Seemingly Fatal Drawbacks of Pictorial Password – Shoulder Surfing & Low Entropy
We have been advocating Expanded Password System that accepts images as well as texts from 2001. We have since kept hearing our proposition blamed for two major ‘drawbacks’ of using images – Shoulder Surfing and Low Entropy. So many people are still misguided to take it for granted as if it were the case.
The fact is that threats of shoulder surfing can be mitigated with ease by some simple techniques - images to get shrunk prior to tapping, texts allocated to images for quiet typing and so on at the end of developers, with the simplest solution being just looking around you before tapping the images at the end of users. How can it be a fatal drawback?
Another seemingly serious problem of low entropy can be eliminated at the end of developers without giving any extra burden on users.
With Expanded Password System, each image or character is presented by the image identifier data which can be of any length. Assume that your password is “CBA123” and that the image ‘C’ is identified as X4s& eI0w, and so on.
When you input CBA123, the authentication data that the server receives is not the easy-to-break“CBA123”, but something like “X4s&eI0wdoex7RVb%9Ub3mJvk…………..” which could be automatically altered periodically or at each access where desired, all without involving users.
Passwords of sufficient entropy, if properly hashed, can stand fierce brute force attacks. How can it be a fatal drawback?
As for amplifying the entropy on the network, we could think about a very simple case as a reference.
You have two passwords - one that you can easily recall and the other that is too long for you to recall and needs to be stored on a paper or your device. You recall the first password and put it at the front or end of the second password before sending it off.
The authentication server obtains its hashed value and get it matched with the stored hash value. This hashed value has a very high entropy unless the hash program is compromised. Our proposition is not too far away in principle from this simple case.
Incidentally, the idea of combining a remembered password and a memo with a password on it could be viewed as an improvised 2-factor authentication that everyone can deploy right away at no cost for much better security than now.
#identity #authentication #password #security #safety #biometrics #ethic #privacy #civilrights #democracy