back to article Net boffins plot password alternatives

Computer scientists are looking to develop a more secure alternative to passwords for website sign-ons and other functions. Most users have scores of online accounts and, human nature being human nature, often choose easy-to-remember passwords. Using the same password on multiple sites is also a common problem. Most sites are …


This topic is closed for new posts.
  1. Anonymous Coward

    Prior art

    a few years ago, a TV technology show (it may have been Tommorows World) showed a system for verification which used faces in place of numbers. The point being people are very good at remembering faces, not so good at numbers. I can't recall if the system demoed allowed the user to supply their own pics, but these days, it should be a given. Then your cashpoint simply asks "Please select auntie flo, your eldest child and the secret photo you set up yourself (maybe a celebrity)".

    *Almost* foolproof, except for people whose FB account has pics of Aunty Flo, eldest child and mentions you are a huge Geoge Clooney fan,

    1. Anonymous Coward


      Wasn't Facebook testing this a little while ago? It seems to have just dissapeared.

      The problem is, you still have the same data that could be captured with trojans etc anyway.

      1. Charles 9

        Not only that...

        ...but some people are actually "prosopagnosiac", categorically unable to remember a face. Using a face-recognition system would handicap these people.

    2. Tom Chiverton 1

      Ahh, well,

      Some people have issues with the Facebook system :

  2. The Alpha Klutz
    Thumb Up

    protected using evolution of a two-dimensional dynamical system close to a phase transition

    So they just invoke the quantum wave function and hex code determinism will increment the binary stack counter. It's all so clear to me now.

  3. Anonymous Four
    Thumb Down

    Prior pets

    Whatever happened to Microsoft's Asirra (Animal Species Image Recognition for Restricting Access) which asked users to identify photographs of cats and dogs (with a database of 2 million, in 2007); "a task difficult for computers, but easy and accurate for humans."

    If anyone seriously suggests increasing the usage of Letter/Number CAPTCHAs, I shall cite them for "cruel and unusual punishment"...

    1. Ammaross Danan


      It failed (or will at least) because it used as the source for "human categorized images of cats and dogs." They even would put a link to under the CAPTCHA as a head-nod credit and to "support adoption" of pets. The obvious problem with this? Image trolls scripting the crap out of Petfinder, causing poor performance and expense, and effectively hash-verifying the images or something similar. If they're smart, they'll convert the scraped images to a 120x120 jpg or the like to prevent direct hashing, but the scrapers could do likewise, and any cropping or the like as well to mimic what they see on live sites (or according to the Asirra specs), or if it comes down to it, random area sampling to compare images to known ones. In short, very easy to game the system. CAPTCHAs are a difficult system to construct. I would posit that it would be far more likely to use the cat & dog solution, but based on breed and/or coat color. The user says "my 'password' will be German Shepherds or Chocolate Labradors" and each random sampling of 12 jpgs will contain at least 1 German Shepherd or Chocolate Lab (yes, Chocolate Lab is not a specific breed, working off the "or coat color" bit) for the to choose from. It would require a human continually refreshing your log-in page to see which breed(s) always show up in each set, which is why you have a password requirement linked to it. Enter password first, which then displays the images (regardless if you get the password correct or not). If the password was wrong, a random sampling of images is shown, if password is correct, show random sampling of images with your password image included. Doesn't get rid of passwords altogether, but CAPTCHAs aren't really meant for log-in authentication, just as preventions for automated sign-ups and the like. Once you are required it show a certain image or image type for authentication purposes (since the human will have to pick something standard), using it (random-image-based CAPTCHAs) for anything more than a minor deterrent at brute-forcing the password becomes not-fit-for-use.

    2. Anonymous Coward
      Anonymous Coward


      "If anyone seriously suggests increasing the usage of Letter/Number CAPTCHAs, I shall cite them for "cruel and unusual punishment"

      Agreed. I can't stand CAPTCHA's, firstly because most of the time I can't see them (not sure why), maybe my browser settings. Secondly, when I can see them, I have to keep clicking through until there is something that vaguely looks recognisable. It sounds good making them unrecognisable to OCR technologies, but most of the time I can't even read the CAPTCHA's.

      I agree that something needs to be done with passwords though, because a keylogger would make any password (no matter how complex) worthless. And before people jump on the bandwagon and say that they are safe just because they don't click on links they don't know, open emails they don't know, visit sites they don't know, etc. Don't be so sure. Over the last year, sophistication of attacks has just become ridiculous and is a big problem.

      1. Anonymous Coward
        Anonymous Coward


        This is because I, and lots of other lonely people, sat in bed every night solving captcha's (I couldn't even tell you how many). Now that all of the easy ones are solved, they'll have to find something else.

        I'm still waiting on the Lbrvm de Google.

    3. davemcwish
      Paris Hilton

      Animal identification would be no good to me..

      I can't tell the difference between a Bombay duck and a fish.

    4. Keris

      Photographs of cats and dogs

      "a task difficult for computers, but easy and accurate for humans."

      Yeah, right. Unless you happen to have visual problems (which is the same problem as with CAPTCHAs). But anyway all you get out of it is one bit of 'security' -- it's either a cat or a dog so you have a 50% chance of guessing it correctly. That's even worse than the restricted 4 digit PIN (can't use things like 0000 or 1234 or your birthday, etc., brings it down to around 1000 combinations they actually allow).

      So in practice you'd need an alternate authentication system for the visually-impaired. Some CAPTCHA sites use an audio file -- but that depends on the user having audio and also knowing the language (I came across one which 'spoke' the numbers and letters in Russian!).

  4. Vic

    Total crap.

    They're advocating splitting a "secure" password into two bits, leaving one (a weak password) with the user, and presenting the rest as a captcha.

    That's nonsense. You still have a weak password, and a token that is sent back to the user in the clear. They are relying on the strength of the captcha algorithm to be hard enough to frustrate automatic decoding, but esay enough to be usable by humans.

    In other words, this is simply a (weak) password and a captcha.

    Captchas are trivially defeated by a tiny bit of scripting and a reasonable stash of pornography.

    So this system boils down to - a weak password.

    There are a number of things one could do to make passwords more useful. This isn't one of them.


  5. peyton?

    RSA tokens?

    You don't need the recent fiasco to see the problem there. In world where every login page has a "forgot my password" link, I shudder to think how he expects to cope with all the lost tokens (and requisite syncing) average users the world over will generate.

  6. John Deeb
    Big Brother


    A password is also one type of token, perhaps the simplest by far in terms of usage as well as implementation. There's a lot of infrastructural stuff needed, bullet proof, severely tested over a long period before something could replace passwords in a more generic, web wide, out-of-control sense while offering more advantages than drawbacks compared to the current many-fold distributed solutions.

    Just scale back to the simplest, human-centered scenario. Millions of knock-knocks at many doors. Identify yourself! Now define the most secure and easy solution to this and try to translate it to an IT service. It's also fun to translate certain proposed IT solutions back to a physical door scenario and see why it won't work from a human perspective.

    The problem might solve itself when personal devices as "identity proxies" can become universal identity token generators. This is already being done of course but these devices need to evolve further to become actually *personal* as well as *security* driven to the degree that is required to solve the puzzle.

    1. Scott Broukell

      Yes but ...

      Whilst I admire the thought of scaling to the simplest, isn't one of our 'human' traits also the ability to loose such devices, I mean usb sticks and laptops go missing by the tonne every day. So unless my personal id-proxy device is buried deep under my skin, I'm running the risk of it falling into the wrong hands (and even then there's the old scalpel to contend with).

  7. stefan 5


    Il keep my passwords thanks. They can shove there capcha where the sun dont shine. Load of utter rubbish. FAIL!!!!!!.

  8. NoneSuch Silver badge

    Passwords fail...

    ...only when given to users.

  9. Charlie Clark Silver badge

    For the young Mr Stajano

    Passwords, CAPTCHAs, etc. are all terrible. Let's admit it and start the debate on something better - usable and, therefore, more secure.

  10. Charles 9

    I think the big problem... that in the two spaces of "usability" and "security", it's hard to even determine if there is a reasonable place where the two can actually meet. Making it easier to use can also potentially make it easier to crack, and similarly the inverse. And as noted, no Turing-type test would be of much help against unscrupulous agents able to employ other humans to break the systems.

    You may as well ask the Internet users out there which they'd prefer: the ability to conclusively prove identity or the ability to surf the Internet with reasonable anonymity. And no, you can't have both since they're mutually exclusive: supporting one necessarily compromises the other.

  11. Anonymous Coward


    Why not using (per user) salts? This will also defeat rainbow tables.

    And instead of using md5 / sha1 / etc, use something like bcrypt (build of blowfish). This will slow the attack so much, that regular bruteforce will be ineffective.

    1. Phil101

      Pass the Salt

      This was my first thought - have a per user, cryptographically random, salt. In use (i.e. generating a comparison hash from an input password) the stored salt is itself modified (e.g. encrypted) before being used so that the database itself doesn't hold the information necessary to reverse engineer the password hash.

      1. Ben Tasker

        This is what i do

        I'd debated what the processing overhead was going to be like for per-user salts, but having implemented it it's negligble really.

        Depending on how large you want your salts to be, even randomly generating them doesn't take much.

        ATM the salts are stored in plaintext (shudder) on the basis that whilst you could generate rainbow tables you'd have to do it for a specific user (and is it worth the issue).

        One thing that occurred to me is the issue of unscrupulous admins when using a system wide salt. If I know the default password is P455Word, any users who stick with the default (assuming theya rent forced to change) are identifiable in the table.

        With per-user salts, although the password may be the same, the hash is different.

        Hadn't thought of using something other than MD5 or SHA though (SHA256 makes a hell of a hash :D )

  12. Anonymous Coward
    Anonymous Coward


    Two parts, one held by human, one by the site.

    How's that different to the current password + salt that any half decent site uses?

    Their idea suffers from the same problem as salting (of course, being that it's an identical process) in that it relies on all sites doing it. However good salting, stretching, etc is on my site, if an attacker's managed to grab your password from a site that doesn't salt, it's worthless.

  13. david 63

    One problem is...

    ..the proliferation of sites needing username and password.

    It's unecessary for most online shops. The exception are the ones using one-click purchasing.

    I've started doing phone transactions whenever they ask me to create an account. The reason/excuse is you won't have to fill in your address next time. Whoopeeedooo

  14. Anonymous Coward
    Gates Halo

    Come back .NET passport ....

    ... all is forgiven!

  15. davemcwish

    I'm a PC (user) and I have

    a biometric device (fingerprint scanner). With this I can set a different password for each website with them controlled in a database only openable with a correct scan which may also include a master password. I can then copy/paste the password in to the required field.

    This does have Snow Leopard compatability but won't work with current iFondleDevices. I'm not bothered because I haven't got any.

    For Ebay/PayPal I use the key fob; there's also smartphone 'app' (

  16. Door Handle

    Use public keys?

    Why not use public key cryptography instead of passwords? When signing on to a new website, the browser could detect that a new key is required (e.g. in an <input type="publickey"> element), and could generate a key pair and submit the public key. On logging in, the browser would automatically use the private key corresponding to the site or provide a list of possible identities for the user to select the one he needs.

    This way the server only stores your public key and even if the server gets compromised hackers cannot use your key to log in to the same site or to anywhere else.

  17. 2cent

    Physical Presence Requirement Addressability

    Are you who you say you are?

    Devices that contain direct addressing confirmation that are literally a USB computer.

    The device must be aligned with you at a physical location that is alignment matching service, where you are matched to your device.

    Similar in process to getting a automobile license or taking a loan from a bank, you must prove who you are.

    You wish to complete a transaction.

    A request for your 'key' is made.

    The device, when connected, asks for a password from you to proceed.

    Enter password.

    It then, will only communicate with pre-allocated address spaces for confirmation of continuance.

    These address spaces are authorized business or governmental bodies that are heavily restricted and independent of influence. It's their only business and they may not be in any other business.

    The physical device will use packet scrambling to the pre-allocated address.

    The address space sends a packet identical to a packet from your device.

    They match and the completion of transaction occurs.

    Hence, you must exist, the device must exist, the physical location of the addressing confirmation must exist. The final point of transaction is assumed to exist.

    While not perfect, it does remove most of the conveniences of how your identity is stolen and makes each possible point of compromise available for inquiry.

    If the device is lost or stolen, it is reported.

    Sidebar: Credit/Debit companies remove them selves from the security loop and pay fee for independent body.

    One would think they would love this because always so worried about saving us money.

  18. acbot

    We already have a solution to this

    Its called public key cryptography. The problem is most people are too dumb to use it and websites don't implement it.

    Also to the windoze user with the biometric device. How in god's name does this protect you from having's database compromised and your password revealed?

  19. This post has been deleted by its author

This topic is closed for new posts.