Map Based Passwords

samzenpus posted more than 3 years ago | from the getting-directions-to-your-password dept.

Security 169

smitty777 writes "Discovery is running an article on passwords based on a very specific location on a map. Instead of showing UID and Password fields, the user would simply click on a very specific spot on Google Earth, for example. I wonder how you would make that secure? Also, if you forgot, would you get a message saying 'Your password is the third flamingo on the left on the lawn of Aunt Bessie's house'?"


slacker geo-hack (1)

alphatel (1450715) | more than 3 years ago | (#33738268)

Fastest password crack ever: Click "1600 Pennsylvania Avenue"

Re:slacker geo-hack (5, Funny)

Intron (870560) | more than 3 years ago | (#33738470)

MEMO FROM IT DEPT.

It has come to our attention that some users are selecting weak passwords. Henceforth, we have implemented measures to prevent selecting passwords based on well-known locations, major cities and major landmarks. When selecting a password we will not allow you to use a place that you, a relative or a friend have ever lived or visited. Please fill out the attached questionnaire listing everywhere you have been since you were born.

Thank you.
IT - Department - help you can count on

Re:slacker geo-hack (1)

Jazz-Masta (240659) | more than 3 years ago | (#33738542)

MEMO FROM IT DEPT.

It has come to our attention that some users are selecting weak passwords. Henceforth, we have implemented measures to prevent selecting passwords based on well-known locations, major cities and major landmarks. When selecting a password we will not allow you to use a place that you, a relative or a friend have ever lived or visited. Please fill out the attached questionnaire listing everywhere you have been since you were born.

Thank you.
IT - Department - help you can count on

How did you get my Memo?

Re:slacker geo-hack (0)

Anonymous Coward | more than 3 years ago | (#33738878)

I read your email.

Re:slacker geo-hack (1, Funny)

Anonymous Coward | more than 3 years ago | (#33738912)

Your pass-location was weak.

Re:slacker geo-hack (1)

FoolishOwl (1698506) | more than 3 years ago | (#33739220)

How did you get my Memo?

It was in the recycling bin in your cubicle.

Re:slacker geo-hack (2, Funny)

Lumpy (12016) | more than 3 years ago | (#33738694)

I prefer the one we put on all the windows machines here at work.

"your password must not contain any characters that can be typed on the keyboard."

The CTO did not think that it was funny...

Re:slacker geo-hack (4, Funny)

badboy_tw2002 (524611) | more than 3 years ago | (#33738764)

Dang, my password was someone's backyard where they had spelled out "GOD" "SEX" and "LOVE" with their hedges. If I ask them to grow a "1" after it will we be all good?

Re:slacker geo-hack (1)

jank1887 (815982) | more than 3 years ago | (#33739458)

you need a special character, too. And that better not be all uppercase.

Re:slacker geo-hack (1)

oodaloop (1229816) | more than 3 years ago | (#33738898)

In order to make passwords more secure, we will no longer be using overhead views.

Brilliant... (2, Insightful)

Anonymous Coward | more than 3 years ago | (#33738290)

... and when the internet link is down or God forbid, Google Earth is down, users login how?

Re:Brilliant... (2, Funny)

T Murphy (1054674) | more than 3 years ago | (#33738662)

But if Google Earth is down, google.com itself is probably down, in which case the user couldn't navigate to the website in the first place. I don't see the problem.

Re:Brilliant... (2, Funny)

Lumpy (12016) | more than 3 years ago | (#33738734)

Enter the latitude and longitude in by hand DUH.

click script... (1)

hyperion2010 (1587241) | more than 3 years ago | (#33738300)

Maybe if you were trying to hide the log in box, but you can write click scripts that will hit that map at every pixel. Stupid.

Re:click script... (1)

colinnwn (677715) | more than 3 years ago | (#33738340)

I'm not saying this is a great idea for an authentication system, but why wouldn't you include with this logarithmic rate limiting or account disabling with incorrect guesses? Additional security measures with this shouldn't be different than any other well designed password or token based system.

Re:click script... (0)

Anonymous Coward | more than 3 years ago | (#33738344)

Not really... seeing as how Google Earth doesn't present the entire Earth in full definition from a Planet-Level view, only when you zoom in to around 'Neighborhood-Level' view do you get the most detailed pictures.

Re:click script... (1)

zero.kalvin (1231372) | more than 3 years ago | (#33738350)

Several points on the map as a username, and several others as a password. How in the hell will a script deal with that? If you have several million pixels, that would translate as your alphabet with few million letters. Brute forcing will be the idiotic thing to do.

Re:click script... (0)

Anonymous Coward | more than 3 years ago | (#33738352)

If every username and password is mapped to a specific region of a map of the world, the probably space for cracking that password goes way up. You have to try every user/pass combination in every spot on the map. The right user and pass info in the wrong spot will not work.

It works! (4, Funny)

grub (11606) | more than 3 years ago | (#33738302)


I forgot my gmail password

and here was my hint [google.ca] .

(how I forgot "goatse" as a password is beyond me.)

Re:It works! (1)

JWSmythe (446288) | more than 3 years ago | (#33739340)

That's a lot safer than this one [google.ca]

Forget mouse trackers... (4, Insightful)

bieber (998013) | more than 3 years ago | (#33738326)

...this one is easy enough to crack just by shoulder-looking. And of course there's the issue of needing to load a ton of map data just for a simple password entry, and if the map provider is out you're screwed. Plus the hassle of zooming down from a world-map to some specific point every time you want to get into a site. Need I go on?

Re:Forget mouse trackers... (-1)

tsa (15680) | more than 3 years ago | (#33738372)

No.

Re:Forget mouse trackers... (0)

Anonymous Coward | more than 3 years ago | (#33738754)

Yes, let's go on.

This has terrible entropy. To crack a password all you would have to do is check all major features on the map. Sounds like a lot but it's nothing compared to a normal random text password.

Re:Forget mouse trackers... (0)

Anonymous Coward | more than 3 years ago | (#33739268)

Oh? and just how many "major features" do you figure exist on the earth?

and that presupposes that you have a complete understanding of what counts as a "major feature" for a given individual [x]? maybe the Sphinx at Al-Giza is, but what about just its head, or its tail? Perhaps the pyramids themselves? but then which pyramid? which corner? or the top/center? or the entrance? On a less noteworthy scale, what about a bluff near where [x] grew up? how about the park where [x] and [x]'s [n]th g/f kissed on that special night...

Oh wait, I forgot that this is /. and nobody will get that last part...

Finally, presupposing all of those problems, at what zoom level will you do the check?

Personally, I think the biggest problem with this method is the "over-the-shoulder" observability...

-AC

Re:Forget mouse trackers... (4, Funny)

T Murphy (1054674) | more than 3 years ago | (#33738830)

this one is easy enough to crack just by shoulder-looking

So don't display the map plainly- replace it with asterisks. Problem solved.

Re:Forget mouse trackers... (-1)

Anonymous Coward | more than 3 years ago | (#33739070)

winner

Re:Forget mouse trackers... (3, Funny)

Zerth (26112) | more than 3 years ago | (#33739362)

So my password would be ore, ore, ore, ore, ore, ore, ore, ore

I'd rather have tower-cap, quarry bush, pigtail, dwarf, elephant, corpse, corpse, corpse

Re:Forget mouse trackers... (1)

PRMan (959735) | more than 3 years ago | (#33738836)

Can you? That's pretty comprehensive already.

Re:Forget mouse trackers... (1)

Crudely_Indecent (739699) | more than 3 years ago | (#33738956)

If implementing a map-based-password, I would require users to choose more than one location. I might place an upper limit on the number of locations as well.

Someone could then set their password to equal: 1. where they were born, 2. where they work, 3. where they went on vacation last year.

Of course, there wouldn't be any prescribed formula for choosing the locations, so a user could choose any number of locations for any reason. They might even choose "..that place where they put that thing that time [youtube.com] ."

Re:Forget mouse trackers... (1)

DavidTC (10147) | more than 3 years ago | (#33739680)

Indeed, the password reminder clue would be pretty interesting. 'It's the place where you got that flat tire that time' or 'Won't ever eat there again' or 'The weird sign'.

Incidentally, I love that clip, as it has the single realistic 'hack' in the entire movie. If you're on a phone where you can't dial at all, hang up the phone, take it back off the hook, click the switchhook ten times, which dials '0' in rotary, and you get an operator, who can dial for you.

Re:Forget mouse trackers... (1)

geekoid (135745) | more than 3 years ago | (#33739752)

It's actually harder to get an exact pinpoint by shoulder surfing with this than any ATM machine or keyboard.

Compromised password (0)

Anonymous Coward | more than 3 years ago | (#33738336)

So when you get compromised not only is your 'password' gone but also your house address? Don't be naive to think that people's password won't be their house/workplace.

Find a point on a map? (5, Funny)

bigredradio (631970) | more than 3 years ago | (#33738364)

Here is the US that would be very effective.

REQUEST: Locate Belgium on a map

RESPONSE: uh.....uh......connection timed out!

Re:Find a point on a map? (2, Interesting)

Nadaka (224565) | more than 3 years ago | (#33738800)

We don't use that kind of language around here mister!

Re:Find a point on a map? (1)

PRMan (959735) | more than 3 years ago | (#33738852)

Hey, you're on to something there. If you want to keep Americans out of your site, just use this.

Re:Find a point on a map? (0)

Anonymous Coward | more than 3 years ago | (#33739022)

Belgium... that's the capital of Africa, right?

Re:Find a point on a map? (1)

JWSmythe (446288) | more than 3 years ago | (#33739426)

No. Use Google Maps, it will show you the way. [google.com]

Re:Find a point on a map? (1)

bill_mcgonigle (4333) | more than 3 years ago | (#33739124)

The best ridicule posts are proofread.

Re:Find a point on a map? (0)

Anonymous Coward | more than 3 years ago | (#33739324)

French Response: We surrender!

Re:Find a point on a map? (1)

Cro Magnon (467622) | more than 3 years ago | (#33739574)

Belgium? Heck, by the time the average American searched all of South & Central America for New Mexico, the connection would be long dead.

I couldn't print out my homework... (0)

Anonymous Coward | more than 3 years ago | (#33738370)

A sinkhole ate my password!

That's great for me (1)

Beerdood (1451859) | more than 3 years ago | (#33738382)

I don't have much trouble spotting familiar places on google maps, but what about those that can't read maps very well? aka women

/me ducks

Re:That's great for me (4, Funny)

RapmasterT (787426) | more than 3 years ago | (#33738560)

something tells me you don't need to worry about women.

pull over (4, Funny)

Comboman (895500) | more than 3 years ago | (#33738884)

They pull over and ask a gas station attendant what their password is.

Re:pull over (1)

Surt (22457) | more than 3 years ago | (#33739272)

While men never pull over, and instead just keep trying to brute force their own passwords?

Re:That's great for me (1)

aliloln (973288) | more than 3 years ago | (#33739578)

I always thought it was the men who can't read maps (or ask for directions)...

Interesting concept (1)

MDHowle (634114) | more than 3 years ago | (#33738396)

To recover a lost "password", does it provide turn-by-turn directions? This is an interesting and potentially useful concept, especially to use in conjunction with a username and password. Also, I can see how you can prevent certain people from logging in to the network if they're in an "insecure" location such as in an airport.

Re:Interesting concept (1)

hedwards (940851) | more than 3 years ago | (#33738476)

That's more how I imagine it. Choose two points, then the route between the two is the actual passphrase.

Re:Interesting concept (1)

CastrTroy (595695) | more than 3 years ago | (#33738944)

So if they construct a new road, or change their routing algorithm, I've now lost my password forever?

Re:Interesting concept (1)

bill_mcgonigle (4333) | more than 3 years ago | (#33739300)

So if they construct a new road, or change their routing algorithm, I've now lost my password forever?

Don't worry, the guy down the hall sniffed all your Google Maps HTTP request traffic.

Re:Interesting concept (1)

radicalpi (1407259) | more than 3 years ago | (#33738538)

[Mod Parent Up +1 Funny] Better yet, you have to go to that location and take a picture and it will let you log in.

Re:Interesting concept (1)

dfsmith (960400) | more than 3 years ago | (#33739010)

You just did for free what Google needed a whole "Street View" fleet of trucks to do....

Re:Interesting concept (1)

DavidTC (10147) | more than 3 years ago | (#33739754)

You laugh, but some GPSes are using that specific idea, although it's in combination with a PIN.

You simply set a 'password recovery' location in the GPS. You forget your PIN, you drive there, do the password reset, and it lets you in.

Some people use their house, but I always thought that was silly...if someone steals your GPS, they could easily find your house (After all, it's in the damn GPS.) and drive there and park close enough. They're unlikely to figure it out if it's the parking lot of the local Arbys.

Uh (0)

Anonymous Coward | more than 3 years ago | (#33738556)

I wonder how you would make that secure?

You should know. Why are you asking us?

The third flamingo on the left on the lawn of Aunt (4, Funny)

sakdoctor (1087155) | more than 3 years ago | (#33738592)

That's amazing! I've got the same flamingo on my luggage.

Fractal images a better bet? (2, Interesting)

Banichi (1255242) | more than 3 years ago | (#33738604)

Could you use the scalability of fractal images as a map in this manner?
By my understanding, this would give you random numbers depending on your "depth" and x/y coordinates.

Re:Fractal images a better bet? (0)

Anonymous Coward | more than 3 years ago | (#33739004)

Only if the fractal doesn't exhibit any self-similarity: http://en.wikipedia.org/wiki/Self-similarity [wikipedia.org]

Otherwise there will be too many collisions.

Re:Fractal images a better bet? (1)

quickOnTheUptake (1450889) | more than 3 years ago | (#33739670)

It seems like that would make it easy to get lost, fractals have an odd way of looking similar at various magnifications.

Map/Imagery Updates? Accessibility? (1)

literaldeluxe (1527087) | more than 3 years ago | (#33738624)

So what happens when they update the imagery or the map (streets do change, you know)? Also, this is clearly not usable for many people with disabilities (requires good eyesight, good coordination, a steady hand, good memory, etc.).

Re:Map/Imagery Updates? Accessibility? (1)

NFN_NLN (633283) | more than 3 years ago | (#33738834)

So what happens when they update the imagery or the map (streets do change, you know)? Also, this is clearly not usable for many people with disabilities (requires good eyesight, good coordination, a steady hand, good memory, etc.).

I hadn't thought of that but it's a good point. This could be a great system for eliminating AOL users from the rest of the internet.

Intercourse, Pennsylvania (1)

xednieht (1117791) | more than 3 years ago | (#33738628)

Is about to become a lot more popular.

Re:Intercourse, Pennsylvania (1)

belthize (990217) | more than 3 years ago | (#33738668)

Sometimes when driving on I-40 I find myself thinking "Fuck, Texas".

Re:Intercourse, Pennsylvania (1)

Jawnn (445279) | more than 3 years ago | (#33739368)

Sometimes when driving on I-40 I find myself thinking "Fuck, Texas".

I'm wondering if the comma belongs there, indicating exasperation when confronted with Texas, or not, indicating what ought to be done with Texas. Either way, I know exactly what you mean.

Re:Intercourse, Pennsylvania (1)

Shadis (934448) | more than 3 years ago | (#33738716)

Around here I would think more along the lines of Blue Ball, Pennsylvania becoming popular.

Re:Intercourse, Pennsylvania (1)

oodaloop (1229816) | more than 3 years ago | (#33738848)

Blue Ball is on the way to Intercourse, right before Paradise. Bird in Hand isn't far away either.

I'm serious.

Re:Intercourse, Pennsylvania (1)

russotto (537200) | more than 3 years ago | (#33739214)

Intercourse, Paradise, and Bird In Hand are pretty close to each other, but Blue Ball is several miles further away. And in any case, Intercourse is on the way from Blue Ball to Paradise.

Re:Intercourse, Pennsylvania (1)

oodaloop (1229816) | more than 3 years ago | (#33739364)

I guess it would depend on which direction you were going, wouldn't it? I live in Strasburg. You from the area?

Re:Intercourse, Pennsylvania (1)

_ivy_ivy_ (1081273) | more than 3 years ago | (#33738890)

Go to Hell, Michigan!

And no, despite the similarity, it's not Detroit.

Re:Intercourse, Pennsylvania (0)

Anonymous Coward | more than 3 years ago | (#33739442)

Alternately, there's always Dildo [google.ca] ...

-AC

Re:Intercourse, Pennsylvania (1)

iPhr0stByt3 (1278060) | more than 3 years ago | (#33739196)

errr, fucking (1)

iPhr0stByt3 (1278060) | more than 3 years ago | (#33739210)

I mean, "Fucking, Austria"

Just use a picture (1)

PktLoss (647983) | more than 3 years ago | (#33738648)

Rather than using a map, just have the user upload a picture.

You're killing two birds with one stone. First, the user is being shown something to confirm that this is indeed the site they think it is (think: sitekey or the like). Second, they can pick some incredibly detailed point without all the hassle of licensing someone else's data.

All that, and this is still a pretty stupid idea. You have all the same problems with password: users don't want a long one, users want to pick the same one for multiple sites, users tell the wrong people who their passwords are (though, now with more difficult language). All that, plus it's now multiple clicks, pans and zooms to enter your "password", and if the satellite data updates you're screwed.

Re:Just use a picture (1)

hoggoth (414195) | more than 3 years ago | (#33738776)

This!

Every user gets his own picture, and coordinate within that picture.
So my password could be Aunt Bertha's left eye and yours could be Megan Fox's umm... freaky thumb.

Enter username. Gets instant feedback that you aren't on a trojan site. Only the real site should know and have a copy of YOUR picture. Then select your secret point on the picture. Don't send the coordinates, but an encrypted or one-way hashed version of the coordinates so an eavesdropper doesn't get any useful information.
Easier to remember than a password.
You might still have "bad passwords" if the user selected a photo with very few obvious points of interest (back to my Megan Fox example).

Re:Just use a picture (0)

Anonymous Coward | more than 3 years ago | (#33739438)

So, I attempt to login as you since usernames are easy to get/guess and then... I get your picture! no more or less secure than just a username. Little bit harder to do, nothing excessive.

Re:Just use a picture (0)

Anonymous Coward | more than 3 years ago | (#33739600)

Microsoft's Tablet Touch Pack had this capability (Picture Password)

It would show you a picture, and you would touch as many points on the picture that you wanted for your password. You'd have to touch them again in the correct order within a certain threshold to log in.

EG, one of the stock pictures was a shot of a bunch of fish in a reef. One of my logins was something like the Angel Fishes eye, the octopus in the reef, the third clam from the right, and the bright bit of coral in the middle.

Passwordless? (1)

EkriirkE (1075937) | more than 3 years ago | (#33738650)

I imagine the back-end simply being the coordinates with a margin of error.
Still a password: "You could have a 10-digit latitude, and a 10-digit longitude, then you'd have a 20-digit password." - TFA

In Geographic Password ... (1)

rlp (11898) | more than 3 years ago | (#33738704)

In Geographic Password you pick Soviet Russia.

Actually (1)

TheCarp (96830) | more than 3 years ago | (#33738714)

If you could choose your own map areas, this could work well.

I could easily choose map spots that could be described in a way that only I or a very select group of people would know. Things like if I showed you a map of the neighborhood where I grew up, and said "the tits", how would you know where it is? Would you guess in the park? Where in the park?

Trust me, no google earth view is going to show you the landmark in question, and it would only be visible as such from one spot.... but I know exactly where it is, I used to climb all over those rocks as a kid.

-Steve

Well, what about this (0)

Anonymous Coward | more than 3 years ago | (#33738724)

What if we had GPS, a Cell tower, and a local device embedded in the ground.

If the computer is moved from these 3, then no password will work.

//Then you can simplify the job to keeping people out of the room.

Network fail or storage fail (1)

goodmanj (234846) | more than 3 years ago | (#33738750)

Nope, won't work. You have two options: either store the maps locally, or download them from an online source like Google Earth.

If you get them online, then anyone watching your network traffic can see which map tiles you're requesting, and use that to figure out the approximate location you're clicking on. This limits the possible passkeys to some point on the last map you loaded -- which given image/mouse resolution, means there are only about 100,000 possible passkeys. Not enough.

If you store them locally, then you need to store high-res map data for the whole planet. You're going to need to store at least a gigabyte worth of images in order to be able to distinguish streets from one another: probably closer to a terabyte if the user is to be able to recognize and click on their uncle Joe's summer home.

The basic problem is, in order to allow the user to pick one of N choices on the map, you need to store and present several times N bytes worth of data -- color pixel information for each possible click-location. That means that to match the password security of an 8-character a-z password, you need to store several gigabytes of raw image data -- less if you JPG it.

Re:Network fail or storage fail (1)

goodmanj (234846) | more than 3 years ago | (#33738822)

Let me put it another way: if the number of possible passwords is X^Y, where X is the number of symbols and Y is the length of the password, using a password system in which Y = 1 is stupid, for any feasible choice of X.

Now, a map password in which the user clicks on *several* locations on a low-res map, in order? *that's* got some entropy behind it. But at that point, you might as well just make your "map" image a photo of a keyboard and reinvent the wheel.

Better for password recovery? (1)

w0mprat (1317953) | more than 3 years ago | (#33738752)

Just as people set their own names, birthdates and 'password', they will assuredly put their own home as their password.

This makes more sense as an optional authentication factor for password recovery than for the sole means of authentication.

not dumb (2, Insightful)

Tom (822) | more than 3 years ago | (#33738876)

It's not half as dumb as the summary makes it sound.

For security, what matters is the keyspace and the likelihood of guessing correctly. The keyspace easily competes with alphanumeric passwords. It is dramatically reduced by the assumption that people will pick places with meaning to them, which means places they've been to. Nevertheless, it should measure up to passwords in security.

Different from passwords, though, the human mind is pretty well equipped to recall specific places. Arbitrary alphanumeric combinations, on the other hand, are amongst the most difficult things to remember and recall.

Re:not dumb (1)

Hacksaw (3678) | more than 3 years ago | (#33739692)

People are dumb. Millions of people would select something like the entrance for Fort Knox, or Norad, or a local bank. You have a training problem just as large as the one you have now.

Cryptographical weak (0)

Anonymous Coward | more than 3 years ago | (#33738916)

Ultimately it may be easier to remember what your password is by remembering such a map reference and as someone else stated the password hint could be the map point of interest, but the actual value is just numeric therefore not very secure.

Real life (0)

Anonymous Coward | more than 3 years ago | (#33738938)

The system is extremely secure ... for those with no social life. No one knows where they live ...

Beware of... (0)

Anonymous Coward | more than 3 years ago | (#33739040)

geocaches !

I can barely tell where I am right now (1)

Drakkenmensch (1255800) | more than 3 years ago | (#33739044)

My 3rd grade teacher said geography would be useful one day.

Bullshit. (0, Redundant)

unity100 (970058) | more than 3 years ago | (#33739078)

doesn't matter what you 'click on'. still, some certain identifiable data is going to be sent from your remote pc, to the server that is going to do the authentication. or, even if it's on your local pc, to whatever is going to authenticate you in local pc.

it's no different than anything else. if anything, it makes dictionary type attacks much easier. the number of possible coordinates that can happen on a world map are much much lower than the possibility of combinations of alphanumeric passwords with special characters.
BR.

Re:Bullshit. (1)

Red Flayer (890720) | more than 3 years ago | (#33739290)

the number of possible coordinates that can happen on a world map are much much lower than the possibility of combinations of alphanumeric passwords with special characters.

The number of possible coordinates on a world map is infinite. What bounds the number of coordinate passwords is resolution of the images used to identify the coordinates.

Besides, you could easily increase the difficulty of cracking the password by requiring multiple locations.

My new password . . . (1)

cashman73 (855518) | more than 3 years ago | (#33739082)

This is excellent news! I will finally be able to set my password up as "CowboyNeal's Mother's Basement!" ;-)

My selection (1)

SnarfQuest (469614) | more than 3 years ago | (#33739128)

I selected a shark in a backyard pool, but for some reason the camera pointing at it has been burned out, and now I cannot log in!

Garmin (1)

olsmeister (1488789) | more than 3 years ago | (#33739142)

I have a Garmin Nuvi GPS that does something similar for theft deterrence. If you enable locking on the unit, you must either input a 4 digit PIN code, or the unit must be in a pre-programmed 'Home' location when it is powered on for it to function.

Much smaller search space (1)

Caerdwyn (829058) | more than 3 years ago | (#33739182)

The issue with this is that most people will either choose locations that are well-known landmarks, or which they are associated with. This vastly reduces the potential search space for a password based upon a physical location. But even if you choose a location at random... Let's pull a number out of the air: let's suppose there are 100 million buildings in the United States that represent potential candidate "geokeys". That's what, a 27-bit key? How long would it take to exhaustively brute-force a 27-bit keyspace?

The other issue is that you now have a dependency upon the map-display. If it ever changes (new satellite imagery, the Taco Bell you use as your key moves across the street to a new building), or the map-server is down, you can't get in without some sort of time-consuming (and itself potentially hackable) recovery method.

Nice idea on paper, and far better than choosing a random word that appears in /usr/share/dict/words (480 thousand entries on my installation) ... but still weak compared to even a 6-byte password composed entirely of ASCII 33-96 chosen at random (64 possible values per character, 64 = 2^6, 6*6 = 36, keyspace = 2^36 = 69 billion possibilities).

Real men don't use maps. (1)

PatPending (953482) | more than 3 years ago | (#33739206)

Real men don't use maps.

'Nuf said.

My Password is 12345 (1)

PatPending (953482) | more than 3 years ago | (#33739270)

My password is 12345 [google.com]

Note to self: Now I have to change my password.

Re:My Password is 12345 (1)

Beerdood (1451859) | more than 3 years ago | (#33739676)

1-2-3-4-5? That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage!

Re:My Password is 12345 (1)

AndrewNeo (979708) | more than 3 years ago | (#33739684)

Hah, there's an Amazon distribution center right there.

Hmm sounds familiar (1)

TheGhostface (1284408) | more than 3 years ago | (#33739642)

I remember using things like this about 10 years ago on my pocket pc, where instead of entering a pin to unlock it, you would have to press specific points on a picture of your choice (in the correct order of course). So the concept isn't that new, I was actually quite fond of the idea back then.

14 Digit Password (2, Interesting)

DaleSwanson (910098) | more than 3 years ago | (#33739696)

Looking at Google Maps the area covered by the windshield of my car is about five places after the decimal point of precision in both lat and long. That is about one square meter and as precise as you could realistically expect users to be. That would mean each location would give you 2+5 digits for the lat and the long, a total of 14 digits for a password. That's 10^14 possibilities. For comparison a password made up of random characters (lower, upper, digits, special) for a total of 95 total possible choices would need to be seven characters long to have about the same entropy (67 trillion vs 100 trillion).

Seven character random passwords are ok, but certainly not uncrackable. You could argue that letting the user choose several spots would greatly increase the entropy, but realistically the user is going to pick spots close together. Not to mention you could probably cut down on the possible locations with something similar to a dictionary attack, i.e., eliminating the vast expanses of nothingness that are unlikely to be chosen (like oceans, and deserts). Lastly, it relies too heavily on the mapping service. What happens when they update their images and your landmark disappears or moves slightly?
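Added example, not part of the thread or of any commenter's post: EkriirkE's "coordinates with a margin of error" back-end and hoggoth's one-way hash of the coordinates can be combined using centered discretization (a technique from click-based graphical password research), and the keyspace figures quoted by Caerdwyn and DaleSwanson can be checked next to it. The function names, the tolerance, the PBKDF2 work factor and the sample coordinates are assumptions constructed for illustration.

```python
import hashlib
import hmac
import math
import os

UNITS_PER_DEG = 100_000  # five decimal places of a degree, the precision used in the thread
TOL = 5                  # accepted click error in grid units (assumed value)
ITERATIONS = 100_000     # PBKDF2 work factor (assumed value)


def to_units(deg):
    """Convert degrees to integer grid units so the later arithmetic is exact."""
    return round(deg * UNITS_PER_DEG)


def _discretize(x, tol):
    """Centered discretization of one coordinate.

    A cell of width 2*tol is shifted by `offset` so that x sits at its
    centre. The offset is stored in clear; only the index is hashed.
    """
    return (x - tol) % (2 * tol), (x - tol) // (2 * tol)


def _digest(salt, indices):
    """Slow salted hash over the ordered cell indices."""
    data = ",".join(str(i) for i in indices).encode()
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)


def enroll(points, tol=TOL):
    """points: ordered list of (lat, lon) clicks. Returns the record to store."""
    salt = os.urandom(16)
    offsets, indices = [], []
    for lat, lon in points:
        for x in (to_units(lat), to_units(lon)):
            off, idx = _discretize(x, tol)
            offsets.append(off)
            indices.append(idx)
    return {"salt": salt, "tol": tol, "offsets": offsets,
            "hash": _digest(salt, indices)}


def verify(record, points):
    """Accept clicks within [x - tol, x + tol) of every enrolled coordinate, in order."""
    tol = record["tol"]
    coords = [to_units(v) for point in points for v in point]
    if len(coords) != len(record["offsets"]):
        return False
    indices = [(x - off) // (2 * tol)
               for x, off in zip(coords, record["offsets"])]
    return hmac.compare_digest(_digest(record["salt"], indices), record["hash"])


def keyspace_bits(choices_per_point, n_points=1):
    """Entropy in bits if every choice were equally likely (an upper bound)."""
    return n_points * math.log2(choices_per_point)


def globe_cells(tol=TOL):
    """Distinguishable click targets on a whole-earth grid at this tolerance."""
    return ((180 * UNITS_PER_DEG) // (2 * tol)) * ((360 * UNITS_PER_DEG) // (2 * tol))


if __name__ == "__main__":
    # Constructed sample clicks, not taken from the thread.
    secret = [(40.68925, -74.04450), (48.85837, 2.29448)]
    rec = enroll(secret)
    print("exact click accepted:", verify(rec, secret))
    print("10^14 locations:      %.1f bits" % keyspace_bits(10 ** 14))
    print("95^7 passwords:       %.1f bits" % keyspace_bits(95 ** 7))
    print("100 million buildings: %.1f bits" % keyspace_bits(10 ** 8))
    print("whole-earth grid at TOL: %.1f bits" % keyspace_bits(globe_cells()))
```

Because the whole-earth grid at this tolerance holds under 43 bits per location, the stored hash only slows an offline search of a stolen record; it does not make a single-location secret strong.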