Title: New password method based on images instead of characters
Post by: fugiFOX on January 29, 2008, 11:29:42 am

http://www.sciencedaily.com/releases/2007/10/071030091438.htm
(http://www.sciencedaily.com/images/2007/10/071030091438.jpg)

An inventive way of improving password security for handheld devices such as iPhones, Blackberry and Smartphone has been developed at Newcastle University. The software, which uses pictures instead of letters and numbers, has been initially designed for handheld devices, but could soon be expanded to other areas.

Those who took part in testing this system created passwords that were a thousand times more secure than ordinary textual passwords. Most testers also found them easy to remember. Researchers now want to examine the system’s potential for helping people with language difficulties, such as dyslexia.

Today, the use of passwords is commonplace in everything from mobile phones to cash machines and computers. But in the wake of growing concerns about traditional ‘weak’ passwords created from words and numbers, Newcastle University computer scientists have been developing alternative software which lets the user draw a picture password, known as a ‘graphical password’.

“Many people find it difficult to remember a password so choose words that are easy to remember and therefore more susceptible to hackers,” explained computer scientist Jeff Yan, a lecturer at Newcastle University.

Along with his PhD student Paul Dunphy, Dr Yan has taken the emerging Draw a Secret (DAS) technology, a graphical password scheme where users draw their secret password as a free-form image on a grid, and taken this a step further. In DAS, the user draws an image, which is then encoded as an ordered sequence of cells. The software recalls the strokes, along with the number of times the pen is lifted.

By superimposing a background over the blank DAS grid, the Newcastle University researchers have created a system called BDAS: Background Draw a Secret. This helps users remember where they began the drawing they are using as a password and also leads to graphical passwords that are less predictable, longer and more complex.
The BDAS software encouraged people to draw more complicated password images, e.g. with a larger stroke count or length, that were less symmetrical and didn’t start in the centre. This makes them much harder for people or automated hacker programs to guess.

“In essence, this is a very simple idea as it’s intuitive,” said Mr Yan. “It may take longer to create the password initially but it’s easier to remember and more secure as a result.”

For example, if a person chooses a flower background and then draws a butterfly as their secret password image onto it, they have to remember where they began on the grid and the order of their pen strokes. It is recognised as identical if the encoding is the same, not the drawing itself, which allows for some margin of error as the drawing does not have to be re-created exactly.

“Most of us have forgotten a pin number or a password at least once, which is why we tend to make them so easy to guess,” said Mr Yan. “However, the human mind has a much greater capacity for remembering images, and it’s certainly true that a picture is worth a thousand words in this instance.”

People who took part in the Newcastle University study, which compared DAS and BDAS use, had to choose their own background from a selection of five images – stars, map detail, playing card, crowd and flower. After creating their secret password images on the grid, they were asked to repeat what they had initially drawn. One week later, they were asked to re-create the same image and 95% of BDAS users were able to do so within three attempts.

“The recalled BDAS passwords were, on average, more complicated than their DAS counterparts by more than 10 bits,” said Dr Yan. “This means that the memorable BDAS passwords improved security by a factor of more than 1024. They were also more secure than current textual passwords by an even larger factor.”
He added that, of those who attempted to draw something, the creations were very much dependent on the participants’ artistic ability. “Most people drew simple everyday objects such as cars, cups and houses, although one participant did write their name in Persian script,” said Mr Yan.

Mr Yan will be presenting these findings in the opening lecture at Association for Computing Machinery Conference (ACM)’s flagship conference on Computer and Communications Security in Washington next week. He received a £66,000 grant from Microsoft Research (MSR) to support his research into designing novel systems that are both secure and usable.

The MSR grant will also enable Mr Yan to carry out further research into how easily the BDAS system can be used by people who traditionally have difficulty with textual systems, such as those with dyslexia.

“The most exciting feature is that a simple enhancement simultaneously provides significantly enhanced usability and security,” concluded Mr Yan.

The full paper: Do Background Images Improve “Draw a Secret” Graphical Passwords?, will be published at the Association for Computing Machinery Conference on Computer and Communications Security in Washington on 30th October.

Title: Re: New password method based on images instead of characters
Post by: Mikros_Nikolas on January 29, 2008, 15:28:18 pm

What I wonder, without having read anything more than this article, is:
If the background is essentially divided into squares, the software only recognizes which squares were touched and in what order. I don't understand what the advantage is, since if we assume that each little square is a symbol, then we simply have a keyboard. Say we draw a circle. Would it be the same to "touch", in the appropriate order, the squares the circle passes through? Obviously, though, there is something more complex, but in that case it probably becomes harder to draw almost the same design every time. If anyone has read anything more, please answer!

Title: Re: New password method based on images instead of characters
Post by: bakeneko on January 29, 2008, 16:19:49 pm

You don't select a square... You draw something using the squares and the background as a guide..! :)

Title: Re: New password method based on images instead of char…
Post by: Mikros_Nikolas on January 29, 2008, 16:33:24 pm

I understood that, but when drawing, does it matter at all what you draw? Look at the circle example, will it be the same?
E.g. if someone draws a square instead of a circle but passes through the same squares in the same order, will they get the same result? If not, how does the software recognize the difference, and what is the use of the squares other than making things easier for the user?

Title: Re: New password method based on images instead of characters
Post by: Netgull on January 29, 2008, 17:32:38 pm

The BDAS software encouraged people to draw more complicated password images, e.g. with a larger stroke count or length, that were less symmetrical and didn’t start in the centre. This makes them much harder for people or automated hacker programs to guess. “In essence, this is a very simple idea as it’s intuitive,” said Mr Yan. “It may take longer to create the password initially but it’s easier to remember and more secure as a result.” For example, if a person chooses a flower background and then draws a butterfly as their secret password image onto it, they have to remember where they began on the grid and the order of their pen strokes.

“The recalled BDAS passwords were, on average, more complicated than their DAS counterparts by more than 10 bits,” said Dr Yan. “This means that the memorable BDAS passwords improved security by a factor of more than 1024. They were also more secure than current textual passwords by an even larger factor.”

From the above it appears that the user is encouraged to draw more complex shapes (on average). Also, in the second case (with the background), it may be that where the drawing starts (i.e. its exact position on the screen) is also taken into account, whereas without the background I believe this would not matter (although it is not clear).

Title: Re: New password method based on images instead of characters
Post by: fugiFOX on January 30, 2008, 16:42:17 pm

I understood that, but when drawing, does it matter at all what you draw? Look at the circle example, will it be the same?

I believe it is something more complex than simply reading the pixels.

E.g.
if someone draws a square instead of a circle but passes through the same squares in the same order, will they get the same result? If not, how does the software recognize the difference, and what is the use of the squares other than making things easier for the user?

This is a case of pattern recognition, which is how OCR programs work too. Besides, if you read it, it says somewhere that there are correction and recognition algorithms, since it is not possible for the user to draw exactly the same drawing every time. Obviously, though, this technology, as its designer also points out, was not made for more secure passwords but to make memorizing them simpler.
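
The encoding the quoted article describes (a drawing stored as the ordered sequence of grid cells it crosses, plus pen lifts) can be run against the circle-versus-square question raised in the thread. This is an added example, not part of any post and not the BDAS software; the 5x5 grid, the 100-unit canvas, the `PEN_UP` marker and all function names are assumptions made for illustration.

```python
import math

PEN_UP = "pen-up"  # constructed marker: one is recorded each time the pen lifts

def trace(vertices, samples=20):
    """Simulate dense pen samples by interpolating along a polyline."""
    pts = []
    for (x0, y0), (x1, y1) in zip(vertices, vertices[1:]):
        for k in range(samples + 1):
            t = k / samples
            pts.append((x0 + (x1 - x0) * t, y0 + (y1 - y0) * t))
    return pts

def encode(strokes, grid=5, size=100.0):
    """Ordered sequence of grid cells crossed, with PEN_UP closing each stroke.
    Grid and canvas size are assumed values, not taken from the article."""
    cell, seq = size / grid, []
    for stroke in strokes:
        last = None
        for x, y in stroke:
            c = (min(int(x // cell), grid - 1), min(int(y // cell), grid - 1))
            if c != last:          # record a cell only when the pen enters it
                seq.append(c)
                last = c
        seq.append(PEN_UP)
    return seq

def circle(r, clockwise=False, n=72, c=50.0):
    """Vertices of a circle of radius r around (c, c), starting at angle 0."""
    s = -1 if clockwise else 1
    return [(c + r * math.cos(s * 2 * math.pi * i / n),
             c + r * math.sin(s * 2 * math.pi * i / n)) for i in range(n + 1)]

# Constructed sample drawing on the 100x100 canvas.
SQUARE = [(75, 50), (75, 75), (25, 75), (25, 25), (75, 25), (75, 50)]

def compare():
    """Does each attempt produce the same encoding as the enrolled circle?"""
    enrolled = encode([trace(circle(25))])
    ring = circle(25)
    return {
        "square, same cells": encode([trace(SQUARE)]) == enrolled,
        "sloppy smaller circle": encode([trace(circle(22))]) == enrolled,
        "circle, other direction": encode([trace(circle(25, clockwise=True))]) == enrolled,
        "circle in two strokes": encode([trace(ring[:37]), trace(ring[36:])]) == enrolled,
    }

if __name__ == "__main__":
    for attempt, same in compare().items():
        print(f"{attempt:24} -> {'match' if same else 'no match'}")
```

Under this encoding a square or a sloppier circle through the same cells matches the enrolled circle, while reversing the direction or lifting the pen midway does not.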