Inkblot passwords

Firewalls, routers, servers, switches, SANs, PBXes, security and related topics
Locked
manadren_it
Posts: 1810
Joined: Wed Jan 01, 2003 6:48 pm

Inkblot passwords

Post by manadren_it »

link

Is It Just My Imagination?
by Suzanne Ross

Are inkblots meaningless smears of ink, or the secret key to your personality? Though most psychologists no longer use inkblots to determine the twists and turns of your psyche, sometimes they pay attention to the stories you tell yourself about the blobs.

Adam Stubblefield, an intern with Microsoft Research, thought that our ability to tell ourselves unique stories about inkblots might be a secret key to a strong digital lock - the online password.

Stubblefield and his manager at MSR, Dan Simon, knew that people are the weakest link in secure computing environments. They knew that users generally pick weak passwords because they can remember them. They tend to use birthdays, pets' names, spouses' names or birthdays, or a favorite hobby. If a computer system forces us to pick a strong password, we often write it on a post-it note and stick it to the side of our computer, where it can be read and used by any passerby.

Give Me A Hint
"Good passwords are hard to remember. And easy to remember passwords are easy for other people to guess. What we wanted to do is give people a hint to help them remember a good password," said Simon.

They needed a hint that would mean something to the user, but not to anyone else. They wanted to use some type of image-based authentication. But there were problems. Most of the methods had what they considered to be a fatal flaw.

"All used a pointing device rather than a keyboard for input," explained Stubblefield. "This limited the rate at which the password could be entered, and exposed the password to anyone looking over the user's shoulder. We realized that a better scheme would provide some way for users to somehow construct a private textual entry from an image displayed on their monitor."

What Do You See?
Stubblefield used his imagination to come up with a solution. "I realized that a child accomplishes a very similar task when he points at an oddly shaped cloud and announces that there is a moose in the sky. There are not, unfortunately, huge amounts of published data on this cloud naming phenomenon." But there are volumes of information on the Rorschach Inkblot test. They decided to use inkblots to help users remember their passwords.

Sound too odd to be true? Even Simon was a bit skeptical at first. "I thought people wouldn't remember what they had seen in the blots. My first reaction was, 'oh, come on,' but it turned out well."

Stubblefield said the users had a similar initial reaction. "When we first explained the task to the users in the studies, the users were almost uniformly incredulous. Even after using the inkblot passwords, they were amazed that such an unconventional scheme actually works."

Computer Generated Inkblots
To make the system work, they developed a program that can generate an infinite number of random inkblots.

"We show you a bunch of computer generated inkblots," said Simon. "We ask you to look at the inkblot, see whatever you see in the inkblot, and type a short abbreviation of what you see. The first and last letter works well. We do that for a sequence of inkblots. At the end of all that we take you through it a few more times, but we scramble it in a random order first to make sure you haven't just typed in whatever you wanted to and ignored the inkblots altogether. We run it a few more times to make sure you have it in your memory, and thereafter whenever you try and log in we'll give you that second order of your inkblots. Eventually you'll just commit it to muscle memory and you'll learn it. And the inkblots will trigger the same memory."

Stubblefield and Simon found out that once we've identified the inkblot we see it the same way every time. And even though people sometimes see similar things in inkblots, they describe it in different ways. For instance, almost all the users in their study identified an inkblot as some type of flying person. But the users described their flying person differently, such as 'evil flying henchman' or 'flying gardener.' (Except one person who thought it was a man at a football game in Minnesota wearing a mascot moose hat and ear muffs - but writers are not your average user).

"We did a study of 25 people and it worked very well. Twenty out of 25 people remembered their password the next day. That's with a very strong password, with ten images. Something like 50 to 80 bit passwords, which is much stronger than your typical password. Eighteen out of 25 people remembered the entire password a week later. That's very unusual. Moreover, everybody who did not remember the passwords remembered nine out of ten of their images. So if you weaken the password slightly, you could have 100% recall of the password," said Simon.

"Basically, you're typing in twenty characters by looking at ten inkblots. The idea is that eventually you just type in the twenty characters, because by the umpteenth time you've logged in, you've remembered these twenty characters," said Simon.

"Many of the users said that, if given the choice, they would use the inkblot passwords in their production environments," said Stubblefield.

Inkblots not only help users create a strong password, but people also seem to enjoy using them. Occasionally a user might look at an inkblot and see nothing. "That's easy to deal with, because you can just have them press the return key and go on to the next inkblot," said Simon.


Archived topic from Iceteks, old topic ID:1111, old post ID:9695
mana's blog {1, 2} yell at me when I get lazy
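The enrollment and login flow Simon describes in the article above (answer each blot with the first and last letter of what you see, press return for a blot that shows you nothing, re-check the answers in scrambled order during training, then use one fixed order for every later login), written out as an added Python example. This is not code from the original post or from Microsoft Research. The per-blot random seed standing in for the rendered image, the PBKDF2 stretching of the final string, the minimum-length rule for users who see nothing in many blots, and the StudyUser stand-in for a study participant are all assumptions of this example; the article does not say how the stored credential is protected.

```python
import hashlib
import hmac
import os
import random
import secrets

N_BLOTS = 10            # the study used ten images, two characters each
MIN_PASSWORD_LEN = 16   # assumption: at least 8 of the 10 blots must be answered
PBKDF2_ROUNDS = 200_000  # assumption: stretch the final string like any password


def abbreviate(description):
    """Article's rule: a short abbreviation of what you saw; first and last
    letter works well.  An empty description is 'I see nothing here': the
    article has the user just press return, so that blot adds nothing."""
    letters = [c for c in description.lower() if c.isalpha()]
    if not letters:
        return ""
    return letters[0] + letters[-1]


def new_blots(n=N_BLOTS):
    """Each blot is identified by a random seed; a renderer (not shown) would
    draw the image from it.  Seeds are not secret: anyone trying to log in as
    this user gets to see the same pictures."""
    return [secrets.token_hex(8) for _ in range(n)]


def password_from(answers, order):
    """Concatenate the abbreviations in the fixed login order."""
    return "".join(abbreviate(answers[seed]) for seed in order)


def _stretch(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def enroll(describe, n_blots=N_BLOTS, training_rounds=3, rng=None):
    """describe(seed) -> str is the user answering one blot.  Runs the
    scrambled training passes from the article: every pass must reproduce
    the first-pass abbreviations, otherwise the user is typing without
    looking at the blots (or cannot repeat the story) and enrollment fails.
    Returns the record the server keeps; the password itself is never stored."""
    rng = rng or random.SystemRandom()
    blots = new_blots(n_blots)
    first = {seed: describe(seed) for seed in blots}
    for _ in range(training_rounds):
        shuffled = blots[:]
        rng.shuffle(shuffled)
        for seed in shuffled:
            if abbreviate(describe(seed)) != abbreviate(first[seed]):
                raise ValueError("answer for blot %s changed between passes" % seed)
    order = blots[:]
    rng.shuffle(order)            # the "second order" every later login uses
    password = password_from(first, order)
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError("too many blank blots; password is only %d chars" % len(password))
    salt = os.urandom(16)
    return {"order": order, "salt": salt, "hash": _stretch(password, salt)}


def login(record, describe):
    """Show the blots in the enrolled order, collect the abbreviations and
    compare the stretched hash in constant time."""
    answers = {seed: describe(seed) for seed in record["order"]}
    candidate = password_from(answers, record["order"])
    return hmac.compare_digest(_stretch(candidate, record["salt"]), record["hash"])


class StudyUser:
    """Constructed stand-in for a study participant: the first time a blot is
    shown, a story is picked from a list; afterwards the same story is told."""

    def __init__(self, stories):
        self.stories = list(stories)
        self.memory = {}

    def describe(self, seed):
        if seed not in self.memory:
            self.memory[seed] = self.stories[len(self.memory) % len(self.stories)]
        return self.memory[seed]


if __name__ == "__main__":
    alice = StudyUser(["evil flying henchman", "flying gardener", "moose", "",
                       "butterfly", "two bears", "crab", "mask", "tree", "dancer"])
    record = enroll(alice.describe, rng=random.Random(1))
    print("login as alice:", login(record, alice.describe))
    mallory = StudyUser(["bat", "cloud", "face", "dog", "ship",
                         "owl", "vase", "flower", "rocket", "hands"])
    print("login as mallory:", login(record, mallory.describe))
```

The blots themselves are shown to whoever tries to log in, so all of the secrecy lives in the user's stories, and the server has to treat the 20-character string exactly like a password: salted, stretched, compared in constant time. Simon's remark that accepting nine of ten images would give 100% recall cannot be done with a single hash of the whole string; it would need a stored hash per blot or per nine-blot subset, which also lets an attacker test blots one at a time, so this example requires the full string.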
Red Squirrel
Posts: 29209
Joined: Wed Dec 18, 2002 12:14 am
Location: Northern Ontario

Inkblot passwords

Post by Red Squirrel »

Interesting. But I would not want this forced, though; I'd rather have it as an option. For example, I have a 19 character password here for admin login, and use it for a few other things that require high security. I remember it easily. Though I should consider changing it more often. :D

I used a 1000+ character password for my router, because someone threatened me that he would try to get in. But it turned out it crashed the router when I set it.

This was obviously a copy and paste from a floppy though.


Something I thought would be cool to come up with (for online logins only though) would be a php script that makes the user upload a file, and that file would be a "key" to get in. It would be encrypted (nothing too fancy here though) and it would then be matched with a server side password and it would check if it's correct. This key could be something such as an image file for example.

Archived topic from Iceteks, old topic ID:1111, old post ID:9696
Honk if you love Jesus, text if you want to meet Him!
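Red Squirrel's upload-a-file-as-a-key idea from the post above, as an added example written in Python rather than the PHP he mentions; this is not his code. It assumes the server keeps only a per-user salt and a stretched hash of the file's bytes (PBKDF2-HMAC-SHA256, an assumption), that the key file is issued from the OS random generator instead of being a photo the user already has, and that uploads are capped in size before any hashing is done.

```python
import hashlib
import hmac
import os

KDF_ROUNDS = 100_000       # assumption: PBKDF2-HMAC-SHA256 with 100k iterations
MAX_KEY_BYTES = 1 << 20    # refuse uploads over 1 MiB before hashing them
KEY_FILE_BYTES = 32        # 256 random bits when the server issues the key file


def make_key_file():
    """Issue the key file from the OS RNG.  A photo the user already owns is a
    poor key: it may be public or shared, and the server cannot tell."""
    return os.urandom(KEY_FILE_BYTES)


def register_key_file(data):
    """Server side of sign-up: store a per-user salt and the stretched hash of
    the file, never the file itself.  Returns the record to persist."""
    if not 16 <= len(data) <= MAX_KEY_BYTES:
        raise ValueError("key file must be between 16 and %d bytes" % MAX_KEY_BYTES)
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", data, salt, KDF_ROUNDS)}


def verify_key_file(record, data):
    """Server side of login: re-derive the hash from the uploaded bytes and
    compare in constant time.  Oversized uploads are rejected before any
    hashing so they cannot be used to burn server CPU."""
    if len(data) > MAX_KEY_BYTES:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", data, record["salt"], KDF_ROUNDS)
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    key = make_key_file()            # handed to the user once, over TLS
    record = register_key_file(key)  # what the server keeps
    print("correct file:", verify_key_file(record, key))
    tampered = key[:-1] + bytes([key[-1] ^ 0x01])
    print("one bit flipped:", verify_key_file(record, tampered))
```

The file is a static bearer secret: it travels whole on every login, so it needs TLS, must never land in upload logs or temp directories, and whoever copies it off the client's disk can log in. Encrypting it on the client adds nothing when the server just compares the bytes it receives, which is why the example hashes and compares rather than decrypts.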
wldkos
Posts: 830
Joined: Mon Feb 24, 2003 12:19 pm

Inkblot passwords

Post by wldkos »

test

Archived topic from Iceteks, old topic ID:1111, old post ID:9715
Red Squirrel
Posts: 29209
Joined: Wed Dec 18, 2002 12:14 am
Location: Northern Ontario

Inkblot passwords

Post by Red Squirrel »

Still having problems with cookies on this site? Is anyone else having problems? I used to have issues with it but it seems to have stopped. At least at my end...

But I don't use IE anymore so I could not tell I guess.

Archived topic from Iceteks, old topic ID:1111, old post ID:9724
Wren
Posts: 2881
Joined: Sat Jan 25, 2003 7:36 pm

Inkblot passwords

Post by Wren »

I'm running IE and my cookie doesn't work here or anywhere else either, so I don't know what the deal is. :rolleyes:

Archived topic from Iceteks, old topic ID:1111, old post ID:9728
Red Squirrel
Posts: 29209
Joined: Wed Dec 18, 2002 12:14 am
Location: Northern Ontario

Inkblot passwords

Post by Red Squirrel »

Hmm, so if it's anywhere else, then at least I know it's not a problem here. I used to always have problems with IE too.

I did notice though that some SQL errors will boot everyone off, but we haven't had an SQL error in quite a while (24+ hours is considered "quite a while").



Archived topic from Iceteks, old topic ID:1111, old post ID:9738
Red Squirrel
Posts: 29209
Joined: Wed Dec 18, 2002 12:14 am
Location: Northern Ontario

Inkblot passwords

Post by Red Squirrel »

I know how it is, it's annoying when that happens! I hope you'll get it to work :)

Archived topic from Iceteks, old topic ID:1111, old post ID:9748