Monday, November 5, 2007

Graffiti Passwords: Secure and Memorable

Via arstechnica.com -

One of the largest security challenges many organizations face comes from the most basic aspect of security: user passwords. Humans simply have a limited capacity to remember otherwise insignificant streams of letters and digits; as a result, they often choose passwords that are easier to remember. Those memorable passwords, however, can fail in the face of dictionary attacks or guesses based on information such as birth dates or the names of family members. This week's ACM Conference on Computer and Communications Security (CCS) saw the description of the latest attempt to balance security and memorability: an improved form of the "Draw a Secret" method.

The basic concept behind Draw a Secret (DAS) is that humans excel at image recognition and memory, so "passwords" should be designed to leverage that ability. Initial implementations simply tracked a free-form shape drawn with a stylus on a touch-sensitive screen, recording the sequence of grid cells the stroke passed through. The authors of the new work had previously refined the technique by parsing the shapes with a flexible grid, which allowed them to more accurately recognize key features such as changes in the stroke's direction. The primary limitation of this DAS system is the user's ability to accurately redraw a complex shape from memory: a stroke that strays across a cell boundary on the second attempt produces a different encoding and is rejected.
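To make the encoding step concrete, here is a toy DAS encoder and verifier in Python. It is an added example, not code from the Ars article or from the Draw a Secret authors, and it follows the original fixed-grid scheme rather than the flexible grid mentioned above: the secret is the ordered list of grid cells the pen passes through, with a marker wherever the pen lifts, and that token string (never the raw coordinates) is salted and hashed like a text password. The 5x5 grid, the 100x100 canvas, the interpolation step, the PBKDF2 parameters and the sample drawings are all assumptions of the example; the second drawing is constructed so that one stroke drifts across a cell boundary, which is exactly the redraw-accuracy failure the paragraph describes.

```python
"""Toy Draw-a-Secret (DAS) encoder and verifier. Added example; parameters are assumptions."""
import hashlib
import hmac
import math
import os

GRID = 5                    # 5x5 grid (assumed, as in the original DAS scheme)
CANVAS = 100.0              # canvas is CANVAS x CANVAS units; each cell is CANVAS/GRID wide
PEN_UP = "|"                # token inserted where the pen is lifted between strokes
STEP = CANVAS / GRID / 4    # interpolation step, fine enough that no cell crossing is skipped
PBKDF2_ITERS = 100_000      # assumed work factor for the stored hash


def cell_of(x, y):
    """Map a canvas point to the (col, row) grid cell that contains it."""
    size = CANVAS / GRID
    col = min(int(x // size), GRID - 1)
    row = min(int(y // size), GRID - 1)
    return (col, row)


def _walk(p, q):
    """Yield points along segment p->q spaced at most STEP apart, so every cell the
    pen crosses is seen even if the tablet sampled the stroke sparsely."""
    (x0, y0), (x1, y1) = p, q
    n = max(1, math.ceil(math.hypot(x1 - x0, y1 - y0) / STEP))
    for k in range(n + 1):
        t = k / n
        yield (x0 + (x1 - x0) * t, y0 + (y1 - y0) * t)


def encode_drawing(strokes):
    """Encode a drawing (list of strokes, each a list of (x, y) points) as the
    sequence of grid cells visited, collapsing consecutive repeats and inserting
    PEN_UP between strokes. This token sequence is the actual DAS secret."""
    tokens = []
    for i, stroke in enumerate(strokes):
        if i > 0:
            tokens.append(PEN_UP)
        if not stroke:
            continue
        pairs = list(zip(stroke, stroke[1:])) or [(stroke[0], stroke[0])]
        last = None
        for p, q in pairs:
            for pt in _walk(p, q):
                c = cell_of(*pt)
                if c != last:
                    tokens.append(c)
                    last = c
    return tokens


def serialize(tokens):
    """Canonical text form of the token sequence, e.g. '0,0 1,0 2,0 | 3,3 3,4'."""
    return " ".join(t if t == PEN_UP else f"{t[0]},{t[1]}" for t in tokens)


def _digest(strokes, salt):
    secret = serialize(encode_drawing(strokes)).encode()
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERS)


def enroll(strokes, salt=None):
    """Store the drawing like a text password: random salt plus a slow hash of the
    encoded cell sequence. Raw coordinates are never stored."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, _digest(strokes, salt)


def verify(strokes, salt, digest):
    """Re-encode the attempt and compare digests in constant time."""
    return hmac.compare_digest(_digest(strokes, salt), digest)


# Constructed sample drawings (not from the paper): two strokes, pen lifted in between.
ENROLLED = [[(10, 10), (50, 10)], [(70, 70), (70, 90)]]
# The same shape redrawn from memory, with the first stroke drifting 12 units
# downward so its end crosses into the next row of cells.
DRIFTED = [[(10, 10), (50, 22)], [(70, 70), (70, 90)]]

if __name__ == "__main__":
    salt, digest = enroll(ENROLLED)
    print("enrolled:", serialize(encode_drawing(ENROLLED)))
    print("redraw  :", serialize(encode_drawing(DRIFTED)), "->", verify(DRIFTED, salt, digest))
```

Two things worth noticing when running it: a redraw that wobbles but stays inside the same cells still verifies, because only the cell sequence is hashed; a redraw that crosses one extra boundary fails outright, which is why the authors' memorability results hinge on helping users place strokes consistently.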

The improvement discussed this week involved a simple idea that improves essentially all aspects of DAS: drawing accuracy, complexity of the drawings, and memorability. The authors suggest that simply providing a background image to draw on—essentially making password entry an act akin to graffiti—handles all three of these concerns. The use of an image as part of the password process is something that many companies are turning to in an attempt to limit the effect of phishing attacks. Here, it additionally prompts users to recall their password via associative memory.

The picture also helps improve users' ability to accurately redo a freehand drawing, as features of the drawing can be made to fit within the confines of the image. Finally, the improvements in memorability and drawing accuracy enable users to choose more elaborate drawings with multiple strokes and line endings as their passwords, improving the security of the system.

The revised version of DAS, which the authors termed Background Draw a Secret, seems to work. In tests, users created BDAS passwords that contained an extra 10 bits of extractable data compared with the passwords of subjects who drew on a blank grid. A week later, 95 percent of the subjects were able to recall their password drawings within three attempts.

Right now, the system is limited to devices with a touch-sensitive input device, which means many ATMs are out. But, in the mobile device space, where styluses, touchpads, and touch screens are prevalent, all the pieces appear to be in place. Hopefully, the authors will move on to create some software that works on these low-powered devices and expose BDAS to a wider test audience.
