UK software developer Winfrasoft is pushing visual patterns as an alternative to traditional passwords. Users would select, or be allocated, a pattern of squares on a six-by-six grid. Each time they logged onto a system, they would be presented with a grid of numbers (as illustrated here), from which they would have to enter the …
So the thing i would like to know is
if the colours used on the grid and patterns help or hinder the colour blind and dyslexic.
Not entirely convinced I'd like to play sudoku eery time I want to log into a website.
So even if someone see's your keystrokes they cannot reverse the password.. ok. it might work.
but is changing your password as easy? a new pattern to remember every month could be problematic.. then again maybe not...
Bit of a fail though?
at first i though "this is not a bad idea... it may eliminate the problem of users forgetting their passwords after password reset policy" but looking at the picture of their login screen i noticed "AD Password" which i am assuming is Active Directory password... that being the case, it would just cause more problems for users and the IT staff that will be called to reset/assist there password problems as users have trouble remembering one password never mind a pattern also...
Have you seen how quick a computer can solve a sudoku?
Not a good idea
Not a bad idea...
Personally I find patterns easier to remember than most things, I remember phone numbers as patterns on a telephone keypad instead of the actual numbers.
Maybe having it as an alternative to standard AD logins would be a nice thing to do.
Only thing to watch is if its on a touch screen, you'd leave marks on the screen and it'd be easy to grab ur pattern (had this with my android device by a colleague for a prank once).
anyone remember Carrot Top for AT&T collect calling?
How many C A L L A T T passwords would be created?
It's not so much SODUKU as it is BINGO.
Oh, and with a cellphone video camera over the shoulder (which all good thieves have), grabbing the password will be a snap, or two.
Isn't this conceptually the same
as the idea I mentioned http://forums.theregister.co.uk/forum/containing/1031039 a while back ?
I've had a fair bit of success with shoulder surfing in the past. Working on phones I often needed to get from one part of a building to another then back again and so on. Frequently there were coed locks on doors and I never tired to watch what numbers were used but how the patterns went - even on the ones with a litte raised bit to block sight of finger tips. It was due to having to wait for ages each time and also getting staff pissed off at having to unlock doors for me - I discovered I could get patterns easily.
I've got a certain amount of dyslexia but I don't know if that has helped as I can't remember most number sequences anyway and my head has developed other ways of remembering them as tunes or patterns.
Maybe the developers need to check out if thier system works with other than 'normal' people.
I think you've missed the trick. With your situation the keyboard is a fixed layout, with this it is not.
Say for example my pass-shape is Green and top-left to bottom-right then up the vertical. Forget the colour for a moment, I'll come back to that. On a standard keyboard numpad that would be 75369 every time, easily shoulder surfed.
But with the example screen shot there are 4 different codes traced out by my shape. 10250, 01512, 50401 and 23420. I know the green squares are the correct ones so I enter 01512. Next time I need to authenticate there will be a different grid presented so my pass digits will be different.
Say someone did watch me type in 01512, the shape I typed on my numpad is a completely different shape to my pass-shape, if they tried that shape they'd get rejected. So say they have a video of me typing and of the screen, what now? Well they know my colour is not yellow because there's no yellow 1. They don't know the shape though because there are dozens of shapes I could be following to make that number sequence. The positions on the shape don't have to be joined up and unique like my example.
If they shoulder surfed me 2 or 3 times with a video of each they could probably work it out. No idea if this is the exact method of using the grid winsoft are promoting but hopefully it illustrates how using a shape or path over a non fixed grid makes life a bit harder for the shoulder surfer.
Hmm, it looks nice and user friendly, however...
A 6x6 grid is only 36 bits, so unless there's something else going on the 'secure' pattern is only as strong as a 4-5 character password, and the number of possible combinations is likely to be reduced by needing a certain proportion of the cells to be on or off to create memorable patterns.
it is an ordered pattern. Meaning that the order in which the grid cells are selected matters. This also means that a cell could be selected more than once. This would then produce 36^n possible combinations for a given length n. That's less than half the potential combinations of a keyboard (my US keyboard can represent 90 basic characters). But the ASCII password that gets entered will look random. So, anyone sniffing the characters gets garbled gook unless they also have the pattern shown on the screen.
Course, if it's not an ordered pattern, then the number of combinations is 2^36. Which is still pretty secure, unless the attacker is able to collect additional information. For a traditional password that would be about 5.5 characters long. It would be interesting to see what constitues a "simple" visual password and which patterns get used for dictionary attacks.
Personally, I couldn't think of a meaningful number when I was forced to generate a PIN for my debit card. So I just used an ordered visual pattern, which works great.
Sounds like a numberised version...
..of Android's gesture-unlock function. That one works fine until there's the tiniest bit of moisture on a capacitive screen, then all your accuracy goes to shit until you wipe it off.
Still, could work.
Ross Anderson's excellent book "Security engineering" has plenty of references in regards to patterns being recalled at higher rates than a string of characters. Having said that this approach would still be open to attacks as there have already been phishing attacks which take a screen capture of 20-30 pixels around the "clicked" area, thereby placing where the click has occurred in the grid.
As others have said already, a six by six grid doesn't really produce a great number of combinations.
If there is an advantage it would be a lower number of password resets so reduced helpdesk costs, but I don't see an improved added-value from a security perspective + the obvious measure of explaining to people how this "new" technology works. Most people are comfortable with passwords now... getting them to actually design and pick "strong" passwords is one of the main issues so you'd come across the same issues (people designing "easy" patterns to remember).
FAIL in . . .
Yes but mostly No
As a color-blind person who spends his free time, colour coding wikipedia tables I can attest that the colour don't cause issues. That's because they are on large enough swathes and with significant enough tonal differences that even a completely coloublind (very rare; most of us have trouble differentiating red/green hues) wouldn't worry about it.
And having the numbers duplicate along the grid makes identification harder.
However, how long before 90% of the peoples' patterns are a long enough straight line either on the first horizontal line or the the first vertical column?
And as a previous poster noted, don't try to change patterns regularly or it will be even worse than people recycling passwords.
Is there any knowledgeable security/encryption expert who could explain to me why do all systems start with the goal of un-doing mental patterns and habit evolved over millions of years? Let's face it the human tendency is always for a single sign-on approach. (Have just the one password, no matter how difficult or long). When all studies identify human factors as the no.1 vulnurability it's amazing that such systems have not adapted to accommodate this.
@Turtle_Fan: "Let's face it the human tendency is always for a single sign-on approach. (Have just the one password, no matter how difficult or long). When all studies identify human factors as the no.1 vulnurability it's amazing that such systems have not adapted to accommodate this."
Take a look at LastPass dot com.
"Why use LastPass?X
LastPass is a password manager that makes web browsing easier and more secure.
Oh the irony! A 'security product' you can't find out about unless you have the web's most insecure multi-platform orifice installed!
I like my Android pattern unlocker as well.
However,.for our admin passwords, we use the 10 word pass phrase approach.
for bank pin, I like the idea of displaying four faces you know amongst give strangers them you tap the faces you know.
You may not suffer from it, but a lot of us suffer from "face blindness", an inability to recognise people by face. Basically, we either get a lot of false negatives (treating Aunty Joan as a stranger) or false positives (going up to a stranger and kissing them, as in one of the Specsavers adverts). I've even recognised pictures of other men as myself!
And if, say, I put a picture of a female friend on there, chances are she'd change her hair or whatever (some women do that every week or so) and I'd get used to the new look and fail to recognise the older picture on the screen.
Plus, of course, you'd still need to have other non-visual systems for those who are sight-impaired, or you'd run foul of the Disability Discrimination legislation...
(Paris because I can't recognise her from any other blonde bimbo.)
Is this new?
Back in the stone age (the late '80s), my colleagues used to create passwords based on pattterns on the number pad. It's amazing how many people chose a simple guessable pattern - pretty much all start at top left (7) and ending at bottom right (3). Never took me more than 3 guesses to find their patterns and get access to their Systime accounts.....
Never allow users to choose their own patterns
Working for a company called Westhaven? Every pattern will be a "W". Guaranteed.
I think some are misunderstanding how this works.
From what I can see the user does not click on the grid at all (so no problem for touch screens) but merely "mentally" traces their pattern on the grid and enters the appropriate numbers. This would go some way to eliminating shoulder surfing too (provided users don't move the mouse to remember) since if I used the number 1 it may be found in many squares of the grid so even someone seeing the numbers and the grid wouldn't know for certain what the pattern is.
[Incidentally this reminds me of the advice a few years ago to use the same digit twice in PINs since an attack to find the PIN would only return the digits used in a PIN but not their order or frequency. Does anyone know if that is still applicable?]
Misunderstanding, or too lazy to read the article?
I think "misunderstanding" is rather generous, considering some of the brain-dead comments in this thread. There's no "Sudoku" element - the user isn't solving a puzzle. As you note, the user isn't supposed to click on the numbers, so it's not a gestural interface and recording mouse positions isn't a viable attack (if the user is careful).
Accessibility is still a problem. Shoulder-surfing is an issue if the user traces out the pattern with the mouse, a finger, etc; eye-tracking would likely leak some information too. Recording keystrokes is a viable attack, but it only reveals part of the key.
Combining recording keystrokes with some mechanism that can rank possible patterns based on probability (eg a HMM trained on a large set of known-used patterns, or even a MEMM that includes features developed from say physiological studies) might do quite well against this design, once sufficient training data was available.
Someone should tell these guys about the disabillity discrimination act.
Are blind or partially sighted users supported? Those with tunnel vision? etc. etc
So how do blind people use number generating tokens?
How do dyslexic or colour blind or visually impaired people use Capcha?
Answer those and you've answered your own question.
Have you ever noticed the little 'speaker' icon next to a capcha? That would be there to make them comply with the DDA.
I knew you'd get there in the end.
They use alternative methods -- much like this will likely allow "normal" passwords and a screen reader instead. Token systems also allow permanent passwords instead of tokens.
Most systems of authentication nowadays offer a couple of ways of doing things.
- Review Is it an iPad? Is it a MacBook Air? No, it's a Surface Pro 3
- Microsoft refuses to nip 'Windows 9' unzip lip slip
- Tesla: YES – We'll build a network of free Superchargers in Oz
- US Copyright Office rules that monkeys CAN'T claim copyright over their selfies
- True fact: 1 in 4 Brits are now TERRORISTS