One of the largest security challenges many organizations face comes from the most basic aspect of security: user passwords. Humans simply have a limited capacity to remember otherwise insignificant streams of letters and digits; as a result, they often choose passwords that are easier to remember. Those memorable passwords, however, can fail in the face of dictionary attacks or guesses based on information such as birth dates or the names of family members. This week's meeting of the Computer and Communications Security interest group of the Association for Computing Machinery saw the description of the latest attempt to balance security and obscurity: an improved form of the "Draw a Secret" method.
It seems like every week I read something about making passwords easier to remember or something similar. The majority of these are woefully insecure and promote a hands-off security policy. However, I think this could seriously be a plausible alternative to traditional text passwords for a number of reasons. First, in order to have different passwords on every site today, you might use a password storage program or website (like the one I posted about previously). With this system, at least in theory, you should be able to get by with only a few "passwords". Second, I don't see brute force being a feasible means of guessing your picture. For one, in an ideal implementation, you would be able to make a password picture as long or as short as you wanted, with as much detail as you wish; there would be no limit to how complex your password picture could be. For another, it's fairly difficult (one would assume) to automate drawing a random picture that means anything.
However, I see some downsides to this system. As with traditional passwords, I can see patterns developing in the passwords people choose. For instance, drawing a simple smiley face or the numbers "1 2 3" would probably be common passwords that could be guessed by brute force. Also like traditional passwords, these are forgettable, and when it's time to recover your password, it may be difficult or impossible to reproduce a picture generated for you by a computer. Despite these few flaws, I'm eager to start seeing some real implementations of this idea and the results they produce. Who knows, we may all be drawing pretty pictures to log into our bank accounts before long.

March 11th, 2008 at 5:45 pm
The program used to recognize the picture would have to be a fairly lenient OCR program. Since OCRing takes into account that the picture may not be perfect, it will run a script to make sure the picture is "close." How close will determine how annoying it is to get the pass pic right (strict OCR), or how easy it would be (lenient OCR). Since it's new, the developers would want to err on the lenient side, because they want people to pick up their product without much hassle.
So bruting the pass/pic may be something like taking letters that look like other letters (e.g. N looks pretty close to V, W, M, and A; 3 can be made to look like 8, B, and D), which limits the character set needed, and going through a few cycles (who'd want to draw more than a handful of characters?), and moving the letters up and down a bit. Some letters would even look like pics (OUO with the U a little lower may pass for a smiley face).
Additionally, since it's new, there would need to be a backup in case the drawing didn't work, and that may prove to be the weak point.
All in all I don't think this is the answer to the problem.
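The sizing question behind both the post (brute force being infeasible against arbitrarily complex drawings) and the comment (lenient matching and short drawings shrinking the space) can be made concrete. The example below is added here and is not code from the post, the comment, or the scheme reported on; it assumes the original Draw-a-Secret encoding (Jermyn et al., 1999), in which a drawing on an n×n grid is recorded as the sequence of cells each stroke crosses between 4-adjacent cells, closed by a pen-up marker, and it treats a coarser grid as the lenient matcher.

```python
"""Sizing the Draw-a-Secret (DAS) password space (constructed example).
Assumes the original DAS encoding: a drawing on an n x n grid becomes the
sequence of cells each stroke crosses (consecutive cells 4-adjacent), with a
pen-up marker closing every stroke. Small n = lenient matcher; short = few symbols."""
from functools import lru_cache
from math import log2

MOVES = ((1, 0), (-1, 0), (0, 1), (0, -1))  # 4-adjacent cell transitions


def das_password_count(n, length):
    """Number of DAS passwords that encode to exactly `length` symbols
    (cells plus pen-up markers) on an n x n grid. Every stroke holds at
    least one cell, and the password ends with a pen-up."""
    cells = [(r, c) for r in range(n) for c in range(n)]

    def neighbours(cell):
        r, c = cell
        return [(r + dr, c + dc) for dr, dc in MOVES
                if 0 <= r + dr < n and 0 <= c + dc < n]

    @lru_cache(maxsize=None)
    def ways(remaining, cur):
        # cur is None at the start and right after a pen-up, else the last cell.
        if remaining == 0:
            return 1 if cur is None else 0        # must finish on a pen-up
        if cur is None:                           # begin a new stroke anywhere
            return sum(ways(remaining - 1, c) for c in cells)
        total = ways(remaining - 1, None)         # lift the pen
        total += sum(ways(remaining - 1, nxt) for nxt in neighbours(cur))
        return total

    return ways(length, None)


def das_space_up_to(n, max_length):
    """Total number of DAS passwords using at most `max_length` symbols."""
    return sum(das_password_count(n, l) for l in range(1, max_length + 1))


def bits(count):
    """Guessing resistance of a uniformly chosen password, in bits."""
    return log2(count) if count > 0 else 0.0


if __name__ == "__main__":
    print(f"8-char alphanumeric text password: {bits(62 ** 8):5.1f} bits")
    for n in (3, 5, 8):                           # lenient ... strict grids
        for max_len in (6, 12):
            space = das_space_up_to(n, max_len)
            print(f"DAS {n}x{n} grid, <= {max_len:2d} symbols: {bits(space):5.1f} bits")
```

The bit counts are an upper bound on resistance, since they assume drawings are chosen uniformly; the smiley-face and "1 2 3" patterns the post predicts would concentrate real choices into a far smaller subset.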