[opensuse] Picture login system
I'm wondering if anybody's working on a system to replace the traditional username/password with something like a picture. (you pick which one out of a table of pictures, for instance). -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Tue, Feb 26, 2008 at 6:46 PM, John Meyer
I'm wondering if anybody's working on a system to replace the traditional username/password with something like a picture. (you pick which one out of a table of pictures, for instance).
One of the keys to keeping passwords not breakable is to have a massive number of possibilities. Not sure how you do that with a multiple choice solution. Greg -- Greg Freemyer Litigation Triage Solutions Specialist http://www.linkedin.com/in/gregfreemyer First 99 Days Litigation White Paper - http://www.norcrossgroup.com/forms/whitepapers/99%20Days%20whitepaper.pdf The Norcross Group The Intersection of Evidence & Technology http://www.norcrossgroup.com
On Tuesday 26 February 2008 18:51, Greg Freemyer wrote:
On Tue, Feb 26, 2008 at 6:46 PM, John Meyer
wrote: I'm wondering if anybody's working on a system to replace the traditional username/password with something like a picture. (you pick which one out of a table of pictures, for instance).
One of the keys to keeping passwords not breakable is to have a massive number of possibilities. Not sure how you do that with a multiple choice solution.
Greg -- Greg Freemyer
Well, if the picture was one you create yourself, with a million pixels or so, it might be fairly secure, so long as it was never published on the net. Digital cameras have wonderful possibilities. Scrambling the image using some kind of standard encoding would make it almost impossible to recreate. (Who would know that it was an image, or what kind of encoding was in use?) Just an idea. . . . --doug Blessed are the peacemakers ... for they shall be shot at from both sides. --A.M. Greeley
On Tue, Feb 26, 2008 at 7:46 PM, Doug McGarrett
On Tuesday 26 February 2008 18:51, Greg Freemyer wrote:
On Tue, Feb 26, 2008 at 6:46 PM, John Meyer
wrote: I'm wondering if anybody's working on a system to replace the traditional username/password with something like a picture. (you pick which one out of a table of pictures, for instance).
One of the keys to keeping passwords not breakable is to have a massive number of possibilities. Not sure how you do that with a multiple choice solution.
Greg -- Greg Freemyer
Well, if the picture was one you create yourself, with a million pixels or so, it might be fairly secure, so long as it was never published on the net. Digital cameras have wonderful possibilities. Scrambling the image using some kind of standard encoding would make it almost impossible to recreate. (Who would know that it was an image, or what kind of encoding was in use?) Just an idea. . . .
--doug
Not sure why, but that makes me think of using a private / public key to authenticate. I've seen that done where the user is asked to draw a bunch of squiggles. Those are used in the creation process of the key pair. Standard ssh type key-based login follows from there. Greg
Doug McGarrett wrote:
On Tuesday 26 February 2008 18:51, Greg Freemyer wrote:
On Tue, Feb 26, 2008 at 6:46 PM, John Meyer
wrote: I'm wondering if anybody's working on a system to replace the traditional username/password with something like a picture. (you pick which one out of a table of pictures, for instance). One of the keys to keeping passwords not breakable is to have a massive number of possibilities. Not sure how you do that with a multiple choice solution.
Greg -- Greg Freemyer
Well, if the picture was one you create yourself, with a million pixels or so, it might be fairly secure, so long as it was never published on the net. Digital cameras have wonderful possibilities. Scrambling the image using some kind of standard encoding would make it almost impossible to recreate. (Who would know that it was an image, or what kind of encoding was in use?) Just an idea. . . .
How does that help when the "correct answer" is one of the multiple-guess choices? It's an invitation to having your system used by an unauthorized user.
On Tue, 2008-02-26 at 16:46 -0700, John Meyer wrote:
I'm wondering if anybody's working on a system to replace the traditional username/password with something like a picture. (you pick which one out of a table of pictures, for instance).
Could you expand on that? I have my system set up that you can click on a picture and then enter the user password in order to log-in. I've been doing it that way since at least 10.0.
On Tue, 2008-02-26 at 16:46 -0700, John Meyer wrote:
I'm wondering if anybody's working on a system to replace the traditional username/password with something like a picture. (you pick which one out of a table of pictures, for instance).
Could you expand on that? I have my system set up that you can click on a picture and then enter the user password in order to log-in. I've been doing it that way since at least 10.0.
The picture password is an idea that has been around for a very long time. There are variations from selecting several images in the correct order from a "wall" of images to selecting one correct image from a stack of images to selecting points on a single image in the correct order. Some link from the past few years... http://news.bbc.co.uk/2/hi/science/nature/1986713.stm http://www.theregister.co.uk/2002/03/25/picture_this_imagebased_passwords/ http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1000783,... http://www.youtube.com/watch?v=45p1Er4H8h0 C
Clayton wrote:
On Tue, 2008-02-26 at 16:46 -0700, John Meyer wrote:
I'm wondering if anybody's working on a system to replace the traditional username/password with something like a picture. (you pick which one out of a table of pictures, for instance).
<snip>
The picture password is an idea that has been around for a very long time. There are variations from selecting several images in the
<snip>
Some link from the past few years... http://news.bbc.co.uk/2/hi/science/nature/1986713.stm http://www.theregister.co.uk/2002/03/25/picture_this_imagebased_passwords/ http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1000783,... http://www.youtube.com/watch?v=45p1Er4H8h0
C
Of the references above the earliest is about 2002, IIRC I came across some research in the area in the late 1980s and early 1990s, and it was not new then. So the idea has been around a very long time... -- I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone. Bjarne Stroustrup
G T Smith wrote:
Clayton wrote:
On Tue, 2008-02-26 at 16:46 -0700, John Meyer wrote:
I'm wondering if anybody's working on a system to replace the traditional username/password with something like a picture. (you pick which one out of a table of pictures, for instance).
<snip>
The picture password is an idea that has been around for a very long time. There are variations from selecting several images in the
<snip>
Some link from the past few years... http://news.bbc.co.uk/2/hi/science/nature/1986713.stm http://www.theregister.co.uk/2002/03/25/picture_this_imagebased_passwords/ http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1000783,... http://www.youtube.com/watch?v=45p1Er4H8h0
C
Of the references above the earliest is about 2002, IIRC I came across some research in the area in the late 1980s and early 1990s, and it was not new then. So the idea has been around a very long time...
And not implemented because it's inherently insecure. Unless you put the screen in a booth where nobody else can see it, users just might as well announce what they're doing on an advertising billboard. -- ARK
The Magic Nose Goblin wrote:
G T Smith wrote:
<snip>
Clayton wrote: Of the references above the earliest is about 2002, IIRC I came across some research in the area in the late 1980s and early 1990s, and it was not new then. So the idea has been around a very long time...
And not implemented because it's inherently insecure.
Unless you put the screen in a booth where nobody else can see it, users just might as well announce what they're doing on an advertising billboard.
This goes for any form of password entry, there are people with the ability to memorise keystrokes, and with the advent of the camera phone the data entry process can be videoed, or one can acquire such information from things like CCTV. (A lot of card fraud uses such techniques).
Most password/passphrase/certificate/biometric security mechanisms involve some collection and exchange of data between client and server. Though the protocols for transmission are very strong the point of entry is often a vulnerable area. There are schemes where you only supply the characters at designated points (e.g. the first and third characters of the password), but many people struggle with this and it does have the unfortunate side effect of encouraging some people to note down the password.
The methods suggested in the articles are somewhat over complex to use. The semantic content of images is rather high so any pattern would be easy to discern and things like password changing or its equivalent would be complex and unwieldy. So the mechanisms as described would be security weak. Also they seem to be targeted at mobile devices.
An image based entry system does have the potential advantage that information on the image that should be selected does not need to leave the authenticating server, and the method of selecting the image can be independent of the image actually selected and should not leave any trace at the access point. At its simplest this only requires the display of a group of simple geometric images of different colours. The password really being a rule to find an image to select which can be a route to the image or a spatial relationship, or a combination of the two. The actual content of the image to be selected is in itself unimportant.
E.g. one can have a rule which says the image to be selected is three positions to the right of the second blue image below the highest star. This can be rather difficult to deduce for a third party observer the first time round. One would have to observe an individual several times to work out what such a rule was. The larger the number of images displayed and the greater range of images the more difficult such a task would be. So in some circumstances this could be more secure than a password or certificate based mechanism.
While people religiously go on about strong passwords, the uncomfortable issue is that often the stronger a password is the more difficult it is for an individual to remember. Written language and numeracy are in the main cultural constructs which people have to learn to apply, and some are better at this than others. What people are very good at is recognising and retaining patterns (something which computers are still comparatively weak at). When a human attempts to catch a ball the human brain is unlikely to do the math to calculate the trajectory, what is more likely is that the brain extrapolates a sequence of pattern changes based on past experience.
Image based pattern finding rules can possibly be tied to other things (week, month, year, phase of moon etc), so the object selected can only be worked out using meta-knowledge that should only be known to the user.
The weakness with such systems is they are only good for security entry by human beings via GUI interfaces. The image grids would need to be partly randomised which implies a processing overhead in generating the image (which is probably more of a factor in the adoption of such a strategy than any inherent security weakness in the method, 2000 people logging on at 9 in the morning could cause a bit of a performance blip with this approach).
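The observation argument in G T Smith's message above, as a small simulation added here (not code from any poster on the list): an observer who sees each freshly shuffled grid and the clicked cell discards every rule that disagrees, and the function reports how many candidate rules survive each watched login. The four-colour palette, the 24-cell grid and the (colour, ordinal, offset) rule family are assumptions that simplify the "three positions to the right of the second blue image" rule.

```python
import random
from itertools import product

# Assumed model, not taken from the thread: 4 colours, 6 cells of each,
# cells numbered in reading order (left to right, top to bottom).
COLOURS = ("red", "green", "blue", "yellow")
PER_COLOUR = 6
CELLS = len(COLOURS) * PER_COLOUR
ORDINALS = (1, 2, 3)          # first / second / third cell of a colour

# Every rule the observer considers: (colour, ordinal, offset to the right).
RULE_SPACE = list(product(COLOURS, ORDINALS, range(CELLS)))


def new_grid(rng):
    """Server side: a freshly shuffled grid for each login attempt."""
    grid = list(COLOURS) * PER_COLOUR
    rng.shuffle(grid)
    return grid


def apply_rule(rule, grid):
    """Index of the cell a rule selects on this grid (wraps at the end)."""
    colour, ordinal, offset = rule
    anchors = [i for i, c in enumerate(grid) if c == colour]
    return (anchors[ordinal - 1] + offset) % CELLS


def shoulder_surf(secret, logins, seed=2008):
    """Return (candidate count after each watched login, surviving rules)."""
    rng = random.Random(seed)
    candidates = set(RULE_SPACE)
    history = []
    for _ in range(logins):
        grid = new_grid(rng)
        clicked = apply_rule(secret, grid)      # what the user clicks
        # The observer keeps only rules that would have clicked the same cell.
        candidates = {r for r in candidates if apply_rule(r, grid) == clicked}
        history.append(len(candidates))
    return history, candidates


if __name__ == "__main__":
    secret = ("blue", 2, 3)   # constructed: "3 to the right of the second blue"
    history, left = shoulder_surf(secret, logins=40)
    print("rules in the model:", len(RULE_SPACE))
    print("candidates after each watched login:", history[:10])
    print("a blind click succeeds with probability 1/%d" % CELLS)
    print("rules still consistent after 40 logins:", left)
```

In this model a single watched login always leaves 12 candidate rules (one offset per colour and ordinal pair), whereas a fixed picture is learned from one observation; the small rule space and the 1-in-24 blind click are the "number of possibilities" concern raised earlier in the thread.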
Clayton wrote:
On Tue, 2008-02-26 at 16:46 -0700, John Meyer wrote:
I'm wondering if anybody's working on a system to replace the traditional username/password with something like a picture. (you pick which one out of a table of pictures, for instance).
Could you expand on that? I have my system set up that you can click on a picture and then enter the user password in order to log-in. I've been doing it that way since at least 10.0.
The picture password is an idea that has been around for a very long time. There are variations from selecting several images in the correct order from a "wall" of images to selecting one correct image from a stack of images to selecting points on a single image in the correct order.
EXTREMELY weak security. If I just look over your shoulder, from nearly anywhere in the room where I can view the screen, I have your "password" in one observation. At least to get your password off a keyboard, someone would have to observe you typing it several times (unless you are a REALLY slow hunt-and-peck type). Some ideas just aren't that good. This is one of them.
Some link from the past few years... http://news.bbc.co.uk/2/hi/science/nature/1986713.stm http://www.theregister.co.uk/2002/03/25/picture_this_imagebased_passwords/ http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1000783,... http://www.youtube.com/watch?v=45p1Er4H8h0
C
-- ARK
Clayton wrote:
On Tue, 2008-02-26 at 16:46 -0700, John Meyer wrote:
I'm wondering if anybody's working on a system to replace the traditional username/password with something like a picture. (you pick which one out of a table of pictures, for instance).
Could you expand on that? I have my system set up that you can click on a picture and then enter the user password in order to log-in. I've been doing it that way since at least 10.0.
The picture password is an idea that has been around for a very long time. There are variations from selecting several images in the correct order from a "wall" of images to selecting one correct image from a stack of images to selecting points on a single image in the correct order.
Of course, this is next to impossible to hide from anyone looking over your shoulder. Pass-phrases are a far better idea.
Some link from the past few years... http://news.bbc.co.uk/2/hi/science/nature/1986713.stm http://www.theregister.co.uk/2002/03/25/picture_this_imagebased_passwords/ http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1000783,... http://www.youtube.com/watch?v=45p1Er4H8h0
C
-- ARK
Mike McMullin wrote:
On Tue, 2008-02-26 at 16:46 -0700, John Meyer wrote:
I'm wondering if anybody's working on a system to replace the traditional username/password with something like a picture. (you pick which one out of a table of pictures, for instance).
Could you expand on that? I have my system set up that you can click on a picture and then enter the user password in order to log-in. I've been doing it that way since at least 10.0.
What I was thinking about was one of two: 1. Either inserting the picture into a database and having the person choose from that picture and a bunch of random pictures. 2. I thought I saw a web site do this where you had six pictures and clicked on the three that could fly or something of that nature.
John Meyer wrote:
I'm wondering if anybody's working on a system to replace the traditional username/password with something like a picture. (you pick which one out of a table of pictures, for instance).
That is yet another dumb, security-violation way of doing things brought to you by those cretins at MickeyMousesoft. Just say no to stupid ideas. -- ARK
On Wednesday 27 February 2008 05:22, The Magic Nose Goblin wrote:
John Meyer wrote:
I'm wondering if anybody's working on a system to replace the traditional username/password with something like a picture. (you pick which one out of a table of pictures, for instance).
That is yet another dumb, security-violation way of doing things brought to you by those cretins at MickeyMousesoft.
Just say no to stupid ideas.
-- ARK
You're hardly making it hard to figure out who you are, though it took me only two of the three MNG posts I read before this one to spot the pattern. RRS
On Wed, 2008-02-27 at 10:21 -0800, Randall R Schulz wrote:
On Wednesday 27 February 2008 05:22, The Magic Nose Goblin wrote:
John Meyer wrote:
I'm wondering if anybody's working on a system to replace the traditional username/password with something like a picture. (you pick which one out of a table of pictures, for instance).
That is yet another dumb, security-violation way of doing things brought to you by those cretins at MickeyMousesoft.
Just say no to stupid ideas.
-- ARK
You're hardly making it hard to figure out who you are, though it took me only two of the three MNG posts I read before this one to spot the pattern.
You mean the initials didn't give it away? ;)
Mike McMullin wrote:
On Wed, 2008-02-27 at 10:21 -0800, Randall R Schulz wrote:
On Wednesday 27 February 2008 05:22, The Magic Nose Goblin wrote:
John Meyer wrote:
I'm wondering if anybody's working on a system to replace the traditional username/password with something like a picture. (you pick which one out of a table of pictures, for instance).
That is yet another dumb, security-violation way of doing things brought to you by those cretins at MickeyMousesoft.
Just say no to stupid ideas.
-- ARK
You're hardly making it hard to figure out who you are, though it took me only two of the three MNG posts I read before this one to spot the pattern.
You mean the initials didn't give it away? ;) ]
hahahahaha -- ARK
The Magic Nose Goblin wrote: <snip>
That is yet another dumb, security-violation way of doing things brought to you by those cretins at MickeyMousesoft.
Just say no to stupid ideas.
Aaron, are you trying to be stealthy with your new user name? -- Tony Alfrey tonyalfrey@earthlink.net "I'd Rather Be Sailing"
On Wednesday 27 February 2008 08:22, The Magic Nose Goblin wrote:
John Meyer wrote:
I'm wondering if anybody's working on a system to replace the traditional username/password with something like a picture. (you pick which one out of a table of pictures, for instance).
That is yet another dumb, security-violation way of doing things brought to you by those cretins at MickeyMousesoft.
Just say no to stupid ideas.
-- ARK
I responded to this once before, but I don't think I expressed the idea well. If you take a picture with a digital camera--say 5 megapixels--and put the image, even without any encyphering, on a camera card, and let a card-reader read the image for login purposes, you've got a code that's 5 million pixels-- however they are encoded--long. Let's see someone crack that! Anyone looking over your shoulder when you login would see a picture of your dog, or something, but he could never duplicate it, even if he photographed your monitor. And it would not have to appear on the monitor, just be entered as a login code. Of course, the card could be physically stolen, but so could the hard drive. And with conventional passwords, they can be tortured out of anyone. Nothing is fool proof. --doug
Doug McGarrett wrote:
On Wednesday 27 February 2008 08:22, The Magic Nose Goblin wrote:
John Meyer wrote:
I'm wondering if anybody's working on a system to replace the traditional username/password with something like a picture. (you pick which one out of a table of pictures, for instance). That is yet another dumb, security-violation way of doing things brought to you by those cretins at MickeyMousesoft.
Just say no to stupid ideas.
-- ARK
I responded to this once before, but I don't think I expressed the idea well. If you take a picture with a digital camera--say 5 megapixels--and put the image, even without any encyphering, on a camera card, and let a card-reader read the image for login purposes, you've got a code that's 5 million pixels-- however they are encoded--long. Let's see someone crack that!
So in other words, you're just talking about physical-key based authorization system.
Anyone looking over your shoulder when you login would see a picture of your dog, or something, but he could never duplicate it, even if he photographed your monitor.
Why even use this picture thing, if it's entirely reliant upon being under your control all the time anyways. Or how about this...I "borrow" your USB key, and having watched you previously, I know how WHICH picture to copy.
And it would not have to appear on the monitor, just be entered as a login code. Of course, the card could be physically stolen, but so could the hard drive. And with conventional passwords, they can be tortured out of anyone. Nothing is fool proof.
It's inherently weak. IF you want to use a physical device, CIK keys are far better, because they can't be duplicated.
--doug
Blessed are the peacemakers ... for they shall be shot at from both sides. --A.M. Greeley
-- ARK
Doug McGarrett wrote:
however they are encoded--long. Let's see someone crack that!
but the computer knows about the image only by its name, so only the name is the key...
Anyone looking over your shoulder when you login would see a picture of your dog, or something, but he could never duplicate it
he can enter your computer as soon as you are out... if you mean using the image binary as key, it's a 5Meg key, quite a lot to share... jdd -- http://www.dodin.net http://clairedodin.voices.com/ http://www.clairedodin.com/ http://claire.dodin.net/
participants (10)
- Clayton
- Doug McGarrett
- G T Smith
- Greg Freemyer
- jdd
- John Meyer
- Mike McMullin
- Randall R Schulz
- The Magic Nose Goblin
- Tony Alfrey