Seemingly Fatal Drawbacks of Pictorial Password – Shoulder Surfing & Low Entropy
We have been advocating Expanded Password System that accepts images as well as texts from 2001. We have since kept hearing our proposition blamed for two major ‘drawbacks’ of using images – Shoulder Surfing and Low Entropy. So many people are still misguided to take it for granted as if it were the case.
The fact is that threats of shoulder surfing can be mitigated with ease by some simple techniques - images to get shrunk prior to tapping, texts allocated to images for quiet typing and so on at the end of developers, with the simplest solution being just looking around you before tapping the images at the end of users. How can it be a fatal drawback?
Another seemingly serious problem of low entropy can be eliminated at the end of developers without giving any extra burden on users.
With Expanded Password System, each image or character is presented by the image identifier data which can be of any length. Assume that your password is “CBA123” and that the image ‘C’ is identified as X4s& eI0w, and so on.
When you input CBA123, the authentication data that the server receives is not the easy-to-break“CBA123”, but something like “X4s&eI0wdoex7RVb%9Ub3mJvk…………..” which could be automatically altered periodically or at each access where desired, all without involving users.
Passwords of sufficient entropy, if properly hashed, can stand fierce brute force attacks. How can it be a fatal drawback?
PS
As for amplifying the entropy on the network, we could think about a very simple case as a reference.
You have two passwords - one that you can easily recall and the other that is too long for you to recall and needs to be stored on a paper or your device. You recall the first password and put it at the front or end of the second password before sending it off.
The authentication server obtains its hashed value and get it matched with the stored hash value. This hashed value has a very high entropy unless the hash program is compromised. Our proposition is not too far away in principle from this simple case.
Incidentally, the idea of combining a remembered password and a memo with a password on it could be viewed as an improvised 2-factor authentication that everyone can deploy right away at no cost for much better security than now.
#identity #authentication #password #security #safety #biometrics #ethic #privacy #civilrights #democracy
Hitoshi Kokumaiの記事
ブログを見る
Bad guys, who have a quantum computer at hand, would still have to break the part of user authentica ...
The quantum computer held in a bad guy’s hand is indeed a big threat. So is the artificial intellige ...
I would like to take up this somewhat puzzling report - “Google advises passwords are good, spear ph ...
関連プロフェッショナル
Debesh Choudhury
Solution Architect ➤ Biometrics, InfoSecurity, Data Privacy, Distributed Ledger, 3D Imaging, GDPR · ♦ Work on 3D Imaging ♦ Laser Metrology ♦ DSP. · ♦ Discovered "Microwave Color Perception" · ♦ Teach ...
この職種に興味がある方はこちら
-
大型車運転手
2日前
公開範囲1.等を含む求人情報を公開する Noheji, 日本 フルタイム仕事内容 · ◇大型車運転業務(ダンプ・粉粒体運搬車・けん引)に従事してい · ただきます。 · ・大型車及び大型トレーラで顧客先に建設資材、骨材(砂、砕石、 · 残土)等を運搬 · ・大型ダンプによる建設現場内での運搬作業 · ・車両の軽微なメンテナンス(点検整備・洗車等) · ・その他付随する業務 · *是非、当社のHPをご覧ください。工事実績や作業風景等を確認 · できます。 雇用形態 正社員以外 正社員以外の名称 準社員 正社員登用の有無 あり 正社員登用の実績(過去3年間) あり 派遣・請負等 就業形態 派遣 ...
-
Lian Connect Kyotanabe, 日本お仕事情報 · お仕事内容 スマホや自動車に使われる部品製造のお仕事です · ご希望の勤務地、月収などに合わせてお仕事をご紹介いたします · カンタンなお仕事ばかりなので、未経験スタートでも全く問題ナシ · 《お仕事詳細》 · *機械に部品をセットして、ボタン操作をするだけマシンオペレーター業務 · *完成した製品にキズや破損、へこみがないかをチェックする検品業務 · *電動ドライバーなどの工具を使ってカンタンなネジ締めなどをする組立業務 · などなど、お仕事内容は様々 · 基本的に難しい作業はほとんどなく、カンタンな業務ばかりです · スマホや自動 ...
-
MPC Moving Picture Company Tokyo, 日本 正規雇用会社概要 · コリアーズ・インターナショナル・グループ(N A S DAQ :CIGI, TSX :CIGI)は世界66カ国で不動産サービスを提供する業界トップクラスの不動産サービス会社です。当社は世界の主たるマーケットで19,000人以上の経験豊富な専門家を擁し顧客企業へサービスを提供しております。起業家精神に長けた弊社の専門家が、グローバル企業・不動産オーナーおよび投資家へ不動産売買、不動産賃貸借に関する戦略的なアドバイスを提供しており、また、不動産マーケット調査、プロジェクトマネージメント、ワークプレス・ソリューション、不動産鑑定、ポートフォリオ ...
コメント
Debesh Choudhury
4年前 #1