
Pictorial Passwords

michael posted more than 12 years ago | from the no-pr0n-allowed dept.

Security 331

Stone Rhino writes: "No longer do you need to remember passwords. Now, thanks to graduate students at Berkeley you merely need to pick out the right pieces of abstract art. There is a story on it at the New York Times. However, there is a problem with it that I see: 5 images from a set of 25 means 53,130 potential combinations. This would be much easier to crack by brute force than a standard alphanumeric password with its billions of possibilities and millions of likely choices." Maybe you have to get the sequence of images correct? If so there are some six million combinations, still weaker than an optimum password but probably stronger than the passwords most people choose (usually their significant other's name). There's another article on passwords in that same NYT edition.
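The counting behind the submitter's 53,130 and the editor's "some six million", as an added example that is not part of the original post or of the Berkeley project. It puts the schemes the thread compares side by side: unordered and ordered picks of 5 from 25, the "pick 1 of 25, five times" variant a later comment suggests, a 4-digit PIN, and an 8-character case-sensitive alphanumeric password. The 25, 5, 4 and 8 come from the thread; the guess rate passed to the last helper is an assumed input, not a measurement.

```python
"""Size of the guess space for the schemes this thread compares.

Added example, not part of the original post or of the Berkeley project:
it only does the counting the submitter and editor argue about.  The
numbers (25 images, 5 picks, a 4-digit PIN, an 8-character password over
62 characters) come from the thread; the guess rate in the helper is an
assumed input, not a measured one.
"""
from math import comb, log2, perm


def unordered_choices(pool, picks):
    """Distinct images, order ignored: C(pool, picks).  25 choose 5 = 53,130."""
    return comb(pool, picks)


def ordered_choices(pool, picks):
    """Distinct images, order matters: P(pool, picks) = pool!/(pool-picks)!.
    25 P 5 = 6,375,600, the editor's 'some six million'."""
    return perm(pool, picks)


def ordered_with_repeats(pool, picks):
    """One symbol per position from the same pool, repeats allowed: pool**picks.
    This is the ordinary password/PIN model and the 'pick 1 of 25, five times' idea."""
    return pool ** picks


def bits(space):
    """Entropy of a uniformly chosen secret from a space of that size."""
    return log2(space)


def expected_online_seconds(space, guesses_per_second):
    """Expected time to hit a uniformly chosen secret: half the space at the given rate.
    The rate is whatever the login interface (ATM, web form) lets an attacker sustain."""
    return space / 2 / guesses_per_second


def compare_schemes():
    """Space size of each scheme the thread weighs against the others."""
    return {
        "5 of 25 images, unordered": unordered_choices(25, 5),
        "5 of 25 images, ordered": ordered_choices(25, 5),
        "5 rounds of 1 of 25, repeats allowed": ordered_with_repeats(25, 5),
        "4-digit PIN": ordered_with_repeats(10, 4),
        "8-char case-sensitive alphanumeric": ordered_with_repeats(62, 8),
    }


if __name__ == "__main__":
    for name, space in compare_schemes().items():
        print(f"{name:40s} {space:>20,d}  {bits(space):5.1f} bits")
```

The unordered scheme is about 15.7 bits, only a few times a 4-digit PIN's 13.3 bits; ordering raises it to 22.6 bits and the repeat-allowed variant to 23.2, all far below the 47.6 bits of the 8-character password. None of these spaces survives an offline attack, so the scheme only makes sense behind an online interface that throttles guesses, which is exactly what an ATM already does.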


ATMs (5, Insightful)

davidesh (316537) | more than 12 years ago | (#2758250)

Looks like they are planning on using it for ATM machines, which only have 4-digit numbers... seems like a better idea to me.

Re:ATMs (1)

Omicron (79581) | more than 12 years ago | (#2758359)

Very true. This sounds like it could be even stronger than standard ATM pins. ATM pins are only 4 places, and there are only 10 possible digits for each place.

This thing makes you pick 5 images, and then tosses in another group of images to mix it up. If they make the password sequence based on top of all this, it would be very good.

The thing of it is, I can remember numbers and passwords like a champ. I could see myself sitting at the ATM going "Hrrrm....did I pick the light green or the dark green last time?" =)

Props to all the dead sporkiez! (-1)

spork_testicle (449364) | more than 12 years ago | (#2758252)

Get it the fuck inya!

No need for passwords (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2758253)

Why do we need passwords?

Richard M. Stallman showed us the way decades ago when he refused to use password on his account on the university computer.

Re:No need for passwords (-1)

Al Gore (152558) | more than 12 years ago | (#2758304)

RMS is also the most baggy-pantsed [tuxedo.org] h4X0r who ever lived. Whatta maroon!

Uncrackable Password (0, Funny)

Anonymous Coward | more than 12 years ago | (#2758260)

Nobody will ever find out my password, because it's "swordfish"!

login required (0, Offtopic)

virtual_mps (62997) | more than 12 years ago | (#2758261)

These links to stories that can't be read are rather annoying. Isn't there enough news that can be read without an obnoxious registration procedure? (For the record, yes I have registered a couple of times. And forgotten the password. It just ain't worth doing again. I still haven't managed to kill the emails I get from the last registration.)

Re:login required (3, Funny)

Adversive (159469) | more than 12 years ago | (#2758283)

>> (For the record, yes I have registered a couple of times. And forgotten the password.

Then all the better reason to be interested in an article about easy-to-remember passwords. :)

easy to remember passwords (2)

Alien54 (180860) | more than 12 years ago | (#2758332)

(For the record, yes I have registered a couple of times. And forgotten the password.

The point being of course, that for a password to be easy to remember, it does not have to be a literal word. It can be based on some other factor that is easily memorized, not based on words at all.

Re:login required (2, Informative)

yatest5 (455123) | more than 12 years ago | (#2758292)

Here is a link that works

The Link [nytimes.com]

er, and if that doesn't, simply take the linked url in the story and replace www.nytimes.com with archive.nytimes.com

Scratch that, this is right (1)

yatest5 (455123) | more than 12 years ago | (#2758302)

Here is the right link

Story here no login required [nytimes.com]

Re:Scratch that, this is right (1)

virtual_mps (62997) | more than 12 years ago | (#2758334)

nope, still requires a password

Use the goatse login (-1)

Anonymous Coward | more than 12 years ago | (#2758341)

ID: goatse
pwd: goatse

It works perfectly.

Re:Use the goatse login (0)

Anonymous Coward | more than 12 years ago | (#2758467)

Thank you goatse man! :*)

Images? (3, Funny)

Ace Rimmer (179561) | more than 12 years ago | (#2758262)

Sure, why not? At least one penguin would be in any Linux user's ;)

Oh, really? (-1)

TrollMan 5000 (454685) | more than 12 years ago | (#2758392)

I'd use a penguin, not because of Linux, but perhaps I like a certain team from Pittsburgh [pittsburghpenguins.com] .

implications.. (5, Funny)

Xzzy (111297) | more than 12 years ago | (#2758266)

> than the passwords most people choose (usually
> their significant other's name)

So does this mean that the harder a person's password is to crack, the less likely they are to have a sex life?

Re:implications.. (2, Funny)

bornie (166046) | more than 12 years ago | (#2758275)

Nah, don't think so. If they have no sex life they'll choose their mother's name.

Re:implications.. (-1, Funny)

Al Gore (152558) | more than 12 years ago | (#2758315)

As opposed to the sexually promiscuous, who invariably choose your mother's name.

Re:implications.. (0)

Anonymous Coward | more than 12 years ago | (#2758426)

Al Gore
Inventor of the Internet
Father of our Country

Will you people shut up and stop misquoting him. Ye gods, it's like a flock of sheep following their media shepherd.

Re:implications.. (2)

Adversive (159469) | more than 12 years ago | (#2758297)

This might actually be a decent idea.

While working in technical support, I noticed that a disturbingly high amount of our users used their own username as their password. Either that or the highly secure "password".

Sadly, most customers would just be frustrated if we actually disallowed such stupid passwords.

Re:implications.. (4, Insightful)

arkanes (521690) | more than 12 years ago | (#2758385)

It's the great paradox of network security. You can force users to change them every 2 weeks, disallow "easy" passwords by forcing certain characters, mixture of numbers/characters/symbols, not allowing words in dictionary, etc, but the more you do that, the more likely your users are to just stick the password on the monitor with a post-it.

Re:implications.. (2, Funny)

rastachops (543268) | more than 12 years ago | (#2758346)

>So does this mean that the harder a person's
>password is to crack, the less likely they are
>to have a sex life?

Not if their significant other is known as "PC" ;)

FUCK KATY ALLEN! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2758268)

If you don't then drink diesel!

Can I do both? (-1)

ringbarer (545020) | more than 12 years ago | (#2758269)

Pleeeeeeeaaassseee?


The *REAL* problem with LUNIX (-1)

spork_testicle (449364) | more than 12 years ago | (#2758270)

Below is the actual output from the xdpyinfo command for just one of my screens on this ultra60 sparc solaris box. You will notice that I have *overlay visuals*! (!!!!) This is something LUNIX lacks, and sadly lacks at that. Until LUNIX can fix this, it is too immature for a real *power* user like me.

xdpyinfo
name of display: :0.0
version number: 11.0
vendor string: Sun Microsystems, Inc.
vendor release number: 6410
maximum request size: 262140 bytes
motion buffer size: 256
bitmap unit, bit order, padding: 32, MSBFirst, 32
image byte order: MSBFirst
number of supported pixmap formats: 3
supported pixmap formats:
depth 1, bits_per_pixel 1, scanline_pad 32
depth 8, bits_per_pixel 8, scanline_pad 32
depth 24, bits_per_pixel 32, scanline_pad 32
keycode range: minimum 8, maximum 132
focus: window 0x840000e, revert to Parent
number of extensions: 29
AccessX
Adobe-DPS-Extension
DOUBLE-BUFFER
DPMS
DPSExtension
Extended-Visual-Information
FBPM
GLX
LBX
MIT-SCREEN-SAVER
MIT-SHM
MIT-SUNDRY-NONSTANDARD
Multi-Buffering
RECORD
SECURITY
SHAPE
SUN_ALLPLANES
SUN_DGA
SUN_OVL
SUN_SME
SYNC
SolarisIA
TOG-CUP
XC-APPGROUP
XC-MISC
XIE
XInputDeviceEvents
XInputExtension
XTEST
default screen number: 0
number of screens: 2

screen #0:
dimensions: 1600x1280 pixels (451x361 millimeters)
resolution: 90x90 dots per inch
depths (3): 1, 8, 24
root window id: 0x4b
depth of root window: 24 planes
number of colormaps: minimum 1, maximum 5
default colormap: 0x34
default number of colormap cells: 256
preallocated pixels: black 0, white 16777215
options: backing-store YES, save-unders YES
largest cursor: 64x64
current input event mask: 0xf8403f
KeyPressMask KeyReleaseMask ButtonPressMask
ButtonReleaseMask EnterWindowMask LeaveWindowMask
KeymapStateMask SubstructureNotifyMask SubstructureRedirectMask
FocusChangeMask PropertyChangeMask ColormapChangeMask
number of visuals: 16
default visual id: 0x2c
visual:
visual id: 0x20
class: PseudoColor
depth: 8 planes
available colormap entries: 256
red, green, blue masks: 0x0, 0x0, 0x0
significant bits in color specification: 8 bits
visual:
visual id: 0x21
class: PseudoColor
depth: 8 planes
available colormap entries: 256
red, green, blue masks: 0x0, 0x0, 0x0
significant bits in color specification: 8 bits
visual:
visual id: 0x22
class: StaticColor
depth: 8 planes
available colormap entries: 256
red, green, blue masks: 0x7, 0x38, 0xc0
significant bits in color specification: 8 bits
visual:
visual id: 0x23
class: StaticGray
depth: 8 planes
available colormap entries: 256
red, green, blue masks: 0x0, 0x0, 0x0
significant bits in color specification: 8 bits
visual:
visual id: 0x24
class: GrayScale
depth: 8 planes
available colormap entries: 256
red, green, blue masks: 0x0, 0x0, 0x0
significant bits in color specification: 8 bits
visual:
visual id: 0x25
class: TrueColor
depth: 8 planes
available colormap entries: 8 per subfield
red, green, blue masks: 0x7, 0x38, 0xc0
significant bits in color specification: 8 bits
visual:
visual id: 0x26
class: DirectColor
depth: 8 planes
available colormap entries: 8 per subfield
red, green, blue masks: 0x7, 0x38, 0xc0
significant bits in color specification: 8 bits
visual:
visual id: 0x27
class: StaticGray
depth: 8 planes
available colormap entries: 256
red, green, blue masks: 0x0, 0x0, 0x0
significant bits in color specification: 8 bits
visual:
visual id: 0x2e
class: PseudoColor
depth: 8 planes
available colormap entries: 224
red, green, blue masks: 0x0, 0x0, 0x0
significant bits in color specification: 8 bits
visual:
visual id: 0x2f
class: PseudoColor
depth: 8 planes
available colormap entries: 224
red, green, blue masks: 0x0, 0x0, 0x0
significant bits in color specification: 8 bits
visual:
visual id: 0x28
class: TrueColor
depth: 24 planes
available colormap entries: 256 per subfield
red, green, blue masks: 0xff, 0xff00, 0xff0000
significant bits in color specification: 8 bits
visual:
visual id: 0x29
class: TrueColor
depth: 24 planes
available colormap entries: 256 per subfield
red, green, blue masks: 0xff, 0xff00, 0xff0000
significant bits in color specification: 8 bits
visual:
visual id: 0x2a
class: DirectColor
depth: 24 planes
available colormap entries: 256 per subfield
red, green, blue masks: 0xff, 0xff00, 0xff0000
significant bits in color specification: 8 bits
visual:
visual id: 0x2b
class: DirectColor
depth: 24 planes
available colormap entries: 256 per subfield
red, green, blue masks: 0xff, 0xff00, 0xff0000
significant bits in color specification: 8 bits
visual:
visual id: 0x2c
class: TrueColor
depth: 24 planes
available colormap entries: 256 per subfield
red, green, blue masks: 0xff, 0xff00, 0xff0000
significant bits in color specification: 8 bits
visual:
visual id: 0x2d
class: TrueColor
depth: 24 planes
available colormap entries: 256 per subfield
red, green, blue masks: 0xff, 0xff00, 0xff0000
significant bits in color specification: 8 bits

From a Tech Support view (5, Funny)

scott1853 (194884) | more than 12 years ago | (#2758271)

Customers have enough trouble understanding "click the button with the X in the upper right corner".

I wouldn't know where to begin trying to describe what pictures to use for their password... "Ok, now choose the picture that looks like a moose being sucked into a vortex".

Re:From a Tech Support view (2, Interesting)

malx (7723) | more than 12 years ago | (#2758477)

I wouldn't know where to begin trying to describe what pictures to use for their password...



That's the whole point. Because our mapping of language to art is so loosely coupled, it's hard to write down and/or describe to another person your password. Theoretically, this dramatically reduces a source of password insecurity.

Re:From a Tech Support view (2)

scott1853 (194884) | more than 12 years ago | (#2758488)

What difference does it make? The user's still going to write/draw it on a post-it and stick it to the monitor.

I like it ! BOOBS everywhere (1, Offtopic)

CDWert (450988) | more than 12 years ago | (#2758272)

I agree with the article poster on combination issues, sooooooo, what about a drawing addition: it shows you a piece of abstract art and you draw (ala Graffiti style) your interpretation......

Oh wait, that's no good, all the guys will be drawing boobs and all the girls cats......Hmm, OK, we've got our combinations down to 2. Now that it has reached this level of sophistication and security, MS will buy the patent for sure......

Seriously, keep working on it guys, it could be cool.

(o o) (1, Offtopic)

Slashdolt (166321) | more than 12 years ago | (#2758382)

We can already do boobs, ya boob.

Reg. Bypassed URLs for those articles: (5, Funny)

thesolo (131008) | more than 12 years ago | (#2758280)

Re:Reg. Bypassed URLs for those articles: (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2758406)

For the love of God, Moderators, mod this guy up as informative. When a guy makes this kind of effort to whore for karma, it should be rewarded.

Thank you.

Re:Reg. Bypassed URLs for those articles: (0)

Anonymous Coward | more than 12 years ago | (#2758478)

Thanks, but those are exactly the links given in the original post. Someone mod parent down as redundant, please.

Graduate students... (1)

TexTex (323298) | more than 12 years ago | (#2758290)

This seems to be a great example of a unique and rather interesting way of looking at something we use every day which will be an impossible sell in the real world. We're stuck in the mindset that "My password is...X-X-X-X" rather than "My password looks like..." I'd expect to see more studies about password retention and techniques.

I wonder how the ATM screen burn would play hell with this.

Jeebus! (5, Insightful)

mrfiddlehead (129279) | more than 12 years ago | (#2758294)

Why is this still an issue? Pick a phrase, stick a couple of numbers in it, perhaps a 'special character' or two and go.

"Galadriel is one icy babe but Jackson got it right"

Password: gi1ibbJgir

And I'm sure this approach is nothing new to most /.'ers. And the cool thing is that just a couple of words from the password, say Galadriel and babe, is enough to bring the bloody password back long after one's finished with it.

Feh!

Re:Jeebus! (5, Informative)

Bonker (243350) | more than 12 years ago | (#2758444)

This is a fairly standard practice. It's been used in at least two IT offices I've worked in. It even makes handing out passwords during 'change day' easier, because all the networking and development staff have come to expect a mnemonic rather than the password itself:

"All Your Base Are Belong To Us!"

becomes

"aybab2u!"

Another useful password naming procedure is the use of 'l33t speak' inside passwords... especially long ones. On systems that support passphrases or long passwords instead of 8 char strings, this makes creating and remembering passwords quite a bit easier.

"My Password Rocks" is probably not so good, but

"MyP455w0rdR0X0r5" is a 16 character password with 7 numbers, upper and lower case characters, and no long strings of plain english text to get chewed up in a dictionary attack.
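The phrase-to-password derivation that the two comments above do by hand, as an added example that is not code from the thread. The rule set is an assumption chosen so that "All Your Base Are Belong To Us!" yields "aybab2u!": first character of each word, lower-cased, number words and their homophones turned into digits, trailing punctuation kept. The earlier "gi1ibbJgir" keeps one capital by hand; this rule lower-cases it. The second helper reports what a composition policy sees in the result (length and character classes), including the 7 digits in "MyP455w0rdR0X0r5".

```python
"""Mnemonic password derivation plus a composition report.

Added example, not code from the original thread.  The derivation rule is
an assumption picked to reproduce the thread's "aybab2u!"; the homophone
map (to -> 2, for -> 4, ate -> 8) is part of that assumption.
"""
import string

NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "to": "2", "too": "2", "three": "3",
    "four": "4", "for": "4", "five": "5", "six": "6", "seven": "7",
    "eight": "8", "ate": "8", "nine": "9",
}


def mnemonic_password(phrase):
    """First character of each word, lower-cased; number words become digits;
    punctuation hanging off a word (the '!' in 'Us!') is kept."""
    out = []
    for token in phrase.split():
        word = token.rstrip(string.punctuation)
        trailing = token[len(word):]
        if not word:
            continue                      # a token that was only punctuation
        key = word.lower()
        out.append(NUMBER_WORDS.get(key, key[0]))
        out.append(trailing)
    return "".join(out)


def character_classes(password):
    """Set of classes present: lower, upper, digit, symbol."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def composition_report(password):
    """What a length/complexity policy would see in the password."""
    return {
        "length": len(password),
        "classes": sorted(character_classes(password)),
        "digits": sum(ch.isdigit() for ch in password),
    }


if __name__ == "__main__":
    for phrase in ("All Your Base Are Belong To Us!",
                   "Galadriel is one icy babe but Jackson got it right"):
        pw = mnemonic_password(phrase)
        print(f"{phrase!r} -> {pw!r} {composition_report(pw)}")
```

The derived strings are short (8 and 10 characters), so their strength comes from not being dictionary words rather than from length; that is the trade the comments above make against the 16-character leet-speak form.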

Re:Jeebus! (1)

fedos (150319) | more than 12 years ago | (#2758464)

I have actually run into systems where that would be unusable because it's too long.

It worked in Jonny Mnemonic.... (0)

motardo (74082) | more than 12 years ago | (#2758298)

until the dolphin hacked his brain :P

-motardo

Similar to Passface (5, Interesting)

rodbegbie (4449) | more than 12 years ago | (#2758303)

A year or so ago, I found this little beauty: PassFace Technology [realuser.com] -- Give it a try. You click on people's faces to get in.

What was interesting was that in finding that URL, I went back to the site for the first time in over a year, and was able to log-in no problem. I remembered my combination of faces.

There's definitely something to this technology!

rOD.

Re:Similar to Passface (5, Interesting)

tswinzig (210999) | more than 12 years ago | (#2758403)

A year or so ago, I found this little beauty: PassFace Technology [realuser.com] -- Give it a try. You click on people's faces to get in.

What was interesting was that in finding that URL, I went back to the site for the first time in over a year, and was able to log-in no problem. I remembered my combination of faces.

There's definitely something to this technology!


Unless you're face blind [choisser.com] .

This probably won't help the situation (2, Insightful)

TheGreenLantern (537864) | more than 12 years ago | (#2758307)

Remembering passwords can be tough, granted, but I don't think pictures are the answer either. If you only had one or two "passwords" (Picwords? Passpics?) to worry about, but more than that, you'll just start to confuse pictures from one set to another.

Also, what about the disabled? It would seem like a no-brainer to offer vision-impaired an alternative, text-based password, but if your rolling this out large scale (like ATM's or something), you might be looking at a number in the thousands of customers who can't use your picture-password system. Major admin headaches.

Re:This probably won't help the situation (1)

bubbasatan (99237) | more than 12 years ago | (#2758460)

if your (sic) rolling this out large scale (like ATM's or something), you might be looking at a number in the thousands of customers who can't use your picture-password system.

...As opposed to the thousands of vision-impaired people who currently use the braille on drive-up ATM's...

michael (-1)

The WIPO Troll (267426) | more than 12 years ago | (#2758309)

Goatsex!! [tntie.com]

For The Love of God (-1, Redundant)

Anonymous Coward | more than 12 years ago | (#2758313)

STOP posting links to NY Times articles that require a login.

HW Requirements (1, Insightful)

Anonymous Coward | more than 12 years ago | (#2758314)

...will become more demanding. There are lots of terminals around that are not capable of displaying graphics.

My Favorite Quote On The Second NYT Article: (5, Funny)

awrc (12953) | more than 12 years ago | (#2758316)

"Even high-ranking executives may act on naïve impulses when it comes to choosing a password"

Even high-ranking executives? Make that especially.

Friends (0)

Andreas Ribbefjord (542899) | more than 12 years ago | (#2758318)

To increase your security, instead of using your significant other's name, use your significant others' name. Get more {girl, boy}friends.

Done earlier/better by RealUser? (3, Insightful)

RFC959 (121594) | more than 12 years ago | (#2758319)

RealUser [realuser.com] has done almost exactly the same thing, except using faces, not abstract designs. It's worth checking out their site, since they seem to have thought it through reasonably well. (Read the whitepapers; they have the real meat...) One of the interesting things about these systems is that since you can't describe your password, the correct choices have to be displayed on screen along with some invalid choices, which opens up the system to some attacks unless you construct it very carefully.

Speaking of bruteforceing passwords. (2, Interesting)

Ch_Omega (532549) | more than 12 years ago | (#2758320)

The latest PocketPC OS has a nice way of avoiding bruteforcing of four-digit passcodes. There is simply a growing delay between each time you can enter a new passcode after entering a wrong one, so that after entering the wrong passcode seven times or so, there is an almost ten second wait before you enter in a new passcode.

Wouldn't this be a good way to avoid bruteforcing of these pictorial passwords? :)

In car stereos (1)

Tychoma (235497) | more than 12 years ago | (#2758366)

Have been doing exactly this for at least 6 years.

Re:Speaking of bruteforceing passwords. (2, Insightful)

arkanes (521690) | more than 12 years ago | (#2758401)

Well, for the web sites with faces, I imagine it'd be trivial to use a script to hit the login screen (but not attempt a login!) a couple hundred times, and then see which faces recur. I can think of ways around this, but the basic flaw is always there - you're showing the correct answer every time you ask for a login.
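The "hit the login screen, never log in, see which images recur" attack from the comment above, simulated, as an added example that is not code from RealUser or the Berkeley project. A naive server that pads the user's real images with fresh random decoys on every request leaks them to a simple intersection; a server that fixes the decoys per account (drawn once from a random seed stored with the account) shows the same 25 tiles every time, so repeated fetches learn nothing beyond the first screen. The library size (200), the tile count (25), the secret size (5) and the seed value are constructed for the demo; only the 25 and 5 come from the story.

```python
"""Intersection attack on an image login that shows the real images.

Added example, not code from RealUser or the Berkeley project.  It models
the flaw described above: the login screen must contain the user's real
images among decoys, so fetching it repeatedly and intersecting what is
shown recovers them.  LIBRARY, TILES, SECRET and the decoy seed are
constructed for the demo.
"""
import random

LIBRARY = list(range(200))   # image ids; constructed, not a real library
TILES = 25                   # images per login screen (the story's 25)
SECRET = {3, 7, 11, 18, 22}  # the user's real images (the story's 5); constructed


def fresh_decoy_screen(secret, rng):
    """Naive server: secret images plus fresh random decoys on every request."""
    others = [i for i in LIBRARY if i not in secret]
    tiles = list(secret) + rng.sample(others, TILES - len(secret))
    rng.shuffle(tiles)
    return tiles


def fixed_decoy_screen(secret, decoy_seed, rng):
    """Hardened server: decoys drawn once from a random per-account seed stored
    next to the secret, so every screen holds the same 25 images and only the
    positions change.  The seed must stay secret: anyone who can regenerate the
    decoys subtracts them and is left with the real images."""
    others = [i for i in LIBRARY if i not in secret]
    tiles = list(secret) + random.Random(decoy_seed).sample(others, TILES - len(secret))
    rng.shuffle(tiles)                       # positions vary, the set does not
    return tiles


def intersection_attack(fetch_screen, tries):
    """Fetch the login screen `tries` times without ever submitting a guess;
    keep only the images that appear on every screen."""
    survivors = None
    for _ in range(tries):
        shown = set(fetch_screen())
        survivors = shown if survivors is None else survivors & shown
    return survivors


def demo(tries=30):
    """Run the attack against both servers; returns (naive_result, hardened_result)."""
    rng = random.Random(2002)                # fixed seed so the run is reproducible
    decoy_seed = 0x5EED1234ABCD              # constructed stand-in for a stored per-account secret
    naive = intersection_attack(lambda: fresh_decoy_screen(SECRET, rng), tries)
    hardened = intersection_attack(lambda: fixed_decoy_screen(SECRET, decoy_seed, rng), tries)
    return naive, hardened


if __name__ == "__main__":
    naive, hardened = demo()
    print("naive server leaks:", sorted(naive))
    print("hardened server leaks:", len(hardened), "images, no better than one screen")
```

Each fresh-decoy screen shows a given non-secret image with probability 20/195, so after thirty fetches essentially nothing but the five real images survives. The fixed-decoy server is not a full fix: a single screen still narrows the search from the whole library to the 25 shown, which is why the submitter's 53,130 count is the right number to reason about for an online attacker, and why the server must also rate-limit actual guesses.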

Re:Speaking of bruteforceing passwords. (1)

timbck2 (233967) | more than 12 years ago | (#2758429)

IIRC, BSD *nix has been using this in the basic standard login for much longer than most of us can remember.

Re:Speaking of bruteforceing passwords. (0)

Anonymous Coward | more than 12 years ago | (#2758457)

"This is ten words, three commas, one letter, and a dot. "

That appears to be _eleven_ words; even though 'a' is a letter, it's also considered a word - look it up.

A film that shows drawing passwords instead typing (2, Informative)

DrD8m (307736) | more than 12 years ago | (#2758324)

Have you seen Safe House film? http://us.imdb.com/Title?0120051 [imdb.com]
There's an interesting way to draw passwords.

Re:A film that shows drawing passwords instead typ (0, Insightful)

TrollMan 5000 (454685) | more than 12 years ago | (#2758357)

Ummm...I'm a lousy artist and probably couldn't accurately duplicate the drawing.

And "being close" and getting through only defeats the purpose of a password in the first place.

Eliminates repetitive password use! (3, Insightful)

Brento (26177) | more than 12 years ago | (#2758330)

I've found that most of the people I know tend to use the same password or pin for everything they have - their e-mail password is the same as their AOL password is the same as their bank PIN and so on.

Using pictures would make this all but impossible, since every provider would (or at least, SHOULD) be using their own set of pictures.

While that's all good for security, I can't believe that it would make remembering your password any easier. Since the story is touting that as the chief benefit, I think they're going to have a really hard sell.

Re:Eliminates repetitive password use! (1)

inerte (452992) | more than 12 years ago | (#2758353)

>
>since every provider would
>(or at least, SHOULD) be using their own set of pictures

Not really, 25 pictures looks like the number of letters in the alphabet (I don't know about you rest of the World, but here in Brazil we have (I think) 26). They could use the same 25 and your options would be similar.

But what could be improved is not to show all 25 pictures and choose 5 at the same time. You should select 1 from 25, show 25 again / pick one, 25/1 and so on. And guess the correct order.

Try telling this one to a friend (5, Funny)

NiftyNews (537829) | more than 12 years ago | (#2758331)

Can you imagine having an emergency in our future-tech age?

"No Bill, it's Black Guy, Asian Guy, Samoan Woman, Black Guy with the scar, White Guy with glasses! Hurry up before the Holodeck explodes!"

Re:Try telling this one to a friend (2)

JWW (79176) | more than 12 years ago | (#2758400)

Good analogy, except that along with holodecks, they have scanners that can scan your DNA. Come to think of it, since this is the case, why do they need the cheesy passwords to activate the self destruct mechanism on the ship? The ship could scan the captain, first officer etc. to verify their identity, oh except the other Will Riker could cause problems that way...

Alright (1)

NiftyNews (537829) | more than 12 years ago | (#2758336)

However, there is a problem with it that I see: 5 images from a set of 25 means 53,130 potential combinations. This would be much easier to crack by brute force than a standard alphanumeric password with its billions of possibilities and millions of likely choices."

Gee, how about we just stick to the good old "3 tries and you're locked out" system we've had for, oh, 20+ years now?

Re:Alright (4, Insightful)

RFC959 (121594) | more than 12 years ago | (#2758489)

how about we just stick to the good old "3 tries and you're locked out" system...
Because systems with built-in self-DOS capabilities aren't such a good idea, goofball. Got somebody you don't like? Try to log in as him, fail, and his account gets locked. Delay systems are better than lockouts. I admit to not being entirely sure how all this would or should apply to something like an ATM that can't be accessed remotely, though.
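The two throttling policies argued over in this sub-thread (the PocketPC-style growing delay above, and the "3 tries and you're locked out" rule with its self-DoS problem here), simulated side by side as an added example that is not code from PocketPC, BSD login, or any product named in the thread. The parameters (3 strikes, 1 s base delay doubling to a 10 s cap, one victim account called alice) are assumptions; the 6,375,600-guess figure quoted in the usage note is the story's ordered 5-of-25 count.

```python
"""Lockout versus growing delay on failed logins, simulated.

Added example, not code from PocketPC, BSD login or any product named in
the thread.  It models a hard lockout after N failures and a per-account
delay that doubles after each failure.  The parameters and the account
name are assumptions for illustration.
"""
from math import inf


class LoginThrottle:
    """Per-account attempt gate driven by a caller-supplied clock (seconds)."""

    def __init__(self, mode, max_failures=3, base_delay=1.0, max_delay=10.0):
        if mode not in ("lockout", "backoff"):
            raise ValueError(mode)
        self.mode = mode
        self.max_failures = max_failures
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._failures = {}    # account -> consecutive failures
        self._not_before = {}  # account -> time the next attempt is allowed

    def wait_seconds(self, account, now):
        """0.0 if an attempt may be made now; inf means locked until reset()."""
        return max(0.0, self._not_before.get(account, 0.0) - now)

    def _delay_after(self, failures):
        if self.mode == "lockout":
            return inf if failures >= self.max_failures else 0.0
        return min(self.max_delay, self.base_delay * 2 ** (failures - 1))

    def attempt(self, account, credential_ok, now):
        """True only when the gate is open and the credential is right."""
        if self.wait_seconds(account, now) > 0:
            return False                  # refused without checking the credential
        if credential_ok:
            self._failures.pop(account, None)
            self._not_before.pop(account, None)
            return True
        n = self._failures[account] = self._failures.get(account, 0) + 1
        self._not_before[account] = now + self._delay_after(n)
        return False

    def reset(self, account):
        """Administrative unlock (the help-desk call a lockout forces)."""
        self._failures.pop(account, None)
        self._not_before.pop(account, None)


def victim_outcome(mode):
    """An attacker fires three wrong guesses at alice as fast as the gate allows;
    alice then tries her correct credential.  Returns (logged_in, seconds_waited)."""
    gate = LoginThrottle(mode)
    now = 0.0
    for _ in range(3):
        now += gate.wait_seconds("alice", now)
        gate.attempt("alice", False, now)
    wait = gate.wait_seconds("alice", now)
    if wait == inf:
        return False, inf                 # only reset() gets alice back in
    return gate.attempt("alice", True, now + wait), wait


def brute_force_seconds(mode, guesses):
    """Simulated time at which an attacker who always waits out the delay
    enters guess number `guesses` against one account."""
    gate = LoginThrottle(mode)
    now = 0.0
    for _ in range(guesses):
        now += gate.wait_seconds("alice", now)
        if now == inf:
            return inf
        gate.attempt("alice", False, now)
    return now


if __name__ == "__main__":
    for mode in ("lockout", "backoff"):
        print(mode, "victim:", victim_outcome(mode),
              "10 guesses take:", brute_force_seconds(mode, 10), "s")
```

Under lockout, three wrong guesses from anyone freeze alice's account until an administrator resets it, which is the self-DoS the comment above describes. Under backoff, alice waits four seconds and gets in, while an attacker pacing the delay needs 1+2+4+8 seconds for the first four guesses and ten seconds for every one after that: 63,755,965 simulated seconds, about two years, to walk the story's 6,375,600 ordered picks. A per-account delay still lets an attacker keep the victim's delay pinned at the cap, so production systems usually key it on the source address as well, cap it low enough that the legitimate user tolerates it, and reserve hard lockouts for cases like a captured ATM card where the attacker already holds the token.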

Passwords (1)

sehryan (412731) | more than 12 years ago | (#2758342)

everyone knows that the three most commonly used passwords are love, secret and sex, but not necessarily in that order.

oh, and don't forget god. system admins love to use that one, it's the whole male ego thing.

Re:Passwords (-1)

TrollMan 5000 (454685) | more than 12 years ago | (#2758367)

I don't know anyone who uses those passwords.

Either that, or I don't know many stupid people.

My PW's are cryptic.

Re:Passwords (0)

Anonymous Coward | more than 12 years ago | (#2758437)

How do you know? If you know many people's passwords then I think we can presume you do know many stupid people.

"cryptic" is a great password - unless it's in the dictionary.

Do the math... (2, Insightful)

Draxinusom (82930) | more than 12 years ago | (#2758344)

A cursory reading of the article suggests that passwords aren't limited to permutations of 25 elements; 25 is just the number of images against which you have to verify. It's like being shown a list of 128 binary numbers and asked to choose the one that's yours; the numbers themselves can be more than 7 digits long. Of course, that still means that some mechanism is necessary to prevent brute-forcing, but that's a relatively trivial problem (especially in contexts like ATMs, where they already do that).

If it can't KNOW who I am, it's still spoof-able (5, Informative)

crovira (10242) | more than 12 years ago | (#2758348)

Passwords have never been more than a low level rung on the ladder of trust. If you want security, equip the ATM with a fingerprint pad and/or a camera and eye piece capable of taking retinal prints.

The rest, as we can read, is just a bunch of jokes.

Johnny Mnemonic (0)

Anonymous Coward | more than 12 years ago | (#2758349)

'nuff said

So it's not perfect, (2)

Bender Unit 22 (216955) | more than 12 years ago | (#2758352)

But I have done my work in the IT-support dept. and I think that many would agree that this system would be a lot better in many cases.
I have seen too many times people doing all the "don't do's" like writing down the password and putting it on the desk, keyboard, monitor. And forcing them to change the password once in a while makes it even worse, like they use a name followed by a number and then they just increment the number when they have to change the password.
The lack of a single signon [novell.com] often amplifies this problem.

Re:So it's not perfect, (2)

suwain_2 (260792) | more than 12 years ago | (#2758415)

Heh, I'm pretty apathetic with my password... When I have to change it, I change it to something like "1", and then immediately change it back to whatever it was. (Windows 2000, the way we have it set up, doesn't track older passwords, although, IIRC, you can make it...)

Old SNES passwords (1)

Dante'sPrayer (534726) | more than 12 years ago | (#2758355)

If I remember correctly, there were some SNES games that used this scheme before. I think that some FIFA game used arrows to represent passwords, and used the control pad to input them. Of course, the maximum combinations were 4^n, n being the length of the string.

On the other side, the alphanumeric characters are just the same as abstract symbols, only that they are limited to 36^n combinations, given only uppercase; there is no real difference between using kanji (4000+), Hebrew (22-27) or abstract shapes (unlimited?) except for the fact that they may be easier or harder to remember.

Light on details..... (1, Insightful)

Anonymous Coward | more than 12 years ago | (#2758360)

OK, they've done a little feasibility study and it's interesting, but what about the details:

1) How do you mail a customer his PIN number/password? How does tech support tell a user that's locked out of his account that his password has been changed to squiggly line with blue background, orange ball, pink hearts, green clovers, yellow moons, etc.?

2) What will the blind do?

3) What about all the terminals in the world (ATM and otherwise) that aren't in color or don't support the needed graphics resolution?

4) How about a more comprehensive study to see if users tend to select the same images? Doesn't do much good to have 25 images if 70% of the population ends up picking the same 5 images every time. If users keep selecting common passwords, how do we know that they won't select common picture combinations?

Not so sure about this... (3, Interesting)

Snowfox (34467) | more than 12 years ago | (#2758361)

I'm not so sure how I feel about this...
root@artschool-104:~ # which login
/bin/login
root@artschool-104:~ # du /bin/login
363256 /bin/login
root@artschool-104:~ #

Not so sure at all.

You stoopid hack! (-1)

spork_testicle (449364) | more than 12 years ago | (#2758368)

That should be:

du `which login`

Its is amazing what you kiddiez can learn from a *power* user!

Re:You stoopid hack! (0, Flamebait)

Snowfox (34467) | more than 12 years ago | (#2758405)

That should be:

du `which login`

Its is amazing what you kiddiez can learn from a *power* user!

And du -k `which login` if you want to guarantee canonical results, but we're not so pedantic that we want to go optimizing our humor now, are we?

Color blind (5, Insightful)

Eimi Metamorphoumai (18738) | more than 12 years ago | (#2758377)

Seems like you'd have to be really careful not to exclude the color blind. And the actually blind. Or just those with bad vision, or really poor visual memories.

Well it still doesn't help... (2)

hyehye (451759) | more than 12 years ago | (#2758379)

...if you leave info on your ex-roommate's computer and he loses his junk lawsuit against you and uses the info to steal all your accounts/nicks/webmailboxes/etc.

What I find interesting is that most people have poor spatial reasoning and form recognition. In fact, tests of those two are used in IQ tests and the ASVAB (Armed Services Vocational Aptitude Battery) - specifically for military to gauge your ability to avoid friendly-fire incidents, recognize enemy movements/formations/activities.

Since it's obviously not a picture-puzzle to be assembled, I think a lot of people would have a hard time remembering.

Pr0n... (1)

saint10 (248611) | more than 12 years ago | (#2758380)

Uhh... can you see the implications for this and pr0n sites? Hrmm... Jenna Jameson, then Ron Jeremy... crap, what was the rest of my password??!!?

page at Berkeley (1)

Roast Beef (2298) | more than 12 years ago | (#2758391)

On the group's page [berkeley.edu] they don't offer any code, but there's a screen shot, some research papers and links to other articles, and a link to Andrej Bauer [cmu.edu] 's (of Forum 2000 [forum2000.org] fame) Gallery of Random Art [cmu.edu] .

Mac OS X will have it first! (0)

Anonymous Coward | more than 12 years ago | (#2758393)

sensitiveartist:~ $ su

Drag password icons here: [iMac Chick.gif] [Ranting Steve Jobs on Hitler's podium.targa] [my favorite black turtleneck.psd] [amusing Windows crash bitmap.bmp] [under construction.gif] [mom.psd] [dogs playing poker.psd] [pencil.psd] [professor Falken.jpg] [joshua.jpg]

sensitiveartist:/home/grafxDSignR #

technology vs. stupidity (0)

Anonymous Coward | more than 12 years ago | (#2758395)

if someone is so stupid, they can't remember an alphanumeric password and need to point out a picture instead, they have no business ever touching a computer, much less whatever sensitive data is being protected.

Brute forcing... (2)

Anixamander (448308) | more than 12 years ago | (#2758409)

Since they intend to use this as an ATM machine security system, it's worth noting that since the beginning of ATM machines, generally three wrong PIN number entries in a row will cause it to eat your card. I suppose one could try a couple of passwords, cancel the transaction, get the card back and repeat ad infinitum, but this seriously hampers the brute force effort.

jennifer 8. lee? (1)

nobody/incognito (63469) | more than 12 years ago | (#2758410)

isn't it a bit odd that the nyt reporter uses a number for her middle name?

nobody

Works ok now but... (1)

Diamon (13013) | more than 12 years ago | (#2758412)

I went through the RealUser demo and it seemed easy enough to remember the faces (and presumably any other image based system would be about the same). But I'm only remembering one unique series of faces. As soon as any system like this grows to the point where you have to remember your set of work computer faces, home computer faces, online computer faces, ATM faces, etc, etc, ad nauseam. Not even to mention when work face #3 looks like one of the faces that's a choice for home face #3 but isn't. As soon as a system like this becomes commonplace it would become unusable.

INSECURE (1)

gnudutch (235983) | more than 12 years ago | (#2758418)

Anybody within viewing distance can watch you enter your password!

At least with typing your fingers obscure the keys, and most people can type their passwords fast enough to make it hard to see.

Similar system (1)

frunch (513023) | more than 12 years ago | (#2758421)

I saw a similar system once, where users were required to choose a series of faces. I'm wondering what the degree of success for remembering a password like that would be... I'd think it'd be even higher, since it's easier to remember faces than abstract patterns.

Passphrase strength (3, Interesting)

Kirruth (544020) | more than 12 years ago | (#2758428)

The best article on passphrase strength I have seen is Randall Williams' document, Choosing a strong passphrase [stack.nl] .

This document contains a rough reckoner for calculating whether a passphrase is strong or weak. It makes the point that for a passphrase to be as strong as the encryption in PGP, it needs to be 30+ characters long. Remembering one or two paintings might not quite cut it.

For most systems, you can safely use shorter passphrases if you are only permitted a limited number of attempts or have no access to the machine (like at a bank) or the passphrase is changed frequently, or if the phrase is truly random.

Regardless, the strength of the passphrase is almost always the weakest link in any security system.

Keyboard-Logger Countermeasure? (1)

Izmunuti (461052) | more than 12 years ago | (#2758430)

Not only may it be easier to remember, but it would have the obvious advantage of being immune to keyboard loggers. Perhaps they could get a series of x,y coordinates of mouse clicks but presumably the location of the patterns is randomized so this would be of little use.
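The previous comment's point (and the lockout rule raised in the "Brute forcing..." comment earlier) can be made concrete. What follows is an added example, not code from the Berkeley group or from the original thread: a toy server-side verifier for a 5-of-25 pictorial password that shuffles the image grid on every login screen, maps raw click coordinates back to image ids under that screen's layout, and ejects the session after three failures. The grid geometry (5 columns, 100 px cells), the lockout threshold and the `PictorialAccount` / `new_layout` / `clicks_for` names are all assumptions made for the demonstration. Note the caveat in the comments: hashing a secret drawn from a 53,130-element space does not protect it offline; the only real defence is that guesses have to go through the verifier, which is exactly why the attempt counter matters.

```python
import hashlib
import hmac
import random
import secrets

GRID_IMAGES = 25      # 5x5 grid of abstract images, as in the prototype
GRID_COLUMNS = 5
CELL_PX = 100         # assumed on-screen cell size used to decode clicks
MAX_FAILURES = 3      # assumed lockout threshold, modelled on the ATM rule


def new_layout(seed=None):
    """Fresh permutation of image ids for one login screen: screen position i
    shows image layout[i].  Production use is seed=None (CSPRNG); a seed is
    accepted only so the demonstration below is reproducible."""
    layout = list(range(GRID_IMAGES))
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    rng.shuffle(layout)
    return layout


def click_to_image(layout, x, y):
    """Decode one pointer click under a given layout into an image id."""
    col, row = x // CELL_PX, y // CELL_PX
    rows = GRID_IMAGES // GRID_COLUMNS
    if not (0 <= col < GRID_COLUMNS and 0 <= row < rows):
        raise ValueError(f"click ({x}, {y}) is outside the grid")
    return layout[row * GRID_COLUMNS + col]


def clicks_for(layout, image_ids):
    """Where a user has to click (cell centres) to pick image_ids under this
    layout.  This is exactly the coordinate stream a pointer logger would see."""
    coords = []
    for image in image_ids:
        row, col = divmod(layout.index(image), GRID_COLUMNS)
        coords.append((col * CELL_PX + CELL_PX // 2, row * CELL_PX + CELL_PX // 2))
    return coords


def _digest(image_ids, ordered):
    # Canonical form: the sequence itself if order is part of the secret,
    # otherwise the sorted set.  Hashing only hides the images from a casual
    # database read; with ~53k (unordered) or ~6.4M (ordered) possibilities an
    # attacker with the hash can enumerate them all, so the digest must live
    # behind a rate-limited verifier (or an HSM, as the banking model does).
    seq = list(image_ids) if ordered else sorted(image_ids)
    return hashlib.sha256(",".join(map(str, seq)).encode()).digest()


class PictorialAccount:
    def __init__(self, image_ids, ordered=True):
        if len(set(image_ids)) != len(image_ids):
            raise ValueError("chosen images must be distinct")
        self.ordered = ordered
        self._stored = _digest(image_ids, ordered)
        self.failures = 0

    def attempt(self, layout, clicks):
        """Verify a login; returns 'ok', 'fail' or 'locked'."""
        if self.failures >= MAX_FAILURES:
            return "locked"
        try:
            chosen = [click_to_image(layout, x, y) for x, y in clicks]
        except ValueError:
            chosen = []          # a click off the grid is just a wrong guess
        if hmac.compare_digest(self._stored, _digest(chosen, self.ordered)):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "fail"


if __name__ == "__main__":
    secret = [3, 7, 11, 19, 22]               # constructed sample secret
    account = PictorialAccount(secret)
    screen_a = new_layout(seed=1)
    logged = clicks_for(screen_a, secret)     # what a pointer logger captured
    print("genuine login:", account.attempt(screen_a, logged))
    screen_b = new_layout(seed=2)             # next login gets a new layout
    print("replayed coordinates:", account.attempt(screen_b, logged))
```

Replaying the captured coordinates against a freshly shuffled screen selects different images and fails; the logger would have to capture screen content as well, which is the shoulder-surfing problem the later comments raise and which this code does nothing about.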

SSH & Co (2)

Rentar (168939) | more than 12 years ago | (#2758431)

So where do I enter this password on my old, trustworthy 10" monochrome vt220 (or my PuTTY at work, if your reaction to the former is "yuck! those should've died thousands of years ago")?

How's this for a pass"word" ? (1)

Bake (2609) | more than 12 years ago | (#2758441)

A picture of a will,
a picture of hot grits,
a picture of pants,
and a picture of Natalie Portman?

PASSWORD! (0)

Anonymous Coward | more than 12 years ago | (#2758442)

[ hello.jpg ] [ green_eyes.jpg ] [ football.jpg ] [ mrs_tux.jpg ] [ slash..jpg ]

And that's easy to remember!

Shoulder surfing (4, Insightful)

Anixamander (448308) | more than 12 years ago | (#2758452)

It seems that a visual password would make it much easier for someone across the room to see and learn. One would have a hard time looking at my keyboard if they were behind me, but the whole reason any password login puts bullets on screen is so someone looking at the screen can't see it. Does this system use a mouse or is there some way to pick out the pictures using a keyboard with no on screen indicator? Of course, if that's the case, then this system may not be as idiot proof as they hope.

Two thoughts: (1)

og_sh0x (520297) | more than 12 years ago | (#2758454)

1. When you type in a password, and someone is looking over your shoulder, all they'll see is ***** or XXXXX. Protecting from someone looking over your shoulder with this new system will be much harder.

2. Wouldn't gesture based passwords be better for applications where #1 is not a problem?

use labcolor spectrum (0)

Anonymous Coward | more than 12 years ago | (#2758456)

Why not use the entire Lab color spectrum?
16.4 million times 5 combinations are far more difficult than choosing 5 out of 25 pieces...

DoD guidelines (2, Informative)

Roast Beef (2298) | more than 12 years ago | (#2758465)

The second article [nytimes.com] mentions the Department of Defense guidelines for passwords. They're an interesting read. [ncsc.mil]

one thing... (1)

zerOnIne (128186) | more than 12 years ago | (#2758479)

i'd just like to see this work on a console-only system... perhaps a return of ansi art? :)

Will (-1)

Genghis Troll (158585) | more than 12 years ago | (#2758481)

this [goatse.cx] be one of the pictures? Talk about unforgettable....and so frickin lickable.

How would this work? (1)

James Foster (226728) | more than 12 years ago | (#2758485)

How is this meant to be secure?!?
In the old days it was possible to say to someone "Don't look at my password!" as you typed it, and even if they did look they probably couldn't get it unless you typed it too slowly.
Now we're selecting pictures on the screen with a mouse? It just won't work!!

PINs (2, Insightful)

saint10 (248611) | more than 12 years ago | (#2758487)

However, there is a problem with it that I see: 5 images from a set of 25 means 53,130 potential combinations. This would be much easier to crack by brute force than a standard alphanumeric password with its billions of possibilities and millions of likely choices

What they don't mention is that pictorial passwords are intended to be used in an ATM environment, rather than on a LAN. The PIN for your ATM is only 4 numerics long, not even alphanumeric. A brute forcer can do 2 million/sec on an 800 MHz PC; it would brute the entire key space in a millisecond in ATMs.

The reason why PINs are only 4 digits is the other compensating controls you have in the banking environment.

1) There is an extremely limited interface to the ATM (just a keypad and a few multi-use keys).

2) The physical security of an ATM: these suckers are actually safes that are resistant to bomb blasts, rednecks trying to tow them away with their half-ton Chevys, etc.

3) The PINs are stored on a crypto device, not physically at the ATM, that destroys itself if it is pried open.

So, this would be good for banking applications, but not good on your LAN... for obvious reasons.
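Several posts in this thread trade keyspace figures (53,130 unordered versus some six million ordered picks, a 4-digit PIN, a 30-character passphrase, 2 million guesses per second offline, three guesses per card insertion online). The following added example, not code from the thread or from the Berkeley group, puts those figures side by side in a single calculator: keyspace, bits of entropy, time to exhaust the space offline at the quoted rate, and the expected time when guesses can only be made through the ATM itself. The online model assumes the attacker cancels after two wrong PINs to keep the card and that one insert-cancel cycle takes 20 seconds; both numbers are assumptions chosen for illustration, not measurements.

```python
import math

# Offline guess rate quoted in the thread for an 800 MHz PC.
OFFLINE_GUESSES_PER_SECOND = 2_000_000


def unordered_keyspace(images: int, chosen: int) -> int:
    """Secrets when `chosen` images are picked from `images` and order is
    irrelevant: C(images, chosen).  25 choose 5 = 53,130."""
    return math.comb(images, chosen)


def ordered_keyspace(images: int, chosen: int) -> int:
    """Same pick, but the sequence is part of the secret: P(images, chosen).
    25 P 5 = 6,375,600, the 'some six million' in the story."""
    return math.perm(images, chosen)


def pin_keyspace(digits: int = 4) -> int:
    """A numeric PIN: 10^digits."""
    return 10 ** digits


def passphrase_keyspace(length: int, alphabet: int = 95) -> int:
    """A random passphrase over the 95 printable ASCII characters."""
    return alphabet ** length


def entropy_bits(keyspace: int) -> float:
    """Equivalent bits of a uniformly chosen secret from `keyspace`."""
    return math.log2(keyspace)


def offline_exhaust_seconds(keyspace: int,
                            rate: float = OFFLINE_GUESSES_PER_SECOND) -> float:
    """Worst case for the defender: the attacker holds the hash or the
    crypto device and can try every candidate at `rate` guesses/second."""
    return keyspace / rate


def online_expected_seconds(keyspace: int,
                            guesses_per_insert: int = 2,
                            seconds_per_insert: float = 20.0) -> float:
    """Guesses only through the ATM.  Assumed: the attacker stops one short
    of the card-eating limit, so each insert-cancel cycle yields
    `guesses_per_insert` tries and costs `seconds_per_insert`.  The expected
    number of tries to hit a uniformly chosen secret is half the keyspace."""
    cycles = (keyspace / 2) / guesses_per_insert
    return cycles * seconds_per_insert


def comparison() -> list[dict]:
    """Rows for the schemes discussed in the thread."""
    schemes = {
        "5 of 25 images, unordered": unordered_keyspace(25, 5),
        "5 of 25 images, ordered": ordered_keyspace(25, 5),
        "4-digit PIN": pin_keyspace(4),
        "8-char random passphrase": passphrase_keyspace(8),
        "30-char random passphrase": passphrase_keyspace(30),
    }
    return [
        {
            "scheme": name,
            "keyspace": space,
            "bits": round(entropy_bits(space), 1),
            "offline_s": offline_exhaust_seconds(space),
            "online_days": online_expected_seconds(space) / 86_400,
        }
        for name, space in schemes.items()
    ]


if __name__ == "__main__":
    for row in comparison():
        print(f"{row['scheme']:<28} {row['bits']:>6.1f} bits  "
              f"offline {row['offline_s']:>12.3g} s  "
              f"online ~{row['online_days']:>10.3g} days")
```

The contrast the PIN comment is making falls out of the numbers: the 4-digit PIN and the unordered picture set are both under 16 bits and gone in well under a second offline, while the same secrets behind a device that allows a couple of guesses per card cycle take on the order of a day to weeks of physically standing at the machine. Only the 8-character or longer random passphrase survives an offline attacker, which is the point of the "Passphrase strength" comment above.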