>> Prior to subsequent logins, the user also predefines the sequence or
>> pattern criteria for selecting the objects positioned on the GUI, and
>> sequentially inputting the text associated with each. By employing this
>> pattern, and visually determining the objects, a number of which
>> sequentially correspond to the user-known pattern displayed on the GUI, an
>> authentication password is determined. The password is input by the user
>> typing the corresponding dynamic word string defined by the user's
>> pre-defined words which are associated with the viewed objects in that
>> particular sequence.
>
> From what I can surmise the user assigns a password with a picture, so when the
> picture shows up, the user inputs the password.

  I couldn't figure out how their system works just from attempting to
login to the demo as "test", but this sounds quite a bit like my
favorite password system, which I encountered doing a CUPS Lab study on
Mechanical Turk about four years ago.  I've never seen any mention of it
since (and have looked a few times) so it may have turned out to not
work well with users and they dropped it right away, but it worked like
this: the system displays a grid of numbers where the numbers in each
position are randomized and the thing you remember is the pattern but
the thing you type is the numbers.

  There is a tradeoff between how large the grid is and how many grids
with different patterns you need to remember.  It is fairly complicated
in a way (you might need several grids depending on the size and length
of sequence), but used like I describe it means you can't recover the
password just from what the user types but would need to observe the
display.  It could also allow an easy multi-input-mode password system,
although touching or clicking the pattern might allow an audio recording
to determine the pass-pattern (there I guess you would ideally want the
opposite: remember a sequence of pictures or such and tap the
locations).

  It looks like the nimbusid system isn't that close currently, but some
of the pictures in the patent are quite a bit closer so it must be
something along those lines.

  IMO, the real tragedy of passwords is that the average personal computer
user is ever asked to remember more than two of them (a main one for
almost everything and a second one for the most important things) and is
allowed to choose them.  For regular web usage, browsers should just
generate passwords (or certificates) for the user and save them, no user
interaction needed other than some way to indicate a "most important
things" site.  Provide a way for the user to access the password to
write it down if they really need to use a friend's computer or internet
cafe or whatever.  Similarly, operating systems should allow access to
multiple user accounts with one password entry (which also counts as the
main password entry to access most stored web passwords) to make it
easier to use the only effective privilege separation mechanism they
provide.  The same two passwords should also cover disk encryption, the
main one for standard user or whole disk encryption and the second for
less frequently used encryption.

  21 base64 characters (three groups of seven) is 126 bits of entropy if
randomly generated and doesn't even take that long to memorize if you
copy it from a piece of paper for a while.  Or just always refer to the
paper.  Current password usage encourages lots of weak passwords when
what we should be aiming for is one or two strong passwords.

-M
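The grid scheme described in the message above, as an added toy model that is not part of the original post or of the nimbusid system. The assumptions are mine: a square grid of decimal digits, a pattern stored server-side as an ordered list of (row, col) cells, and a response that is the digits at those cells typed in order. The model also makes the tradeoff in the message concrete: `consistent_patterns` counts how far an observer who saw both the display and the keystrokes can narrow the pattern after one login, and `survivors_after_rounds` intersects those sets across several observed logins.

```python
"""Toy model of a "remember the pattern, type the numbers" login.

Added example; parameters (4x4 grid, decimal digits, 4-cell pattern)
are constructed for the demo, not taken from any real product.
"""
import random
import secrets
from itertools import product

GRID_SIZE = 4   # constructed demo parameter: a 4x4 grid
DIGITS = 10     # each cell holds one decimal digit


def new_grid(size=GRID_SIZE, randbelow=secrets.randbelow):
    """Fresh challenge: every cell gets an independent random digit."""
    return [[randbelow(DIGITS) for _ in range(size)] for _ in range(size)]


def expected_response(grid, pattern):
    """The string the user should type for this grid and their pattern."""
    return "".join(str(grid[r][c]) for r, c in pattern)


def verify(grid, pattern, typed):
    """Server-side check of a typed response against the grid it issued."""
    return secrets.compare_digest(expected_response(grid, pattern), typed)


def consistent_patterns(grid, typed):
    """All cell sequences that would produce `typed` on this grid.

    This is what an observer who saw the display AND the keystrokes
    learns from one login; without the display every sequence of
    len(typed) cells is still possible.
    """
    size = len(grid)
    cells_by_digit = {}
    for r in range(size):
        for c in range(size):
            cells_by_digit.setdefault(str(grid[r][c]), []).append((r, c))
    choices = [cells_by_digit.get(ch, []) for ch in typed]
    return set(product(*choices))


def survivors_after_rounds(pattern, rounds, size=GRID_SIZE,
                           randbelow=secrets.randbelow):
    """Intersect the consistent sets over several observed logins.

    The true pattern is always a survivor; the interesting quantity is
    how fast the rest are eliminated when the same pattern is reused.
    """
    survivors = None
    for _ in range(rounds):
        grid = new_grid(size, randbelow)
        typed = expected_response(grid, pattern)
        cands = consistent_patterns(grid, typed)
        survivors = cands if survivors is None else survivors & cands
    return survivors


if __name__ == "__main__":
    pattern = [(0, 0), (1, 1), (2, 2), (3, 3)]   # constructed: the diagonal
    grid = new_grid()
    for row in grid:
        print(" ".join(map(str, row)))
    typed = expected_response(grid, pattern)
    print("user types:", typed, "->", verify(grid, pattern, typed))
    print("patterns consistent with display+keystrokes:",
          len(consistent_patterns(grid, typed)))
    rng = random.Random(7).randrange          # seeded only for a repeatable demo
    for n in (1, 2, 3, 5):
        print(f"after {n} observed logins:",
              len(survivors_after_rounds(pattern, n, randbelow=rng)))
```

`verify` uses `secrets.compare_digest` so the check does not leak through timing, and the grid is regenerated per login so a captured keystroke string is useless for replay. The `survivors_after_rounds` output is the caveat the message hints at with "would need to observe the display": a shoulder-surfer who records a handful of full sessions recovers the pattern, so the scheme buys resistance to keyloggers and typed-password reuse, not to observation of the screen.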


_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
