Using Images as Passwords

CmdrTaco posted more than 12 years ago | from the please-select-15-images dept.

Security 268

TekkenLaw writes "According to this news on Reuters, MS is looking at images rather than plain old text for enhancing security. The key - images, which tend to make more of an impression on people than strings of text characters. This is especially interesting in context of the crappy passwords story that ran on Slashdot that ran few days back." So when you call support to get your lost password, will they ask you what your mother's maiden hair color was?

268 comments

um (1, Insightful)

mar1no (559482) | more than 12 years ago | (#3213023)

did they not run this same story a couple weeks ago?

Re:um (4, Informative)

asavage (548758) | more than 12 years ago | (#3213067)

did they not run this same story a couple weeks ago?

yeah, here is the link http://slashdot.org/article.pl?sid=01/12/28/1348217 [slashdot.org]

Re:um (4, Insightful)

dj28 (212815) | more than 12 years ago | (#3213156)

Yea, and the funny part is that in that article, the majority of the posts were praising the technology. Now that it's about Microsoft, everyone is quick to criticize it. Gotta love the bias here.

Yes, they did (2, Insightful)

torqer (538711) | more than 12 years ago | (#3213070)

The first article can be seen here [slashdot.org]

Re:um (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3213112)

hey
don't write yourself off yet
it's only in your head you feel left out or looked down on
just try your best
try everything you can
and don't you worry what they tell themselves when you're away

hey you know they're all the same
you know you're doing better on your own so don't buy in
live right now
just be yourself
it doesn't matter if that's good enough for someone else

it just takes some time
little girl, you're in the middle of the ride
everything everything will be just fine
everything everything will be all right

do your best
do everything you can
don't you worry what their bitter hearts are going to say

Knock My Karma (FP) (-1, Offtopic)

EricKrout.com (559698) | more than 12 years ago | (#3213025)

I don't care!

(2 accounts capped at 50)

:-/

Re:Knock My Karma (FP) (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3213044)

Done and done.

Re:Knock My Karma (FP) (-1, Offtopic)

Pancake Lizard (568459) | more than 12 years ago | (#3213053)

2 accounts capped at 50

w00-fucking-h00t. u r real frigging leet d00d.

fp (-1, Offtopic)

xannik (534808) | more than 12 years ago | (#3213026)

fp!

thumb (4, Interesting)

zephc (225327) | more than 12 years ago | (#3213031)

a friend of mine has a cool USB device that reads his thumb print, and he uses that to unlock his Windoze box.

Re:thumb (0)

Anonymous Coward | more than 12 years ago | (#3213050)

by unlock, of course, i meant log in to. From what I saw, he can use it with other applications too.

Re:thumb (5, Funny)

Phosphor3k (542747) | more than 12 years ago | (#3213095)

It will be pretty cool when I cut off his thumb to get into his box. Or cheese grate his thumbs so he can't get in.

Three Words (1)

great throwdini (118430) | more than 12 years ago | (#3213036)

Johnny Mnemonic [imdb.com]

Whoa!

Re:Three Words (2, Interesting)

bleckywelcky (518520) | more than 12 years ago | (#3213080)


Yes, Johnny Mnemonic.

You stole my post as I was trying to remember the name of the movie, lol. This was really cool though. For anyone who doesn't know, Johnny (played by Keanu Reeves) is an information courier. He had information uploaded into his mind (needed some sort of implant, I can't completely recall) and then they randomly grabbed 3 screen shots off of the TV from random channels. One copy was kept for the initiators of the carry, another was faxed (tried to be faxed) to the recipient. The screen shots were used to retrieve the information as a password. Very cool.

If I can't remember... (2, Funny)

Papyrus (226791) | more than 12 years ago | (#3213037)

a string of characters as a password how am I going to remember exactly which points and which sequence of points/graphics to click???

I don't get it - call me flummoxed.

simple? (1)

Account 10 (565119) | more than 12 years ago | (#3213046)

Users simply remember exactly where on the images they clicked and in what order.

If this is really down to the pixel level as the story says, then this is not simple, it is impossible.

Even having it sensitive to within 10 pixels, say, is going to be difficult with the pictures they used. Most country flags consist of large blocks of colour. To have a chance of reproducing a password, people are going to have to pick points near edges and corners - similar to not using uppercase and punctuation in passwords.

Re:simple? (2, Insightful)

pmatthews (305579) | more than 12 years ago | (#3213177)

Exactly...Simple??

The random number generation from the clicks would have to use a combination of both position and the colour of the pixel that the user clicked and then don't forget order.
If they used only the colour of the pixel that could potentially be more insecure than characters as in their example they use countries flags which generally have 3 or less colours. If people are going to have images they're going to use familiar images (favourite cartoon characters, g/f's etc) which will be in digital form and probably on that person's web site anyways. (then again I suppose there are some bragging rights from being able to say my is the image at the of my page ...good luck)

That doesn't even get into trying to remember the data e.g. with 8 images

[1] First click image 3 at position 238x34.
[2] then click image 7 at position 12x67.
[3] then click image 1 at position 134x164.
[4] then click image 6 at position 34x241.

I think most people would have trouble remembering one click's data. Let alone the fact that when they go to enter their 'password' they have to get the mouse on the exact position, meaning they are going to have to coordinates on the screen so they can line up (unless their position is an obvious point (bright spot?) on the image (more vulnerability)), which takes time and someone could look over your shoulder trying to hone in on your point. I mean if you had a few piccies of bikini clad chicks, would you consider these images less secure? (think about it)
Personally I prefer characters. I don't think it is such a stretch to remember one 8 character random string, but that's me....

my 2.5 cents...

This works (1)

Kizzle (555439) | more than 12 years ago | (#3213047)

I remember this freeware app a while ago that would remember your passwords for you (it wasn't gator). Instead of you putting in a password it would show you a picture of a bedroom or something. Then to access your passwords you would click on series of objects in the room. It worked quite nicely.

Re:This works (1)

great throwdini (118430) | more than 12 years ago | (#3213079)

I remember this freeware app [...] Instead of you putting in a password it would show you a picture of a bedroom or something.

V-GO Universal Password, crafted by Passlogix [passlogix.com] ? I don't see it offered by the company anymore, but it looks like it was a $30 shareware app for Windows (likely mirrored out there, somewhere).

Re:This works (2)

bero-rh (98815) | more than 12 years ago | (#3213254)

And if someone is looking at your screen, he'll know your password...

Transforming mouse events to *s while "typing" doesn't work.

Interesting password scheme (2, Funny)

s4ltyd0g (452701) | more than 12 years ago | (#3213049)

for pr0n site access ;-)

Yes they did (1)

torqer (538711) | more than 12 years ago | (#3213054)

It can be seen here [slashdot.org]

AfterDark (3, Interesting)

mlknowle (175506) | more than 12 years ago | (#3213055)

AfterDark for Mac OS used to have a feature like this; you could select an image, and you would have to click on a certain part of it, optionally holding down a control-key combo, to unlock the screen saver, rather than type a password.

This is absolutely crappy.... (1)

Numair (77943) | more than 12 years ago | (#3213057)

You have to click on a number of pictures in the right area in the right order. This is easier to remember than a bunch of keys in order (which is what happens after you've typed your password enough times)?

I'll stick to my text-based pass *phrases* while the Wal-Mart XP crowd sits and clicks on images like a 3 year old, thank you very much...

Eyes, nose, mouth (5, Insightful)

Anonymous Coward | more than 12 years ago | (#3213058)

Can you guess which points a typical person would click on that image of a face? That's right - Eye, eye, nostril, mouth.

People don't select lousy passwords ONLY because they are lazy. They also select them because they don't think there is a credible threat to their accounts. They don't BELIEVE in hackers who would target them.

Without an increase in paranoia among average people, I don't see how a user-selected secret will ever provide security.

Re:Eyes, nose, mouth (5, Funny)

andyh1978 (173377) | more than 12 years ago | (#3213270)

Can you guess which points a typical person would click on that image of a face? That's right - Eye, eye, nostril, mouth.
user@server:~$ passwd
Changing password for user
Old password:
click click click
New password: click click click
Bad password, too simple. Try again.
Password must be at least 5 pictures long, and include one body part, one mammal and one reptile.
New password:

Interesting, but.. (2, Interesting)

zapfie (560589) | more than 12 years ago | (#3213060)

Novel idea, but I can see a lot of practical problems arising. For example, how do you determine how much room for error there is in clicking on certain parts of an image? Someone might choose to click on the sky, then a boat for their password. Will positions be based on something like +-5 pixels from where you originally clicked, or something smarter like using a magic-wand kind of algorithm? Also, what about people who are blind, or visually impaired? How will people sitting down at a computer figure this system out when they are presented with a picture? If you wish to share your password with someone remotely, how do you do it? (e.g. your mom forgets the password to the family computer and calls you up). Don't get me wrong, it's a novel idea, but I can see a lot of issues coming out of this.
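Added example (not part of any comment in this thread, and not Microsoft's scheme): one way to handle the tolerance question while storing only a salted hash. It uses centered discretization, a technique from the graphical-password literature that the thread does not mention, with an assumed tolerance of 5 pixels; the click coordinates are the ones pmatthews lists earlier, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

TOLERANCE = 5             # assumed: accept clicks within +/-5 px on each axis
CELL = 2 * TOLERANCE + 1  # cell width that leaves the enrolled pixel in the centre
ROUNDS = 200_000          # assumed PBKDF2 work factor

# Constructed sample: the four clicks from pmatthews' comment, as (image, x, y).
ENROLLED = [(3, 238, 34), (7, 12, 67), (1, 134, 164), (6, 34, 241)]


def naive_cell(x, y, size=10):
    """Fixed grid with no per-user offset: the cell a pixel falls in."""
    return (x // size, y // size)


def _centre(v):
    """Return (offset, index) such that v is the middle pixel of its 1-D cell."""
    offset = (v - TOLERANCE) % CELL
    return offset, (v - offset) // CELL


def _digest(salt, image_ids, indices):
    """Slow salted hash over the image order and the cell indices only."""
    material = repr((image_ids, indices)).encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, ROUNDS)


def enroll(clicks):
    """clicks: ordered list of (image_id, x, y). Returns the record to store.

    The offsets are kept in the clear; they reveal each coordinate modulo
    CELL but not which cell was clicked. The pixel coordinates are not stored.
    """
    offsets, indices = [], []
    for _, x, y in clicks:
        (dx, ix), (dy, iy) = _centre(x), _centre(y)
        offsets.append((dx, dy))
        indices.append((ix, iy))
    salt = os.urandom(16)
    image_ids = [img for img, _, _ in clicks]
    return {"salt": salt, "offsets": offsets,
            "hash": _digest(salt, image_ids, indices)}


def verify(record, attempt):
    """Recompute the cell indices with the stored offsets and compare hashes."""
    if len(attempt) != len(record["offsets"]):
        return False
    indices = [((x - dx) // CELL, (y - dy) // CELL)
               for (_, x, y), (dx, dy) in zip(attempt, record["offsets"])]
    image_ids = [img for img, _, _ in attempt]
    candidate = _digest(record["salt"], image_ids, indices)
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    record = enroll(ENROLLED)
    shaky = [(img, x + 4, y - 3) for img, x, y in ENROLLED]
    missed = [(3, 238 + 6, 34)] + ENROLLED[1:]
    print("exact clicks accepted:      ", verify(record, ENROLLED))
    print("clicks 4/3 px off accepted: ", verify(record, shaky))
    print("one click 6 px off accepted:", verify(record, missed))
    # The failure mode of a fixed grid: two pixels one apart land in
    # different cells, so a 1 px slip at a cell border would be rejected.
    print("fixed grid, x=19 vs x=20:   ", naive_cell(19, 40), naive_cell(20, 40))
```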

Re:Interesting, but.. (0)

Anonymous Coward | more than 12 years ago | (#3213154)

Thank you for adding ideas I hadn't thought of while contemplating what problems might arise. As stupid as it might seem, I never even considered visually impaired people, because I was so caught up in how hard memorizing precise pixel locations in arbitrary images would be for my not-so-visually impaired family members.

Something like this: (5, Funny)

qslack (239825) | more than 12 years ago | (#3213062)

Welcome to Microsoft Windows .NET 2005

In order to log in, please choose the One who you will truly worship, for He is the Supreme leader.

[ LINUS TORVALDS ] [ BILL GATES ] [ ROB MALDA ] [ LARRY WALL ]

Note: According to the EULA you agreed to unknowingly, choosing the wrong password could result in death and/or excommunication.

Re:Something like this: (1)

56ker (566853) | more than 12 years ago | (#3213146)

P.S. Here's a clue - their initials are B.G. and their first name is William.

Re:Something like this: (1, Funny)

Anonymous Coward | more than 12 years ago | (#3213173)

Where's the cowboyneal option?

Re:Something like this: (2, Troll)

garcia (6573) | more than 12 years ago | (#3213298)

so that's how the fucker is going to force us to subscribe.

Re:Something like this: (2)

TedCheshireAcad (311748) | more than 12 years ago | (#3213323)

Make it more complex:

Add Case and Ellison.

~my $.02.

Not exactly cutting edge (0)

Anonymous Coward | more than 12 years ago | (#3213063)

Check out this Slashdot story [slashdot.org] from last December, and the Real User site [realuser.com] with "passfaces", which have been around for a long time.

The future (3, Funny)

wrinkledshirt (228541) | more than 12 years ago | (#3213065)

"Thank you for participating in the required MS Passport sign-up verification to get your latest reinstall of XP2005 to work. We're sorry, but the image of a closed fist lifting the middle finger has already been taken. Others you may want to consider: You lifting your middle finger while wearing gloves; you lifting your middle finger while wearing a Cracker Jack ring..."

Dumbed-down (4, Interesting)

zecg (521666) | more than 12 years ago | (#3213066)

From the news story: "Even with such a system, people would still be susceptible to "shoulder surfing," in which someone watches a computer user type in their password."

Users would have to be fools to "click" their password unless they are positively alone in the room. The current standard at least has masked text on screen, and the order of keys on the keyboard is VERY difficult to track even when the user is moderately good at typing.

Let's not forget that in the case of the new photo passwords, with 50% of users you would only have to know the "Lenny Bruce sequence" in their Playboy passphotos: T'n'A

~zecg.

The Hard Way (5, Funny)

maggard (5579) | more than 12 years ago | (#3213071)

Great, legions of office workers poking their boss's eyes out to log in every morning, doubtlessly from left to right.

Next up will be the "Tapping System" where folks will rap out "Haircut & A Shave" on their desk to log in.

What other quirks of human nature will next be put to use trying to identify folks? The "Mictation Flex Rate"? The "Eyebrow Lift/Tongue Roll"? How about the "Tell the Same Stupid Joke" one; I've had co-workers who've been able to do those hundreds of times over & over without a single variation.

Or just teach folks how to use good passwords, put in some really good acceptance tests, and make it clear that if security is compromised by their poor password choice they'll be held responsible, same as leaving the door to the safe open.

Nahhh, there's gotta be a technology fix...

Re:The Hard Way (1)

56ker (566853) | more than 12 years ago | (#3213128)

Oh there's more - the retina scan, the facial recognition scan, the palm print, handwriting recognition - the list just goes on and on! As to the people who use their favourite football team or a popular name as a password well they deserve to have their account compromised and their network privileges revoked for being so stupid!

Presentation dependent (3, Interesting)

1984 (56406) | more than 12 years ago | (#3213074)

This is kind of interesting. A couple of things spring immediately to mind.

First, presentation of the image will (may) vary in different situations. The visual presentation of a password is pretty irrelevant: as long as you can understand and input the right symbols the font, colour size etc. in which they are presented isn't relevant. On the other hand an image must look substantially like the crib image. Sounds obvious, but consider differences in resolution, colour depth etc. You can divide the image into regions (a grid, perhaps) but ultimately there will be a limit to the resolution of the grid that you can rely on (not to mention input errors limiting the viable grid resolution.) To get more possible regions, you'd need a plain bigger image to get around the input resolution issue. All of which complicates the implementation (of course, you could break each image down semantically somehow, but that sounds like a further adventure altogether.)

And, after all that, people may turn out to have pattern preferences that are "as crappy" as poorly chosen passwords? Always use a photo of your daughter and click on both eyes and outline her cute smile? Ooops. Use your country flag and click where regions of colour meet?

Default image : (1)

doru (541245) | more than 12 years ago | (#3213075)

the BSD !

Re:Default image : (1)

great throwdini (118430) | more than 12 years ago | (#3213090)

Default image: the BSD !

In case you haven't heard, *BSD is dying. I think you meant the BSOD.

fin

It reminds me of a film (1)

56ker (566853) | more than 12 years ago | (#3213076)

with Patrick Stewart in where each day he had to put these strange Chinese characters into a picture otherwise the government secrets he knew would be e-mailed to hundreds of newspapers. Can anyone remember what it was called? As for thumbprint technology the hardware is still very expensive. :o\

Re:It reminds me of a film (1)

great throwdini (118430) | more than 12 years ago | (#3213122)

It reminds me of a film [...] with Patrick Stewart [...] where each day he had to put these strange Chinese characters into a picture[.]

Safe House [imdb.com] ?

Re:It reminds me of a film (1)

56ker (566853) | more than 12 years ago | (#3213137)

Yes that was it. When that's the most thrilling part of the film - watching somebody move Chinese characters into a picture - that purports to be a thriller it says a lot about the film!

Re:It reminds me of a film (1)

ari_j (90255) | more than 12 years ago | (#3213135)

It's called Safe House, if it's the one I'm thinking of. 1998 film, his character is Mace Sowell. I've only seen the first bit of it, but it sounds like a match.

Re:It reminds me of a film (1)

56ker (566853) | more than 12 years ago | (#3213165)

The great throwdini beat you by 7 minutes in naming it though - can't remember whether I watched the whole film now or not. As to remembering the character's name - well it was so long ago I saw it I really have no idea.

Faces (1)

Economist (466965) | more than 12 years ago | (#3213077)

"The basic idea is that the brain can remember faces better than it can remember letters and numbers."
Unless you're like me, i seem to forget faces constantly. When i'm at the store to buy meat, and the lady who serves me is away 2 seconds, i already forgot what she looked like.

And i think that i'm not the only one, i'm not THAT much of a freak :-)

Then the government (2)

tcd004 (134130) | more than 12 years ago | (#3213081)

Then the government can check to see where you like clicking pictures.

Did you use the Iraqi flag as your password?

Are you clicking on suggestive areas of that picture of Natalie Portman?

I much prefer just having a city-wide network of surveillance cameras to verify my identity at all times.(/sarcasm)

Read Lostbrain's Oscar Predicitions! [lostbrain.com]

tcd004

Re:Then the government (1)

Boone^ (151057) | more than 12 years ago | (#3213097)

Eventually people have to chill out about the gov't conspiracies. If they wanted to spy on you, they'd need a lot more compute resources and a lot more analysts. They don't have either.

Re:Then the government (2)

aardvarkjoe (156801) | more than 12 years ago | (#3213134)

More importantly, the government would also have to care. I haven't seen any evidence that they do. It's marketing corporations that want personal info.

Re:Then the government (1)

Da Web Guru (215458) | more than 12 years ago | (#3213266)

Yeah, but then the government would just "borrow" the information from the marketing corporations...

Hmmm (1)

EricKrout.com (559698) | more than 12 years ago | (#3213085)

Did everyone forget about this [realuser.com] already?

Peace, Love, Linux [monolinux.com]

Re:Hmmm (2)

cygnusx (193092) | more than 12 years ago | (#3213116)

I wrote this in my weblog [chaoszone.org] today...

This'll never work with the "techie" crowd because they remember letters/numbers much better than they remember pictures. (ever wondered how unix fans can remember all of tar's options? :-)) On the other hand, for people who "think graphically" (designers, artists, etc), this may help. But I wouldn't bet on it, passwords are too deeply entrenched in our lives already -- ATM PINs, Phonebanking PINs, the whole nine yards.

And yes, I too don't see how this is different from Passface's Realuser [realuser.com] , which uses faces in lieu of passphrases. I've tried Realuser, and I found it was far more difficult to remember their faces than it was to remember my passwords. And I could choose only 5 faces -- not too good, it's too easy for over-the-shoulder attacks, and it's a pain to change "faces" like I change passwords. I imagine a face-changing session would go this way: "Let's see, I chose a caucasian male last time, this time, I'll pick an asian female...". Uh huh, too much work.

Pictures as passwords (1)

NetGyver (201322) | more than 12 years ago | (#3213101)

Sounds interesting, though I'm not sure I see how much a difference this would make. What's the difference between remembering certain details in the image you selected as your password vs remembering a text password?? You *Still* have to remember something. I've been very fond of the fingerprint scanning system and other similar devices that allow you to access your data without having to *remember* anything.

But in any case, where there's picture passwords there's bound to be some strange tech support calls. I'd use one of those "magic eye" pictures where you have to make your eyes blurry, and cross them funky so you can see the hidden image. That way if he's a real *STUPID* tech, he'll look like it too. :)

...anyway...

A penny for my thoughts? Here's my two cents. I got ripped off.

Neo Already Did This (1)

Shuh (13578) | more than 12 years ago | (#3213106)



Back in the day, before The Matrix [imdb.com] , Keanu made another sci-fi show predicated on just this idea. It was called Johnny Mnemonic [imdb.com] !

I would choose a picture of (5, Funny)

Scratch-O-Matic (245992) | more than 12 years ago | (#3213111)

a keyboard. It would be easy to remember where to click, because I could remember it as a string of alphanumeric characters. I think this technology has promise.

Re:I would choose a picture of [a keyboard] (1)

mortenf (191503) | more than 12 years ago | (#3213174)

Actually, this might not be as stupid as it sounds.

If the keyboard picture had the keys swapped to new positions every time, it would be impossible for anything but a camera to deduct the password (as opposed to the vulnerability that makes snooping passwords possible because of the timing between keystrokes).

Of course, it would still be vulnerable to attacks from the person standing behind you...

Re:I would choose a picture of [a keyboard] (2)

dattaway (3088) | more than 12 years ago | (#3213318)

Just because it is a mouse, doesn't mean it can't be snooped. Mice and keyboards both use serial communications and can be captured by many means.

The Microsoft Mouse(tm) protocol sends out a three byte sequence to signal a mouse movement. The current from the wires of a serial mouse can be picked up remotely with a good antenna that can sense the large RS232 voltage transitions at a slow 1200 baud. From another room, you could track mouse activity just as with a keyboard.

Re:I would choose a picture of (2)

Alsee (515537) | more than 12 years ago | (#3213322)

a keyboard

Actually that would be pretty cool, and I'd be particularly secure. I'd probably click in between the keys just because I can :)

-

I can see it now..... (-1, Redundant)

philj (13777) | more than 12 years ago | (#3213123)

Hundreds of trolls scaring the crap out of people by using the goatse.cx image [goatse.cx] as their password.

What if the image is stolen? (1)

Drakker (89038) | more than 12 years ago | (#3213125)

Say, I need to log in from different stations, do I have to carry my password on a floppy/cd/whatever? What if someone steals my storing device? How do you log using an image via telnet? =)

Re:What if the image is stolen? (4, Funny)

blang (450736) | more than 12 years ago | (#3213133)

And how are blind people going to log in?

This must be president Bush's idea.

Re:What if the image is stolen? (3, Informative)

Account 10 (565119) | more than 12 years ago | (#3213207)

Blind people continue to use the keyboard. You can have alternatives in life, you know.

Re:What if the image is stolen? (2)

blang (450736) | more than 12 years ago | (#3213233)

Right. As long as the user has control over those options.

However, most authentication are outside the user's control. Online banking, Web sites, you name it.

It's like saying blind people can use ascii to get around on the web. Except that most sites do not have text-only versions anymore. Add Flash to the mix, and I think I've made my point.

Easy answers make for easy rebuttals.

Re:What if the image is stolen? (2)

BlueUnderwear (73957) | more than 12 years ago | (#3213239)

Blind people continue to use the keyboard.

But what if Micro$oft removes the possibility of logging in via the keyboard?

And what if this spreads to web sites as well, and it becomes very hip to log in to your favorite weblog via clicks on an image, rather than HTTP passwords?

You can have alternatives in life, you know

Correct. But certain companies are striving very hard to remove the privilege of choice, at least as far as computers are concerned ;-)

Re:What if the image is stolen? (-1)

OsamaBinLager (532628) | more than 12 years ago | (#3213304)

Fuck you asshole.

Hey Wait!!! (2)

Dutchmaan (442553) | more than 12 years ago | (#3213139)

MS figured out that it can gather more than just boring ol' text information... It can gather images or sounds, or almost anything.

How about DNA security, where you sign your contract in blood!!!???

Why does that sound familiar?

Check me (4, Interesting)

blixel (158224) | more than 12 years ago | (#3213141)

If an image is 1280x1024 and is sensitive to a 10x10 pixel area, that gives the user a grid of 128x102 to click in. A total of 13,056 clickable squares. If the user's password was 5 clicks long, that would give them 379,359,275,350,832,971,776 possible passwords. Is my math correct?
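Added example (not from the original thread): a check of the count above, set against a constructed model of the "eye, eye, nostril, mouth" habit raised earlier in the discussion. The 80% share given to four hotspots, the independence of clicks, and all function names are assumptions chosen for illustration.

```python
import math


def grid_cells(width, height, cell):
    """Whole cells of side `cell` that fit in the image (partial cells dropped)."""
    return (width // cell) * (height // cell)


def keyspace(width, height, cell, clicks):
    """Ordered click sequences, assuming every cell is equally likely."""
    return grid_cells(width, height, cell) ** clicks


def per_click_entropy(cells, hotspots, hotspot_mass):
    """Shannon and min-entropy (bits) of one click under a two-level model:
    `hotspot_mass` of all clicks land evenly on `hotspots` salient cells,
    the remainder is spread evenly over every other cell."""
    p_hot = hotspot_mass / hotspots
    p_rest = (1 - hotspot_mass) / (cells - hotspots)
    shannon = -(hotspots * p_hot * math.log2(p_hot)
                + (cells - hotspots) * p_rest * math.log2(p_rest))
    min_entropy = -math.log2(max(p_hot, p_rest))
    return shannon, min_entropy


def random_text_length(bits, alphabet=94):
    """Length of a uniformly random printable-ASCII password with >= `bits`."""
    return math.ceil(bits / math.log2(alphabet))


def report(width=1280, height=1024, cell=10, clicks=5,
           hotspots=4, hotspot_mass=0.8):
    cells = grid_cells(width, height, cell)
    uniform_bits = clicks * math.log2(cells)
    shannon, min_e = per_click_entropy(cells, hotspots, hotspot_mass)
    return {
        "cells": cells,
        "keyspace": keyspace(width, height, cell, clicks),
        "uniform_bits": uniform_bits,
        # Clicks are treated as independent, so per-click entropy adds up.
        "hotspot_shannon_bits": clicks * shannon,
        "hotspot_min_entropy_bits": clicks * min_e,
        "text_chars_uniform": random_text_length(uniform_bits),
        "text_chars_hotspot": random_text_length(clicks * shannon),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:26} {value}")
    # Same image with the 11-pixel cells that a +/-5 px tolerance implies.
    print("keyspace with 11 px cells:", keyspace(1280, 1024, 11, 5))
```

The uniform figure is an upper bound: it only holds if users pick cells at random, which is the assumption the hotspot model relaxes.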

I'll use (4, Funny)

segfault7375 (135849) | more than 12 years ago | (#3213142)


I'll use that guy from goat.cx... That'll keep people out of my computer :)

Stupid idea (2, Insightful)

Pedrito (94783) | more than 12 years ago | (#3213149)

So now you have to remember the order in which you click on an image? Maybe that's easier for some people, but certainly not for me. I have one password that I've used for the past 15 years or so. It's 8 characters (9 if I need to mix numbers with it), and it appears completely random.

I've been using it for 15 years and nobody has ever hacked it. All you have to do is have one of these and remember it. Almost anyone can remember a single 8-10 digit password, if that's all they use. Just make one and stick with it. Maybe you'll need to change it every couple of years, but even so, once you have it down, it's pretty easy to remember.

Is it hack-proof? Of course not. Not even close, but for most applications where a password is needed, it's more than sufficient. I doubt anyone will take the time to try to hack my hotmail account when there are so many that can easily be dictionary attacked. I'll always be the last one someone tries to hack because it will take too long to hack mine, compared to most.

Just my personal opinion. Obviously for some things, you simply need real encryption, but for most online stuff, a single 8 character/digit password is fine.

Re:Stupid idea (1)

kapella (3578) | more than 12 years ago | (#3213175)

... the problem with using one password is that it provides a single point of failure for everything you use.

All it takes is one password-capturing trojan website, or one hacked login(1), or even someone setting up a small, useful website requiring registration with a password explicitly to capture just these kind of reused passwords.

Worse idea. (0)

Anonymous Coward | more than 12 years ago | (#3213206)

Okay, so lemme guess: you picked a mental pattern on your keyboard to repeat as your password, and you use that password anywhere?
Getting your password would be trivial by shoulder surfing, and once it's obtained, every account you have is wide open. Yipee skipee!
That, and if you used your magic password on a system with an unscrupulous operator, that operator now has the key to every other account you own.

There's damn good reasons why you're told not to reuse passwords.

Re:Worse idea. (2)

Pedrito (94783) | more than 12 years ago | (#3213289)

If I've used it for 15 years without it ever being compromised, why is it that nobody has ever hacked it, despite the fact that I use it in a number of places?

Like I said, for important things, I use a variation that's more difficult. As for shoulder surfing, again, 15 years (including 2 years using it daily in a wide-open internet cafe where anybody could have seen it), and nobody has ever hacked it.

And no, I didn't pick a mental pattern on the keyboard. I was assigned a random password by CompuServe 15 years ago and I've used it ever since.

You said, and I quote: "There's a damn good reasons why you're told not to reuse passwords." Show me why? 15 years and it's never been hacked. I'd say that's a damn good track record for a single password. I don't see a damn good reason to change it. Until it gets hacked, I probably won't.

Re:Worse idea. (5, Insightful)

garett_spencley (193892) | more than 12 years ago | (#3213308)

You said, and I quote: "There's a damn good reasons why you're told not to reuse passwords." Show me why? 15 years and it's never been hacked. I'd say that's a damn good track record for a single password. I don't see a damn good reason to change it. Until it gets hacked, I probably won't.

I'm going to actually give you a real life example to help you understand why this is important.

Some time last year (you may remember if you've been around /. that long) someone cracked /.'s backup server where they got full access to the database including Rob's password. So they got everyone's password.

Now if you use that same password for /. then they got your password for everything. They didn't crack or guess your password instead they cracked something completely different and your password happened to be stored there.

So imagine if you use that password for your online banking, e-mail, work account etc. It's pretty serious.

The point is that it doesn't matter how secure or insecure your password is. You just don't use the same password for everything plain and simple.

The same could happen with hotmail. Your work's network etc.

--
Garett

Where have I heard about this before? (2)

image (13487) | more than 12 years ago | (#3213153)

"This is especially interesting in context of the crappy passwords story that ran on Slashdot that ran few days back."

And it is even more interesting in context of the the the using images as passwords story that ran on Slashdot [slashdot.org] that ran [sic] a few days back. :)

you can still have crappy passwords with this.. (1)

EMR (13768) | more than 12 years ago | (#3213159)

how about some modern art..
I visualize a blue circle on a white background.
Or a white line on a black background..

Images? (1)

JohnyDog (129809) | more than 12 years ago | (#3213162)

With images instead of passwords, the new Windows(TM)(R)(C) will now be fully average-monkey compatible.

Similar to this slashdot story. (2)

tswinzig (210999) | more than 12 years ago | (#3213166)

Pictoral Passwords [slashdot.org] (using abstract art)

(It isn't karma whoring when you're already at 50.)

Login with someone behind you? (5, Insightful)

aralin (107264) | more than 12 years ago | (#3213167)

Well, I've got this idea quite a few years ago, but honestly, did you ever try to login with someone watching? And it's much easier to watch the monitor than your keyboard. And at least I can type my twenty something passwords reallllly fast and have some intentional typos in them, but - man - how can you click on pictures without someone seeing the pointer moving over the right pictures....

pixel password attack? (1)

Gord888 (445481) | more than 12 years ago | (#3213168)

Well, isn't it possible to still try and hack someone's password simply by brute force? Someone could just emulate all combinations of the mouse click on all pixels of the picture. Also... how the heck is someone going to memorize pixel locations better than strings????

Passwords and Pictures (2)

NWT (540003) | more than 12 years ago | (#3213178)

I've seen something like that. You could choose an image (the more complicated, the better) and define some points, which you have to remember. To login, you have to click the points you selected before, with more or less accuracy in a predefined order.
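The scheme described in the comment above (ordered click points accepted within a tolerance) can still be stored as a salted hash if each click is first snapped to a grid cell centred on the enrolled point. This is an added example, not code from the thread or from any product; the function names, the 10-pixel tolerance and the sample coordinates are assumptions.

```python
import hashlib, hmac, math, os

def _cell(v, r, offset=None):
    """Snap coordinate v to a cell of width 2r and return (index, offset).
    At enrollment (offset=None) the grid is shifted so v is the cell centre."""
    if offset is None:
        offset = (v - r) % (2 * r)
    return (v - offset) // (2 * r), offset

def _digest(salt, cells):
    # Only cell indices are hashed; the order of the list encodes click order.
    data = ",".join(map(str, cells)).encode()
    return hashlib.pbkdf2_hmac("sha256", data, salt, 100_000)

def enroll(points, r):
    """points: ordered (x, y) clicks; r: tolerance in pixels (assumed value)."""
    salt, cells, offsets = os.urandom(16), [], []
    for x, y in points:
        (ix, ox), (iy, oy) = _cell(x, r), _cell(y, r)
        cells += [ix, iy]
        offsets.append((ox, oy))  # stored in the clear; reveals position mod 2r
    return {"salt": salt, "r": r, "offsets": offsets,
            "hash": _digest(salt, cells)}

def verify(record, clicks):
    """True only if every click is within r of its enrolled point, in order."""
    if len(clicks) != len(record["offsets"]):
        return False
    r, cells = record["r"], []
    for (x, y), (ox, oy) in zip(clicks, record["offsets"]):
        cells += [_cell(x, r, ox)[0], _cell(y, r, oy)[0]]
    return hmac.compare_digest(_digest(record["salt"], cells), record["hash"])

def space_bits(width, height, r, k):
    """Upper bound on guessing space in bits, assuming uniformly chosen cells."""
    return k * math.log2((width / (2 * r)) * (height / (2 * r)))

if __name__ == "__main__":
    rec = enroll([(100, 200), (320, 50), (15, 400)], r=10)  # constructed sample
    print(verify(rec, [(109, 191), (311, 59), (6, 409)]))   # inside tolerance
    print(verify(rec, [(111, 200), (320, 50), (15, 400)]))  # one click too far
    print(round(space_bits(640, 480, 10, 5), 1), "bits for 5 clicks on 640x480")
```

The figure from `space_bits` is a ceiling: it assumes every cell is equally likely to be picked, so clicks that cluster on a few salient features of the image give an effective space well below it.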

Shhhhh! The password is (2, Funny)

BadThoughts (552188) | more than 12 years ago | (#3213179)

Monkey, Sheep, Sheep, Monkey, HORSE. you HAVE to remember horse! Because if you don't.... You'll have to click on all the images! or... or could just click clippy for help. . .

Better Idea (0)

Anonymous Coward | more than 12 years ago | (#3213185)

Instead of just clicking an image, how bout a setup where choosing an image is only the first step. Once the image is displayed, a user then has to click or move the mouse around the image in a certain manner. Much, much more secure than just choosing an image.

Re:Better Idea (1)

Account 10 (565119) | more than 12 years ago | (#3213193)

That's exactly what the article is about. Try moving your mouse over the story and clicking in a certain manner ... ie. on the link.

Johnny Mnemonic (0)

Anonymous Coward | more than 12 years ago | (#3213191)

Didn't the password in that movie was images?

Lotus Notes, and social commentary (3, Insightful)

phillymjs (234426) | more than 12 years ago | (#3213210)

Lotus Notes on the Mac (I've never seen or used the Windows version) has a little something kinda like this in their password dialog.

As you type in your password, small images in a 2 x 2 layout change according to what you've typed. Even though the password text is bulleted out, you eventually come to recognize the 'correct' four images and know when you've mistyped your password before hitting Enter. IMHO, this is the best feature of Notes, which otherwise sucks-- Lotus might not have been the first to use this idea, but it's the first place I've seen it.

And now I'd like to complain about the increasing retard-ification of our society. How can people be unable to choose a few non-obvious passwords (hell, just some random sequences of alphanumeric characters will do) and remember them with a mnemonic device? Why must we create an authentication system geared to the stupid so they can easily exist among us? Maybe they'd smarten up if they chose "password" as their password and had their checking account cleaned out for the third time as a result.

Of course, I should have seen this coming when McDonald's started using cash registers that had photos of the food on the keys and spit out the customers' change automatically, without the operator having to overtax his/her brain thinking about how a quarter, a dime, a nickel and three pennies have to combine forces to make 43 cents.

~Philly

Re:Lotus Notes, and social commentary (2)

rbeattie (43187) | more than 12 years ago | (#3213288)


IMHO, this is the best feature of Notes

Yep, and they're getting rid of it... I'm too lazy to look for the link right now, but it's true.

-Russ

no keyboard (1)

BoRoG (566310) | more than 12 years ago | (#3213215)

Sweet, now I can log in and enter my password without even touching the keyboard!

Less security, not better security. (3, Insightful)

bartman (9863) | more than 12 years ago | (#3213219)

Not surprising that MS would come up with this knowing their track record with security...

Consider anyone standing behind you while you select the appropriate login. They are bound to see the images you are selecting as your login much more clearly than the key combination you would have typed.

Try telling this one to a friend (0)

Anonymous Coward | more than 12 years ago | (#3213225)

Can you imagine having an emergency in our future-tech age?

"No Bill, it's Black Guy, Asian Guy, Samoan Woman, Black Guy with the scar, White Guy with glasses! Hurry up before the Holodeck explodes!"

Let's hope they have a way of opt-ing out (4, Interesting)

merlyn (9918) | more than 12 years ago | (#3213226)

As I said in a previous thread two months back:
People are visually oriented, so remembering pictures is easy, especially compared to a mess of uppercase, lowercase and symbols.
Uh, some people. I'd have to name each picture to remember it, and then remember the names. I'm a part of the 5% of the population that doesn't deal well with picture recall, and a particularly bad case of that. Let's hope this system is never mandatory for any system I have to use. It's bad enough for icons without tooltips.

pamela anderson (0)

Anonymous Coward | more than 12 years ago | (#3213229)

the most widely used passpic

Color blind (1, Insightful)

Anonymous Coward | more than 12 years ago | (#3213236)

Seems like you'd have to be really careful not to exclude the color blind. And the actually blind. Or just those with bad vision, or really poor visual memories.

Shoulder surfing (0)

Anonymous Coward | more than 12 years ago | (#3213252)

It seems that a visual password would make it much easier for someone across the room to see and learn. One would have a hard time looking at my keyboard if they were behind me, but the whole reason any password login puts bullets on screen is so someone looking at the screen can't see it. Does this system use a mouse or is there some way to pick out the pictures using a keyboard with no on screen indicator? Of course, if that's the case, then this system may not be as idiot proof as they hope.

How much more sophisticated? (0)

Anonymous Coward | more than 12 years ago | (#3213263)

Picture this:
The Mona Lisa by Leonardo da Vinci
The Scream by Edvard Munch
A picture of David by Michelangelo
A picture of a not quite so cute dog with a caption underneath it that says, "Fluffy".

I wonder which one of those would be the password. Hmmmmm.

wrong example ? (1)

mirko (198274) | more than 12 years ago | (#3213268)

So when you call support to get your lost password, will they ask you what your mothers maiden hair color was?

Today is now 25 years after the Punk explosion in England (1977) so I believe it would be a bad idea to ask today's 25'ers about which color their mother could have painted her hair :-D

apparent problems... (1, Interesting)

Anonymous Coward | more than 12 years ago | (#3213273)

one of the problems that many people have with "strong passwords" is not their lack of a strong kinesthetic memory - I can "remember" any password simply by typing it: sound familiar?

Problem is that this has nothing at all to do with how you actually pull out that memory. I mean, having this strong kinesthetics allows you to keep that password in your head, but it does nothing for pulling it out (unless you always use the same password... more on this later)

What triggers that memory really has to be one of four things: A sound, an image, a phrase (written), or a touch. That's not true, at least with me (functional keyed-retrieval) but most people at least fall into those four.

This is a cue that your mind uses to pull out those memories at the appropriate moment. The feedback starts and you can whip out your password completely automatically, right?

Some "realistic solutions" to these problems include: biometrics - which don't require any memory, single login - which limit the number of cues needed, asymmetric key - which relies on math, etc, etc.

I say "realistic" because people have used them and they do work. They don't affect that memory pathway in and of itself, but instead rely on more durable pathways (e.g. outside of the person :) )

Unrealistic methods? Pictorial passwords. Besides the obvious that they're useless to the blind, many (dare I say most? nah, I couldn't find those numbers) people lack a visual eidetic. This means that they're very easy to confuse with similar images - because they cannot be used as triggers for their memory- They simply cannot remember seeing that.

Surely, they can remember the memory of seeing, or the act, maybe if they described it to themselves (common: turning a visual cue into an audio one, but this is time consuming and rarely works for long) - point being, it pushes way too much emphasis on only one cue.

With our current method, I gain some visual cues; input fields on the left, on the right, a popup, etc. I also gain some functional cues (mail related? do I know these people? am I these people? was this just a test?)

I then turn all these cues into the blinding flash of realization that sends my fingertips into a frenzy typing out the appropriate login and password for wherever I'm at. (except on slashdot, i'm a wuss... i use cookies :D)

My cues may not be the same as everyone else's but everyone does have cues. I think that changing the focus of what we remember is less important than changing the cues by which we do remember.

Embarrassment from lost password.. (1)

sewagemaster (466124) | more than 12 years ago | (#3213306)

So when you call support to get your lost password, will they ask you what your mothers maiden hair color was?

... or the size of my "structural beam", which of course i can't exaggerate because the wood just isn't big enough :)

ok. it's... the password is ONE - as in ONE foot...

another crippled website... (2)

h4x0r-3l337 (219532) | more than 12 years ago | (#3213327)

Reuters: "We're sorry, but your browser is not compatible with our site."

Oh well, it's not like we haven't seen this before [slashdot.org]

is it better? (1)

torrey (41764) | more than 12 years ago | (#3213332)

people are just clicking on key points in a picture.
To me it seems that is not much different from anything else, you have a picture of a face, there are probably 5 or 6 key points, the eyes, mouth, ears, and possibly the top and bottom of the head. People would key in to the same features of the picture, after that, it just becomes an order of what is clicked, and people would tend to be predictable about that, forming geometric patterns, like going in a clockwise or counter clockwise pattern.

In the end, things might be safer in the short term, but it just means that the hackers just need to read up on a new set of psychology books. Once they got that down, you are back to where you started.