
Microsoft Wants To Give You A Rorschach

ScuttleMonkey posted more than 6 years ago | from the sticky-note-to-put-on-your-monitor dept.


Preedit writes "Microsoft has set up a website that uses inkblot images to help users create passwords. The site asks users view a series of inkblots and write down the first and last letters of whatever word they associate with each inkblot. Then they combine the letters to form a password. Microsoft claims it's a way to create passwords that are easy to remember but hard to crack. But a word of warning, the story notes that Microsoft is collecting and storing users' word associations."


223 comments

this can't be a first post (-1, Offtopic)

hotair (600117) | more than 6 years ago | (#21589775)

this can't be a first post, can it? How dumb, but I figured I'd try for one since I got lucky.

Not sure this will help (5, Funny)

Qzukk (229616) | more than 6 years ago | (#21589781)

view a series of inkblots and write down the first and last letters of whatever word they associate with each inkblot. Then they combine the letters to form a password.

I got vavavapsva.

More seriously, if they're saving the word associations, doesn't that mean that they have the password you've just generated?

P**n (1, Funny)

EmbeddedJanitor (597831) | more than 6 years ago | (#21589803)

It all looks like porn to me!

Re:P**n (5, Interesting)

ShieldW0lf (601553) | more than 6 years ago | (#21590263)

I usually suggest to people that they come up with a positive self talk phrase, take the first letter of each word, then replace a letter with a number that resembles it.

Something like "I am a happy person who loves their life." turns into "Iaahpwlt1", which is long, contains numbers and letters and no dictionary words whatsoever.

You end up repeating it to yourself every time you log in, which serves double duty as both a mnemonic device and a way to preserve your positive attitude.
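The phrase-to-password rule in the comment above, worked through as an added Python example (this is not ShieldW0lf's code and not anything from the inkblot site). Take the first character of each word, then swap the last letter that has a lookalike digit for that digit. The lookalike table and the "last substitutable letter" choice are this example's assumptions, since the comment only says "replace a letter with a number that resembles it"; the small word list is constructed here to stand in for a cracking dictionary so the "no dictionary words" claim can actually be checked.

```python
import re
import string

# Assumption: which letters get a lookalike digit, and which digit. The
# comment only says "a number that resembles it".
LOOKALIKE_DIGITS = {"a": "4", "b": "8", "e": "3", "g": "9", "i": "1",
                    "l": "1", "o": "0", "s": "5", "t": "7", "z": "2"}

# Constructed word list standing in for a cracking dictionary (example data).
SAMPLE_DICTIONARY = {"happy", "person", "love", "life", "password",
                     "windows", "vista", "genuine"}


def mnemonic_password(phrase: str, substitute: bool = True) -> str:
    """First character of every word (digits kept, punctuation dropped).
    With substitute=True the last letter that has a lookalike digit is
    replaced by it; that is this example's reading of the comment's rule."""
    tokens = re.findall(r"[A-Za-z0-9]+", phrase)
    chars = [tok[0] for tok in tokens]
    if substitute:
        for i in range(len(chars) - 1, -1, -1):
            digit = LOOKALIKE_DIGITS.get(chars[i].lower())
            if digit is not None:
                chars[i] = digit
                break
    return "".join(chars)


def character_classes(password: str) -> set:
    """Which of the four usual character classes the password contains."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def contains_dictionary_word(password: str, words, min_len: int = 4) -> bool:
    """True if any dictionary word of at least min_len letters appears as a
    substring, case-insensitively: the 'no dictionary words' claim, checked."""
    low = password.lower()
    return any(w in low for w in words if len(w) >= min_len)


if __name__ == "__main__":
    pw = mnemonic_password("I am a happy person who loves their life.")
    print(pw, sorted(character_classes(pw)),
          contains_dictionary_word(pw, SAMPLE_DICTIONARY))
```

The dictionary check passes for the comment's example, but note what the check does not measure: the guessing cost of such a password is bounded by how predictable the source phrase is, not by the nine characters it produces, and cracking tools do model first-letter mnemonics of common phrases.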

I get it (2, Funny)

EmbeddedJanitor (597831) | more than 6 years ago | (#21590495)

WIuVIftWGA2p0:"When I use Vista I feel the Windows Genuine Advantage 2 point 0"

You're right, I feel better already! Wow, everything feels faster! Any more exclamations and I'd be using Yahoo!!

Re:Not sure this will help (3, Funny)

skeevy (926052) | more than 6 years ago | (#21589829)

vulva vulva vulva penis vulva?

I'm not sure whether I should be afraid of your mind or the site...

Re:Not sure this will help (5, Funny)

BarryJacobsen (526926) | more than 6 years ago | (#21589889)

vulva vulva vulva penis vulva? I'm not sure whether I should be afraid of your mind or the site...

Really? I'm not sure whether I should be afraid of his mind or immediately go to the site...

Re:Not sure this will help (2, Funny)

DeepHurtn! (773713) | more than 6 years ago | (#21590595)

A /.er, scared of genitalia...? I guess this proves the saying about people being scared of the unknown!

Re:Not sure this will help (2, Funny)

Chapter80 (926879) | more than 6 years ago | (#21590059)

view a series of inkblots and write down the first and last letters of whatever word they associate with each inkblot. Then they combine the letters to form a password.

I got ********.

Mine is h2h2h2h2. [bash.org]

Re:Not sure this will help (0)

icepick72 (834363) | more than 6 years ago | (#21590395)

doesn't that mean that they have the password you've just generated?


No because the article says the user uses the first and last letters of the words for the password.

Re:Not sure this will help (1)

ceoyoyo (59147) | more than 6 years ago | (#21590549)

And how is that easier to remember than another password? It's also less secure... words in any particular language will preferentially start and end with certain letters.

Obligatory Emo Philips (4, Funny)

LoverOfJoy (820058) | more than 6 years ago | (#21590643)

"Emo, what does this inkblot look like to you?"

I said, "Oh, it's kind of embarrassing."

He said, "Emo, everyone sees something, so don't be embarrassed. Tell me what the inkblot looks like to you."

I said, "Well, to me it looks like standard pattern #3 in the Rorschach series to test obsessive compulsiveness." And he gets kind of depressed.

I said, "Okay, it's a butterfly." And he cheers up.

He said, "What does this inkblot look like?"

I said, "It looks like a horrible ugly blob of pure evil that sucks the souls of man into a vortex of sin and degradation."

He said, "No, um, the inkblot's over there. That's a photo of my wife you're looking at."

"Oh," I said, "was I far off?" He said, "No. That's the sad part."

I'm shocked!!! (4, Funny)

b17bmbr (608864) | more than 6 years ago | (#21589785)

microsoft is collecting and storing the data. holy crap, batman, what next. the joker has plans to take over gotham city?

Re:I'm shocked!!! (2, Insightful)

calebt3 (1098475) | more than 6 years ago | (#21590267)

Even if MS said that they weren't keeping the data, I'm not sure anybody would believe them.

Re:I'm shocked!!! (0)

Anonymous Coward | more than 6 years ago | (#21590503)

microsoft is collecting and storing the data. holy crap, batman, what next. the joker has plans to take over gotham city?

OMFG! And they intend to do EEEEVIL things with it, right, "Clueless Parent"?!?!

What evil things, you might ask?

Um... I don't really know, but I read a web article on ASP.NET once, and I happen to *hate* (HATE!!!) neo-cons, so I'm guessing that they're going to use it (somehow) to create a machine that grinds up helpless homeless Democrats into dust and uses that dust to clog up the exhaust fans of Linux-based server machines to further their goal of creating a Global NeoConservative Microsoft Conglomerate Hate-ocracy!

(heh. The funny thing is that if this comment wasn't satiric, and only like one iota less ridiculous, it would get modded +5 Insightful.)

Slight problem with this approach (4, Insightful)

Enlarged to Show Tex (911413) | more than 6 years ago | (#21589795)

This method will not create passwords that are strong enough. A truly strong password should have at least three of the following, if not all four:

Uppercase letters
Lowercase letters
Numbers
Non-Latin characters (i.e. symbols)

Every password I use has at least three, even for free-registration-required sites...

Re:Slight problem with this approach (5, Funny)

oahazmatt (868057) | more than 6 years ago | (#21589967)

This method will not create passwords that are strong enough.

That's why I use the inkblot test, run it through a script that converts random letter combinations to MD5, convert 25% of that end result to l33t, and then randomly add a non-latin character at two locations within that result. I then write it down on my desk calendar.

Re:Slight problem with this approach (0)

Anonymous Coward | more than 6 years ago | (#21589981)

Present user with a randomized virtual keyboard that maps clicked letters to other letters/symbols/numbers. The keyboard functions as a one time key.

Re:Slight problem with this approach (4, Insightful)

TubeSteak (669689) | more than 6 years ago | (#21589999)

A truly strong password should have at least three of the following, if not all four:

Only if there's a maximum character limit on the password.

Or are you going to tell me that
"atrulystrongpasswordshouldhaveatleastthreeofthefollowingifnotallfour"
is not a strong password?

I'm not suggesting everyone should use such a long pass, but what's so hard about implementing passphrases instead of passwords?

Re:Slight problem with this approach (1)

DoubleRing (908390) | more than 6 years ago | (#21590449)

Or are you going to tell me that
"atrulystrongpasswordshouldhaveatleastthreeofthefollowingifnotallfour"
is not a strong password?

You know, now that you've said that, everyone is going to use it.

On another note, it would be entertaining wouldn't it. Kind of like making your password "OMFG, how did you guess my password!?"

Re:Slight problem with this approach (1)

ChrisMounce (1096567) | more than 6 years ago | (#21590499)

Or are you going to tell me that
"atrulystrongpasswordshouldhaveatleastthreeofthefollowingifnotallfour"
is not a strong password?


Well, no, now that you've publicly posted it as an example of a strong password.

Re:Slight problem with this approach (5, Interesting)

zsouthboy (1136757) | more than 6 years ago | (#21590541)

I also highly suggest, right now, that everyone change your passwords to currentpassword x 3 or 4, or more:

For example, is passwordpasswordpassword any harder to remember than just password?

But it greatly expands the key space to be searched for anyone trying to brute force...

Re:Slight problem with this approach (1)

master5o1 (1068594) | more than 6 years ago | (#21590627)

atrulystrongpasswordshouldhaveatleastthreeofthefollowingifnotallfour
ATR_ULYstrongpass_wordSHOULDha_veATleast3ofTHEfoll_owingifnotall4 Much better?

Re:Slight problem with this approach (1)

Asm-Coder (929671) | more than 6 years ago | (#21590689)

Sometimes though, only the first 8 characters actually mean anything, which results in your password being very weak.
 
(Try it, it really works on some websites!)

Re:Slight problem with this approach (2, Insightful)

Rakishi (759894) | more than 6 years ago | (#21590009)

A truly strong password should have at least three of the following, if not all four:

Not really, you can just make your password longer and you are just as secure.

Re:Slight problem with this approach (2, Informative)

eldavojohn (898314) | more than 6 years ago | (#21590027)

That's not the only problem. If you read the research paper [microsoft.com][PDF Warning] from 2004 (pretty old stuff actually), they state:

In both experiments, users missed at most one association, even after having not used the system for one week. Thus it may be advisable to modify the system to allow for successful authentications when k out of a possible n associations are correct. Assuming that all blots produce an equal distribution on responses, this reduces the security of passwords to the level of the original system with only k blots. Therefore, it might be advantageous for users to have to enter associations for more blots. A disadvantage of this approach, however, is that authentication would take longer.

Also of interest is their conclusion:

Our preliminary data suggest that inkblot authentication offers a potentially significant improvement over existing widely-deployed user authentication mechanisms. In addition to gathering our quantitative results, we also asked users who had taken part in our experiments for their comments on the system. In almost all cases we received the same response: the users were happily shocked that they could remember such a "huge password." In fact, many users asked if there were any plans to allow the use of the system in their production environment. This kind of positive user experience is arguably as important to the eventual adoption, acceptance and scrupulous use of an alternative password system as any measure of security. More experiments would help confirm or discount our security and memorability results, and could answer such questions as: How many inkblots (that is, how much entropy) can be used before the resulting passwords are no longer memorable? What is the best way to help users retain their inkblot associations? What inkblot-to-character hash function generates the most entropy without sacrificing ease of use? And what inkblot generation algorithms create inkblots with the highest-entropy (or the fewest low-entropy) association spaces?
While inkblot authentication should be quite easy to deploy in a wide variety of settings, there exist some environments (such as devices with tiny screens) where it is unworkable, and alternatives are needed. Adapting the inkblot password scheme to other password-using contexts, such as those in which the user interface is under the control of a (possibly uncooperative or legacy) application, may also require some innovative thinking.
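The k-of-n relaxation the quoted paper discusses, worked numerically as an added Python example (this is not the paper's or Microsoft's code). It assumes a verifier that answers only accept or reject, and an attacker whose guess for each blot is a uniform draw from m possible answers; with two letters per blot, m = 26**2 = 676 is the ceiling the paper's equal-distribution assumption implies. Besides confirming that accepting k of n drops the work factor to roughly k blots' worth, it answers the follow-up the paper raises: how many extra blots buy the lost bits back.

```python
import math
from math import comb


def p_accept_one_guess(n: int, k: int, m: int) -> float:
    """Probability that one random guess (each of the n blots answered
    uniformly from m possibilities) matches at least k stored associations.
    The verifier only says accept/reject, so the attacker gets no per-blot
    feedback and every guess is an independent trial with this probability."""
    p = 1.0 / m
    return sum(comb(n, j) * p ** j * (1 - p) ** (n - j)
               for j in range(k, n + 1))


def effective_bits(n: int, k: int, m: int) -> float:
    """-log2 of the per-guess success probability, i.e. the work factor in
    bits. For k == n this is exactly n * log2(m); for k < n it is a little
    under k * log2(m) because any k of the n blots may be the matching ones."""
    return -math.log2(p_accept_one_guess(n, k, m))


def blots_needed(target_bits: float, misses_allowed: int, m: int,
                 max_blots: int = 200) -> int:
    """Smallest n such that accepting n - misses_allowed correct blots still
    costs the attacker at least target_bits of work."""
    for n in range(misses_allowed + 1, max_blots + 1):
        if effective_bits(n, n - misses_allowed, m) >= target_bits:
            return n
    raise ValueError("no n <= %d reaches %.1f bits" % (max_blots, target_bits))


if __name__ == "__main__":
    m = 26 ** 2                                   # two letters per blot
    full = effective_bits(10, 10, m)              # all 10 must match
    relaxed = effective_bits(10, 9, m)            # 9 of 10 accepted
    print("10 blots, exact match: %.1f bits" % full)
    print("10 blots, 9-of-10:     %.1f bits" % relaxed)
    print("blots for %.1f bits allowing one miss: %d"
          % (full, blots_needed(full, 1, m)))
```

With these assumptions, ten blots drop from about 94 bits to about 81 when one miss is tolerated, and twelve blots are needed to get back above 94 bits; the paper's "take longer to authenticate" trade-off is two extra inkblots, not one.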

Re:Slight problem with this approach (2, Insightful)

PresidentEnder (849024) | more than 6 years ago | (#21590043)

26^10 > 95^5. Even if you restrict your password to only a few characters, you can get the same level of security as with many characters. You just need far more of them. Think about it: when we strip off all of our abstractions, everything is stored as 1s and 0s, right? (Note: Parent's point is good and right, if your password must be short, or you don't want to spend time doing the inkblot test, or you don't want to have to remember 90 characters.)

Re:Slight problem with this approach (3, Insightful)

ChatHuant (801522) | more than 6 years ago | (#21590241)

This method will not create passwords that are strong enough. A truly strong password should have at least three of the following, if not all four:
Uppercase letters
Lowercase letters
Numbers
Non-Latin characters (i.e. symbols)


That's just not true. Admins request this kind of nonsense to force a bigger password space with shorter passwords. Informally, the security of your password is given by the number of random bits you have. With ASCII passwords using only lowercase letters, you're adding less than 5 bits of randomness per character. Even worse, most people use real words as passwords, so they can remember them easily. That reduces the randomness even more and makes dictionary attacks feasible. Adding uppercase, numbers and symbols gives you an extra bit or two of randomness per character, but makes the password much more difficult to remember.

Microsoft's method works around the password memorization by using the inkblots. The security is given by the much larger size of the resulting password. They get a password of 20 lowercase characters, say about 100 bits of randomness (less than that, because not all letter combinations are equiprobable - very few words I know begin and end with a q for example). A totally random password consisting of a mix of 10 symbols, numbers and different cased letters only gives you a bit less than 70 bits of randomness.
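The bit-counting in the comment above, carried through as an added Python example (not the paper's or Microsoft's code). The uniform calculation is the standard length times log2(alphabet) figure. The second part estimates what the inkblot scheme actually yields per blot by measuring the entropy of (first letter, last letter) pairs over a word list, since, as the comment notes, those pairs are far from uniform over the 676 possibilities. The word list is constructed for the example and is much smaller than a real association space, so its numbers illustrate the method rather than the scheme; the min-entropy figure is the one a guessing attacker cares about, because it reflects the most common pair rather than the average.

```python
import math
from collections import Counter

# Constructed list of plausible inkblot associations (example data only).
SAMPLE_ASSOCIATIONS = [
    "butterfly", "bat", "boat", "moth", "mask", "face", "crab", "cat", "coat",
    "bear", "bird", "beetle", "spider", "skull", "flower", "wolf", "dog",
    "rabbit", "dragon", "angel", "heart", "cloud", "tree", "lamp",
]


def uniform_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password chosen uniformly from alphabet_size ** length."""
    return length * math.log2(alphabet_size)


def pair_distribution(words):
    """Probability of each (first letter, last letter) pair when the
    association word is drawn uniformly from `words`."""
    counts = Counter((w[0].lower(), w[-1].lower()) for w in words)
    total = sum(counts.values())
    return {pair: c / total for pair, c in counts.items()}


def shannon_bits(dist) -> float:
    """Average information per pair."""
    return -sum(p * math.log2(p) for p in dist.values())


def min_entropy_bits(dist) -> float:
    """-log2 of the most likely pair: what bounds a best-guess-first attacker."""
    return -math.log2(max(dist.values()))


def inkblot_password_bits(words, blots: int):
    """(Shannon, min-entropy) bits for `blots` independent blots, each
    contributing one first/last letter pair drawn from the distribution."""
    dist = pair_distribution(words)
    return blots * shannon_bits(dist), blots * min_entropy_bits(dist)


if __name__ == "__main__":
    print("20 lowercase letters, uniform: %.1f bits" % uniform_bits(26, 20))
    print("10 chars from 95 printable:    %.1f bits" % uniform_bits(95, 10))
    print("10 blots, uniform pairs:       %.1f bits" % uniform_bits(26 ** 2, 10))
    h, hmin = inkblot_password_bits(SAMPLE_ASSOCIATIONS, 10)
    print("10 blots over sample words:    %.1f Shannon, %.1f min-entropy"
          % (h, hmin))
```

Two things to take from running it: 20 uniformly random lowercase letters are just over 94 bits and 10 uniformly random printable characters just under 66, so 14 random lowercase letters already beat the 10-character mixed-class password; and once pair frequencies are measured instead of assumed uniform, each blot is worth well under the nominal 9.4 bits, which is the caveat the comment raises about q-words made concrete.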

Re:Slight problem with this approach (1, Interesting)

Anonymous Coward | more than 6 years ago | (#21590351)

To expand on what another user said, your post is ignorant at best. Methinks you should buy and read Simon Singh's The Code Book. Pay particular attention to some of the reasons the Brits were able to break the daily encryption on the Enigma over and over.

Any restrictions on what can go in any "slot" (e.g. character number 3) in a password seriously weakens the password of that length, by extension saying that a password must have at least one character from a restricted set of normally allowed characters likewise weakens it, not strengthens.

Like another respondent said, if you want a stronger password, make it longer. Your approach, as common wisdom so often is, is flawed.

Re:Slight problem with this approach (1)

davidsyes (765062) | more than 6 years ago | (#21590407)

Turn the entire, pulse-thumpin' body into the password.

Or, derive the password from one of those machines kids dance to in malls. Lens overhead, objects move, then feet keep up. How you jiggle and wiggle structures your password. This might be safe for OLPC.

But, adult-oriented password/action access can be derived from thrust-n-strut gyrations, maybe in a chair. Sorta like responding to a lapdance (without touching the computer) to eventually gain access to the computer's ass sets. This might be safe for cubicle workers. But, not for musical-chairs workers in lobbies...

Now, anyone trying to break (or break dance to) someone else's password will have to grind away..., with the best passwords deriving from wholly unholy, undignified umm undignified origins.

OTOH, maybe mshaft can come up with "Poke-a-dot to access your computer"...

Re:Slight problem with this approach (1)

ceoyoyo (59147) | more than 6 years ago | (#21590589)

Thank you, you've just weakened your password.

A truly strong password MAY have all of those. If you REQUIRE that it do so, then you weaken the password.

Re:Slight problem with this approach (0)

Anonymous Coward | more than 6 years ago | (#21590675)

And of course then you have to write down the password or store it somewhere on your computer to remember it, which is how a lot of passwords are stolen in the first place.

Hmmmm .... (4, Interesting)

gstoddart (321705) | more than 6 years ago | (#21589805)

From TFA:

"A century of psychological literature indicates that inkblot associations are intimately personal, and our own user studies verify that users almost always describe the same inkblots quite differently"

So, psyche 101 was a long time ago, and that's the extent of my exposure to it.

Do individual people respond to the same inkblots, the same way over time? Or might I see the same splotch in 3 months and associate something else with it? If there's drift over time, this wouldn't be such a good idea.

Anyone with a better schooling in human psychology care to chime in?

Cheers

Re:Hmmmm .... (1)

foobsr (693224) | more than 6 years ago | (#21590119)

inkblot associations are intimately personal, and our own user studies verify that users almost always describe the same inkblots quite differently

Rorschach = crap if considered as a psychological test (reliability, validity near to non-existent).

Do individual people respond to the same inkblots, the same way over time?

No (low retest reliability).

Only for those who practice psychology like a religion.

CC.

Re:Hmmmm .... (2, Interesting)

dgatwood (11270) | more than 6 years ago | (#21590147)

I don't know, but about three years ago, I recall suggesting the use of non-abstract images and measuring the brain's electrical response to determine a map of the user's response to a given stimulus. After the system was trained properly, you could use that to be a really, really solid passphrase; while your brain may react a bit differently to images over time, it isn't likely to react dramatically differently for the most part (except maybe after head trauma or something similarly extreme). This seems like a somewhat more practical way of doing the same basic thing.

I would expect your reactions to differ over time, but I would not expect them to change dramatically in a short period of time, and that's the key to such a system. As I said way back then, as long as you log in periodically, such a system can use a learning algorithm to conclude with a high degree of probability whether it is the same person and then adjust its notion of the password as it goes along. Whether Microsoft will do this or not remains to be seen.

Re:Hmmmm .... (1)

s.bots (1099921) | more than 6 years ago | (#21590149)

If it's straight, it's a penis. If there are curves, it's a vagina. If you see neither a penis nor a vagina, see a psychiatrist.

Re:Hmmmm .... (1)

hhr (909621) | more than 6 years ago | (#21590221)

Your questions are their questions. This is a research project and not a production service. They are collecting data to find the answers.

Re:Hmmmm .... (1)

pluther (647209) | more than 6 years ago | (#21590319)

Do individual people respond to the same inkblots, the same way over time? Or might I see the same splotch in 3 months and associate something else with it?

Yes, they change over time. It is common to use the same test several months apart to gauge the effectiveness of ongoing therapy.

In the actual Rorschach ink blot test, what you see is almost immaterial compared to how you see it. If this system uses its own inkblots it is likely that some of them are particularly evocative of specific images (even the "official" Rorschach blots have that problem, even after being specifically chosen not to). In that case, many users may come up with the same characters, which would further reduce the effectiveness.

Disclaimer: IANAP, either.

Don't do it... (5, Funny)

daninspokane (1198749) | more than 6 years ago | (#21589815)

The blots are coded to shut your brain down if you don't have a valid regkey.

Re:Don't do it... (1)

sm62704 (957197) | more than 6 years ago | (#21589933)

Holy shit, you're right! They all look like women [slashdot.org] (or their private parts) to me!

-mcgrew

Re:Don't do it... (1)

Arcane_Rhino (769339) | more than 6 years ago | (#21590207)

Yeah. But don't feel bad. They're the ones who are showing you all the dirty pictures.

I have actually always been more intrigued as to whether or not an amalgamation of responses would indicate a physiological predisposition in humans to see particular images, rather than indicating what any particular individual might see. Especially since, anecdotally, everyone but the crazies always see sexual images or butterflies.

I believe, however, that other research has already demonstrated this with more precision due to better factors of control. Describing the responses to ink-blot tests would likely be more for fun and interest than valid scientific evidence.

And zees one? (1)

spun (1352) | more than 6 years ago | (#21589841)

For those who haven't seen it, Perry Bible Fellowship's [pbfcomics.com] take on this. [pbfcomics.com]

Re:And zees one? (1)

sm62704 (957197) | more than 6 years ago | (#21590011)

You should have warned us that the cartoon linked, although funny and on-topic, is NSFW.

BEWARE the breasts of DOOM! (1)

spun (1352) | more than 6 years ago | (#21590031)

It's not THAT unsafe. It shows cartoon breasts. Anyway, sorry if I got anyone fired.

Re:BEWARE the breasts of DOOM! (1)

sm62704 (957197) | more than 6 years ago | (#21590117)

Lets hope nobody did. It doesn't "just show breasts" it shows graphic fucking. I'm sure some PHB somewhere will take offense. When in doubt, add a "NSFW"!

another spam submission from informationweak (0)

Anonymous Coward | more than 6 years ago | (#21589849)

Why keep sending us to a crappy site like information-weak dot com? It's just a page of adverts and sales promotions. Information Weak is certainly that site's name.

Hmm... (1)

graviplana (1160181) | more than 6 years ago | (#21589857)

"Get out of my mind!" I think that the association data is much more valuable, or at least informative, than the utility of the particular password scheme they are touting. I wonder to what extent they will implement this? One to watch, IMO.

So uh - (0)

Anonymous Coward | more than 6 years ago | (#21589875)

where's the easy to remember part of it? Inkblots are so freaking random I think of something different every time I see one - 'course maybe that's saying something...

Ballmer's unencrypted file (5, Funny)

Eberlin (570874) | more than 6 years ago | (#21589885)

Anyone wanna bet Ballmer's word list looks a bit like this:
chair
developers
chair
banana
ooohshiny
developers!
developers!
developers!

Microsoft wants to give you an Arseache?!?!? (0)

Anonymous Coward | more than 6 years ago | (#21589887)

ouch

Storing and insecure (5, Informative)

tkdtaylor (1039822) | more than 6 years ago | (#21589891)

It's a research project so of course it's storing the responses.
From the actual site:

Security and privacy of this service

InkblotPassword.com is a research project deployed by Microsoft Research. It is for demonstration and research purposes only. You are welcome to try it out, but we make absolutely no promise that our implementation will protect your password. Don't use your account here to protect any data you care about, from money to your reputation. We also make no promise that the site will continue running. Should the service prove successful, Microsoft may consider offering the service as a commercial product or service. For now, consider it an unreliable, insecure service run by a couple research coneheads in their spare time, and trust it accordingly.

Wait... (4, Interesting)

ucblockhead (63650) | more than 6 years ago | (#21589895)

So they have created a method for creating hard to crack passwords while simultaneously collecting the data to more easily crack them?

Oblig Watchmen (1)

cthulu_mt (1124113) | more than 6 years ago | (#21589897)

MS wants to give me a cool mask and let me eat beans from a can? Do I have to keep the journal too?

That's not Obligatory..... (1)

StressGuy (472374) | more than 6 years ago | (#21590265)

That's a TV Guide description for the Made-for-TV movie version

Watchmen - 74 minutes

"Guy with black and white mask eats beans from a can"

Re:Oblig Watchmen (2, Funny)

Lurker2288 (995635) | more than 6 years ago | (#21590527)

It looks like a pretty butterfly. Or maybe some nice flowers. Or a dog with a cleaved brain, either way.

No way.... (2, Funny)

Bobfrankly1 (1043848) | more than 6 years ago | (#21589913)

Microsoft Wants To Give You A Rorschach


If this is anything like a wet willy, I don't want one, and you can't make me.
*runs away screaming*

use password agent to store all your password (1)

Max4400 (1154375) | more than 6 years ago | (#21589923)

I recommend using password agent software to generate and store all your passwords. It also keeps the password file 256-bit encrypted so no one else will be able to see or know your passwords without the master password. It also provides an autofill option so no keylogger will be able to capture the password. It's the best program. BTW, I generate my passwords by typing random characters on the keyboard.

Same password for different sites == bad security (1)

adminstring (608310) | more than 6 years ago | (#21589945)

From TFA:

Given that many Internet users employ the same password to gain access to dozens of Web sites, for everything from banking and shopping to socializing, it's more important than ever that they create passwords that are at once highly secure and easy to remember.

It's even more important that people not do this. If your password is the same for 15 different sites, and one of those sites gets hacked (or even phished, or someone keylogs your password) suddenly that hacker has access to your account at 15 different sites. This could ruin your whole day.

Amazon Netblock - Debian Powered (-1, Offtopic)

westyvw (653833) | more than 6 years ago | (#21589959)

SO says Netcraft. Apache/1.3.34 (Debian) mod_python/2.7.11 Python/2.4.4c0 mod_ssl/2.8.25 OpenSSL/0.9.8c

Reusing the password (4, Insightful)

Culture20 (968837) | more than 6 years ago | (#21589965)

"Nothing prevents a user from learning a strong password on Inkblotpassword.com and then reusing it at other sites," Microsoft's researchers said.

Common sense might.

All I keep seeing... (4, Funny)

Cytlid (95255) | more than 6 years ago | (#21589975)

...is penguins.

Re:All I keep seeing... (0)

Anonymous Coward | more than 6 years ago | (#21590291)

70% tits, 25% pussy, 5% ass.

Always has been, always will be.

HTTP Error 500: Too many slashdotters (0)

Anonymous Coward | more than 6 years ago | (#21589989)

IIS has performed an illegal operation and will be shut down.

Passwords tell you a lot (1)

DiceRoller (1178315) | more than 6 years ago | (#21589995)

I find it interesting when looking at passwords because it tells you a lot about the person. A computer person will have something like H2xkls23, whereas a kid might have MyFavoritePony.

Re:Passwords tell you a lot (1)

Peyna (14792) | more than 6 years ago | (#21590175)

I find it interesting when looking at passwords because it tells you a lot about the person.

Most passwords tell you one or two things, not "a lot." They tell you whether the person has a clue about security or not. If they have a clue, their password will either be unintelligible to you or pure nonsense. If they don't have a clue, their password will be a word or phrase that is familiar to them and likely reveal very little to you other than their dog's name.

Re:Passwords tell you a lot (0)

Anonymous Coward | more than 6 years ago | (#21590633)

That's just because you named your pony H2xkls23.

Captcha (4, Interesting)

GreggBz (777373) | more than 6 years ago | (#21590019)

That site [inkblotpassword.com] has one of the best captchas I've ever seen.

Please select all the cats. Pictures supplied (and sponsored) by petfinder.com. Brilliant. Even HAL-9000 might not be able to do that.

Here I thought Microsoft were Watchmen fans (1)

Tragedy4u (690579) | more than 6 years ago | (#21590037)

After reading the headline I got excited thinking Microsoft was helping to boost Watchmen popularity, damn.

Character randomization (1)

courteaudotbiz (1191083) | more than 6 years ago | (#21590049)

I think it would have been a little more clever if Microsoft did it in line with their own password strength good practices... If at least their algorithm randomized characters, like sometimes using an "i", sometimes using a "1", sometimes using capital letters. It's a classic, but it would have been a little more secure to have "trA1nIng" as a password, than to have "tgfryrmd". Brute forcing is a lot easier with only one character class...

Insecure? (1)

Brit_in_the_USA (936704) | more than 6 years ago | (#21590073)

I thought strong passwords avoided the use of words as they are subject to brute force dictionary attacks. An e.g. 8 character output of this method may be marginally more secure than one or two words that total 8 characters, but it is also very susceptible to a dictionary attack, maybe even more so as there is a good chance that animals and shapes would be the words chosen (not colours, names of people, verbs etc.).

Rorschach's Journal (0)

Anonymous Coward | more than 6 years ago | (#21590097)

Dog carcass in alley this morning, tire tread on burst stomach. This city is afraid of me. I have seen its true face.
The streets are extended gutters and the gutters are full of blood and when the drains finally scab over, all the vermin will drown.
The accumulated filth of all their sex and murder will foam up about their waists and all the whores and politicians will look up and shout "Save Us!"... and I'll look down, and whisper, "No".

Several flaws immediately come to mind (1)

_Hellfire_ (170113) | more than 6 years ago | (#21590145)

The image associations are not only unique to the user, they're also "hard to forget," the researchers said. "After typing her password several times, a user develops 'muscle memory' and can log in quickly without referring to the inkblot images," they said.

No shit. Type any password enough times your fingers learn where the keys are, even if you're not consciously thinking about what you're typing.

So their aim is to have you look at the inkblots, work out your password, type the password until your fingers get it, and then you don't have to look at the inkblots any more. No numbers, no mix of uppercase and lowercase, and no punctuation. Doesn't sound particularly

Running APG [nursat.kz] over a web interface and getting pronouncable, strong passwords which will develop into muscle memory just as easily sounds like a much better solution.

Not to mention the whole "oh btw, we're storing your associations" bit. It should be painfully obvious that when it comes to security, Microsoft simply doesn't "get it".

dead site (1)

DangerousDriver (752795) | more than 6 years ago | (#21590187)

Looks like it's been /.'d. Strange as I thought it was an MS site (although IP 72.44.41.236 goes to Amazon.com). Thought: why doesn't /. get /.'d?

Horseradish (1)

r0b!n (1009159) | more than 6 years ago | (#21590247)

First time I read the subject, my brain interpreted it as "Microsoft Wants To Give You A Horseradish" http://en.wikipedia.org/wiki/Horseradish [wikipedia.org] "The horseradish root itself has hardly any aroma. When cut or grated, however, enzymes from the damaged plant cells break down sinigrin (a glucosinolate) to produce allyl isothiocyanate (mustard oil), which irritates the sinuses and eyes. Once grated, if not used immediately or mixed in vinegar, the root darkens and loses its pungency and becomes unpleasantly bitter when exposed to air and heat." Seems somehow appropriate...

Enter the... (1)

davidsyes (765062) | more than 6 years ago | (#21590307)

Dot Matrix...

Is this really new?

Eventually it'll be something done by Open Source from the future SeaCode employees...

But, also, hasn't this been shown in Sci-Fi shows? (No, I'm not talking about "cheating" to make a result/action appear on screen). It would be ghastly if a patent is "awarded" for this...

Since Microsoft knows Rorschach what could be more (1)

deweycheetham (1124655) | more than 6 years ago | (#21590325)

secure?

An Ink Blot Test, brought to you by the folks who help protect and secure us from the past, present, and future evil hackers. (The Ink Blot Test is obviously the best way to secure an operating system. Just see your physiotherapist today and "Poof" you are secure.)

Go figure...

AKA Pain In the Ass (1)

curmudgeon99 (1040054) | more than 6 years ago | (#21590369)

Oh great. I have to match my wild-ass guess of a past time with the precise values I chose in my WAG. Sounds like a nightmare.

I have the strangest picture in my head of.... (1)

Hanging By A Thread (906564) | more than 6 years ago | (#21590381)

Bill Gates sitting in a wooden school desk with his arm raised yelling "OOhhhh, OOOOhhh, OOOOOhhh, Mista Kahttah, Mista Kahttah!".

I use a keyboard pattern mnemonic (1)

OldHawk777 (19923) | more than 6 years ago | (#21590537)

I use a keyboard pattern mnemonic for all my passwords that I change every six months (work-pattern, bank-pattern, overseas accounts pattern ...).

Any 12 characters (1a...!A...) I never repeat, but I always recall, because of the pattern matching I must always recall the first character to enter, then I follow the appropriate pattern-match.

When I take vacation and return to the office two weeks later ... I sometimes forget the pwd, but I always guess right by the third time (most on second try).

Example: c6b8g7j9C^B*J( [works every time 4me]

!HAVEFUN!

Note: I use a keyboard pattern mnemonic (1)

OldHawk777 (19923) | more than 6 years ago | (#21590571)

I was told that I am not allowed to teach this method to my colleagues, but I think most know it already.

Resistance is futile... (1)

fahrbot-bot (874524) | more than 6 years ago | (#21590561)

The phrase "Microsoft Genuine Password Advantage" scrolled through my mind and I was afraid.

Possible Microsoft ink-blot results:

  • A woman with large breasts
  • A woman with small breasts
  • Steve Ballmer with breasts
  • Harry telling me I'm not good enough
  • Harry telling me I can't marry his daughter

phishing (1)

clarkn0va (807617) | more than 6 years ago | (#21590565)

Microsoft is collecting and storing users' word associations
So essentially this is a phishing site, and they're telling you that up front. Of course MS is aware that if you take a sample 1000 people who have fallen for a phishing scam in the past and send them to this inkblot password site with a disclosure that their password will be recorded, 1000 of these will go ahead and use it anyway. It's a great way to do as the criminals do, and through a simple legal disclosure it's no longer a crime.

db

Easy ways to get random pass-foo from books. (1)

BlueParrot (965239) | more than 6 years ago | (#21590673)

PIN numbers:
Open a large book on random pages and note down the LAST digit. Repeat until the pin is long enough.

For passphrases:
Pick a book, open it on a random page and note down the first word on that page longer than 3 characters. Generate 2 pass phrases this way and insert the acronym of one of them into the other. Add some random special characters and numbers at random places (i.e. chosen as for PIN numbers).

May well be vulnerabilities in there, but if you know enough about computer security to avoid exposing yourself to orders of magnitude greater ones, then chances are you are able to generate a good pass phrase.