In a thought-provoking piece, Tzer2 wonders if it would be possible to replace hard-to-remember text passwords with a signature, a pictogram or even just a custom gesture. Moreover, you can apparently try the last technique yourself right now if you have an S60 5th Edition phone.
Read on in the full article.
Well, a great article. Those pictures will be less hackable than the cumbersome passwords too. Nokia should employ touch on their feature phone OS S40 to make touchscreens cheaper and increase their penetration in developing markets.
Nice article 😊
I would love to have finger-print reader on my cell to replace passwords! On touch-screen phones it will be fantastic!
I'm not much into tech-stuff but for non-touch phones, using the front-camera for eye-iris-detection can be a good way to replace passwords and codes.
My recipe (OK, it's not really mine, as a matter of fact is fairly standard) for passwords which are at the same time easy to remember and difficult to guess:
1) Start with a line from your favourite poem or lyrics of a song you like.
2) Replace "for" with "4", "to" with "2", "you" with "U", etc. (this step is unnecessary for Prince songs 😊).
3) Your password is obtained by concatenating the first letter of each word, respecting capitalization. Include punctuation as well, if possible.
There you have it, a way to use the brain's ability to remember information within a context which doesn't require special input methods like a touchscreen or an accelerometer.
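The three-step recipe above, worked through as an added example (this is not code from the post's author): it tokenises a line into words and punctuation marks, applies the whole-word substitutions the post names, and concatenates first letters with capitalisation kept. Only the three substitutions the post lists are included, since its "etc." is left open; the regex tokeniser, the sample lyric lines and the `meets_policy` thresholds are assumptions made for this example.

```python
import re

# Whole-word substitutions from step 2 of the post. Only the three it names are
# included; any others would be an assumption beyond what the post states.
SUBS = {"for": "4", "to": "2", "you": "U"}

# A word is a run of letters (apostrophes allowed inside, e.g. "don't");
# anything else that is not whitespace is treated as a punctuation mark.
TOKEN = re.compile(r"[A-Za-z][A-Za-z']*|[^\sA-Za-z']")


def derive_password(line, subs=SUBS):
    """Step 3 of the recipe: first letter of each word (case preserved),
    whole-word substitutions applied, punctuation kept verbatim."""
    out = []
    for tok in TOKEN.findall(line):
        if tok[0].isalpha():
            # A word: substitute if listed, otherwise keep its first letter.
            out.append(subs.get(tok.lower(), tok[0]))
        else:
            # A punctuation mark: kept as-is, as step 3 suggests.
            out.append(tok)
    return "".join(out)


def character_classes(password):
    """Which of the four usual character classes the password uses."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def meets_policy(password, min_len=8, min_classes=3):
    """A typical length/complexity check a practitioner would run on the result
    (thresholds are assumptions for this example, not from the post)."""
    return len(password) >= min_len and len(character_classes(password)) >= min_classes


if __name__ == "__main__":
    # Constructed sample lines, not real lyrics.
    for line in ("I will always be there for you, my friend!",
                 "Take me to the river, drop me in the water."):
        pw = derive_password(line)
        print(f"{line!r} -> {pw!r} ({len(pw)} chars, policy ok: {meets_policy(pw)})")
```

Note that the derived password is only as unpredictable as the source line: a widely quoted lyric yields a widely guessable initialism, which is the point the later replies about Prince songs make.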
I mostly use letters, then transcribe them into their T9 variants, then alternate them, or place the numbers behind, or in front of the word.
(this step is unnecessary for Prince songs 😊).
LOL, I was just thinking that! 😊
Better not use a Prince track then, they'll be the first things that password thieves will try... 😉
Interesting method, thanks for posting it!
I would take the method even further and remove all the vowels to prevent a "dictionary attack". So for example "With Love From Me To You" would become wthlvfrmm2u which seems quite unguessable.
I mostly use letters, then transcribe them into their T9 variants, then alternate them, or place the numbers behind, or in front of the word.
So you mean A, B or C would become 2 etc? Interesting idea too...
Americans seem to use that a lot when advertising phone numbers, never really caught on in Europe though.
I tend to create collections of letters, numbers and symbols that can be read as little phrases like "Xs10shul-B33r!" (Existential Beer). 😃 I find that remembering the phrase, which is easy, I can remember how I put it together.
Thanks for the information that S60v5 does shortcuts. I hadn't twigged to that. I'll have to go off and play with that.
Tzer2 wrote:
So you mean A, B or C would become 2 etc? Interesting idea too...
Americans seem to use that a lot when advertising phone numbers, never really caught on in Europe though.
Yeah, like if I were to use "Tzer2" as a password, it might end up as "Tzer28937abc"/"T8z9e3r72abc"/"8937abcTzer2", with Tzer becoming 8937, and the 2 becoming either a, b, or c, depending on what tickles my fancy. Usually I put all 3 to aid memorizing.
Using pictographs or gestures as a security measure isn't new and was available way back in the nineties with the Newton.
My personal opinion is that biometrics are the way to go and for added security, simply slap a short pin or gesture and you have a dual layered mechanism that involves something you have and something you remember.
Using pictographs or gestures as a security measure isn't new and was available way back in the nineties with the Newton.
I did say in the article that this isn't a new idea, but what IS new is the prospect of intelligent touchscreen devices being cheap enough for the mass market.
The Newton and other devices were very expensive, the N97 and iPhone are very expensive, but (for example) the upcoming Nokia 5530 is getting much closer to a price where a large proportion of the market might be willing to buy a touchscreen device. There is still some way to go in reducing prices, but Symbian's appearance on lower-priced hardware means it's possibly the best-positioned format to popularise doodle-based passwords.
My personal opinion is that biometrics are the way to go and for added security, simply slap a short pin or gesture and you have a dual layered mechanism that involves something you have and something you remember.
As long as biometrics isn't a replacement for passwords...
There's the danger people will just use biometrics without any kind of password, which would reduce security because biometric measurements by definition never change.
You can use pictures as passwords in every single T9 pad equipped phone.
Here's an example: I want to use a house so I choose the password to be 247896.
Why this password? Because if I draw a house on a 3x3 grid starting from the roof I must go through these numbers.
It's not a real house but an approximation in my head and I'll remember it.
Another example is Google's G-password in Android. It would be 321478965.
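The keypad ideas in this post and in the earlier T9 post, as an added example that is not code from either poster: the 3x3 digit pad is modelled as a grid, `is_stroke` checks whether a digit string can be drawn as one continuous stroke (each key adjacent to the previous one, including diagonals, no key reused, which is an assumption made here), `count_strokes` enumerates how many such codes exist for a given length so the reduced keyspace can be compared with the full 10^n space, and `t9_digits` performs the letter-to-digit transcription the T9 post describes. The house (247896) and the G (321478965) are the post's own codes; everything else is constructed for this example.

```python
# Key positions on the standard 3x3 digit pad (row, column), 0 is left out.
KEYPAD = {
    "1": (0, 0), "2": (0, 1), "3": (0, 2),
    "4": (1, 0), "5": (1, 1), "6": (1, 2),
    "7": (2, 0), "8": (2, 1), "9": (2, 2),
}

# Standard T9 letter groups (assumed here; digits 0 and 1 carry no letters).
T9 = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
      "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}


def adjacent(a, b):
    """True if keys a and b touch horizontally, vertically or diagonally."""
    (r1, c1), (r2, c2) = KEYPAD[a], KEYPAD[b]
    return a != b and max(abs(r1 - r2), abs(c1 - c2)) == 1


def is_stroke(code):
    """True if `code` can be drawn as one continuous stroke on the pad:
    every key adjacent to the previous one and no key visited twice."""
    if len(code) < 2 or any(ch not in KEYPAD for ch in code):
        return False
    if len(set(code)) != len(code):
        return False  # a revisited key breaks the single-stroke assumption
    return all(adjacent(a, b) for a, b in zip(code, code[1:]))


def count_strokes(length):
    """Number of distinct stroke codes of the given length (DFS over
    self-avoiding adjacent paths). Compare with 10**length for a PIN."""
    def walk(path):
        if len(path) == length:
            return 1
        return sum(walk(path + [k]) for k in KEYPAD
                   if k not in path and adjacent(path[-1], k))
    return sum(walk([k]) for k in KEYPAD)


def t9_digits(word):
    """Transcribe letters into their T9 digits; non-letters pass through."""
    out = []
    for ch in word.lower():
        digit = next((d for d, letters in T9.items() if ch in letters), None)
        out.append(digit if digit is not None else ch)
    return "".join(out)


if __name__ == "__main__":
    for code in ("247896", "321478965", "137"):
        print(code, "drawable as one stroke:", is_stroke(code))
    for n in (4, 6):
        print(f"{n}-key strokes: {count_strokes(n)} vs {10 ** n} arbitrary {n}-digit codes")
    print("Tzer ->", t9_digits("Tzer"))
```

The enumeration makes the trade-off visible: a drawable shape is easy to remember precisely because it is constrained, and those constraints shrink the space an attacker has to cover compared with an arbitrary code of the same length.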
Tzer2 wrote:
The Newton and other devices were very expensive, the N97 and iPhone are very expensive, but (for example) the upcoming Nokia 5530 is getting much closer to a price where a large proportion of the market might be willing to buy a touchscreen device. There is still some way to go in reducing prices, but Symbian's appearance on lower-priced hardware means it's possibly the best-positioned format to popularise doodle-based passwords.
No objections there. Touch has taken a long road to acceptance for sure.
Tzer2 wrote:
As long as biometrics isn't a replacement for passwords...
There's the danger people will just use biometrics without any kind of password, which would reduce security because biometric measurements by definition never change.
Well, the best security is always a layered system comprising some combination of something remembered (password, pass-phrase, doodle), something possessed (key, card, SecurID) or something of you (biometrics). Or even multiples of all combinations in extremes.
I've been to places where they require a PIN, thermal fingerprint, keycard and multi-frame retinal scan.
Which always brings up that funny scene from "Monsters vs. Aliens."
Properly implemented, the non-changing nature of biometrics should not be a problem since, properly implemented, you cannot provide the authentication without that part of the biometric reading being present in living state. The unique nature of properly implemented biometric security ties access uniquely to the authorized user to a statistical certainty.
Key-rotation shouldn't be necessary if the biometric readings cannot be falsified or presented in proxy.
Many biometric systems implemented today, especially at the consumer level, are quite inadequate.
Fingerprint reader fooled with tape (refer to MythBusters). Safe? I don't think so.
Key-rotation shouldn't be necessary if the biometric readings cannot be falsified or presented in proxy.
I agree, and the suggestion I made in the article about using signatures as passwords would be fine if it could never be reproduced by others (I don't just mean the appearance of the signature but the strokes used to write it). It would be easy too because everyone knows how to sign their own name.
But as with the signature suggestion the problem is what do you do if there is some way for crooks to reproduce the biometric data? With passwords it's easy to change them but biometric data and signatures are much more difficult to change.
If you use doodles that's something that's only in the person's head, and they can change from one doodle to another relatively easily just like passwords.
Unregistered wrote:
Fingerprint reader fooled with tape (refer to MythBusters). Safe? I don't think so.
Notice I said "properly implemented" and how lacking some consumer solutions are.
As a sidebar, the methodology deployed in MythBusters is highly unscientific and almost always for entertainment purposes with a sprinkle of facts. It often does more harm than good as education; you can probably learn more facts watching ER or an episode of CSI.
High security palm and finger print scanners detect ridge details that cannot be easily falsified by making use of the residual print on the scan glass. It is also very good practice to smear your print after every use.
That said, there are also alternatives to visual-based fingerprint scanning such as a thermal capacitance scanner. A simple implementation of those can be found on certain Lenovo ThinkPads and also on Compaq iPaqs.
Tzer2 wrote:
I agree, and the suggestion I made in the article about using signatures as passwords would be fine if it could never be reproduced by others (I don't just mean the appearance of the signature but the strokes used to write it). It would be easy too because everyone knows how to sign their own name.
But as with the signature suggestion the problem is what do you do if there is some way for crooks to reproduce the biometric data? With passwords it's easy to change them but biometric data and signatures are much more difficult to change.
If you use doodles that's something that's only in the person's head, and they can change from one doodle to another relatively easily just like passwords.
Absolutely true.
Signatures are a bad idea, and so is storing unhashed biometric data and poorly designed scan input systems that can easily provide a method of bypassed data injection and/or input by proxy.
This concern about "biometric theft" has been brought up when many governments of the world decided it was a good idea to incorporate biometric information in passports.
Many very valid and real security issues were brought up but often to deaf ears.
Good article though and I hope I didn't inadvertently hijack this discussion into one discussing access security in general.
Nice idea but sadly it doesn't work yet. At least on my N97 Nokia prohibits the use of Handwriting Recognition on password fields like those in HTML forms. No Handwriting Recognition means no Shortcut Recognition either, so no doodles for passwords on S60v5. Or is there a special configuration needed?