
Picture Passwords More Secure than Text

CowboyNeal posted more than 6 years ago | from the my-scribble-is-my-password dept.

Security 261

Hugh Pickens writes "People possess a remarkable ability for recalling pictures and researchers at Newcastle University are exploiting this characteristic to create graphical passwords that they say are a thousand times more secure than ordinary textual passwords. With Draw a Secret (DAS) technology, users draw an image over a background, which is then encoded as an ordered sequence of cells. The software recalls the strokes, along with the number of times the pen is lifted. If a person chooses a flower background and then draws a butterfly as their secret password image onto it, they have to remember where they began on the grid and the order of their pen strokes. The "passpicture" is recognized as identical if the encoding is the same, not the drawing itself, which allows for some margin of error as the drawing does not have to be re-created exactly. The software has been initially designed for handheld devices such as iPhones, Blackberry and Smartphone, but could soon be expanded to other areas. "The most exciting feature is that a simple enhancement simultaneously provides significantly enhanced usability and security," says computer scientist Jeff Yan."
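The encoding the summary describes, as an added example that is not part of the article or the Newcastle software: each stroke becomes the ordered list of grid cells the pen passes through, a marker records every pen lift, and authentication compares encodings rather than pixels, so a wobbly redraw that stays in the same cells matches while a different starting cell or an extra pen lift does not. The 5x5 grid, the unit canvas, the PBKDF2 storage of the encoding and all sample drawings are my assumptions.

```python
"""Draw-a-Secret (DAS) style encoding and verification (example code).
A drawing is reduced to the ordered grid cells the pen crosses plus a
PEN_UP marker per lift; matching encodings authenticate. Grid, canvas
and hashing choices below are assumptions, not the paper's parameters."""
import hashlib
import hmac
import math
from typing import Iterator, List, Tuple

Point = Tuple[float, float]
Stroke = List[Point]
Cell = Tuple[int, int]

PEN_UP: Cell = (-1, -1)   # sentinel appended whenever the pen lifts
GRID = 5                  # assumed 5x5 grid
CANVAS = 1.0              # assumed canvas: coordinates in [0, 1)
KDF_ROUNDS = 50_000       # PBKDF2 rounds; tune per deployment

def cell_of(p: Point) -> Cell:
    """Map a canvas point to the (column, row) cell that contains it."""
    x, y = p
    if not (0 <= x < CANVAS and 0 <= y < CANVAS):
        raise ValueError(f"point {p} lies outside the canvas")
    size = CANVAS / GRID
    return (int(x // size), int(y // size))

def _walk(p: Point, q: Point, step: float) -> Iterator[Point]:
    """Yield points along segment p->q at most `step` apart, so a sparsely
    sampled stroke still registers every cell it crosses."""
    dx, dy = q[0] - p[0], q[1] - p[1]
    n = max(1, math.ceil(math.hypot(dx, dy) / step))
    for i in range(n + 1):
        t = i / n
        yield (p[0] + dx * t, p[1] + dy * t)

def encode(strokes: List[Stroke]) -> List[Cell]:
    """Encode a drawing as an ordered cell sequence with PEN_UP markers.

    Consecutive samples in the same cell collapse to one entry, so only the
    order of cells visited and the pen lifts survive; pixel-level detail is
    discarded. That is the source of DAS's tolerance to imprecise redraws.
    """
    step = CANVAS / GRID / 4   # well under one cell width
    encoding: List[Cell] = []
    for stroke in strokes:
        if not stroke:
            continue
        samples: List[Point] = [stroke[0]]
        for a, b in zip(stroke, stroke[1:]):
            samples.extend(_walk(a, b, step))
        for pt in samples:
            c = cell_of(pt)
            if not encoding or encoding[-1] != c:
                encoding.append(c)
        encoding.append(PEN_UP)
    return encoding

def _serialize(encoding: List[Cell]) -> bytes:
    return ";".join(f"{col},{row}" for col, row in encoding).encode()

def enroll(strokes: List[Stroke], salt: bytes) -> bytes:
    """Store a salted, stretched hash of the encoding, never the drawing or
    the raw cell list, exactly as a text password would be stored."""
    return hashlib.pbkdf2_hmac("sha256", _serialize(encode(strokes)), salt, KDF_ROUNDS)

def verify(strokes: List[Stroke], salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of the attempt's hash with the stored one."""
    attempt = hashlib.pbkdf2_hmac("sha256", _serialize(encode(strokes)), salt, KDF_ROUNDS)
    return hmac.compare_digest(attempt, stored)

# Constructed sample drawings on the 5x5 grid (cell width 0.2).
# SECRET: one "L" stroke, down the left column then right along row 2.
SECRET: List[Stroke] = [[(0.1, 0.1), (0.1, 0.5), (0.5, 0.5)]]
# WOBBLY: the same "L" redrawn sloppily but staying inside the same cells.
WOBBLY: List[Stroke] = [[(0.05, 0.15), (0.12, 0.55), (0.58, 0.48)]]
# LIFTED: same shape, but the pen lifts at the corner -> extra PEN_UP.
LIFTED: List[Stroke] = [[(0.1, 0.1), (0.1, 0.5)], [(0.1, 0.5), (0.5, 0.5)]]
# SHIFTED: same shape started one cell to the right.
SHIFTED: List[Stroke] = [[(0.3, 0.1), (0.3, 0.5), (0.7, 0.5)]]
SALT = b"constructed-salt-not-for-production"

def demo() -> dict:
    stored = enroll(SECRET, SALT)
    return {
        "encoding": encode(SECRET),
        "wobbly_accepted": verify(WOBBLY, SALT, stored),
        "lifted_accepted": verify(LIFTED, SALT, stored),
        "shifted_accepted": verify(SHIFTED, SALT, stored),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The encoding also makes the thread's keyspace worry concrete: everything drawn inside one cell collapses to a single entry, so the number of distinct secrets is bounded by cell sequences, not by pixels.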


Meh. (3, Insightful)

mingot (665080) | more than 6 years ago | (#21205411)

I'd have to train myself to remember the strokes to draw something with the same movements and pen lifts. Sounds like a pain in the nuts to me.

Easier in Asia... (4, Interesting)

Anonymous Coward | more than 6 years ago | (#21205493)

You say that, but it's EXACTLY what you have to do to learn kanji or kana... or hanzi, for the Chinese.

That's right, there's a proper way to write every one of the thousands of characters, right down to stroke order and placement.

Re:Easier in Asia... (2, Insightful)

mingot (665080) | more than 6 years ago | (#21205667)

I'll bet they'll just pick a character instead of drawing a picture.

Re:Easier in Asia... (4, Interesting)

Nexx (75873) | more than 6 years ago | (#21205769)

Not only that, but people who learn it the "wrong" way quite often write it the wrong way throughout their lives. I experience this a lot with my parents -- the stroke order they learned is different from the stroke order I learned, so anytime I watch them write, it looks a bit odd.

Re:Easier in Asia... (1)

hansamurai (907719) | more than 6 years ago | (#21206467)

I learned to write a few of my hiragana and katakana characters in the wrong stroke order, and native readers could tell just by glancing at my handwriting that I was doing it wrong. I concentrated much harder on this aspect when I was learning kanji, but I'm sure I still do many of them wrong.

And "shoulder surfing". (4, Insightful)

khasim (1285) | more than 6 years ago | (#21205515)

If you have to draw a picture to login, it's going to be very easy for people to see what you're drawing just by being near you.

With typed passwords that is a lot more difficult.

Re:And "shoulder surfing". (5, Funny)

Karl0Erik (1138443) | more than 6 years ago | (#21205533)

Well, they could just cover the drawing in asterisks.

Oh, wait.

Re:And "shoulder surfing". (1)

mstahl (701501) | more than 6 years ago | (#21205689)

Really? I disagree. Though it's easy to watch someone's fingers and see which keys they're hitting, it's far more difficult to watch someone's hand and imagine exactly how they typically draw a password. Though this can't have too much subtlety to it because then no one would ever be able to remember their password exactly enough to reproduce it, it can be fine-grained enough that no one but you can draw your password like you do.

Re:And "shoulder surfing". (5, Funny)

megaditto (982598) | more than 6 years ago | (#21205871)

Draw the goatse man. That'll teach them to spy on you!

Now if only I could figure out how to paste that troll's ascii in here...

Re:And "shoulder surfing". (3, Funny)

TheGeneration (228855) | more than 6 years ago | (#21205935)

Okay, so something like 99% of users are going to use happy faces for their drawn password. That'd be so difficult to crack.

Re:And "shoulder surfing". (1)

somersault (912633) | more than 6 years ago | (#21205995)

I must be one of the 1%, hadn't thought of that. It sounded more like each person would draw a random shape depending on what the backdrop was.. >_>

Re:Meh. (1)

king-manic (409855) | more than 6 years ago | (#21205675)

I'd have to train myself to remember the strokes to draw something with the same movements and pen lifts. Sounds like a pain in the nuts to me.

Unless you're Chinese, in which case the swollen knuckles you still have (from being swatted with a chopstick when you learned to write Chinese) will be ample reminder of how to remember stroke order.

Re:Meh. (1)

megaditto (982598) | more than 6 years ago | (#21205927)

Won't they all have exactly the same drawing order? So much for a unique, hard to replicate password.

But then again, who would ever need to have a strong password in China?

Re:Meh. (1)

Plutonite (999141) | more than 6 years ago | (#21205683)

Welcome to the world of pattern classification. I do not think all systems have to be implemented in the way you imply.

Re:Meh. (1)

Plutonite (999141) | more than 6 years ago | (#21205731)

Clarification: GP statement is correct in terms of this particular implementation. I was just pointing out that although I agree it won't work and it's silly to think that people draw the same strokes every time, there are other ways to do this.

Re:Meh. (1)

Kingrames (858416) | more than 6 years ago | (#21205741)

Yeah right. You'd just have to draw ascii goatse and it'd be more secure than your current password.

Re:Meh. (1)

Joe U (443617) | more than 6 years ago | (#21205893)

As long as you don't draw the non-ascii version, it's OK.

Re:Meh. (5, Insightful)

wish bot (265150) | more than 6 years ago | (#21205785)

Ordinary people have been doing this for hundreds of years. It's called a SIGNATURE.

Re:Meh. (2, Insightful)

X0563511 (793323) | more than 6 years ago | (#21206067)

Hmm, that's an idea. You COULD draw a picture, but if you "sign" a password, that only adds to the complexity of what an intruder must duplicate.

After a long time doing it, you would get damn fast at it too.

One problem however is disability. If I had a horrible accident and became a quadrapole, I could still recite my password to someone if need be... good luck doing that with this kind of authentication.

Re:Meh. (2, Informative)

rossdee (243626) | more than 6 years ago | (#21206283)

"If I had a horrible accident and became a quadrapole, I could still recite my password to someone if need be... good luck doing that with this kind of authentication."

I think you mean quadriplegic. According to Wikipedia:

A quadrupole is one of a sequence of configurations of electric charge or gravitational mass that can exist in ideal form, but it is usually just part of a multipole expansion of a more complex structure reflecting various orders of complexity.

Re:Meh. (5, Funny)

heinousjay (683506) | more than 6 years ago | (#21206469)

That doesn't really change the original statement. It would indeed be a horrific accident that turned him into a quadrupole, and it would probably be hard to draw stuff afterwards.

password expired (2, Funny)

dfries (466073) | more than 6 years ago | (#21206507)

Ordinary people have been doing this for hundreds of years. It's called a SIGNATURE.

That might be a good idea until you get one of these messages.
Password expired, please change your name.

Re:Meh. (0)

Anonymous Coward | more than 6 years ago | (#21206011)

Yeah, also thousands of times more difficult to remember.

Back to the drawing board guys...

Re:Meh. (5, Funny)

B3ryllium (571199) | more than 6 years ago | (#21206031)

Sounds like a pain in the nuts to me.

You're doing it wrong.

Prior Art (2, Informative)

mlwmohawk (801821) | more than 6 years ago | (#21205413)

The movie "Safe House" with Patrick Stewart had something similar.

Re:Prior Art (1)

Dishevel (1105119) | more than 6 years ago | (#21205473)

It had to be hard on you to admit knowledge of that. :) Just havin fun.

Re:Prior Art (1)

mlwmohawk (801821) | more than 6 years ago | (#21205725)

What hard? I have it on DVD. What's not to like?

Re:Prior Art (1)

somersault (912633) | more than 6 years ago | (#21206055)

Well, apparently Patrick Stewart's naked butt is on there.. I don't really need to see that :o and if I did I'd just draw a line down his head.

Re:Prior Art (0)

Anonymous Coward | more than 6 years ago | (#21205793)


Here's my visual password (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21205445)

Up, up, down, down, left, right, left, right, B, A.

Here's mine, faggot: (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21206345)


fap-fap-fap-fap-fap-fap...

I've heard this before (5, Funny)

ShawnCplus (1083617) | more than 6 years ago | (#21205447)

From Article:

graphical passwords that they say are a thousand times more secure than ordinary textual passwords.

Someone a long time ago:

A picture is worth a thousand words

Re:I've heard this before (0)

Anonymous Coward | more than 6 years ago | (#21206003)

A thousand words? That's only 2000 bytes! What image-format was he using?

I don't believe it. (0)

Anonymous Coward | more than 6 years ago | (#21205461)

I don't believe it. Most of the pictures can only be drawn in an order which everybody will use, so it isn't safe. Also, if the beginning cell is part of the pass, you have to always start exactly on the same place, which is harder than a pass.

And.... why is it safer? a pass with chars a-zA-Z0-9 has 36^length combinations... randomly distributed...

Re:I don't believe it. (1)

dreamchaser (49529) | more than 6 years ago | (#21205501)

You didn't read carefully enough. You draw whatever picture you want. The background image is just to give you a frame of reference so you know where you started.

It still sounds like a bad idea to me for the second reason you mentioned. I do not see this as being any more secure than enforcing strong passwords. I can see it maybe being useful for touch/stylus devices, but that's a different matter than overall security.

Re:I don't believe it. (2, Insightful)

JackieBrown (987087) | more than 6 years ago | (#21205551)

Will we need to draw a new picture every 90 days?

Re:I don't believe it. (3, Insightful)

Anonymous Coward | more than 6 years ago | (#21205579)

You draw whatever picture you want. The background image is just to give you a frame of reference so you know where you started.

I think most people will associate the same things with the same background (eg. flowers->bee), resulting in even fewer combinations... also, the universe of "drawable things" is smaller than the universe of words, and that is smaller than the universe of pass...

Why am I having nightmares... (2, Funny)

cliveholloway (132299) | more than 6 years ago | (#21205467)

...about drawing penises on goatse photographs?

That would be one way to keep things secure though - it's hard for someone to guess your pass picture if they can't bring themselves to look at the background... :)

I dont think so (5, Interesting)

Pazy (1169639) | more than 6 years ago | (#21205471)

I doubt this will really work; most people, when they draw and write, do so slightly differently each time. They may have to sit down and aim exactly and prepare, which will take too much effort for most people. I doubt this will take off; it's the old security vs convenience. At this point I'll take the convenience of a text password.

"Fuzz factor" already included. (1)

khasim (1285) | more than 6 years ago | (#21205739)

From TFA:

For example, if a person chooses a flower background and then draws a butterfly as their secret password image onto it, they have to remember where they began on the grid and the order of their pen strokes. It is recognised as identical if the encoding is the same, not the drawing itself, which allows for some margin of error as the drawing does not have to be re-created exactly.

So you don't even have to hit the same points. And this is supposedly "more secure"?

Imagine a password program that allowed for "close enough" typing. Would you consider it "more secure"?

If your password was "peach", would you want the system to accept "apple" as being "close enough"?

Re:I dont think so (0)

Anonymous Coward | more than 6 years ago | (#21206005)

That's probably the number one question that everyone asks. I asked it too. From the paragraph above,

The "passpicture" is recognized as identical if the encoding is the same, not the drawing itself, which allows for some margin of error as the drawing does not have to be re-created exactly.

Re:I dont think so (1)

schmiddy (599730) | more than 6 years ago | (#21206047)

Actually, somewhat counter intuitively, ballistic motions [slyengineer.net] such as scribbling a signature or swinging a baseball bat are actually more accurate when you perform it quickly and without hesitation (because they're ingrained in muscle memory). I'm not sure if the picture drawing described in TFA would qualify, as it would take a great number of repetitions (1,000+ perhaps) to get ingrained in one's muscle memory.

Sounds hard (5, Insightful)

dontthink (1106407) | more than 6 years ago | (#21205475)

I can't even consistently write my signature, let alone some arbitrary picture.

Re:Sounds hard (1)

webmaster404 (1148909) | more than 6 years ago | (#21205511)

Not to mention how easy it would be to make a program to guess it, as most people wouldn't be able to totally reproduce it fully all the time, which means it would allow more tries. Plus, what if there's a flaw in Flash/AJAX/JavaScript/Canvas or whatever you're drawing in? At least HTTPS is hard to break and HTML is rather secure.

Re:Sounds hard (2, Insightful)

Feanturi (99866) | more than 6 years ago | (#21206505)

I have the same problem with my signature. At one time, it used to be very consistent, and quite legible. Enough people remarked that it looked just like regular handwriting, so I started doing it much more quickly and carelessly since that appears to be the normal way of doing a signature. Now, no matter how I try, I can't make it quite the same way twice, except maybe the capitals. I generally don't get all the letters into the last name either, and which ones make it in changes from one attempt to the next.

That's a terrible idea! (1)

dkf (304284) | more than 6 years ago | (#21205479)

I can't draw...

Normal signature (5, Insightful)

LiquidCoooled (634315) | more than 6 years ago | (#21205481)

A normal signature is a picture drawn in a certain fashion with a specific flow and strokes.
We have had signature recognition for a while.
What's new?

Re:Normal signature (2, Interesting)

schmiddy (599730) | more than 6 years ago | (#21205907)

Yeah.. different methods of signature recognition have been around for quite some time, and never really caught on. A friend just did his senior undergrad thesis on a survey of techniques for signature detection [slyengineer.net] , and it's actually a pretty informative read. Long story short.. even the advanced models have too high false-positive rates, especially from skilled forgers who have time to practice copying your signature at home, or even casual over-the-shoulder copying.

The only real future use of this I see is as one component in a highly secure, long-term, yet convenient, authentication mechanism.. perhaps for accessing a lockbox at a bank, something you'd need to have around for many years without remembering and changing a password. And even then, they'd have to additionally use at least "something you know" (name,SSN, etc that you won't forget) and possibly another "something you have" (fingerprint reading, perhaps) in order to get the false positive and false negative rates acceptably low.

Re:Normal signature (1)

fastest fascist (1086001) | more than 6 years ago | (#21206159)

And that is why you use a picture you don't let anyone else in on, not your signature.

Re:Normal signature (1)

Torvaun (1040898) | more than 6 years ago | (#21206177)

Fingerprint reading isn't "something you have" it's "something you are". A key is something you have.

Re:Normal signature (0)

Anonymous Coward | more than 6 years ago | (#21206133)

Where is that used, pray tell?

There's plenty of POS cardreaders performing signature _capture_. No recognition being used at all.

I for one try to give them a different scribble every time as there are no requirements in place to protect your scanned signature.

Damnable Security! (5, Insightful)

roguetrick (1147853) | more than 6 years ago | (#21205505)

I wonder how many users will just end up drawing Stars, Hearts, and Smiley Faces?

Re:Damnable Security! (2)

Enderandrew (866215) | more than 6 years ago | (#21205573)

Exactly what I was thinking.

I have trouble drawing stick figures.

Re:Damnable Security! (1)

Kingrames (858416) | more than 6 years ago | (#21205831)

How many ways do you suppose you can draw flowers, hearts and smiley faces though? Recording where you start, where you end, and the position on the screen, and the size, and the shape...

It's bound to be more complex than a password the average user can create. And might be less susceptible to keylogger-type software.

Re:Damnable Security! (5, Funny)

insertwackynamehere (891357) | more than 6 years ago | (#21206019)

I smell pictionary attacks!!

Imagine pictures of common passwords/objects being drawn everywhere on the screen at different rotations and scales in rapid succession.. or just a brute forcer which didn't even make legible images 99% of the time

Re:Damnable Security! (1)

Dragonslicer (991472) | more than 6 years ago | (#21206395)

I wonder how many users will just end up drawing Stars, Hearts, and Smiley Faces?

Depends on how many of them had Lucky Charms for breakfast.

Re:Damnable Security! (1)

JonathanR (852748) | more than 6 years ago | (#21206455)

At least people with poor drawing skills won't be so keen to use a sticky note on their monitor to display their talents.

2 characters. (5, Insightful)

Kaenneth (82978) | more than 6 years ago | (#21205517)

Or you could add 2 alpha-numeric characters to an existing text password, for more than 1000 times security.

Re:2 characters. (1)

Faylone (880739) | more than 6 years ago | (#21205737)

assuming the system actually cares what the password entered is past the 8th or so character...

Re:2 characters. (1)

Bryan Ischo (893) | more than 6 years ago | (#21206071)

That's implied in what he said.

Re:2 characters. (3, Insightful)

Dirtside (91468) | more than 6 years ago | (#21205809)

Adding two alphanumeric characters (a-z, A-Z, 0-9, for 62 characters) would increase the keyspace by a lot (a factor of 3,844, to be precise), but it doesn't increase overall security by that much except against brute force attackers. It certainly doesn't make it a thousand times harder to shoulder-surf, or keylog, or social engineer, or...

hey apple fags! (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21205523)

you guys like sucking that steve jobs dick don't you? what a bunch of dumb faggots. hehehehehehe

More Secure? (2, Insightful)

56 (527333) | more than 6 years ago | (#21205527)

It seems to me that this would drastically increase the security of passwords from attack by machines but would make them more susceptible to attack from humans.

There are only so many places to start drawing your password on a picture and a human would recognize that. People would probably draw birds in the sky and dogs on the ground, right? Also, I would guess that people would make linear leaps with their pictures: someone will draw a bird, and not a fish, in a picture of a tree.

That said, I'm not saying that this isn't a worthwhile endeavor, just that it wouldn't necessarily be as secure as it looks at first glance.

Re:More Secure? (1)

springbox (853816) | more than 6 years ago | (#21206165)

Maybe that's the case for your average user who uses "1111" for their password, but other people (hopefully people on here) know the value of using varied, long, and unique passwords. That's why I plan to draw a rocket train blasting out of a hole in the bottom with a kitty cat for a conductor in each of my picture passwords.

Easy dictionary attack (3, Insightful)

Doppler00 (534739) | more than 6 years ago | (#21205557)

How many people will use a picture password of a stick man, tree, or a happy sun?

A thousand times huh? (0)

Anonymous Coward | more than 6 years ago | (#21205563)

Yeah right. Maybe a thousand times better than a Joe Sixpack "god/sex" password but no way this is better than a good text password. The key-space is way smaller than a regular text password.

This isn't good... (0)

Anonymous Coward | more than 6 years ago | (#21205565)

for those of us who couldn't draw Tippy to get into the Art school.

good for some, bad for some? (1, Redundant)

siddesu (698447) | more than 6 years ago | (#21205575)

IMHO this is pretty good for people who can do calligraphy reasonably well.

For example, to write Chinese characters properly, you need to remember the correct "stroke order" for each dash or dot in the character, and repeat it every time you write. The position where each stroke begins and ends is also fixed. It takes some training, discipline and drilling to learn writing like this though. For sloppy writers like me (I even had trouble writing pretty letters in school, mostly due to lazitude), this may not be such a good idea after all.

Especially if you have to do it with a mouse on a shiny surface ;)

As nice as this sounds... (5, Funny)

John Pfeiffer (454131) | more than 6 years ago | (#21205577)

...the reality is that this story should probably be tagged 'security through never-being-able-to-access-your-stuff-again'

lazy people (1)

Turn-X Alphonse (789240) | more than 6 years ago | (#21205595)

People would just use lines for their picture, cracking will become a game of battleships at best and at worst a program will play it for you.

Two serious problems (5, Interesting)

adminstring (608310) | more than 6 years ago | (#21205621)

1. An artistically-inclined person looking over your shoulder might be able to draw your image about as well as you can. With a conventional keyboard password, I can block the keyboard with my body so others can't see what I'm typing, and I can pretend to press keys that aren't in my password so even if they can see, they are thrown off. There is less you can do to block a screen you have to look at to draw properly.

2. Some people's hands shake when they've had too much caffeine, most people's fingers get stiff when they've been out in the cold, and some people have degenerative diseases which make typing a one-letter-at-a-time proposition. Drawing would be very difficult in all of these circumstances. Perhaps this is why TFA says that 5% of users couldn't recreate their image within three attempts a week after first coming up with it.

I don't think this technology is going anywhere any time soon.

New password == old password? (5, Funny)

Rodyland (947093) | more than 6 years ago | (#21205645)

8==D


Who'd have guessed you could use the same password in both systems?

Re:New password == old password? (5, Funny)

VGPowerlord (621254) | more than 6 years ago | (#21205799)

Password isn't long enough.

And that's from the graphical login system! :P

I HAVE A BETTER IDEA (0)

TheBearBear (1103771) | more than 6 years ago | (#21205649)

How about a little mini game, where your actions make up the password...like...jumping on X car and shooting a sign at X height and dragging the sweater under a sign, when the timer hits X:XX....or some crazy combination like that. You know, just like how we would unlock stuff or get extra lives by doin weird random things in Super Mario Brothers or any other kind of video game. I think this is WAAAY MORE secure if you add this on top of a text password. With what I just described above you can do things so many different ways!!

Re:I HAVE A BETTER IDEA (0)

Anonymous Coward | more than 6 years ago | (#21206079)

what sweater?

Re:I HAVE A BETTER IDEA (1)

EEBaum (520514) | more than 6 years ago | (#21206473)

What if you're having an off day and can't manage to get 5000 points on the flag?

DDR Passwords (5, Funny)

iago (4917) | more than 6 years ago | (#21205707)

At least my idea for a Dance, Dance, Revolution password authentication scheme is still intact.

Patent pending, patent pending, patent pending.

How to reset? (0)

Anonymous Coward | more than 6 years ago | (#21205721)

I'm a sysadmin. A user calls me and says "I forgot my password". How do I reset it? After confirming the person's identity yada yada, saying "I've reset your password to 'somepassword'" is easy. How do you say "Your new password is a flower. No, not a daisy - more like a poppy, or maybe a droopy rose. The stamen is just a little squiggle. Maybe a couple of squiggles - not very large. Little dots on top. Don't forget the stem. I added a little flourish of wild grasses because I thought that would look nice. OK, let's give up on that one. Do you like monster trucks?"

What would the image equivalent of 'pwgen -s -y' create for me?

Johnny Mnemonic (1)

Dr Floppy (898439) | more than 6 years ago | (#21205727)

Anyone remember that they used pictures as passkeys in Johnny Mnemonic, that crazy movie with Keanu Reeves?

A couple of problems (1)

mutex_lock (1183099) | more than 6 years ago | (#21205729)

1. "People possess a remarkable ability for recalling pictures": If anybody ever accidentally sees you drawing your passgraphics, it will be easy for him/her to remember what you drew.

2. People are not good at recreating the exact same movements every time. While different versions of my natural signature look similar, they are never exactly the same. The software will need to be able to cope with that. How well that works you can experience with any device using a stylus detecting handwritten characters. It typically takes me two to three attempts to enter my password on my handheld correctly that way.

What's so new about the concept? It's not really different from zig-zagging over a keyboard creating an arbitrary password.

Silly Mr. Powers... (0)

Anonymous Coward | more than 6 years ago | (#21205735)

Sharks with frickin' laser beam are one MILLION times more secure.

Great... (0)

Anonymous Coward | more than 6 years ago | (#21205753)

Because "penis" wasn't a common enough password before...

Pictures without doodling (1)

taybay (935207) | more than 6 years ago | (#21205767)

I've seen other instances of picture passwords, but instead of doodling on them, a series of points were clicked on the picture. The user would have to remember the areas clicked and the order in which they were selected. This seems faster, more secure and less prone to error than drawing a picture just to log in to something.

Is it that bloody hard to remember "1 2 3 4 5"? (1)

jpellino (202698) | more than 6 years ago | (#21205779)

All this hifalutin tech to solve a simple problem. Sheesh.

Just a thought ... (1)

CoderDog (782544) | more than 6 years ago | (#21205795)

How many ways are there to sign in with an X?

Doesn't the iphone have accelerometers? It's no great feat to foresee that becoming very popular. Why not have the phone/pda/palmtop differentiate dance moves? If you can't do the Fox Trot, maybe master hopping on one foot. Of course, it oughta be smart enough to tell which foot, jump height etc.

The hopping password might be really handy. When someone tries to mug you and your iphone won't accept your sign-on to transfer the extortion amount to their account, you can say ... oh something like, "Oops! I'm a little short today", with total confidence.

Been there. Done that. (3, Interesting)

Kainaw (676073) | more than 6 years ago | (#21205883)

If you remove the background picture and the act of displaying what you draw to everyone within eye-shot, I've already done that at http://shaunwagner.com/index.html?page=Projects%2FJavascript%2FMouse+Password [shaunwagner.com]

Does it work? No. It is far too difficult to draw the same image twice without seeing what you are drawing. If you can see what you are drawing, so can everyone else - then they can draw the same image.

I call bullshit (1, Funny)

Anonymous Coward | more than 6 years ago | (#21205959)

I bet I could crack 75% of these right off the bat by drawing a cock or boobs.

Similar Idea for PalmOS - Prior Art? (2, Informative)

jerel (112066) | more than 6 years ago | (#21205963)

Back when I depended on my Palm III for keeping track of my schedule and contacts, I also stored credit card numbers and passcodes etc. that needed to be secure. I purchased a product called OnlyMe [tranzoa.com] which allowed pseudo-graphical entry of passwords. They encouraged you to enter a password using a series of strokes without lifting your stylus. From their site:

To allow extremely quick and easy password input, OnlyMe's keys allow you to "press" them without lifting your stylus from the surface of the device! You may choose a password composed of keys that allow you to enter the password as one, quick sweep of the stylus - a single gesture of your own design. This quick sweep of the stylus may start from or go outside the bounds of the OnlyMe "window." ... For a high level of security, we recommend that you use two gestures of at least four keys each. With this level of security, an intruder's best bet for accessing your data is to contract with someone with specialized knowledge to access the device's memory.
FWIW, IANAC but I estimate that using their two-gesture recommendation would result in something over 2 million possible passwords. This is a great piece of software and well worth $20 for anybody still using one of these for anything important.

It's a small conceptual leap to go from this 1998 stroke-based password idea to the present idea of drawing a picture to capture strokes which are then turned into a password. Looks like prior art to me!

25+KB vs 9-18 bytes, no #$@$ Sherlock.. (1)

plasmacutter (901737) | more than 6 years ago | (#21205981)

your average forum avatar is 25kilobytes

your average good alphanumeric password is 9-18 bytes

guess which one would be harder to crack, even with a "fuzzy" range

Re:25+KB vs 9-18 bytes, no #$@$ Sherlock.. (1)

mcpkaaos (449561) | more than 6 years ago | (#21206439)

How many of those KB are for color?

So many problems (1)

Bryan Ischo (893) | more than 6 years ago | (#21206039)

"The most exciting feature is that a simple enhancement simultaneously provides significantly enhanced usability and security."

I fail to see how this idea could even *remotely* be construed as providing "significantly enhanced usability". The security aspect is at least arguable (and I actually don't buy that either), but in no way, shape or form could such an idea *ever* be called "more usable." Consider:

* It takes me about a second to type a password. How long would it take me to move my mouse pointer to the appropriate spot on the screen to start my "picture" and then draw it? Wouldn't a more secure "password" require more strokes? An extra character or two in your password takes a fraction of a second to type. A couple of extra strokes in a picture would necessarily take *much* longer to complete.

* What happens if I make a stroke in the picture wrong? I can't just delete it. *Maybe* I could if I was provided some kind of eraser, and the stroke that I messed up on didn't intersect any other strokes. I've erased pen strokes with the Gimp and other such tools; it's no fun. You have to zoom way in and carefully and slowly erase all of the pixels you touched without disturbing any others. What a pain. Or maybe the password-picture input system would have a stroke-by-stroke undo kind of like the Gimp has? My god, what a complex piece of software one's password input route has just become!

* Just about every human-computer interface ever invented has the ability to take text input from the user. So typed passwords are *always* an option. Not every interface allows you to draw pictures, however. How am I going to enter my SSH password (or its picture equivalent) from a VT100 terminal?

I could go on and on. This is basically a really, really stupid idea, which I think is obvious to just about everyone. This will absolutely never catch on, and never make it past this guy's thesis or whatever academic setting it came from.

Sounds like Kanji (1)

MBHkewl (807459) | more than 6 years ago | (#21206073)

Their idea sounds like a rip-off from Kanji, the Chinese characters; Those learning the calligraphy must draw the words according to certain strokes in a certain order & way.
But seriously, the basic Kanjis are around 3000! So, unless we all start using that "new" password method from kindergarten to train ourselves, it would just result in way too many locked accounts & miserable users & support teams!

Most idiots will still just draw an X. (1)

jon287 (977520) | more than 6 years ago | (#21206075)

Idiots will still just draw an X. Most passes will be easy to brute force with simple dictionary-like lists.

Duh.. (1)

zcat_NZ (267672) | more than 6 years ago | (#21206115)

Here's a headline for you;

"Public Key Authentication more secure than Picture Passwords"

Besides picture passwords are as annoying as hell, require a GUI and mouse, and aren't really all that much more secure than plain text passwords. You can still brute-force the picture sequence. You can still pick them up sniffing the network, you just need to be about three times smarter than a rock instead of barely smarter than a rock.

I'll take ssh authorized_keys over picture passwords any day.

No Asterisks! (1)

MBHkewl (807459) | more than 6 years ago | (#21206141)

In current password fields, we at least get asterisks to hide the text we're writing, but with a picture to be drawn: People can see the picture, the background & the way you're drawing that picture!

You call this security enhancement?!?

The "new" method only works if you only login from your house, away from prying eyes, and never ever use it outside. Add to that, it makes social engineering hacking attempts much easier.

Stupid idea.

Such marketing bullshit. (1)

ACK!! (10229) | more than 6 years ago | (#21206203)

"thousand times more secure than ordinary textual passwords. "

Sure, but like half the posters have already said, you are going to have 80% of end lusers drawing happy faces, smileys and stick figures with giant cocks. Easy to dup and a thousand times less secure than a regular pass.

Plus the problem with the signature recognition people have talked about in other posts is that the tools already available at retail stores all suck nuts. You ever try signing your name for a credit card transaction?

It never looks right or feels right and it always looks screwed up different every single time.

Whatever happened to Wizard Codes? (1)

rrohbeck (944847) | more than 6 years ago | (#21206267)

Many years ago we did authentication this way:
The system displays a long random number (e.g. 40 digits) plus some tick marks. You pick certain digits, do a simple operation with them, and enter the result. E.g. (5th digit + 2nd digit) * 12th digit. We did that after a normal password.
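The "wizard code" step described in that comment, written out as a challenge-response check. This is an added example, not the commenter's system or any product: the server issues a random digit string, the user's secret is a rule over digit positions (the constructed rule here is (5th + 2nd) * 12th, 1-based, as in the comment), and the server recomputes the expected answer. The 40-digit length, session handling and names are constructed.

```python
"""
Added example (not the commenter's system): a challenge-response second step.
The user's secret is a rule over positions of a random digit string shown by
the server; the server knows the same rule and recomputes the expected answer.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

CHALLENGE_DIGITS = 40   # the comment mentions a number of roughly 40 digits


@dataclass(frozen=True)
class WizardRule:
    """The secret: three 1-based digit positions fed into (d[a] + d[b]) * d[c]."""
    a: int
    b: int
    c: int

    def apply(self, challenge: str) -> int:
        d = [int(ch) for ch in challenge]
        return (d[self.a - 1] + d[self.b - 1]) * d[self.c - 1]


def new_challenge(n_digits: int = CHALLENGE_DIGITS) -> str:
    """Fresh unpredictable digits for every login attempt (secrets, not random)."""
    return "".join(str(secrets.randbelow(10)) for _ in range(n_digits))


def verify_response(rule: WizardRule, challenge: str, response: str) -> bool:
    expected = str(rule.apply(challenge)).encode()
    return hmac.compare_digest(expected, response.strip().encode())


class WizardAuthenticator:
    """
    Holds one outstanding challenge per session and consumes it on check, so a
    captured answer cannot be replayed. Answers range only over 0..162, so a
    blind guess succeeds about once in 163 tries: this step only adds value
    after a real password and with attempt limiting, which is how the comment
    describes it being used.
    """

    def __init__(self, rule: WizardRule) -> None:
        self._rule = rule
        self._pending: Dict[str, str] = {}

    def issue(self, session: str) -> str:
        chal = new_challenge()
        self._pending[session] = chal
        return chal

    def check(self, session: str, response: str) -> bool:
        chal: Optional[str] = self._pending.pop(session, None)  # single use
        if chal is None:
            return False
        return verify_response(self._rule, chal, response)


if __name__ == "__main__":
    rule = WizardRule(5, 2, 12)          # constructed secret rule
    auth = WizardAuthenticator(rule)
    chal = auth.issue("session-1")
    answer = str(rule.apply(chal))       # what the user would work out by hand
    print("challenge:", chal)
    print("first use accepted:", auth.check("session-1", answer))
    print("replay accepted:", auth.check("session-1", answer))
```

The `check` method pops the challenge before comparing, so a correct answer is accepted once and a second submission against the same session fails until a new challenge is issued.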

Let Me Guess ... (1)

jetpack (22743) | more than 6 years ago | (#21206491)

So, according to the movie "Hackers", the most common passwords are "god," "sex," "love" and "secret."

With this pass-image scheme, the favorite pass-images will be what? Boobs, penises, and goatse.cx?

Post-it factor.... (1)

whatevah (1130459) | more than 6 years ago | (#21206499)

I fail to see how this eliminates the "post-it" factor.

After all, I thought that was the biggest problem with passwords.

First there were letters, now there will be ... drawings?

hmmm....

Picture Passwords (1)

the_tsi (19767) | more than 6 years ago | (#21206501)

... wasn't that a show on Nickelodeon with Bill Cosby? He'd show you his password for various systems, and make silly sound effects to go with whatever sort of line he was drawing. It had a theme song: Picture Passwords, Picture Passwords, lots of fun with Picture Passwords, lots of fun with crayons and with pencils!