Using a Password One Doesn't Consciously Remember
ZiggyM writes "Researchers from Hebrew University in Israel have devised a way to assign a password to a user in a way that prevents the user from consciously remembering or describing it, yet the user can input it correctly over 90% of the time in a 3 month period after [s]he learns to input it.
It involves using visual recognition of previously-seen images, which you can recognize but can't consciously recall in detail. Recognizing the right ones from a series is interpreted as knowing the password, and the chance of guessing it is 1/100,000.
Not ready for practical use yet, but very interesting concept that can develop further."
My tinfoil hat (Score:4, Funny)
Re:My tinfoil hat (Score:4, Funny)
I'm not remembering my passwords all the time already
Re:My tinfoil hat (Score:2, Funny)
Well (Score:3, Funny)
Do we get to use touch screens?
Rock, Paper, or Scissors (Score:2)
Read more about RoShamBo here [komar.org]
Here's the password solution I recommend... (Score:2)
The World's Most Dangerous Password [slashdot.org]
Re:Rock, Paper, or Scissors (Score:2)
Their own metrics are so awful. (Score:4, Interesting)
It better not be used in any situation where a machine can attempt the password, and hopefully they've avoided storing the password itself on the disk, though it certainly could be found with brute CPU (see above).
Basically, it looks like this is a very unimpressive system.
Re:Their own metrics are so awful. (Score:5, Insightful)
Definitely one of the worst password-type mechanisms proposed in recent history.
Re:Their own metrics are so awful. (Score:5, Interesting)
The specific implementation may need work, but the concept has very real possibility.
Best comment when I told someone their password expires every 90 days and they can't use the last two:
"That's OK, I have four grandchildren."
Re:Their own metrics are so awful. (Score:4, Insightful)
Oh and I would lie to some for chocolate as well
Re:Their own metrics are so awful. (Score:2)
Re:Their own metrics are so awful. (Score:2)
I strongly suspect this is why phone numbers in the USA are the length they are, 7 digits for the most part and then 3 digits for area code, but the structure makes 'area codes' a separate item cognitively. That is, you don't think of someone's number as 5554324321 but as 4324321 in the 555 area code, which you usually associate with an area whe
Re:Their own metrics are so awful. (Score:3, Interesting)
There's a system called PassFace which issues passwords consisting of sets of pictures of faces. The idea is that faces are easy to remember but hard to describe, thus preventing passing on of the password.
It was tested as part of a student project. The project found that PassFaces are *trivial* to sniff. In some cases it only took one "shoulder surfing" session for someone to sniff a password. So if a person wants to transfer their password to someone else, they migh
Re:Their own metrics are so awful. (Score:3, Informative)
Re:Their own metrics are so awful. (Score:2, Funny)
Unchangeable embarrassing passwords are good for that too...
Re:Their own metrics are so awful. (Score:2, Interesting)
Think of it as sacrificing limited security against one unlikely technique (brute force attack) for perfect security against a more common one (h
Re:Their own metrics are so awful. (Score:5, Informative)
Re:Their own metrics are so awful. (Score:2)
Though this is probably not based on the same principle, as I consciously know my passwords, just not in plaintext form, it has the same effect, to where in both cases, I am prevented from revealing the password under everyday circ
I do this now (Score:5, Insightful)
I can type my password, but if you asked for it I couldn't tell you what it is. The other day someone needed my password for one of the test boxes. I had to open vi, type in the password, and read it back to them.
The only problem with this is that it takes so long to remember such a password, so as soon as you learn it you can't change it often.
Re:I do this now (Score:2)
Re:I do this now (Score:5, Funny)
Re:I do this now (Score:3, Interesting)
To quote a phone number I almost have to watch myself dial it. Even worse is remembering my own phone number. I don't exactly call it often.
the best password is...... (Score:2, Informative)
along the same line.... what's the shortest distance between two points?
the shortest distance is to have NO distance at all. (Try the folding paper trick)
If you said a straight line, that'll do for now.
Re:the best password is...... (Score:3, Funny)
Re:I do this now (Score:5, Interesting)
......0...0......
.....0__0__0.....
would become ridFGhIJkcm, which is judged to be a rather strong password by http://www.securitystats.com/tools/password.php
Re:I do this now (Score:2, Interesting)
p455W0rD was a pretty strong password
Re:I do this now (Score:3, Interesting)
My users are given the task of creating an 8-12 character password. This is usually, for beginning users, achieved by selecting a letter, the first letter of their name, for example. This letter is then 'drawn' on the keyboard using each key as one 'pixel' and alternating the shift key every other stroke. For example, for the letter 'E', we can create the following picture:
Re:I do this now (Score:3, Interesting)
Re:I do this now (Score:3, Insightful)
You learned it because you practiced it in a real life setting.
I'm sure if you typed it 100 times in a row, your muscle memory would kick in and push it to long term memory.
Re:I do this now (Score:3, Interesting)
Really, I don't see how this memory process is any different than remembering something like, "Right click on desktop, go to Properties. Click on the Display tab. Go to "Advanced"...." or such. Or for that matter, memorizi
Re:I do this now (Score:2)
I often can't tell someone the exact sequence over the phone unless I can see it in front of me.
It's very frustrating sometimes when someone new comes along and has trouble believing I know what I'm doing when I can't easily walk them through a fix. Fortunately that's rare; I usually go to them and just fix it on the spot.
I've fixed a few problems in seconds a few of my more tech savvy f
Re:I do this now (Score:5, Funny)
i currently remember 24 16-random-character passwords which i generate by locking myself in the closet with a torch, pad, pencil and 3 dice. for each character of the password, i roll each die once and concatenate the 3 individual numbers to give me one of 216 codes which i map to the numbers 0 through 215. i then divide this number by 72 and take the remainder as an index into my character table. the table contains uppercase, lowercase, numerals, and shift+numerals, which of course adds up to 72 characters. i sometimes replace some of the characters at random with characters outside the set (plus, brace, comma, etc) when i am feeling paranoid. i repeat this process until i have my 16-character password, writing each character on my pad as i go. i then study the written password until i feel i have remembered it. then i immediately tear the paper up, take it into the bathroom and burn it in the toilet. i throw the rest of the pad in the fire in case someone tries to get the imprints, and usually i break the pencil in half and throw it in too. then if i need to go to the toilet, i'll go before i flush everything down. it sometimes takes a while for the pencil to burn. i then wash my hands thoroughly, twice, and turn the light switch on and off 5 times before i leave the room. i then go and unplug my machine from the network, take it into the closet, boot single-user mode and change my password.
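The dice scheme in the comment above, written out as an added example (not the poster's code): three die faces become one of 216 codes, the code is reduced modulo 72 into a 72-character table, and a uniformity check shows why that particular reduction is unbiased (216 is a multiple of 72). The shift+numeral row is assumed to be a US keyboard's, and the ordering of the 216 codes is this example's own choice.

```python
import math
import secrets
import string

# 72-character table from the post: uppercase, lowercase, numerals and
# shift+numerals. The shifted row assumes a US keyboard (an assumption).
SHIFT_DIGITS = ")!@#$%^&*("
TABLE = string.ascii_uppercase + string.ascii_lowercase + string.digits + SHIFT_DIGITS
assert len(TABLE) == 72


def dice_to_code(rolls):
    """Map three die faces (each 1..6) to one of 216 codes numbered 0..215.

    Treats the concatenated faces as a base-6 number (our ordering, not the
    poster's), so 1-1-1 -> 0 and 6-6-6 -> 215.
    """
    if len(rolls) != 3 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly three die faces in 1..6")
    a, b, c = rolls
    return (a - 1) * 36 + (b - 1) * 6 + (c - 1)


def code_to_char(code):
    """Reduce a 0..215 code modulo 72 and look up the character."""
    return TABLE[code % 72]


def is_unbiased(table_size=72, codes=216):
    """Modulo reduction is uniform only when the code count is a multiple of
    the table size. With 216 = 3 * 72 every character is hit exactly 3 times;
    a 70-character table would be biased toward its first few entries."""
    counts = [0] * table_size
    for code in range(codes):
        counts[code % table_size] += 1
    return len(set(counts)) == 1


def generate(length=16, roll=None):
    """Build a password of `length` characters. `roll` returns one die face;
    defaults to a cryptographically secure roll (no physical dice needed)."""
    roll = roll or (lambda: secrets.randbelow(6) + 1)
    return "".join(code_to_char(dice_to_code((roll(), roll(), roll())))
                   for _ in range(length))


def entropy_bits(length=16, table_size=72):
    """Guessing-space size in bits: 16 * log2(72) is about 98.7 bits."""
    return length * math.log2(table_size)
```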
Re:I do this now (Score:3, Funny)
Mycroft
Re:I do this now (Score:2)
Re:I do this now (Score:2)
-a
Very interesting (Score:4, Interesting)
Time? (Score:3, Interesting)
Still, it's an interesting concept, though I can't foresee it ever becoming applicable to personal computing.
To prevent eavesdropping, use iris tracking (Score:5, Interesting)
Re:To prevent eavesdropping, use iris tracking (Score:2)
Now just by taking pictures of a person looking at their computer you can authenticate as them. Although I suppose you'd also have to see which ones were on the screen.
Re:To prevent eavesdropping, use iris tracking (Score:2)
eg: with 3 images at a time, you could use left-middle-right mousebutton. For up to 10 the number keys are usable.
Re:To prevent eavesdropping, use iris tracking (Score:2)
Scanning is quite easy, but recognition is harder, so it isn't just as simple as you say it is, and it is not any particularly more secure.
You seem to forget the 3rd possible forgery, namely creating a fake eye. To create this fake eye, you just need a pretty detailed picture of the person's eye, and then you create the fake eye. Possibly using a normal technology such as contact lenses. Thinking about it, I can not imagine that CIA and al
This is too complicated - try this (Score:5, Funny)
It struck me yesterday that the answer to making secure and difficult to guess passwords that are immune to dictionary attacks is staring us all in the face. Let's recap:
A good password is:
Greater than 6 letters long
Composed of numbers and letters
Easy to remember, easy to re-remember when changed.
Now it struck me that ideally we needed to create a new language that was innovative and imaginative which people could talk in, and use as passwords. Then it struck me: we already have it: L33T SPEEK
Passwords such as OMGN00BSUXSROR! and ROFLGH3YB0ISTFU are almost impossible to guess, are immune to dictionary attacks, and are perfectly memorable. Perhaps L33T language classes could be started at major institutions, and a Creative Commons licensed dictionary created.
It's about time someone started talking sense - password security is a problem which needs innovative solutions.
Re:This is too complicated - try this (Score:4, Funny)
Uh, heh. Yeah, that's it!
Re:This is too complicated - try this (Score:3, Informative)
A good password is:
I don't think so. On a single machine it takes l0phtcrack [atstake.com] a day or two to crack passwords with only letters and numbers.
It took my comp 36 days to crack the M$ generated ASPNET user account; it's generated from the full keyboard charset.
Password policies like this won't enhance security. Maybe disabling LM hashes would, but the vulnerability is still there.
Re:This is too complicated - try this (Score:2)
If someone has gotten that far into your system, you're already fucked. Your security measures have failed.
No, the more important thing is that someone never gets into the system in the first place. Thus, this password scheme would work, as the word of the day is guessable - such passwords are not guessable unless you know the person well, and know their password naming scheme (everyone has one) - and even then it would take some time.
I enc
Re:This is too complicated - try this (Score:3, Interesting)
Like SF oriented geeks who use alien names - Cthulhu, Gharlane, Nostromo?
From only the social engineering standpoint, the most unguessable password might be as simple as GTO, if your co-workers think you don't pay any attention to cars, or sosa if you don't seem to follow baseball. Such passwords are lousy from other vi
Re:This is too complicated - try this (Score:2)
We have a password I have to occasionally give over the phone to an employee to fix an account. Every time, I change the password the next day.
they all more or less rhyme,
i.e. fish, dish, kiss, phish, miss,
no matter what, I'll remember it eventually..
Re:This is too complicated - try this (Score:2)
Don't forget to mix upper- and lowercase.
Pig Latin (Score:2)
Re:This is too complicated - try this (Score:2)
Re:This is too complicated - try this (Score:2)
Similar Experience (Score:3, Interesting)
Re: (Score:2)
Re:Similar Experience (Score:2)
Excellent! (Score:5, Funny)
This should come in handy to all the other costumed crime fighters in the Slashdot community, too!
Easy 24 or more letter-number combinations (Score:3, Funny)
maybe someone could expand?
Re:Easy 24 or more letter-number combinations (Score:5, Interesting)
Re:Easy 24 or more letter-number combinations (Score:3, Interesting)
Sounds like that bit in "Johnny Mnemonic". (Score:4, Interesting)
Password is the wrong word (Score:3, Insightful)
they should call it passphrase if you want people to use long passes
all the time websites/apps ask for a password it just re-enforces the insecurity of using a single word
8 character passwords/filenames should have died in the 70's
Better editing, please (Score:2)
[...]to assign a password to a user in a way that prevents the user from conciously remember or describe it[...]
cant
Come on. The next sentence is really wretched. Not only is there a verb-subject agreement problem, is doesn't even parse:
Recognizing the right ones from a series is interpreted as knowing the password, and the chances of guessing it is 1/100,000.
Re:Better editing, please (Score:2)
Sigh. OK, I typoed. But my comments still stand.
Great (Score:3, Funny)
This actually makes a lot of sense (Score:3, Insightful)
That said, I do end up memorizing most things this way--I know pin numbers, telephone numbers, and even my password by the "feel" of typing them, and I usually can't remember what they are when I'm not using a keyboard or number pad.
been there, done that (Score:4, Funny)
My bank-card pin-number uses a different trick. I just used four consecutive digits of pi. The trick is that they're pretty far into the sequence. Oh, and I made a mistake when I set it, so it's actually wrong. Oops. Guess it's pretty random, then. ;)
Re:been there, done that (Score:2)
About 10 years ago I had a password where I typed an easy-to-remember non-word with my hands shifted on the keyboard. I actually went over a year without knowing what my password was, until one day I accidentally typed it at a login prompt.
Is that when you found out that all along you were using "password"? I hate it when that happens!
Re:been there, done that (Score:3, Informative)
I reckon it's probably still four consecutive digits of pi... (and indeed would be, no matter which 4 digits you chose!)
Keepass (Score:5, Interesting)
The only thing I have to remember is the password to get into Keypass and decrypt its database.
This is natural... (Score:2)
You simply go with your instinct, and more often than not it ends up being the path previously traveled. An interesting approach to idiot proof security
1/100,000? (Score:2)
but even an 8 character, lower-case letter only password has 208827064576 possibilities...
it might take a while for that to catch up
Tell me your password or you're dead!!! (Score:3, Insightful)
How long does it take a computer program to make 100,000 guesses? Not too long, I'd wager. I think the reason text passwords are so effective is that you can have different length passwords with uppercase, lowercase, numerical, and symbol characters, giving you some 100 characters to play with, in any combination, and in any length (within range), meaning that there are probably a lot more than 100,000 combinations.
If Hebrew University figures out a way to dramatically increase the number of possible combinations, while retaining one's ability to remember, but not describe, the password, that would be very useful in situations, for example, where your filesystem is encrypted with one of these passwords, and there is no way you can tell the CIA/FBI/NYPD/MPAA/RIAA/DEA/Microsoft/SEC what it is, in case one of these organizations seizes your equipment.
Just lock the account (Score:2)
Sounds like Passfaces (Score:5, Interesting)
Useless for the blind of course.
Odds? (Score:4, Insightful)
When you consider that the chance of randomly guessing a random 3-letter long case-sensitive password is 52^3 (1 in 140608), this really isn't that impressive.
This idea (Score:3, Interesting)
Johnny Mnemonic (Score:2, Redundant)
Sci-Fi becomes reality once again.
Re:Johnny Mnemonic (Score:2)
Gibson is definitely one of the most prophetic sci-fi writers of our time (The only other two I can think of that match him are Neal Stephenson or possibly Bruce Bethke.) He invented the term "cyberspace" for crying out loud!
Patiently waiting for my deck.
Kinda of interesting, but... (Score:2)
I already can't really "remember" my passwords... (Score:2)
Is that only with me?
Patterns on the keyboard. (Score:2)
It' easy: (Score:2, Interesting)
(i.g., 651-5984 = oiji09u ; [w/ oiu=456])
Secure, unguessable, and easy to remember.
More than anything... (Score:3, Insightful)
it's been done before (Score:2)
I do that currently. (Score:2)
Mnemonics (Score:5, Insightful)
I would find it much more important that knowledge about mnemonic techniques become more widespread. As far as I know, people who take part in memory contests, where they have to remember long numbers, use systems where each number stands for something (a letter in the alphabet, which in turn stands for certain words), and they quickly construct a kind of story around the numbers. Human beings are very bad at remembering raw data, but they are quite good at remembering semantically connected concepts. As long as people conceive passwords as a kind of words, perhaps slightly altered and with numbers added, it will always be difficult - either it is still vulnerable (dictionary attacks or, even if the word doesn't exist, phonotactic attacks exploiting the rules by which sounds can combine in languages) or it is hard to remember, especially if the password has to change from time to time. It would be much easier if people conceived passwords as phrases or whole sentences and used the first, second, last or whatever letters that make up the words of these expressions (and still added numbers).
For instance, I think it would be relatively hard to remember a password like 'dl3w5pwthbtceth', but if it stands for 'During [the] last 3 weeks, 5 people went to [the] hairdresser because their cats eat their hair' (absurd, but not really devoid of semantic content and therefore possible to remember). Next time, the password might be '3ohtehfsocatioh2jgu' (3 of [the] hairdressers tried [to] extract [the] hair from [the] stomachs of [the] cats and to insert it on their heads, 2 just gave up). The style of the sentences that should not be too obvious can, of course, vary.
That is easier to remember than things conceived as nonsense-words and practically impossible to guess. The transition from one password to the next is easier - the next phrase or sentence can somehow be connected semantically or pragmatically to the previous in the mind of the owner of the password in a way that isn't accessible to anyone else.
With the ubiquity of passwords in today's everyday life, such methods deserve much more attention.
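The phrase-to-password derivation described in the comment above, as an added example (not the poster's code): one character per word, digits kept whole, and words written in [brackets] dropped, which is how the poster marks the words that contribute nothing. It generalizes slightly beyond the post by letting the caller pick the first, second or last letter of each word, as the comment suggests.

```python
import re


def passphrase_to_password(sentence, pick="first"):
    """Derive a password from a memorable sentence.

    - Words in [brackets] are skipped (the poster's notation for dropped words).
    - Numbers are copied as-is, so '3 weeks' contributes '3' then 'w'.
    - `pick` selects which letter of each word is used: first, second or last.
    """
    if pick not in ("first", "second", "last"):
        raise ValueError("pick must be 'first', 'second' or 'last'")

    # Drop bracketed filler words such as [the] or [to] before tokenizing.
    sentence = re.sub(r"\[[^\]]*\]", " ", sentence)
    tokens = re.findall(r"[A-Za-z]+|\d+", sentence)

    def letter(word):
        if pick == "first":
            return word[0]
        if pick == "second":
            # Single-letter words fall back to their only letter.
            return word[1] if len(word) > 1 else word[0]
        return word[-1]

    return "".join(t if t.isdigit() else letter(t).lower() for t in tokens)


# The comment's own worked example, reproduced here for the reader.
EXAMPLE_SENTENCE = ("During [the] last 3 weeks, 5 people went to [the] "
                    "hairdresser because their cats eat their hair")
```

Running the example sentence through the function reproduces the comment's 'dl3w5pwthbtceth'; the comment's second sentence is not included because its stated password does not follow from its own sentence character by character.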
Re:Mnemonics (Score:5, Informative)
Disturbing quote from article (Score:2, Insightful)
Ouch! I don't like this idea at ALL. Anyone else disturbed?
Dave. Open the pod bay doors, please, Hal...Open the pod bay doors, please, Hal...Hullo, Hal, do you read m
Serious uses in oppressive regimes (Score:5, Informative)
Using this technique, it would be possible to prove that you could not remember the password.
Re:Serious uses in oppressive regimes (Score:2)
Not good enough... (Score:2)
Imagine introducing something like this and being responsible for it during the rollout period. You'd have to have people on-call 24/7 just to reset passwords, check IDs and help people log on to their computers (which is the very thing they need to do to even start their work day).
Additionally
Oblig. Lost Ark quote (Score:2)
Remember Microsoft (Score:3, Insightful)
Already in use ... unconsciously? (Score:2)
In some way, I think a lot of us may unconsciously be using this method already.
I once knew my 4-digit PIN for my creditcard by the pattern I would press on a keypad. At the time I wasn't consciously aware of the fact that I didn't know the actual sequence of numbers. One day I had to memorize the PIN for my Mom's creditcard (yeah, I know, the PIN is personal!) as I was to run an errand for her - just once. That was enough for me to forget my own PIN when I was to use my own creditcard the next time.
Today
wow... bad bad. (Score:2)
yikes, so trying this brute force would take about 1 second. cool.
Not so bad (Score:2, Interesting)
Kanji (Score:3, Insightful)
It's far easier to learn to read a word in kanji than to write it down accurately.
This sounds like a similar phenomenon.
Using a Password One Doesn't Consciously Remember? (Score:2)
Images? Pfft. (Score:2)
not effective for men (Score:4, Funny)