Picturing Painless Passwords


Janak Parekh
07-27-2003, 01:00 AM
http://abcnews.go.com/sections/scitech/TechTV/techtv_passwordpics030521.html

"How many passwords or numerical combinations do you need to remember on a given day? You probably have one for each gadget or service you come into contact with: one to withdraw cash from the ATM, another to check your answering machine when away from home. You have one for your cellphone, another for your work voice mail, a different one for your gym locker, and access to your bank account. The list goes on and on, and it's downright overwhelming.

During a very unscientific survey on the streets of San Francisco, people said they have, on average, seven passwords and PINs — some of which they frequently forget. But one company thinks it has an innovative solution to this ever-difficult game of memory. And if it catches on, pictures — not numbers and obscure codes — could be your pass to your private, personal information."

Pointsec, which specializes in mobile device security, has developed an image-based password solution that works on, amongst other platforms, Pocket PCs. I'm glad to see this as well as biometric security being worked on -- I have to use eWallet to memorize all my passwords, but that's still a huge hassle -- if they can develop a solution that makes it easier to memorize, I'll be all over it. :)

ctmagnus
07-27-2003, 01:59 AM
This strikes me as being not very secure.

10 pictures * 10 possible locations * [something I forgot] * [something else I forgot] gives you 10,000 possible passwords. However, a simple three-letter non-case-sensitive password with no numbers or punctuation or alt-characters produces 17,576 possibilities. With just three letters!

Brad Adrian
07-27-2003, 03:05 AM
10 pictures * 10 possible locations * [something I forgot] * [something else I forgot] gives you 10,000 possible passwords.
Here's how my math comes out...

Using three of twenty-six alphabetic characters as a code yields 17,550 permutations. Using only three numerical characters offers 720.

Ten icons, taken ten at a time yields 3,628,800 possible permutations. Add to that the fact that the icons are rearranged and the number of possibilities is even higher (sorry, not sure how to calculate that).

GoldKey
07-27-2003, 03:11 AM
The fact that they rearrange the icons does not change the number of permutations. You still have 10 things to choose from; whether they are pictures or numbers does not really matter. The examples they use have 4 choices. So 10x10x10x10 = 10,000. This does not add any security, it is only a mnemonic device.

Ed Hansberry
07-27-2003, 03:32 AM
The fact that they rearrange the icons does not change the number of permutations.
No, but it changes the number of *patterns* which makes looking over someone's shoulder worthless unless you can see the icons very clearly. It is pattern based.

GoldKey
07-27-2003, 03:37 AM
It is just like taking a 10 digit keypad and rearranging the keys every time. You are absolutely right, in that it may help with shoulder surfing. But I would not really call it patterned based. They are just replacing the numbers with pictures. Kind of like McDonalds does on their cash registers.

This is more of a pattern based solution (http://www.usenix.org/publications/library/proceedings/sec99/full_papers/jermyn/jermyn_html/node4.html) which I think would be ideal on a PPC. Basically, you draw a picture and that is your password. Probably works along the lines of handwriting recognition.

This link is one level deep in the site and has an example of use on a PDA. (http://www.usenix.org/publications/library/proceedings/sec99/full_papers/jermyn/jermyn_html/node6.html#SECTION00032000000000000000)

Brad Adrian
07-27-2003, 03:42 AM
...in that it may help with shoulder surfing...
Right. That's what I was trying to find the right words to say. It doesn't change the number of possible "PINs," but makes it harder to guess the sequence.

GoldKey
07-27-2003, 03:43 AM
Only harder to guess via shoulder surfing. If you just found the device and had to try and guess the password, it would be the same as trying to guess a numeric.

Ed Hansberry
07-27-2003, 03:46 AM
Only harder to guess via shoulder surfing. If you just found the device and had to try and guess the password, it would be the same as trying to guess a numeric.
It would be harder for a person to guess. If you have 10 images and you are trying to do them in order and in an increasing sequence, having them move all of the time means you have to memorize previous patterns, so in a non-moving 10 keypad pattern, you have one less possibility with each try.

When it moves though, you essentially have to guess from the whole pot again, unless you have a photographic memory.

GoldKey
07-27-2003, 03:52 AM
Maybe I am missing something. There are 10 images — an envelope, a plane, a laptop computer, a woman, flowers, a heart, a duck, a dog, the sun, and a man. I want to try and brute force it (forget the fact that it locks after three invalid attempts). First try envelope envelope envelope envelope (they then rearrange) try envelope envelope envelope plane (they then rearrange) try envelope envelope envelope laptop.....(9997 more combinations)......... Their position on the screen is irrelevant.
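
The keyspace arithmetic the thread is arguing over, as an added example (my own code, not from the post or from Pointsec): the icon names come from the post above, the helper names are my own, and the enumerator models the shuffled screen by looking up each icon's current position before tapping, which is why its attempt count comes out the same with or without shuffling. Rearranging the icons changes what a shoulder surfer sees, not how many secrets exist; the lockout is the control that actually limits guessing.

```python
import math
import random
from itertools import product

# The ten icons named in the post above.
ICONS = ["envelope", "plane", "laptop", "woman", "flowers",
         "heart", "duck", "dog", "sun", "man"]

def keyspace(symbols, length, repeats_allowed=True):
    """Distinct secrets: symbols**length if a symbol may repeat,
    otherwise the number of ordered selections (permutations)."""
    if repeats_allowed:
        return symbols ** length
    return math.perm(symbols, length)

def entropy_bits(space):
    """Strength of a uniformly chosen secret from `space` choices, in bits."""
    return math.log2(space)

def guess_probability(space, attempts):
    """Chance that a uniformly random secret is hit within `attempts`
    tries, e.g. before a lockout after three invalid attempts."""
    return min(attempts, space) / space

def fixed_layouts():
    """Keypad-style screen: the icons never move."""
    while True:
        yield list(ICONS)

def shuffled_layouts(seed=1):
    """Pointsec-style screen: the icons are rearranged after every attempt."""
    rng = random.Random(seed)
    while True:
        layout = list(ICONS)
        rng.shuffle(layout)
        yield layout

def attempts_to_find(secret, layouts):
    """Enumerate icon sequences by *identity*, tapping wherever each icon
    currently sits. Returns the attempt number at which `secret` is hit;
    it is the same for fixed and shuffled layouts, which is the point."""
    for n, candidate in enumerate(product(ICONS, repeat=len(secret)), 1):
        layout = next(layouts)
        taps = [layout.index(icon) for icon in candidate]   # positions tapped
        if tuple(layout[p] for p in taps) == tuple(secret):
            return n
    return None
```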

Janak Parekh
07-27-2003, 03:54 AM
Unless you make an automated tool, it becomes a royal pain in the neck to brute force.

That said, yes, this is not utterly foolproof. However, it's a step up over many situations, where people just give up on memorizing a password entry and either don't use one or use something very short or typical (like their name).

--janak

GoldKey
07-27-2003, 03:58 AM
Agreed, I just laugh when we do any testing of the strength of user passwords. For probably 10-20% of people, you can try their spouse/kids/pets name (or the infamous password of "password").

Janak Parekh
07-27-2003, 04:00 AM
For probably 10-20% of people
It's that low where you work!? Impressive! (And no, I'm not being sarcastic...) I'm fortunate in that I administer small networks, so I can explain policy to individuals, but I've heard of much worse rates...

What I like about pictures is that, to some extent, you have to invent a "story", i.e., unique password combo... you can't spell out someone's name.

--janak

Ed Hansberry
07-27-2003, 04:08 AM
Maybe I am missing something. There are 10 images — an envelope, a plane, a laptop computer, a woman, flowers, a heart, a duck, a dog, the sun, and a man. I want to try and brute force it (forget the fact that it locks after three invalid attempts). First try envelope envelope envelope envelope (they then rearrange) try envelope envelope envelope plane (they then rearrange) try envelope envelope envelope laptop.....(9997 more combinations)......... Their position on the screen is irrelevant.

Right, but when it is envelope, heart, duck, duck, dog, sun, man, duck, man, flowers, and then it shuffles, what is next? Close your eyes and rapidly tell me what is next.

That is the point. The patterns don't mathematically increase the permutations, but it does add to the complexity for a person. A computer couldn't care less, but on a PPC, a computer means an optical eye with a robotic arm and a stylus trying to crack it, and that isn't very practical.

Brad Adrian
07-27-2003, 04:12 AM
But my bigger problem is that I have SOOOOOO many passwords for SOOOOO many Web sites, servers, etc. What I need is a way to eliminate my need for all of the 75 entries I have in CodeWallet Pro under "Passwords."

GoldKey
07-27-2003, 04:31 AM
For probably 10-20% of people
It's that low where you work!? Impressive! (And no, I'm not being sarcastic...) I'm fortunate in that I administer small networks, so I can explain policy to individuals, but I've heard of much worse rates...

What I like about pictures is that, to some extent, you have to invent a "story", i.e., unique password combo... you can't spell out someone's name.

--janak

Only because I work at an organization of IT auditors. I really like the picture drawing example I posted earlier. Some things I see at organizations we audit are just horrendous..

GoldKey
07-27-2003, 04:34 AM
But my bigger problem is that I have SOOOOOO many passwords for SOOOOO many Web sites, servers, etc. What I need is a way to eliminate my need for all of the 75 entries I have in CodeWallet Pro under "Passwords."

I have over two pages of Excel spreadsheet of passwords. I keep it on a floppy locked in a safe and a printed copy in a separate lockbox at my desk. I have been too lazy to enter it all into FlexWallet. I wish they had an option on that software to import a tab delimited file into its database.

Gerard
07-27-2003, 05:05 AM
VisKeyCE is dramatically more secure, I think.

http://www.viskey.com/viskeyce/index.html

ctmagnus
07-27-2003, 05:07 AM
I wish they had an option on that software to import a tab delimited file into its database.

I concur. My other beef with FlexWallet is I occasionally get a crash when I create a new card and click OK (in the desktop version).

Gremmie
07-27-2003, 05:55 AM
It is just like taking a 10 digit keypad and rearranging the keys every time.

There is kind of a point in that, anymore the combination of numbers I chose isn't of numerical significance (i.e. birthday, address, etc.), but is more of making a pattern on the 10 key (i.e. 1 then 9 because 9 is diagonally furthest away from the 1).

hollis_f
07-27-2003, 10:08 AM
VisKeyCE is dramatically more secure, I think.

http://www.viskey.com/viskeyce/index.html
I read this on the front page and immediately thought of VisKey. I'm amazed that this great piece of software doesn't get more exposure. The possible combinations on here must be close to infinite (well, not infinite, but my calculator runs out of powers of 10 before I get anywhere near finishing the calculation). And because it uses a picture that the user can choose (and change) it's very memorable.

joechen
07-27-2003, 03:42 PM
Agreed, I just laugh when we do any testing of the strength of user passwords. For probably 10-20% of people, you can try their spouse/kids/pets name (or the infamous password of "password").

8O Good guess! Time for me to change my password.

Does anyone know of a SECURE and TRUSTWORTHY online service for keeping passwords?

GoldKey
07-27-2003, 04:06 PM
Does anyone know of a SECURE and TRUSTWORTHY online service for keeping passwords?

I don't think any such thing exists. Even if it did, it would take a lot of convincing for me to even think about trusting it.

Ed Hansberry
07-27-2003, 07:24 PM
Does anyone know of a SECURE and TRUSTWORTHY online service for keeping passwords?
Sure. Passport. :rotfl:

Seriously, I'm with Goldkey on this. I don't even like the fact that Amazon keeps my CC# on file, which is why I got a credit card pretty much just for Amazon. No other online store would cause me to even consider doing that.

And I'd never let any online service keep my passwords. I'll continue to trust in eWallet - www.iliumsoft.com

ctmagnus
07-27-2003, 10:28 PM
I figured the layout of pictures would be like VisKeyCE: the points are not in a grid formation. However, I just read a review of this in Information Security magazine and the pictures are in a grid formation. Kinda seems like it would compromise security for ease-of-use this way.

http://www.pointsec.com/news/images_products/pre_ipaq_ppc.jpg

Demo here (http://www.pointsec.com/solutions/solutions_pocketpc.asp#).

scargill
07-28-2003, 11:27 AM
I use a simple (too simple) 4 digit password for my PocketPC - reason? Because I let my housemates use it and I don't have any data on there which I actually NEED to be that secure.
When it comes to passwords I don't think that there's ever going to be anything more secure than a real password including special characters (at work all our passwords have lots of &*!£$= and things like that).

My PC at work isn't secure - again my housemates use it, but it's nice to be password protected. I thought that my password was simple but I didn't think anyone would actually guess it or anything. Until I realised that one of my housemates had exactly the same password as me!

GoldKey
07-28-2003, 12:53 PM
I use a simple (too simple) 4 digit password for my PocketPC - reason? Because I let my housemates use it and I don't have any data on there which I actually NEED to be that secure.
When it comes to passwords I don't think that there's ever going to be anything more secure than a real password including special characters (at work all our passwords have lots of &*!£$= and things like that).


Password composition is only one part of password security. There needs to be an effective lockout for invalid passwords and passwords need to be changed periodically, not to mention the physical security over a system. Even then you have the human problem - you can put the best security in place, but people will tend to write down their passwords or share them with coworkers. I really believe biometrics are the solution to the human problem.

edwinolson
07-28-2003, 07:12 PM
Hi folks,

About a week ago I whipped out a password generating/remembering utility for pocketpc.

It's my first pocketpc application (and uses .NET CF) so be kind :) Comments solicited! Check it out and let me know how to improve it.

Its design is pretty solid from a security standpoint, and addresses all/most of the concerns you've been discussing. Essentially, it computes cryptographic hashes of strings formed from your username, machinename, a "master seed", and a PIN. Losing your pocketpc only marginally threatens security.

http://www.blisstonia.com/software
(look for "PassMan" down at the bottom.)

-Ed
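
The derivation scheme Ed describes, as an added illustration in my own code (not PassMan's): the only things taken from the post are the inputs (username, machine name, master seed, PIN) and the property that a lost device without the PIN should not expose the passwords. PBKDF2-HMAC-SHA256 as the hash, the length-prefixed field encoding, the output alphabet and the sample names are all my assumptions.

```python
import hashlib
import string

# Assumed output alphabet (my choice, not PassMan's): 73 printable symbols.
ALPHABET = string.ascii_letters + string.digits + "!$%&*+-=?@_"

def derive_password(master_seed: bytes, pin: str, username: str,
                    machine_name: str, account: str, length: int = 16,
                    iterations: int = 100_000) -> str:
    """Deterministically derive the password for one account.

    master_seed is stored on the device; the PIN is typed each time and
    never stored, so a lost device yields the seed but not the passwords.
    Every field is length-prefixed before concatenation so that, e.g.,
    ("ab", "c") and ("a", "bc") cannot produce the same input bytes."""
    def field(s: str) -> bytes:
        b = s.encode("utf-8")
        return len(b).to_bytes(2, "big") + b

    secret = field(pin) + master_seed
    salt = field(username) + field(machine_name) + field(account)
    # PBKDF2-HMAC-SHA256 (assumed KDF) slows offline guessing of the PIN
    # should the seed be recovered from a lost device. 32 bytes is well
    # above the ~99 bits needed for 16 symbols of a 73-symbol alphabet,
    # so the base-73 conversion below leaves no measurable bias.
    key = hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=32)
    n = int.from_bytes(key, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        out.append(ALPHABET[idx])
    return "".join(out)

def seed_alone_is_insufficient(master_seed: bytes, pin: str, account: str) -> bool:
    """Check the property Ed claims: the same inputs always regenerate the
    same password, while a different PIN (what a thief lacks) does not.
    'alice' and 'pocketpc' are constructed sample values."""
    good = derive_password(master_seed, pin, "alice", "pocketpc", account)
    again = derive_password(master_seed, pin, "alice", "pocketpc", account)
    wrong = derive_password(master_seed, pin + "0", "alice", "pocketpc", account)
    return good == again and good != wrong
```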