Microsoft Wants To Give You A Rorschach 223
Preedit writes "Microsoft has set up a website that uses inkblot images to help users create passwords. The site asks users to view a series of inkblots and write down the first and last letters of whatever word they associate with each inkblot. Then they combine the letters to form a password. Microsoft claims it's a way to create passwords that are easy to remember but hard to crack. But a word of warning: the story notes that Microsoft is collecting and storing users' word associations."
Not sure this will help (Score:5, Funny)
I got vavavapsva.
More seriously, if they're saving the word associations, doesn't that mean that they have the password you've just generated?
P**n (Score:2, Funny)
Re:P**n (Score:5, Interesting)
Something like "I am a happy person who loves their life." turns into "Iaahpwlt1", which is long, contains numbers and letters and no dictionary words whatsoever.
You end up repeating it to yourself every time you log in, which serves double duty as both a mnemonic device and a way to preserve your positive attitude.
I get it (Score:3, Funny)
You're right, I feel better already! Wow, everything feels faster! Any more exclamations and I'd be using Yahoo!!
Re: (Score:3, Funny)
I use mnemonic devices also, but perhaps I should rethink my current "Nobody loves me, I wish I were dead" password. Oh, what's the use. It wouldn't matter anyway.
Re: (Score:3, Funny)
Here, let me try one:
People Always Say Something's Wrong Or Really Depressing.
Awesome! I'll use it on all my accounts!
- RG>
Re: (Score:3, Funny)
I'm not sure whether I should be afraid of your mind or the site...
Re:Not sure this will help (Score:5, Funny)
Re: (Score:2)
You, sir, have a filthy mind! =)
Cheers
Vanillia? Viagra? Volousia? Pens? Va....oh wait (Score:3, Funny)
Re: (Score:2, Funny)
They all look like butterflies.
Obligatory Emo Philips (Score:5, Funny)
I said, "Oh, it's kind of embarrassing."
He said, "Emo, everyone sees something, so don't be embarrassed. Tell me what the inkblot looks like to you."
I said, "Well, to me it looks like standard pattern #3 in the Rorschach series to test obsessive compulsiveness." And he gets kind of depressed.
I said, "Okay, it's a butterfly." And he cheers up.
He said, "What does this inkblot look like?"
I said, "It looks like a horrible ugly blob of pure evil that sucks the souls of man into a vortex of sin and degradation."
He said, "No, um, the inkblot's over there. That's a photo of my wife you're looking at."
"Oh," I said, "was I far off?" He said, "No. That's the sad part."
I'm shocked!!! (Score:5, Funny)
Re: (Score:2)
More likely it's for a technical analysis. My guess is they want to verify whether there's enough unpredictability [wikipedia.org] in the passwords produced to mean this is a secure method.
Re: (Score:2)
Second, "debatable" doesn't really rebut anything, because in science everything is debatable. (If you want to get philosophical [stanford.edu], nothing in science is ever 100% settled.) But as a useful summary of the expert consensus, I stand by what I said. There is very little independent, peer-reviewed evidence that supports the Rorschach
Slight problem with this approach (Score:5, Insightful)
Uppercase letters
Lowercase letters
Numbers
Non-Latin characters (i.e. symbols)
Every password I use has at least three, even for free-registration-required sites...
My slashdot password (Score:2)
Don't tell anybody, ok?
Re:Slight problem with this approach (Score:5, Funny)
Re: (Score:2)
For backup, on a piece of paper [schneier.com], maybe in your wallet. For quick access from your computer, get a password manager. PasswordSafe [sourceforge.net] works great for me. Make sure you get a newer version, because some attacks [secunia.com] have been found against older ones (but that's true about almost any security software).
Re:Slight problem with this approach (Score:5, Insightful)
Or are you going to tell me that
"atrulystrongpasswordshouldhaveatleastthreeofthefollowingifnotallfour"
is not a strong password?
I'm not suggesting everyone should use such a long pass, but what's so hard about implementing passphrases instead of passwords?
Re: (Score:2)
You know, now that you've said that, everyone is going to use it.
On another note, it would be entertaining wouldn't it. Kind of like making your password "OMFG, how did you guess my password!?"
Re:Slight problem with this approach (Score:5, Interesting)
For example, is passwordpasswordpassword any harder to remember than just password?
But it greatly expands the key space to be searched for anyone trying to brute force...
Ob. Schneier (Score:3, Funny)
Re: (Score:2)
"wecandanceifyouwanttowecanleaveyourfriendsbehind"
Then sweeten it up with leet stuff like:
"w3c4nd4nc31fy0uw4ntt0w3c4nl34v3y0urfr13ndsb3h1nd!"
It's not only strong, but catchy!
Re: (Score:3, Insightful)
Chances of a typo are even higher if someone routinely types in MS Word with AutoComplete turned on and is now physically incapable of typing "the
Re: (Score:2)
Actually, just so long as they are consistent, that's a GoodThing (TM). After all, "atrulystrongpasswordshouldhaveatleastthreeoftehfollowingifnotfour" is a more secure password than "atrulystrongpasswordshouldhaveatleastthreeofthefollowingifnotfour". Even more secure would be "atrulystrongpasswordsshoul
Re: (Score:3, Interesting)
I agree with you, but the problem for the average user is that they are not touch typists. They are constantly looking at the keyboard and screen to confirm what they have typed. As the length of the password increases, the odds that a typing error is going to be made also go up. As passwords are blocked out, it would be very frustrating for a person who has to look at the screen to confirm what they have typed and backspaces often.
Re: (Score:3, Informative)
In both experiments, users missed at most one association, even after having not used the system for one week. Thus it may be advisable to modify the system to allow for successful authentications when k out of a possible n associations are correct. Assuming that all blots produce an equal distribution on responses, this reduces the security of passwords to the level of the original system with only k blots. Therefore, it might be advantageous for users to have to enter associations for more blots. A disadvantage of this approach, however, is that authentication would take longer.
Also of interest may be their conclusion:
Our preliminary data suggest that inkblot authentication offers a potentially significant improvement over existing widely-deployed user authentication mechanisms. In addition to gathering our quantitative results, we also asked users who had taken part in our experiments for their comments on the system. In almost all cases we received the same response: the users were happily shocked that they could remember such a "huge password." In fact, many users asked if there were any plans to allow the use of the system in their production environment. This kind of positive user experience is arguably as important to the eventual adoption, acceptance and scrupulous use of an alternative password system as any measure of security. More experiments would help confirm or discount our security and memorability results, and could answer such questions as: How many inkblots (that is, how much entropy) can be used before the resulting passwords are no longer memorable? What is the best way to help users retain their inkblot associations? What inkblot-to-character hash function generates the most entropy without sacrificing ease of use? And what inkblot generation algorithms create inkblots with the highest-entropy (or the fewest low-entropy) association spaces?
While inkblot authentication should be quite easy to deploy in a wide variety of settings, there exist some environments (such as devices with tiny screens) where it is unworkable, and alternatives are needed. Adapting the inkblot password scheme to other password-using contexts, such as those in which the user interface is under the control of a (possibly uncooperative or legacy) application, may also require some innovative thinking.
Re:Slight problem with this approach (Score:4, Insightful)
Uppercase letters
Lowercase letters
Numbers
Non-Latin characters (i.e. symbols)
That's just not true. Admins request this kind of nonsense to force a bigger password space with shorter passwords. Informally, the security of your password is given by the number of random bits you have. With ASCII passwords using only lowercase letters, you're adding less than 5 bits of randomness per character. Even worse, most people use real words as passwords, so they can remember them easily. That reduces the randomness even more and makes dictionary attacks feasible. Adding uppercase, numbers and symbols gives you an extra bit or two of randomness per character, but makes the password much more difficult to remember.
Microsoft's method works around the password memorization by using the inkblots. The security is given by the much larger size of the resulting password. They get a password of 20 lowercase characters, say about 100 bits of randomness (less than that, because not all letter combinations are equiprobable - very few words I know begin and end with a q for example). A totally random password consisting of a mix of 10 symbols, numbers and different cased letters only gives you a bit less than 70 bits of randomness.
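The entropy arithmetic in the comment above, worked through as an added example (not code from the original thread or from Microsoft's site). It computes the uniform-alphabet figures the poster quotes, then shows the "not all letter combinations are equiprobable" caveat with a constructed, skewed sample of word associations; the sample words and counts are assumptions, not measured data.

```python
import math
from collections import Counter

LOWER = "abcdefghijklmnopqrstuvwxyz"


def uniform_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a password of `length` symbols drawn uniformly
    and independently from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def shannon_bits(counts: dict) -> float:
    """Shannon entropy (bits) of one draw from an empirical distribution
    given as {symbol: count}."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total)
                for c in counts.values() if c > 0)


def inkblot_bits(n_blots: int, pair_counts: dict) -> float:
    """Entropy of an inkblot password: each blot contributes the first and
    last letter of the associated word, and every blot is assumed to draw
    its two-letter pair from the same distribution `pair_counts`."""
    return n_blots * shannon_bits(pair_counts)


# Best case: every (first, last) letter pair is equally likely.
UNIFORM_PAIRS = Counter(a + b for a in LOWER for b in LOWER)

# Constructed, skewed sample of associations (assumption, not survey data):
# a few common responses dominate, so the pairs are far from uniform.
SKEWED_WORDS = (["butterfly"] * 40 + ["bat"] * 20 + ["moth"] * 10
                + ["face"] * 10 + ["bug"] * 5 + ["wolf"] * 5
                + ["cat"] * 5 + ["dog"] * 5)
SKEWED_PAIRS = Counter(w[0] + w[-1] for w in SKEWED_WORDS)


def compare(n_blots: int = 10) -> dict:
    """Side-by-side figures for the schemes discussed in the thread."""
    return {
        "20 random lowercase letters": uniform_bits(26, 20),
        "10 random printable ASCII": uniform_bits(95, 10),
        f"{n_blots} blots, uniform pairs": inkblot_bits(n_blots, UNIFORM_PAIRS),
        f"{n_blots} blots, skewed pairs": inkblot_bits(n_blots, SKEWED_PAIRS),
    }


if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label:32s} {bits:6.1f} bits")
```

With the skewed sample, ten blots yield roughly a quarter of the entropy the uniform-pair assumption promises, which is why the paper's question about "low-entropy association spaces" matters.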
Re: (Score:2)
Or, derive the password from one of those machines kids dance to in malls. Lens overhead, objects move, then feet keep up. How you jiggle and wiggle structures your password. This might be safe for OLPC.
But, adult-oriented password/action access can be derived from thrust-n-strut gyrations, maybe in a chair. Sorta like responding to a lapdance (without touching the computer) to eventually gain access to the computer's ass sets. This might be saf
Re: (Score:2)
A truly strong password MAY have all of those. If you REQUIRE that it do so, then you weaken the password.
Hmmmm .... (Score:5, Interesting)
So, Psych 101 was a long time ago, and that's the extent of my exposure to it.
Do individual people respond to the same inkblots, the same way over time? Or might I see the same splotch in 3 months and associate something else with it? If there's drift over time, this wouldn't be such a good idea.
Anyone with a better schooling in human psychology care to chime in?
Cheers
Re: (Score:3, Interesting)
I don't know, but about three years ago, I recall suggesting the use of non-abstract images and measuring the brain's electrical response to determine a map of the user's response to a given stimulus. After the system was trained properly, you could use that to be a really, really solid passphrase; while your brain may react a bit differently to images over time, it isn't likely to react dramatically differently for the most part (except maybe after head trauma or something similarly extreme). This seems
Re: (Score:2)
So much for having a few beers during lunch.
Unless, of course, the initial measurement is done when I'm already buzzed... in which case I'll need to have a bloody mary every morning in order to get started at work...
Idea intriguing, newsletter please.
Re: (Score:2)
Hmm, when I tried it half an hour ago, they all looked like pizzas. Now all I see there are pillows.
Re: (Score:2)
Yes, they change over time. It is common to use the same test several months apart to gauge the effectiveness of ongoing therapy.
In the actual Rorschach ink blot test, what you see is almost immaterial compared to how you see it. If this system uses its own inkblots it is likely that some of them are particularly evocative of specific images (even
Don't do it... (Score:5, Funny)
Re: (Score:2)
-mcgrew
Re: (Score:2)
I have actually always been more intrigued as to whether or not an amalgamation of responses would indicate a physiological predisposition in humans to see particular images, rather than indicating what any particular individual might see. Especially since, anecdotally, everyone but the crazies always see sexual images or butterflies.
I believe, however, that other research has already demonstrated this with more prec
And zees one? (Score:2)
BEWARE the breasts of DOOM! (Score:2)
random? (Score:3, Funny)
db
Ballmer's unencrypted file (Score:5, Funny)
chair
developers
chair
banana
ooohshiny
developers!
developers!
developers!
Storing and insecure (Score:5, Informative)
From the actual site:
InkblotPassword.com is a research project deployed by Microsoft Research. It is for demonstration and research purposes only. You are welcome to try it out, but we make absolutely no promise that our implementation will protect your password. Don't use your account here to protect any data you care about, from money to your reputation. We also make no promise that the site will continue running. Should the service prove successful, Microsoft may consider offering the service as a commercial product or service. For now, consider it an unreliable, insecure service run by a couple research coneheads in their spare time, and trust it accordingly.
Wait... (Score:5, Interesting)
No way.... (Score:2, Funny)
If this is anything like a wet willy, I don't want one, and you can't make me.
*runs away screaming*
Same password for different sites == bad security (Score:2)
It's even more important that people not do this. If your password is the same for 15 different sites, and one of those sites gets hacked (or even phished, or someone keylogs your password) suddenly that hacker has access to your account at
Re:Same password for different sites == bad securi (Score:2)
Re:Same password for different sites == bad securi (Score:2)
Something like:
username: Exo5Aiqua0pa
password: mypassword
Reusing the password (Score:5, Insightful)
Common sense might.
All I keep seeing... (Score:5, Funny)
Captcha (Score:5, Interesting)
Please select all the cats. Pictures supplied (and sponsored) by petfinder.com. Brilliant. Even HAL-9000 might not be able to do that.
Re: (Score:2)
Identifying the cats was hands down the better half of the inkblot website game. Once I got to the password part, I decided it was too stupid to continue with.
Something that still needs working... okay, I passed the CAPTCHA once, but my request failed (in the case of this website, the username I typed had already been chosen). I then had to change my username choice and re-authenticate myself by finding more cats. Yet, as far as I could tell, I am still human.
A similar thing bugs me about Ticketmaste
This is just a beta test for the m$ psychological. (Score:2)
Rorschach inkblot test (Score:2)
(obligatory link for the uninformed)
Rorschach Inkblot Test [wikipedia.org]
Insecure? (Score:2)
rorschach? (Score:2)
Several flaws immediately come to mind (Score:2)
No shit. Type any password enough times your fingers learn where the keys are, even if you're not consciously thinking about what you're typing.
So their aim is to have you look at the inkblots, work out your passwords, type the password until your finger
Another option to APG (Score:2)
http://supergenpass.com/ [supergenpass.com]
Enter the... (Score:2)
Is this really new?
Eventually it'll be something done by Open Source from the future SeaCode employees...
But, also, hasn't this been shown in sci-fi shows? (No, I'm not talking about "cheating" to make a result/action appear on screen.) It would be ghastly if a patent is "awarded" for this...
I use a keyboard pattern mnemonic (Score:2)
Any 12 characters (1a...!A...) I never repeat, but I always recall. Because of the pattern matching, I must always recall the first character to enter; then I follow the appropriate pattern-match.
When I take vacation and return to the office two weeks later
Example: c6b
Note: I use a keyboard pattern mnemonic (Score:2)
Resistance is futile... (Score:2)
Possible Microsoft ink-blot results:
phishing (Score:2)
So essentially this is a phishing site, and they're telling you that up front. Of course MS is aware that if you take a sample 1000 people who have fallen for a phishing scam in the past and send them to this inkblot password site with a disclosure that their password will be recorded, 1000 of these will go ahead and use it anyway. It's a great way to do as the criminals do, and through a simple legal disclosure it's no longer a crime.
db
Easy ways to get random pass-foo from books. (Score:2)
Open a large book on random pages and note down the LAST digit. Repeat until the pin is long enough.
For passphrases:
Pick a book, open it on a random page and note down the first word on that page longer than 3 characters. Generate 2 passphrases this way and insert the acronym of one of them into the other. Add some random special characters and numbers at random places (i.e. chosen as for PIN numbers).
May well be vulnerabilities in there, but if you know enough about computer security to avoid
Re: (Score:2)
Think of some things relevant to you.
ex:
I have the:
9th sign
31st is the date of my favorite holiday
9 was how old I was when my dog was put down.
9319
Use things that are common, but not something you would bother to talk about. Keep it in your wallet.
That is stupid, hard passwords are easy. (Score:2)
My brothers' initials are JaL and FdL
My wife's birthday and month 01/01
My first toby was 'Toby'
Add a letter to rotate
yb0T0101JaLFdLa
Bam, I just created a personal and hard password. The biggest argument against that is that 'everybody knows all about you'. In that case, this information is just noise in the data.
or
!5b00B_g1B
Easy to remember for a human.
No, none of the information given in the example is accurate.
Also, put the password in your wallet. You do not need to put what the password is to, you'll re
What I find interesting (Score:2)
WTF, I have to select a bunch of cat pictures? (Score:2)
I'm just leaving my password at "changeme" and getting on with my life.
Silly... try a leet password generator (Score:3, Informative)
Try a leet password generator [goodpassword.com]... way easier to remember!
Re: (Score:2)
Most passwords tell you one or two things, not "a lot." They tell you whether the person has a clue about security or not. If they have a clue, their password will either be unintelligible to you or pure nonsense. If they don't have a clue, their password will be a word or phrase that is familiar to them and likely reveal very little to you other than their dog's name.
That's not obligatory..... (Score:2)
Watchmen - 74 minutes
"Guy with black and white mask eats beans from a can"
Re: (Score:2)
"asdf$1234" is your chosen "strong" password, but after typing "asdf" you click the cursor after the second character, "s" and continue from there, leaving as$1234df. Since mouse clicks are not (typically) recorded by keyloggers, you would frustrate attempts to stea