I think that just shoulder surfing if a very realistic threat model. I don’t have to write down the coordinates - the same thing that makes it easy for the user to remember makes it easy for me to remember. If I watch you click five points, and making the reasonable assumption that you’re not just clicking coordinates in a blank field, I can associate the objects in the picture and likely remember them. At the least, much easier than I could remember even a halfway decent password. This entry method does not seem extendable to any meaningful variant of password masking.

For phishing and the like it is probably better. It is probably also stronger against being cracked on/offline (then again…the entropy is relatively low if just the point coordinates are used in the hash…I think you’d want to hash the points along with the entire picture…elsewise a single dictionary of coordinate hashes would map to all pictures of equiv size). For remote login it depends somewhat on the response to my above inquiry and who is doing the attack, but it is probably better more often than it is worse. I think for the local attack model this scheme is actually less secure than a relatively well-chosen conventional password.

Personal pictures introduce a couple of additional problems. For one, it is possible that the user may select pictures that are waaaaay too predictable.

But how is the attacker going to get the picture? The scheme described in this post uses a user-selected picture stored only on the user’s computer, rather than a common or server-supplied picture.

If you don’t have a camera and you don’t have the picture, shoulder-surfing someone’s PassPoints coordinates is going to be non-trivial. You can’t easily write down the coordinates on a piece of paper, for example.

I think you have to start with a realistic threat model. If your threat model includes an attacker standing nearby making a video recording of me interacting with my computer, that’s a significantly higher bar than most situations in which people use passwords. I agree that, given that threat, you are going to need to take some more serious protection measures. But I think the scheme described here could offer some interesting advantages over passwords (at a cost, of course).

Personal pictures introduce a couple of additional problems. For one, it is possible that the user may select pictures that are waaaaay too predictable. I can see countless mothers and fathers bringing in family pictures and then just clicking on the heads of their family members and the like. Or how about this: http://www.freepoollessons.com/lessons/lessons1/L1images/img_P1010087.JPG
Wanna bet that just about everybody clicks on the numbers on the pool balls?

Also, there is the danger of co-workers, even without having observed a login, knowing enough about the user to make a reasonably educated guess at the sorts of things the user would click on.

Over at Usable Security, Ping is blogging about the SOUPS conference, which I’m unfortunately missing. Alan Schiffman is also blogging a little. However, Ping is posting so much that his first posts today have already scrolled off the top…