Pictorial Passwords

Stone Rhino writes: "No longer do you need to remember passwords. Now, thanks to graduate students at Berkeley you merely need to pick out the right pieces of abstract art. There is a story on it at the New York Times. However, there is a problem with it that I see: 5 images from a set of 25 means 53,130 potential combinations. This would be much easier to crack by brute force than a standard alphanumeric password with its billions of possibilities and millions of likely choices." Maybe you have to get the sequence of images correct? If so there are some six million combinations, still weaker than a optimum password but probably stronger than the passwords most people choose (usually their significant other's name). There's another article on passwords in that same NYT edition.

ATMs

Looks like they are planning on using it for ATM Machine's which only have 4 digit numbers... seems like a better idea to me.

Re:ATMs

ATM security is based on more than your PIN number. It has two foundations: PIN number and the card. Therefore, you need to have the card (physical media) and the PIN number.

If you consider that a person would first need to steal your card and then figure out your PIN number, it becomes apparent that increasing the difficulty of the password is foolish. If your card is lost or stolen, you report it and you save yourself some pain. If your card is lost or stolen, you have a pretty reasonable barrier because the card is physical and needs to be taken to an ATM. Then, even if the card is used immediately, the thief needs to sift through 9999 combinations.

Security is not meant to lock you in. It is meant to keep other people out. When you think about that, you'll see that you often just want very good security with excellent convenience. That is, you want optimum security, not maximum security. You do not really want maximum security because that would drammatically decrease convenience. For example, if you really wanted maximum security of your funds, you would put them in the bank physically and you would pull them out physically. You would not even use an ATM because the security is not maximum.

ATMs are convenient and the security is reasonable. Most people can remember their cards and their 4-digit codes. If you start trying to increase the security, you are in for trouble in my opinion. If you really wanted to increase ATM security, forget about pictures. Instead, look into biometrics [ittoolbox.com], which are much more reasonable.

Images?

Sure, why not? At least one penguin would be in any Linux user ;)

implications..

> than the passwords most people choose (usually
> their significant other's name)

So does this mean that the harder a person's password is to crack, the less likely they are to have a sex life?

Re:implications..

It's thea great paradox of network security. You can force users to change them every 2 weeks, disallow "easy" passwords by forcing certain characters, mixture of numbers/characters/symbols, not allowing words in dictionary, etc, but the more you do that, the more likely your users are to just stick the password on the monitor with a post-it.

From a Tech Support view

Customer's have enough trouble understanding "click the button with the X in the upper right corner".

I wouldn't know where to begin trying to describe what pictures to use for their password... "Ok, now choose the picture that looks like a moose being sucked into a vortex".

Reg. Bypassed URLs for those articles:

First Link: http://college.nytimes.com/2001/12/27/technology/c ircuits/27PBOX.html [nytimes.com]

Second Link: http://college.nytimes.com/2001/12/27/technology/c ircuits/27PASS.html [nytimes.com]

Jeebus!

Why is this still an issue? Pick a phrase, stick a couple of numbers in it, perhaps a 'special character' or two and go.

"Galadriel is one icy babe but Jackson got it right"

Password: gi1ibbJgir

And I'm sure this approach is nothing new to most /.'ers. And the cool thing is that just a couple of words from the password, say Galadriel and babe, is enough to bring the bloody password back long after one's finished with it.

Feh!

Re:Jeebus!

This is a fairly standard practice. It's been used in at least two IT offices I've worked in. It even makes handing out passwords during 'change day' easier, because all the networking and development staff have come to expect a neumonic rather than the password itself:

"All Your Base Are Belong To Us!"

becomes

"aybab2u!"

Another useful password naming procedure is the use of 'l33t speak' inside passwords... especially long ones. On systems that support passphrases or long passwords instead of 8 char strings, this makes creating and remembering passwords quite a bit easier.

"My Password Rocks" is probably not so good, but

"MyP455w0rdR0X0r5" is a 16 character password with 7 numbers, upper and lower case characters, and no long strings of plain english text to get chewed up in a dictionary attack.

Similar to Passface

A year or so ago, I found this little beauty: PassFace Technology [realuser.com] -- Give it a try. You click on people's faces to get in.

What was interesting was that in finding that URL, I went back to the site for the first time in over a year, and was able to log-in no problem. I remembered my combination of faces.

There's definitely something to this technology!

rOD.

Re:Similar to Passface

A year or so ago, I found this little beauty: PassFace Technology [realuser.com] -- Give it a try. You click on people's faces to get in.

What was interesting was that in finding that URL, I went back to the site for the first time in over a year, and was able to log-in no problem. I remembered my combination of faces.

There's definitely something to this technology!

Unless you're face blind [choisser.com].

My Favorite Quote On The Second NYT Article:

"Even high-ranking executives may act on naïve impulses when it comes to choosing a password"

Even high-ranking executives? Make that especially.

Done earlier/better by RealUser?

RealUser [realuser.com] has done almost exactly the same thing, except using faces, not abstract designs. It's worth checking out their site, since they seem to have thought it through reasonably well. (Read the whitepapers; they have the real meat...) One of the interesting things about these systems is that since you can't describe your password, the correct choices have to be displayed on screen along with some invalid choices, which opens up the system to some attacks unless you construct it very carefully.

Eliminates repetitive password use!

I've found that most of the people I know tend to use the same password or pin for everything they have - their e-mail password is the same as their AOL password is the same as their bank PIN and so on.

Using pictures would make this all but impossible, since every provider would (or at least, SHOULD) be using their own set of pictures.

While that's all good for security, I can't believe that it would make remembering your password any easier. Since the story is touting that as the chief benefit, I think they're going to have a really hard sell.

Try telling this one to a friend

Can you imagine having an emergency in our future-tech age?

"No Bill, it's Black Guy, Asian Guy, Samoan Woman, Black Guy with the scar, White Guy with glasses! Hurry up before the Holodeck explodes!"

Re:Try telling this one to a friend

...they have scanners that can scan your DNA... why to they need the cheesy passwords to activate the self destruct mechanism on the ship, the ship could scan the captain, first officer etc. to verify their identity...

Because then all the people from the alternate universe could just waltz on in and blow up the ship - it would be chaos, man, chaos!

--
Mod me down, I'm way off-topic.

Re:Alright

how about we just stick to the good old "3 tries and you're locked out" system...

Because systems with built-in self-DOS capabilities aren't such a good idea, goofball. Got somebody you don't like? Try to log in as him, fail, and his account gets locked. Delay systems are better than lockouts. I admit to not being entirely sure how all this would or should apply to something like an ATM that can't be accessed remotely, though.

If it can't KNOW who I am, it's still spoof-able

Passwords have never been more than a low level rung on the ladder of trust. If you want security, equip the ATM with a fingerprint pad and/or a camera and eye piece capable of taking retinal prints.

The rest, as we can read, is just a bunch of jokes.

Not so sure about this...

I'm not so sure how I feel about this...

root@artschool-104:~ # which login
/bin/login
root@artschool-104:~ # du /bin/login
363256 /bin/login
root@artschool-1024~ #

Not so sure at all.

Color blind

Seems like you'd have to be really careful not to exclude the color blind. And the actually blind. Or just those with bad vision, or really poor visual memories.

Passphrase strength

The best article on passphrase strength I have seen is Randall Williams' document, Choosing a strong passphrase [stack.nl].

This document contains a rough reckoner for calculating whether a passphrase is strong or weak. It makes the point that for a passphrase to be as strong as the encryption in PGP, it needs to be 30+ characters long. ! Remembering one or two paintings might not quite cut it.

For most systems, you can safely use shorter passphrases if you are only permitted a limited number of attempts or have no access to the machine (like at a bank) or the passphrase is changed frequently, or if the phrase is truly random.

Regardless, the strength of the passphrase is almost always the weakest link in any security system.

Shoulder surfing

It seems that a visual password would make it much easier for someone across the room to see and learn. One would have a hard time looking at my keyboard if they were behind me, but the whole reason any password login puts bullets on screen is so someone looking at the screen can't see it. Does this system use a mouse or is there some way to pick out the pictures using a keyboard with no on screen indicator? Of course, if that's the case, then this system may not be as idiot proof as they hope.

apparent problems

one of the problems that many people have with "strong passwords" is *NOT* their lack of a strong kinesthetic memory- I can ``remember'' any password simply by typing it: sound familiar?

Problem is that this has NOTHING AT ALL to do with how you actually pull out that memory. I mean, having this strong kinesthetics allows you to keep that password in your head, but it does nothing for pulling it out (unless you ALWAYS use the same password... more on this later)

What triggers that memory really has to be one of four things: A sound, an image, a phrase (written), or a touch. That's not true, at least with me (functional keyed-retreival) but most people at least fall into those four.

This is a cue that your mind uses to pull out those memories at the appropriate moment. The feedback starts and you can whip out your password completely automatically, right?

Some "realistic solutions" to these problems include: BIOMETRICS - which don't require ANY memory, SINGLE LOGIN - which limit the number of cues needed, ASSYMETRIC-KEY - which relies on math, etc, etc.

I say "realistic" because people have used them and they DO work. They don't affect that memory pathway in and of itself, but instead rely on more durable pathways (e.g. outside of the person :)

Unrealistic methods? Pictorial passwords. Besides the obvious that they're useless to the blind, many (dare I say most? nah, I couldn't find those numbers) people lack a visual eidetic. This means that they're very easy to confuse with similar images - because they cannot be used as triggers for their memory- They simply cannot remember seeing that.

Surely, they can remember the memory of seeing, or the act, maybe if they described it to themselves (common: turning a visual cue into an audio one, but this is time consuming and rarely works for long) - point being, it pushes WAY too much emphesis on only one cue.

With our current method, I gain some visual cues; input fields on the left, on the right, a popup, etc. I also gain some functional cues (mail related? do I know these people? am I these people? was this just a test?)

I then turn all these cues into the blinding flash of realization that sends my fingertips into a frenzy typing out the appropriate login and password for wherever I'm at. (except on slashdot, i'm a wuss... i use cookies :D)

My cues may not be the same as everyone elses' but everyone does have cues. I think that changing the focus of WHAT we remember is less important than changing the cues by which we DO remember.

(There, I think that makes more sense now)

neat, but...

it's not new. i remember using an apple newton that had a picture based password option.

need some psychology on this

Interestingly enough, this is something that I tried hacking out a few years ago (though not under the pleasure of being funded by an academic institution).

I found that people like to click on distinct places, and not the whitespace between shapes/objects. Otherwise, they won't be able to remember exactly which spot they clicked on. This can be analogous to people using dictionary words for their alphanumeric passwords.

Another annoyance that I found was that hitting the exact pixel that you wanted was nearly impossible. You're more likely to hit one adjacent, or 2 away... so increasing the area of error reduces the number of possibilities.

Finally, when I want to get work done, I don't want to play a video game. Making someone hit their exact spot in a sequence of 5, or 10 images, whatever requires skill and accuracy. If you hit the first 9 right, and mess up by one pixel on the last, you have to start all over again. Imagine if you had to achieve a difficult feat - like slaying 20 characters in Quake on nightmare mode before you can log in... damn.

In summary, I think this is a really cool idea (otherwise, I wouldn't have gone to the trouble of implementing it myself) - but the downsides outweigh the benefits.

Limited application

This just won't work for most applications.

Oh, maybe for an ATM, where it's more secure than a four-digit PIN, it'd be secure enough, but it's still unworkable.

Most ATMs use very low-res displays; in fact, many are text-only displays. (I believe a large number of them are actual Hercules monochrome cards, with the ATM running OS/2, for instance.)

If you use a touch-screen, it'll become impossible to hide what you're typing, so you pretty much have to stick numbers up there and have people type the number of the correct picture. You'll have to swap the pictures around if you want to prevent people from just writing the numbers down, so you'll end up with it being harder to remember because the pictures are all on screen at once and in a different place every time.

In the end, you'll have to keep the number of pictures low, and the length of the password low, or people won't be able to remember. Hell, people forget their 4-digit PINs now.

At least with a PIN you can disguise it when writing it down; put it in your address book as Uncle Luigi, with the last four digits of his bullshit phone number being your PIN. What are you gonna do if you need a reminder for this, take a Polaroid of the screen and put it in your wallet?

I'm sure there are applications where this technology will work, but I don't think ATMs are it, and I'm REALLY skeptical about using it for locking PCs.

Biometrics are the future of easy-to-remember identification.

And here is the interesting URL

for the project itself

http://www.sims.berkeley.edu/~rachna/dejavu/ [berkeley.edu]

Which always seems to be missing.

Re:login required

>> (For the record, yes I have registered a couple of times. And forgotten the password.

Then all the better reason to be interested in an article about easy-to-remeber passwords. :)