User-Selected PassPoints Images

July 7, 2005 by Ping

During the talk on PassPoints, it occurred to me that it might be interesting to combine some of those ideas with user-selected images (inspired by the work on Dynamic Security Skins).

One concern that was mentioned about PassPoints was that the images may guide people to commonly choose the same points, leading to guessable passwords. Also, while the use of a graphical password system may address the problem of password recall, it doesn’t address spoofing: a malicious party can still masquerade as a trusted site.

Under the assumption that you can change the client login mechanism, as PassPoints and DSS do, and that there is some reason to avoid just auto-filling all passwords, here’s a rough shot at addressing the above problems.

1.  For each site, the user selects a personal PassPoints image.

2.  The image does not leave the machine.  Instead, the browser associates the image with the site’s key.

3.  When you log in to a site, the browser presents you with the image you selected for that site, and you click on a sequence of points in the image.

4.  To authenticate you, the browser sends a hash of the coordinates of the points using the site’s key as a salt.
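As an added illustration (not code from the post), here is a small model of steps 2 to 4: the browser keeps the per-site image locally, prompts with it only when the site presents a key it has an image for, and answers with a keyed hash of the clicked points. Assumptions labelled in the code: HMAC-SHA256 stands in for "hash with the site’s key as a salt", and clicks are snapped to a tolerance grid so a user’s click jitter still matches.

```python
import hmac
import hashlib

# Assumption: PassPoints-style tolerance, expressed as a pixel grid cell size.
GRID = 20


def quantize(points, grid=GRID):
    """Snap raw click coordinates to grid cells so small jitter still matches."""
    return [(x // grid, y // grid) for x, y in points]


def passpoints_response(site_key: bytes, points, grid=GRID) -> str:
    """Client response: HMAC over the clicked cells, keyed with the site's key.

    HMAC is the assumed instantiation of "hash using the site's key as a salt".
    """
    cells = quantize(points, grid)
    msg = b"".join(cx.to_bytes(2, "big") + cy.to_bytes(2, "big") for cx, cy in cells)
    return hmac.new(site_key, msg, hashlib.sha256).hexdigest()


class BrowserStore:
    """Per-site image association held on the client; the image never leaves it."""

    def __init__(self):
        self.images = {}  # site key -> local image identifier

    def enroll(self, site_key: bytes, image_id: str):
        self.images[site_key] = image_id

    def login(self, site_key: bytes, clicks):
        # A site presenting an unknown key gets no image prompt and no response,
        # which is the property the post describes: nothing to give away.
        if site_key not in self.images:
            return None
        return passpoints_response(site_key, clicks)


def server_verify(stored_response: str, site_key: bytes, clicks) -> bool:
    """Server side: compare the enrolled response against a fresh one, constant-time."""
    return hmac.compare_digest(stored_response, passpoints_response(site_key, clicks))
```

Running this with the same clicks against two different site keys yields unrelated responses, so a key belonging to another site cannot reuse a captured response.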

This scheme probably has flaws, but I think it has an interesting property: since the image prompts the user’s selection of points, the user is actually unable to give away a password to a site unless it has the right key.  Your thoughts?

Ping Flood

Over at Usable Security, Ping is blogging about the SOUPS conference, which I’m unfortunately missing. Alan Schiffman is also blogging a little. However, Ping is posting so much that his first posts today have already scrolled off the top…


I don’t think that addresses the problems I pointed out during the discussion. In general, I still see this approach as being very susceptible to shoulder-surfing or being surreptitiously recorded, either by something tracking the mouse, doing rapid screen grabs, or a video camera. In these regards it is much less secure than a password, because the image is visible from a distance, and the same memory properties that make it appealing to the user also make it appealing to the attacker.

Personal pictures introduce a couple of additional problems. For one, it is possible that the user may select pictures that are waaaaay too predictable. I can see countless mothers and fathers bringing in family pictures and then just clicking on the heads of their family members and the like. Or how about this: http://www.freepoollessons.com/lessons/lessons1/L1images/img_P1010087.JPG
Wanna bet that just about everybody clicks on the numbers on the pool balls?

Also, there is the danger of co-workers, even without having observed a login, knowing enough about the user to make a reasonably educated guess at the sorts of things the user would click on.

Personal pictures introduce a couple of additional problems. For one, it is possible that the user may select pictures that are waaaaay too predictable.

But how is the attacker going to get the picture? The scheme described in this post uses a user-selected picture stored only on the user’s computer, rather than a common or server-supplied picture.

If you don’t have a camera and you don’t have the picture, shoulder-surfing someone’s PassPoints coordinates is going to be non-trivial. You can’t easily write down the coordinates on a piece of paper, for example.

I think you have to start with a realistic threat model. If your threat model includes an attacker standing nearby making a video recording of me interacting with my computer, that’s a significantly higher bar than most situations in which people use passwords. I agree that, given that threat, you are going to need to take some more serious protection measures. But I think the scheme described here could offer some interesting advantages over passwords (at a cost, of course).


The attacker gets the picture by attempting a single login on the user’s computer. Given, this assumes a local attacker, but that is clearly a threat. Will the system support remote login? If so then the remote login window would present the picture to the attacker as well. Otherwise the user would have to somehow validate against the remote login before seeing the picture…but that’d take another password or PIN…though perhaps that is an acceptable complication for a remote login.

I think that just shoulder surfing is a very realistic threat model. I don’t have to write down the coordinates - the same thing that makes it easy for the user to remember makes it easy for me to remember. If I watch you click five points, and making the reasonable assumption that you’re not just clicking coordinates in a blank field, I can associate the objects in the picture and likely remember them. At the least, much easier than I could remember even a halfway decent password. This entry method does not seem extendable to any meaningful variant of password masking.

For phishing and the like it is probably better. It is probably also stronger against being cracked on/offline (then again…the entropy is relatively low if just the point coordinates are used in the hash…I think you’d want to hash the points along with the entire picture…elsewise a single dictionary of coordinate hashes would map to all pictures of equiv size). For remote login it depends somewhat on the response to my above inquiry and who is doing the attack, but it is probably better more often than it is worse. I think for the local attack model this scheme is actually less secure than a relatively well-chosen conventional password.