Photos as Visual Passwords Could Foil Hackers?



I’ve tried out a few of these visual recognition password technique things, and to tell you the truth they didn’t work for me, not at all.

I clicked the requisite 3-4 spots on the image, and remembered them, but when I tried to log in it wouldn’t accept it.

A password that uses images instead of numbers could give some people access to secure information on personal electronic devices or at ATMs within the next year.

The image authentication system uses a pair of digital images instead of a string of numbers to make logging in simple for the legitimate user, but difficult for impersonators.

“It is expected that many of the conventional user authentication systems would be able to be replaced with our scheme, since recognition of images is significantly easier for human beings than precise recall of passwords,” said team leader Masakatsu Nishigaki, a professor of informatics at Shizuoka University in Japan, where the system is being developed.

Source: Discovery Channel


There is a simple implementation of it I saw called Passclicks over at mininova

http://labs.mininova.org/passclicks/

Passclicks is a new way to login to websites without users having to remember their old style textual password. Studies have revealed that humans are way better in remembering visual things than textual things. With passclicks your normal textual passwords are replaced with a sequence of clicks on an image.

It is true most people remember things a lot better visually.

I think the Japanese 4 ‘digit’ icon type password might be pretty good though, as a different form of PIN number.

Posted in: Hacking News





4 Responses to Photos as Visual Passwords Could Foil Hackers?

  1. Mariam Ayyash April 18, 2006 at 9:22 am #

    I tried it, I remembered only four clicks! It is very possible for me to keep forgetting one click :s so it doesn’t always work, does it?

  2. Navaho Gunleg April 18, 2006 at 12:09 pm #

    I think the concept itself is original and pretty neat: the more happening on the image, the more possible locations one could click on, so the harder it will be to brute-force the password. Sure the demo is just a proof-of-concept, and it’s probably configurable in the end, but one shouldn’t even limit it to only 5 clicks.

    It could even be a bit ‘stronger’ if the person that wants to log in has to choose one image out of many, first, and not always show the same scenic image of Amsterdam in the Netherlands…

    Problems though are, like what happened to Mariam, that one could easily forget a click. Or one does remember the clicks, but forgets in what exact order.

    Then again, people have even worse problems remembering an alpha-numeric password at least 12 characters in length.

    I can definitely see this type of thing taking off. It would suck pretty badly for existing text-based services though (such as SSH). Don’t get me wrong, some ASCII art looks pretty cool, but there may be some problems there. ;)

    But for websites it could do the job perfectly.

    Though, if it’s only to prevent people from forgetting their passcodes, I do not think that’s going to be solved. I grew up in the age of PIN codes and passwords so I don’t have any problems with remembering them, as long as I frequently use them. Most people will forget them because of exactly that. So this authentication scheme could fail just as much…

    Just my two cents…

  3. Darknet April 19, 2006 at 4:06 am #

    Mariam: No password works if you forgot 20% of it ;)

    Navaho: Yah it’s definitely an interesting concept, how are you going to brute force the image? I did think of that though, the backend has to have some kind of image map which sends the co-ordinates or something similar to the server, so theoretically can’t you just send all combinations of all co-ordinates to the backend, in time ‘brute-forcing’ the image verification? I guess the entropy would be increased hugely if you used multiple random images like you said. Definitely good for websites and things like PDA/smart phones where they already have visual navigation aids.

  4. Navaho Gunleg April 19, 2006 at 6:22 am #

    Darknet: Well, if the image would only show, say, portrait of someone, it could be possible for somebody else to guess the clicks looking for obvious spots to click. That’s the type of brute-forcing I meant. (One could also attempt random clicks every time until one succeeds but that’s pretty tedious.)

    So, in that respect, images are a better solution than a password in text. For the sake of argument, let’s assume a password, in text, can only consist of 255 different characters.

    An image of 250×250 dimensions would give far greater ‘randomness’ — more possible pixels than characters in a text-password, thus brute-forcing isn’t as trivial as with text.
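Two threads run through the comments above: Darknet’s point that the backend must receive click co-ordinates and verify them somehow, and Navaho’s keyspace argument (255 characters versus 250×250 pixels). The following Python is an added example, not code from the post, from Passclicks or from the Shizuoka scheme, showing how a server would verify an ordered click sequence and how to estimate its keyspace. It assumes a 250×250 image and a 10×10-pixel tolerance tile (both my own parameters): Mariam’s complaint shows that exact-pixel matching is unusable, so real systems snap clicks to tiles, and the keyspace that matters is the number of tiles, not the number of pixels.

```python
import hashlib
import hmac
import math
import secrets

# Assumed parameters, not taken from the post: image size and tolerance tile in pixels.
IMAGE_W, IMAGE_H = 250, 250
TILE = 10            # clicks landing in the same 10x10 tile count as the same "symbol"
PBKDF2_ROUNDS = 50_000


def quantize(clicks, tile=TILE):
    """Snap raw (x, y) pixel clicks to tile indices, keeping their order.

    Tolerance is what makes the scheme usable (a click a few pixels off still
    verifies), but it also shrinks the effective alphabet from pixels to tiles.
    """
    return tuple((x // tile, y // tile) for x, y in clicks)


def encode(cells):
    """Serialise the ordered tile sequence into bytes for hashing."""
    return ",".join(f"{cx}:{cy}" for cx, cy in cells).encode()


def enroll(clicks, tile=TILE):
    """Store a salted, stretched hash of the tile sequence, never the raw co-ordinates."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", encode(quantize(clicks, tile)),
                                 salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest, "tile": tile}


def verify(record, clicks):
    """Server-side check of a login attempt: same tiles, same order."""
    digest = hashlib.pbkdf2_hmac("sha256", encode(quantize(clicks, record["tile"])),
                                 record["salt"], PBKDF2_ROUNDS)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, record["digest"])


def click_keyspace_bits(n_clicks, tile=TILE, w=IMAGE_W, h=IMAGE_H):
    """Upper bound on click-password strength: (number of tiles) ** n_clicks.

    This is an upper bound only: users tend to click salient features (the
    "obvious spots" Navaho mentions), so real-world entropy is lower still.
    """
    cells = (w // tile) * (h // tile)
    return n_clicks * math.log2(cells)


def text_keyspace_bits(length, alphabet=255):
    """Strength of a text password of the given length over a 255-symbol alphabet."""
    return length * math.log2(alphabet)


def demo():
    # Constructed sample: a four-click enrolment and a slightly imprecise re-entry.
    enrolled = [(12, 34), (200, 100), (50, 210), (120, 120)]
    retry_same_tiles = [(15, 38), (203, 108), (57, 215), (129, 129)]
    wrong_order = [(200, 100), (12, 34), (50, 210), (120, 120)]
    record = enroll(enrolled)
    return {
        "imprecise_ok": verify(record, retry_same_tiles),
        "wrong_order_ok": verify(record, wrong_order),
        "missing_click_ok": verify(record, enrolled[:3]),
        "bits_4_clicks_tiled": click_keyspace_bits(4),
        "bits_4_clicks_pixel_exact": click_keyspace_bits(4, tile=1),
        "bits_4_char_text": text_keyspace_bits(4),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With these parameters, four clicks on a 25×25 tile grid give about 37 bits, versus about 32 bits for four characters from a 255-symbol alphabet and about 64 bits if every pixel counted; the tolerance that makes the scheme usable costs most of the advantage Navaho’s pixel count suggests, before hotspot bias is even considered.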