Recognizing Your Own Handwriting As A Password
Gary writes "A new online authentication system called Dynahand could make logging in to websites a little easier. With Dynahand, users simply identify their own handwriting, instead of entering a cryptic password or buying a biometric device to scan their fingerprints. The user's handwriting samples contain only digits, since numerals are harder for an outside party to recognize than letters are. The digits displayed are random, so the handwriting is the only clue to the correct answer."
How about poor geeks like me... (Score:5, Interesting)
I'd say it would be pretty hard to determine what my digits would look like.
Re:How about poor geeks like me... (Score:5, Funny)
012345679 (bitstream vera sans)
Re: (Score:3, Funny)
"We only have a 10% break-in rate!"
Re:How about poor geeks like me... (Score:5, Interesting)
...and someone you know. (Score:2)
The last bit ("something you I.D.") seems marginally useful for identifying the I.D. challenger, but for identifying the one being challenged, it seems a bit useless. For example, my bank shows me one pre-chosen image from a potentially infinite set (I could upload any arbitrary image) to "prove" I'm still talking to them. Even for that, it's only marginally useful as the man-in-the-middle attack it seeks to thwart could easily be foiled by a man-on-the-inside. Bottom line is it is at worst a 1:n chance if
Re: (Score:2)
Human authentication methods are usually:
Re: (Score:2)
Handwriting and penmanship may well become one of the most important losses in modern civilization.
Re: (Score:2)
You would also have to scan my handwriting in by hand, as I can't write at all on those electronic pen pads for credit card purchases. The stylus slides all over the surface, producing something that looks nothing at all like my hand-writ
Re: (Score:2)
As long as you suck in similar ways each time you write then it's fine.
Re: (Score:2)
This technology not only is not mature, but can likely never be made useful.
Brute Force? (Score:3, Insightful)
An attacker could simply select a hand writing at random till they get the right one.
TFA doesn't say anything about that.
Re:Brute Force? (Score:5, Informative)
http://www.technologyreview.com/Infotech/18986/
Re:Brute Force? (Score:5, Insightful)
The folks at Dynahand obviously don't know how bad hijacking someone's social network identity could be. While not as sensitive as banking or medical information, access to one's online profile is a pretty sensitive thing. A person pretending to be you on MySpace or Facebook could cause all kinds of damage to your reputation, lose you (real) friends, and leave an incriminating trail for any future employer to find. Even if you are able to regain control of your account via customer service, and could remove the offending material from your page, nothing is ever really deleted from the Internet.
Re: (Score:2)
Actually, Mister Whirly comes from lyrics to a song by the Replacements, the greatest rock band you've never heard of...
Re:Brute Force? (Score:5, Insightful)
While the idea of a system that depends on recognition is interesting (though in my mind, not terribly secure for the exact reason you stated), handwriting is probably the poorest example because we leave handwriting samples everywhere. It'd be much more secure to have the system be "Recognize a picture of your own genitalia" because at least then you only have to worry about former significant others...And hell, for this crowd, you don't even have to worry about that.
Re:Brute Force? (Score:5, Funny)
Re:Brute Force? (Score:5, Funny)
Speak for yourself, I'm quite positive that several hundred people have seen my genitalia. Though I'm not sure they got a good enough look to be able to identify me in the short time my trenchcoat was open.
Re: (Score:2)
An even better system would be to select a semi-random series of numbers, letters, and punctuation, that we could key in to uniquely identify ourselves...We could call it a "Secret Word" or a "Pass phrase" or something. "Password?" Nah. Not catchy enough.
Re:Brute Force? (Score:4, Funny)
Re: (Score:2)
Of course, I also know his password off the top of my head, and he never changes it, so I guess the current situation isn't any better.
Re: (Score:2)
I really thought you were going to say "genitalia" instead of "handwriting."
It would certainly have been funnier.
Re: (Score:2)
You can say that again.
Re: (Score:2)
-->Right... the group of people who most want to do you harm.
Re: (Score:2)
Even easier than that.. analyze all options given, guess at random then when round #2 starts simply pick the one that matches a sample from round #1 if it's a string of numbers there should be enough numbers displayed to at least find one or two digits in common, and if they happen to show you one or more of the same alternatives displayed in round one you have at least one set you know it won't be (because you tried and f
Re: (Score:2)
*Now let's see, which finger do I use to log into Slashdot?*
Re: (Score:2)
I have distinctive handwriting, but it would still take me a few seconds (as long or longer than it takes me to type my average 10 character password) to identify my own handwriting out of a random selection of a dozen or two decoy samples.
I just don't think "Picking the correct answe
Picking and choosing = bad (Score:4, Interesting)
Additionally, that's not taking into account the massive amounts of ways someone could get samples of your handwriting. Besides the obvious garbage-picking, things like tax returns, property deeds, or other legal forms can often be public information, and there's a good chance you've written numbers on one at some point.
Re: (Score:2)
Especially if the stranger is using proxied bots to guess ten times a second. Assuming a generously extravagant implementation, you might have to correctly choose from 100 handwriting samples to log in. An attacker appears to be you on average 1 time in 100. Assuming a very weak password system, six characters, all lower case, no numbers or special characters, then your password is 1 among 26^6 possible passwords. An a
You don't even need brute force... (Score:2)
It should be pretty obvious which handwriting sample appears twice...
If you know the person... (Score:3, Interesting)
I can't help thinking that IF I ever did try to get into someone else's account, it would be to spy on or get revenge on someone I know. (Really, that isn't something I do. This is a big IF). In those cases, this would surely be so much easier. For example, I am sure I would recognise my family's handwriting.
I certainly remember, when I was a secondary school maths teacher, having to work out who had produced a certain piece of work by recognising the handwriting. Obviously, being maths work, this usually involved recognising digits.
Sometimes, simple is best (Score:5, Insightful)
I know, I know, people forget their passwords or choose the word "password" all the time. It still seems a little depressing that we have to use all this extra trickery to compensate for people being morons.
Peter
Re:Sometimes, simple is best (Score:4, Insightful)
In cases like that, the real morons are the people pushing their authentication complexity onto the users, not the users themselves.
Re: (Score:2)
I think you can get keyrings that manage your passwords for you, generating new ones when needed and with a single sign-on. From what you say, they might be out of bounds for your friend's job, but it sounds as though they should certify some sort of assistance technology to make their job possible...
Peter
Re: (Score:2)
Brute-force crackers get stronger all the time. The number of accounts a typical user has grows all the time, and the ability to remember passwords doesn't. 64 bit keys aren't really secure anymore, and that is a truly-random 8-character password, or a truly random 12-character password consisting of lower UPPER and numeric characters. Could you remember a dozen different passwords of the type Qw
Re: (Score:2)
Of course, I use at most 2 upper case, and at most 3 numerics in an 8 character password, so that helps a little.
Re: (Score:2)
We don't. Just let them be morons and suffer the consequences of being morons. If it gets to be that they don't like it, maybe they'll change. If they don't, it's not anybody else's responsibility to fix their problems for them.
Security through redundancy? (Score:2)
A single memory buffer problem can frequently lead to 100% system compromise. A single firewall penetration frequently means total access to the network. Can a security system be devised that requires multiple compromises to effect a system compromise?
Passwords actually strike me as quite a good security method. A good password is difficult to gue
Totally utterly useless on 2 counts (Score:3, Insightful)
2. Doesn't prevent MITM in any way whatsoever
Now the biometric of someone's typing rhythm strikes me as a good thing, along with "PC fingerprinting" and trend analysis, but this suggestion is significantly worse than what we already have available on the market.
"3/10 - see me" would be my mark for this particular gem.
Re:Totally utterly useless on 2 counts (Score:5, Funny)
Haven't we been over this? That system assumes that you are always logging in at the same level of drunk - that's not feasible.
Re: (Score:2)
Most people who have participated in contact training for more than a couple years have this same condition to one degree or another.
Stick with strong passwords. At least then only two classes of people are negatively impacted: users who can't be bothered, and users who deal with onerous security requirements related to multiple passwords
WTF (Score:5, Funny)
A single html radio-button form-based multiple choice question is a reasonable security measure.
A) True
B) False
But I think there should be an option "C," though that would make this not a real t/f question:
C) WTF?!
seriously... (Score:2)
Re:seriously... (Score:4, Interesting)
Almost 15 years ago, I was working on a demo system for a more secure way of issuing benefit payments (at the time, the payee had a paper booklet, and there was quite a lot of trouble with stolen booklets). We investigated what we could practically put on a smart card (similar type of smart card as what is in modern credit cards). One of the things we investigated was signature recognition.
We had a system that did it extremely well, well enough that we never managed to forge another person just signing with an "X". The system not only looked at the shape of the writing, but the way the person wrote - the speed, accelerations, stroke weight etc. The genuine user could be recognised even if they signed fairly scruffily (the system didn't return 'true' or 'false', but rather a confidence). However, another person even if they signed their X to LOOK as much as the original person's X looked would get a very low confidence score.
This was almost 15 years ago - the technology was pretty damned good (but quite expensive) at the time. We managed to get the signature, the person's details and a photograph onto the smart cards of the day (I think they had 8K of storage). The signature took up 1K.
Re: (Score:2)
So suppose I'm the sysadmin at a small company, and you use this for opening a door or something like that. If the system is under my control I can easily practice all I want with it, then duplicate your signature on an ATM or whatever else uses the system.
Re: (Score:2)
As the sole means of access, you are right it's a ridiculous idea.
However, as a combination of the account number, the password and this thing... it acts as a captcha AND it helps the organization identify the user (who might be at a public terminal, or on a different OS or whatever) in a way that is much harder for a keylogger or infected computer to track.
For example, given time, my login and "personal question" answers can get logged by an infected machine and used.
This raises the bar a bit
have to hide my hand writing? (Score:5, Insightful)
Wrong direction (Score:2)
Doesn't even require much more from the user in the way of hardware (trades off a scanner for a graphics tablet).
William
Bad Idea (Score:2)
Requiring kinesiometric data is always a bad idea because it leads to too many false denials. If the person injures their writing hand then they can't write the password the same way as before. It also assumes that the person always writes the character the same way all the time. For example, sometimes I write an upper case "E" by drawing the three horizontal lines followed by the vertical line. Sometimes I'll do the verti
How? (Score:2)
Uh what's the point? (Score:2)
If you lose your wallet/handbag, call up the banks to cancel your cards etc, call up the rest to cancel your passwords.
You're keeping it in a fairly secure place.
Old idea and a badly implemented one at that (Score:3, Interesting)
In case anyone reads this and copyrights the damn thing, there is prior art and it worked. They just didn't think the market was ready for it.
Ok, but what happens when... (Score:2)
What a stupid concept (Score:5, Insightful)
1. Generate a bunch of new sessions to the login page.
2. Identify samples that appear more often than others.
3. Recognize the handwriting style.
4. Log in.
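Added example (not part of the thread, and not Dynahand's code): a small model of the repetition problem raised in the comment above and of the 1-in-100 versus 26^6 guessing comparison made earlier in the thread. Writers are integer IDs, and the pool size, choices per page and seed are constructed values.

```python
import random

def guess_success(n_choices, attempts):
    """Chance that blind guessing passes at least once when every attempt
    is a fresh 1-in-n_choices pick (the page is redrawn each time)."""
    return 1 - (1 - 1 / n_choices) ** attempts

def password_success(space, attempts):
    """Chance of hitting one fixed password with distinct guesses."""
    return min(1.0, attempts / space)

def challenge(genuine, decoys, rng):
    """One login page: the account owner's sample plus decoys, shuffled."""
    shown = [genuine, *decoys]
    rng.shuffle(shown)
    return shown

def pages_until_isolated(n_choices, pool_size, fixed_decoys, rng, max_pages=50):
    """Number of login pages after which only one writer has appeared on
    every page, or None if the owner is never singled out.
    Writers are modeled as integer IDs (assumption: an observer can tell
    when two samples come from the same hand)."""
    genuine, pool = 0, range(1, pool_size)
    pinned = rng.sample(pool, n_choices - 1)  # decoy set stored with the account
    seen_every_time = None
    for page in range(1, max_pages + 1):
        decoys = pinned if fixed_decoys else rng.sample(pool, n_choices - 1)
        shown = set(challenge(genuine, decoys, rng))
        seen_every_time = shown if seen_every_time is None else seen_every_time & shown
        if seen_every_time == {genuine}:
            return page
    return None

if __name__ == "__main__":
    rng = random.Random(2007)  # constructed parameters, not Dynahand's real ones
    print("fresh decoys per page :", pages_until_isolated(10, 1000, False, rng))
    print("decoys pinned to user :", pages_until_isolated(10, 1000, True, rng))
    for tries in (1, 10, 70):
        print(tries, "tries:", round(guess_success(100, tries), 3),
              "vs 26^6 password:", password_success(26 ** 6, tries))
```

Pinning one decoy set to each account removes the repetition signal, but the blind-guess rate stays at 1 in n per attempt, so a limit on failed attempts is still needed.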
computer recognize my handwriting? (Score:2)
Recognizing Your Own Face As A Password (Score:2)
Slashdot, USA. A new online authentication system called Dynaface could make logging in to websites a little easier. With Dynaface, users simply identify their own face, instead of entering a cryptic password or buying a biometric device to scan their fingerprints. The user's sample photographs are made under a variety of hair styles and lighting conditions, since the shape and other characteristics of a person's face are harder for an outside party to recognize than hair and lighting
How about typical credential operations? (Score:3, Informative)
There is no improvement here over biometrics or other credentials falling into the “something you are” category. How do you revoke this credential? How do you limit its scope? I would even argue this is worse than a password because it is not easily changed, and worse, your signature is very public. Consider how many documents you have floating around with your hand-written signature on them. You really want to use something that can be learned and easily reproduced as a secret? Nonsense. We need real solutions (OpenID is a start), not rehashes or regressions of old schemes.
This isn't handwriting recognition! (Score:2, Redundant)
This system just presents a few lines of handwriting, and invites you to choose the correct one. A useless system, basically reducing security to a 1-in-10 guess. This is supposed to be developed by a university?
Re: (Score:2)
That and I think drinking and login is out of the question too ;)
I am a doctor, (Score:2)
I suggest "DynaRant" instead (Score:2)
This would be much simpler than the proposed scheme, as no real Internet user ever writes by hand, but most are expert at spouting loony political gibberish.
I'd be locked out of all my logins (Score:2)
My signature is never the same twice because I just write too fast and too frantically. Handwriting analysts would have a conniption trying to determine if my signature was real or forged. A security program would do
Good (Score:2)
Weak. (Score:2)
Hand Writing??? (Score:2)
Use photos (Score:2)
School hands (Score:2)
Well, I can't write. I did my degree before they had word processors (or at least before they were ubiquitous) and for that I learned to handwrite and then immediately forgot. When I want to write 'CAT' I have to think about how I'm going to make the A -- sometimes I make it an upside down U with a line, sometimes it's more like a capital delta. I know I'm not alone(*).
My wife has a much worse problem, though. She was taught to write according to an exact model, with iron-hard discipline and years of tr
relax ? .. (Score:2)
I even get a "doctors signature" whenever I write too fast rendering the entire text only readable by me and some other freaky goons who shouldn't be able to read that in the first place
Relax ? Take yo
Not so good (Score:2)
Let's see, not content with excluding only the blind, they have also decided to exclude those who can't use their hands, those with a more or less random tremor, and those of us who never write anything quite the same way twice.
They should try MY new authentication scheme. It displays a randomly generated question and based on your answer chooses exactly which insulting message to return before refusing access. Nobody will ever break in! It excludes everyone equally so you don't face a discrimination suit
More precisely (Score:2)
Nothing to see here ... (Score:5, Insightful)
You can't afford to be careless regarding the password coz you never know
And with that, I stopped reading. Why? Because I don't have enough time to read things that aren't written in at least passable English. If someone has a good idea, and is serious about it, they'll make the effort to communicate it well or have it communicated well for them.
Nothing to see in this article, and, by strong implication, a worthless idea.
The Real Solution[tm] (Score:2)
Anyway, I think the real solution is much easier and already half the way implemented: Email!
On almost each and every site where you log in with a password, you have to register your email address. If you lose your password, you let yourself send a new one via email. So in reality there is only
Graffiti and writing (Score:2)
I was an early Palm adopter, and learned Graffiti. I used it heavily for taking all my notes, appointments, and such. Found I didn't use paper much any more.
And when I did finally use paper on the odd occasion, I found my handwriting tended towards Graffiti-esque scribblings, than traditional handwriting... It wouldn't have been so
Re: (Score:3, Insightful)
Additionally, the number of samples would have to be constrained to what a normal person could be expected to go through, so the odds of someone being able to guess it are huge. I mean, I could set my password to the crappy "Guess,15" and it w
Re: (Score:2)
From TFA: "Renaud doesn't think Dynahand is secure enough for protecting sensitive information, such as bank accounts or health records." It's an interesting idea, but clearly needs further work.
Apart from people probably not recognising their own handwriting
Are there really people that dumb or unfamiliar with their own writing?
Re: (Score:2)
Apart from people probably not recognising their own handwriting
Are there really people that dumb or unfamiliar with their own writing?
I cannot. Or rather, I cannot to the degree of speed and reliability that I type. The only things I ever write by hand are checks. Heck, I tried to write in cursive recently and realized, with the exception of my signature, which is all muscle memory, I don't know any of the capitals.
When's the last time you tried to record something on paper using a pen for
Re: (Score:2)
Perhaps 2 mins ago. I don't produce pages of handwriting, but I take notes and annotate all the time. I can't imagine anyone in a desk job, or practically any job, not having to do this reasonably frequently.
I think a lot of the problems people may have about this proposed system is to do with the demise of cursive writing. And when I say cursive I mean straightforward mixed-case handwriting. Not the biz
The thing with my signature is . . . (Score:2)