)
    It's nice, but the inkblots could use some work. If you look closely, they all look basically similar in construction, with the only differences being the color and size of the shapes. They also are all symetrical along a vertical axis. A little more randomization would be nice I would think.
  • Microsoft Research [has come up with] a new way to get users to... Sounds like a major breakthrough in security.

    Sounds like a major break-in in security to me!

  • Random Letters (Score:4, Insightful)

    by aerojad ( 594561 ) on Friday July 18, 2003 @03:03PM (#6473043) Homepage Journal
    Well the idea sounds cool and all, but isn't this just a bit too involved to help people come up with and remember what will become basically random strings of characters? This seems like going through lots more of an effort then just using a random password generator of x-characters and handing the person something to memorize. When it comes to cracking, wouldn't you have just about the same odds of guessing what random password the person got through inkblots with what the person would have got with a random character generator? Sure neither would be really easy, but to hackers... it's still just a password.
  • I think... Yes, I see... A Slashdotting!

  • They are all obvious (Score:5, Funny)

    by Anonymous Coward on Friday July 18, 2003 @03:03PM (#6473049)
    Its obvious number 7 is a frog getting blown by a kitten and fucked doggy style by something with wings. All the rest are my mother.

  • Dictionary attack now way too easy! (Score:3, Funny)

    by RobertB-DC ( 622190 ) * on Friday July 18, 2003 @03:03PM (#6473052) Homepage Journal
    We ask you to look at the inkblot, see whatever you see in the inkblot, and type a short abbreviation of what you see. The first and last letter works well.

    Sounds to me like this is tailor-made for dictionary attacks. The only letters you'll need to break into any /.er's computer would be P[]Y, T[]S, A[]S...

    (Oh, crap, I'd better post AC or else I'll lose my squeaky-clean image!)

  • I liked faced passwords better (Score:5, Interesting)

    by HiKarma ( 531392 ) * on Friday July 18, 2003 @03:04PM (#6473061)
    How strong are these passwords. For each blot, might you guess what somebody will see? Some seemed more obvious than others.

    I like the face password system. With this system you remember some faces, something we are very good at doing. Then you are shown tablets of faces, around 16 of them. Your face is among them and you click on it -- 4 bits of data. You do this several times to generate a strong enough password.

    The really interesting aspect of this system is, unless you are a skilled police sketch artist, you can't tell other people your password. Even if they torture you, you can't reveal it. Many people will find themselves unable to even describe the faces in their set, they just know them when they see them.

    You might be able to go to the terminal and sketch or digitally photograph your faces to tell somebody else, but if this is used as an access control system, for example, with a guard watching you as you enter your code, it's hard to do. Thus the military is interested in such systems. But even if you don't care about the no-torture feature, you can generate memorable passwords that use an entirely different type of memory.

    • I agree. (Score:2, Interesting)

      by Microsift ( 223381 )
      About two years ago, slashdot ran a story about RealUser, which provides a passface solution. I was shocked at how well I remeber the passfaces I was given. I just tried to login to the site, and I was succesful, I haven't tried to login in months.

      www.realuser.com for more info

    • Re:I liked faced passwords better (Score:5, Funny)

      by gizmonic ( 302697 ) * on Friday July 18, 2003 @03:29PM (#6473363) Homepage
      Even if they torture you, you can't reveal it.

      Whoa! Fuck that! I am not a secret agent! I want a password I can reveal BEFORE torture! :)
    • Relying on face recognition a bad idea. Certain segments of the population have a condition called "prosopagnosia" in which victims are unable to recognize faces, even familiar ones like their mother's or even their own. A similar condition is described in the famous book "The Man Who Mistook His Wife for a Hat" [amazon.com]. Here the researcher describes the more general condition of object agnosia [wikipedia.org] which is the inability to recognize any type of object. Presumably those with object agnosia would fail the inkblot p
  • You have to have some imagination to see anything in the blobs in the article. I certainly didn't have enough, so my password would be ngngngngngngngngngng.

  • The problem with this approach (Score:5, Insightful)

    by Dr. Bareback ( 644802 ) on Friday July 18, 2003 @03:05PM (#6473068)
    One of my college professors actually outlined a similar scheme several years ago. But (as he admitted) it had a fatal flaw: the keyspace was too small. In other words, it is not hard to assemble a list of under 50 possible passwords or two-letter combinations that describe a given inkblot.

    The other flaw (which is less serious) is that this strategy is only effective when the user has to remember a small, finite number of inkblots. If a user is forced to memorize a few hundred inkblots to cover the dozens of passwords he needs on a daily basis, this mnenomic technique loses its value.

  • Cute but flawed? (Score:3, Interesting)

    by dmccarty ( 152630 ) on Friday July 18, 2003 @03:05PM (#6473072)
    How will they prevent someone from guessing easy passwords when the random blobs happen to be something that everyone thinks is the same thing? For example, if a blob looks just like a butterfly, everyone will enter "by" as the first two letters in the password, and if successive blobs share the same property it may be cumbersome, but not too difficult, to guess their password.

    Also, most people's passwords are a string that they easily remember + some numbers. It's much easier to remember blahblah123 than to look at the blobs every time you want to login and reconstruct "frherotspsmt..." from the images.

    Perhaps this system could be used to help people remember forgotten passwords, like being able to select 5 of out 10 images in the correct order.

  • I found out the more often I use a password the more obsecure and meaningless it can be. So I make some of my passwords total gibberish with numbers and letters and whatnot. After about 2 weeks, Their easy to remember. I dont know what happens if you take a vacation...
  • cscscscscs Too many guys are going to see a "chick with big hooters" in every blot.
  • Hey... How come all these inkblots look like butterflys?

  • ...the average length of some of your "strong" passwords?

    I personally have a 30 character one that is locked in my brain now... but only use it for things I would actually be worried about.

  • Strong passwords? (Score:3, Informative)

    by gpinzone ( 531794 ) on Friday July 18, 2003 @03:06PM (#6473089) Homepage Journal
    Take the first letter from the first word and the last letter from the last word in the first blot. That forms your first two password letters. If you described the first blob as a 'flying gardener,' your first two letters would be fr. Continue doing this with all of the inkblots. You'll end up with a strong twenty-letter password.

    Not quite. You password will be long, but still only consist of letters. A truly strong password includes non-alpha and non-numbers to increase the search space to help against brute force attacks.
    • Wrong. the strongest possible password is simply the longest string you can reliably comit to memory. It makes no difference if your alphabet is 50% larger.

      • Re:Strong passwords? (Score:5, Insightful)

        by tazan ( 652775 ) on Friday July 18, 2003 @04:04PM (#6473719)
        If my alphabet was only one character I could remember a password hundereds of characters long. It would be the strongest password ever.
      • madeglorioussummerbythissonofYorkandallthecloudsth atlowereduponourhouseinthedeepbusomoftheocean. . .

        . . . hereClarencecomes

        Oh, sure, maybe they'll get lucky with the first 16 letters or so, but they'll never guess the next few hundred.

        KFG

      • You're both wrong... (Score:5, Informative)

        by wirelessbuzzers ( 552513 ) on Friday July 18, 2003 @04:36PM (#6474041)
        [am not! are too! am not!]

        The strongest possible password is the string with the most entropy that you can reliably remember and enter. i.e. the output of a password-generation method that has the largest possible number of different outputs (assuming that they are equally likely up to computational feasibility, and that you can reliably remember and enter the password, and that an attacker has any reasonable chance of guessing how you generated it).

        It is NOT the longest string you can commit to memory. There are people who have memorized thousands of digits of pi, but the first thousand digits of pi would be a horrible password if someone knew that you had memorized them. Similarly, Shakespearean soliloquies suck, especially if you are a Shakespeare geek.

        A random sentence from War and Peace has maybe 16 bits of entropy. A random paragraph has fewer, because there are fewer paragraphs in War & Peace than there are sentences. A random word from /usr/share/dict/words has about 19 bits of entropy, and thus beats out the sentence. A decent PC could crack any of these in seconds flat, if an attacker suspected you had used one of them.

        If the string is anywhere on your hard drive in plaintext form, be it in the words dict, a deleted email from Amazon, or your War and Peace ebook, it has at most 40-some bits of entropy (depending on your hard disk size and its length), and could be cracked on a small cluster in days if your hardrive wore stolen.

        A 5-word diceware.com password such as "cleft cam synod lacy yr" has about 63-64 bits of entropy, and is my preferred password type for long passwords because it is fairly easy to remember. A 10-character RAD-64 password such as "4TFA/ii+Xc" has 60 bits. An 18-digit random number has about the same.

        If you can narrow each inkblot to 50 possibilities, then a sequence of 10 of them has about 57 bits of entropy in 20 characters. (don't take my word, i calculated it in my head). That's feasible for the govt, or distributed.net, or a very large company. Not bad for a passport account which is unlikely to have its hash lifted anyway, but since I can remember the RAD64 or the diceware one easier and enter it faster, I'll stick with one of them for the accounts I care about.

        Anyway, the password strength you need depends on how much you care about what it protects.

        For instance, I have 10-word diceware for my PGP master signing key, which is about as strong as the hash. Accounts that I don't really care about, like /., have lousy passwords which are variants on an older one, but are easy to remember and quick to enter. You won't guess any one without looking at the others, and I wouldn't care much if you did.
      • Most web sites, and I'm sure hotmail is in this number, limit the size of the password field. If I had committed to memory a random string that was 1000 characters long, it doesn't matter much when the web site asking for a password only accepts 10 characters. Now, when you're dealing with a 10 character limit (a reasonable real life example) it matters A LOT if your dictionary is 50% larger.
  • Wouldn't only insane people see something other than inkblots [deltabravo.net]. This would mean that everyone's password will be "inkblot".

    Oh wait, this is MS. Built from the ground up for insane security.

  • Take the test (Score:3, Funny)

    by Chundra ( 189402 ) on Friday July 18, 2003 @03:09PM (#6473126)
    "Take your own inkblot test - what do you see in these blobs?"

    1. nothing whatsoever
    2. fat black sumo wrestler with purple arms doing the splits
    3. goatse with chopsticks
    4. CowboyNeal's legs in blue spandex
    5. two Chinese soldiers looking longingly at each other
    6. abstract goatse
    7. A black man with bad posture, a green afro, and wings coming out his ass.
    8. Blueberry people flanking goatse.
    9. A very fat superhero.
    10. Birdman does it doggie style. Possibly with goatse.

  • Old psychiatrist joke: (Score:5, Funny)

    by panurge ( 573432 ) on Friday July 18, 2003 @03:09PM (#6473128)
    Neurotic goes to psychiatrist and is shown Rorschach blots. First one reminds him of sex, second one reminds him of sex and so on. Eventually psychiatrist says "I think what we are seeing here is an obsession with sex." "What do you mean?" asks the man, "You're the one with the collection of pornography."

    Based on this argument, start off with a password of sxsxsxsxsxsxsxsxsxsx.

    Seriously, the problem is that with this method the password gets written down. OK, what's rule 1 of security? A written password is a potentially compromised password.

  • You can probably hack all of those with a book by Freud on the subject.
    "it looks like my mother yelling at me!" :)

  • How could this possibly work? (Score:3, Insightful)

    by jdan ( 411331 ) on Friday July 18, 2003 @03:11PM (#6473151)
    This couldn't work for the following reasons:

    1) People are lazy. They aren't going to look through ten inkblots and write down each one and then figure out the first and last letter of each. They are more likely to write their password down somewhere, or just click on the link that says "e-mail me a new password".

    2) People are stupid. Normaly users would get a page saying "View each of these inkblots and write down ...", but what they actually read is "blah blah blah pretty pictures blah blah blah click". Without the person administering the test standing behind them to explain what to do, most people would just glaze over, like they do whenever they are presented with instructions longer than 1 sentence.

    3) Did they have a control group that attempted to remember their "strong" password? They state that it is unusual for a user to remember a strong password after one day, but I wonder how unusual?

    4) "... by the umpteenth time you've logged in, you've remembered these twenty characters". Wouldn't it just be simpler to make them type the 20 characters over and over again 15 times? Then they remember it anyway, and don't have to reverse engineer the whole process.

    --jdan

  • Psychological Experiment (Score:5, Funny)

    by eric76 ( 679787 ) on Friday July 18, 2003 @03:12PM (#6473164)
    About 30 years ago, I took part in a psychological experiment that had to do with ink blots.

    There were 4 test subjects and the psychologist in the room. He'd show an ink blot to each test subject in turn and record the responses.

    I was test subject #4.

    On the first ink blot, the first three all said the same thing and I said something different.

    The second ink blot went like the first.

    I remember that on one ink blot, the guy next to me tried to argue with me into agreeing with him, but I didn't.

    In fact, in the entire series of ink blots, the only time I agreed with anyone else was the one time he asked me first. Then everyone else agreed with me.

    It turned out that there was only one true test subject, test subject #4. The rest were in cahoots with the psychologist.

    The purpose of the experiment was to measure our socialness. The psychologist was rather upset with me because I was way off the curve and told me that I was the most anti-social person he had ever met.

    That's something coming from a psychologist who worked at a state reformatory.

    Anyway, back on topic, I tend to use passwords that are quite long usually by stringing unusual words together or by creating nonsensical sentences. In both cases, unusual spelling, punctuation, and capitalization are present.

    20 characters just doesn't seem enough.
    • The psychologist was rather upset with me because I was way off the curve and told me that I was the most anti-social person he had ever met.

      Given that you read & post on slashdot, he can't be far off, can he?
  • I hope not. But they'd be justified if they did, IMHO. This is the first truly new idea in the area of password generation I've heard. I'd sure like to be proven wrong, though. It'd be a shame if only Windows could use this system.

  • MS Security reveals (Score:3, Funny)

    by nolife ( 233813 ) on Friday July 18, 2003 @03:13PM (#6473174) Homepage Journal
    18 months after MS decides security is important and lauches the biggest security review in history, they spent 10000 man hours and 10's of millions of dollars to determine that:

    Stubblefield, and his manager at MSR, Dan Simon, knew that people are the weakest link in secure computing environments

  • Not a very good idea - easily breakable (Score:5, Interesting)

    by MasteroftheVoxel ( 162902 ) on Friday July 18, 2003 @03:14PM (#6473185)
    If you know anything about the Rorshach test (the original inkblot test), you'll know its all about
    statistical analyzing. The Rorshach inkblots were randomly chosen - it didn't matter at all what they looked like - as long as they were always the same.

    After many decades of testing, psychiatrists were able to plot people on charts based on certain responses and then empirically decide whether someone might have a given mental illness based on whether their response should statistical similarity to others who had proven to have that illness. Most of the categories that the responses were judged on were extremely arbitrary.

    The point is, the inkblot test relies on the fact that most people with "normal" brain function will look at an inkblot the same way. You'd be surprised at how many people who list "fly" as the one that looks like a "fly" etc. What you are going to end up with is only a handful of different words for each inkblot. People aren't going to pick phrases like "flying man with with green wings getting ready to lift-off" because those phrases are hard to remember. Most of them will be "fly" "flying man", "wing man" etc.

    This is not a secure password.
  • Personally, I'd find it more helpful if this system would assign me a password based on my complexes and psychoses.

    Then I could not only feel better about my data, but about myself as well.

    *honk*

  • Memory (art & palaces as well) (Score:5, Interesting)

    by theefer ( 467185 ) * on Friday July 18, 2003 @03:15PM (#6473202) Homepage
    You have to read The Art of Memory by Frances Yates [amazon.com]. This book deals with ancient practice of memory training and using, including those fantastic Memory Palaces where you litterally build imaginary (or not) places in your mind and use them to store representations that remind you from one idea, word, sentence, concept, or anything. You can then "walk" from place to place, looking at those representations and re-building a speech for instance.

    Actually, this is the "intellectual", generic version of the idea posted (and slashdotted) above, and you can use it to remember your passwords, long speeches, todo-list, anything.

    And M$ won't be patenting this any time soon, the greeks used this even BC.

    Worth a read and a try, really.

    Note: Thomas Harris has had Hannibal Lecter use and play with memory palaces in his novels too.

  • The interview (Score:4, Funny)

    by ajs ( 35943 ) <ajs.ajs@com> on Friday July 18, 2003 @03:17PM (#6473225) Homepage Journal
    So, this interviewer asked me to look at a picture and tell him what I saw. I told him it was too embarasing....

    He said, "No, it's ok. Everyone sees something different."

    So I told him, "Well, to *me* it looks like pattern number 7 in the Rorschach test for obsessive compulsive dissorder." But, then he got all depressed so I said, "Ok... it's a password prompt."

    [with appologies to Emo ;-]

  • Lipstick on a pig (Score:3, Funny)

    by lildogie ( 54998 ) on Friday July 18, 2003 @03:17PM (#6473229)
    Using a more secure password to log into a less secure box.

    It wastes your time, and annoys the pig.

  • Using that method, my new password is... (Score:4, Funny)

    by hipster_doofus ( 670671 ) on Friday July 18, 2003 @03:20PM (#6473261) Homepage
    Secur!ty H013

  • just letters? (Score:3, Insightful)

    by WebMasterJoe ( 253077 ) <{moc.renotseoj} {ta} {eoj}> on Friday July 18, 2003 @04:17PM (#6473855) Homepage Journal
    Sure, it may be pseudo-random 20-character passwords, but there are some real issues that make brute-force attacks work better:
    • Even characters are the last letter of the second word, so this is likely to be an 's' for plural-looking blots, and not so likely to be a, i, o, u, and almost definitely not q.
    • The length of the password is known.
    • There are no capital letters. In fact, they're all lowercase letters.
    A normal dictionary attack on twenty characters would have 94^20, 2.90e39 permutations. The passwords with the restrictions listed above would be at MOST 26^10*25^10 (assuming no q's in the even positions), or 2.37e14, possibilities. Using some "probably's" listed above, you could save some of the less likely combinations for the end of the list.

    OTOH, an eight-character max, mixed-case password that could have special characters will have (i=1..8)94^i (sorry, I can't do sigma notation) possibilities, which is 6.16e15. That's 26x as many as the method listed above, and given that the human mind can easily remember between five and nine characters, it seems we're better off memorizing some sequence from /dev/random.

    DISCLAIMER: I am not a mathematician. I may be talking out of my ass. Please correct me if I am.

  • How is this a strong password? (Score:3, Interesting)

    by MemeRot ( 80975 ) on Friday July 18, 2003 @04:32PM (#6474001) Homepage Journal
    There's no mixing of case, numbers, etc. It's twenty random characters. Now you may remember these 20 characters better than your normal random characters but it leaves you with a password where there are only 26 options for the first character, 26 for the next, etc. - it's still trivially easy for a password generator to crack.

    Plus, how many places are there on the web that limit the lenght of passwords to like 8 or 10? If you use 4 inblots and generate an 8 character string of letters all in one case, that's not exactly a strong password.

    Did those inblots suck ass or what? Some just really didn't lend themselves to pictures for me.

  • Proving Microsoft Right... (Score:3, Funny)

    by Jucius Maximus ( 229128 ) on Friday July 18, 2003 @05:18PM (#6474406) Journal
    Well I think it is proven that different people see different things when looking at these shapes. Here is a complation of what people have said so far. And yes, it did take friggin' long to compile this:

    Please blame the lameness of the formatting of this list on slashcode: "Your comment has too few characters per line (currently 20.0)."

    Image 1:
    -butterfly swimmer, Snooty Nose, mantle, Mask and dress, Mugatu from Zoolander, Person with hands behind back looking at feet
    -Two birds on a tree with two dogs breathing fire -on them, Angry hippie, diablo howling into the air, A rabbit with horns lifting weights, Angry robot with guns
    -Strongbad, Fighter Plane, Two birds singing, Missouri, tripod mortar

    Image 2:
    -fat person stretching, Christian Slater, Bear in a T-shirt, Board Meeting, Gravity challenged lady in lycra super hero outfit doing the splits
    -Sumo wrestler on his ass, Jabba the hutt wearing a cape, fat sumo man in his fight stance, Squatting sumo, Cartman (I haven't even seen many SP episodes)
    -Headboard or a bed, A gorilla in sweats doing a split, Fat woman stretching, linebacker, Kneeling fat man, recycle logo

    Image 3:
    -WWE Smackdown Enterance, Transformer, two hands, Zoro meets Willie Nelson, Someone eating coffee grounds from a filter with chopsticks
    -Bob the Tomato from Veggie Tales, Someone drawing with both hands, Knitting a fez, one of the things from the movie Gremlins, An ambidexterous person writing with both hands
    -Two bunny rabits eating guts, Bee face close up, Cockpit, Tropical island with two palms without tops, Obviously Goatse, buglike jetboat

    Image 4:
    -bushy woman on the shitter, Oak leaf, Hands washing black socks, LAN Party, Woman with grey arms force feeding candy to two children
    -Batman's crotch, A large table saw designed to work in a gravity-less environment run by a tip driving magnetic motor, pelvic bone yo
    -Hands full of glue, I have no idea. Nothing comes up., Comfy slippers , Feet of a reclining person
    -Woman with panties down doing the Charleston, knees, Earmuffs, Evil Eyes

    Image 5:
    -Person Gasping, Pierre and Pierre, two faces, Two green berets talking, Two ice cream cones, Arab looking in a mirror, Two weeping men with large green hats
    -Rastafarian argument, two men crying as they face eachother with big puffy green hats, two frogs wearing hats sticking their tongues out, Two green berets with black eyes, Two malnourished mullah's with camouflaged hats discussing the art of fellatio,
    -Osama, Two boys playing soldiers, Trent Reznor, two eyes with big green brows

    Image 6:
    -grinning insect mouth, Edmonton (Canada), Camp entrance, Bloody Chest, Super hero adjusting bra
    -Football shoulder pads, a person's hat with fake hair and pigtails attached, another pelvic bone?
    -Hands holding a brassiere, Spider, Monkey doing telepathy
    -A headless woman, Man hiding eyes, spider, Mittens, Person Gasping

    Image 7:
    -Turtle man, Flying Monkey, flying frog, Flyman, A frog in an apron, Frog with wings in apron, Mean green fly, Dragonfly frog, totally a flying frog chef duh!
    -A winged frog wearing coveralls, Fairy frog wearing an apron, Jack Osbourne dressed as an angel, Frog Ferry, Green winged mole, Letter label, Yoda with bug wings

    Image 8:
    -The fat blue guys from yellow dubmarine shooting condoms out of their bellies
    -Yugos
    -Blue rabbits smoking.
    -Globe
    -Two Blue Meanies looking at a big butterfly
    -Two sheep heads crapped on by a butterfly
    -2 dinosaurs watching a large butterfly
    -two men in suits watching a butterfly fly between them
    -Tying a bowtie
    -Dino men from Super Mario Brothers movie
    -RC controllers
    -Snapping fingers
    -Two men shot in their heads thinking about bras.
    -smoking
    -Two Aliens
    -Boys Spitting

    Image 9:
    -Batman fighting
    -Bird in the hand
    -demon
    -Italian man twirling two pizzas.
    -Batman peeing

  • dumb (Score:3, Funny)

    by erikdotla ( 609033 ) on Friday July 18, 2003 @06:09PM (#6474775)
    I like my system better: Change everyone's password directly on the server. Keep them in an encrypted (but easily searchable) database which only the admin can keep.

    Tell the user to remember their password.

    Demerit the user each time they have to ask for it, and publish the demerit count every week. Shame them. Demerit them further during daily inspections of workspaces if they have written it down anywhere.

    Encourage "Survivor" tactics where workers try to figure out each other's passwords, and earn points for each password they discover. Keystroke logging, hidden cameras, it's all fair in the name of security. And of course, demerit the person who's password was compromised.

    They will remember. Oh yes, they will remember.

    On first day of hire: "WELCOME TO STRICTCO! YOUR EMPLOYEE NUMBER IS 103489923477730493. THE COSINE OF THAT IS YOUR PASSWORD. FORGET IT, AND WE DOCK YA!"

    # Erik - 27 password demerits since 1997

    Disclaimer: According to section 39485 of StrictCo's Employee Handbook, by using STRICTCO's Internet connection to post this message, the user's name and password demerit count must be published with each message, along with this disclaimer. Please report any violations to hr@strictco.gg

Slashdot Top Deals

"It's a dog-eat-dog world out there, and I'm wearing Milkbone underware." -- Norm, from _Cheers_

Close