
I'm a student currently pursuing my engineering degree in computers. I'm planning to put all my knowledge in and try to actually implement something related to security. To be more specific, I'm interested in a graphical way to authenticate a person.

So before I begin my questioning about the core way of actually implementing a graphical password authentication process and its related stuff, I want to know some basic answers to some basic questions.

Here it goes

  • Apart from ease of use, what benefits do you think the graphical password approach has?

  • Is it really an alternative to text-based passwords, and can it really replace them in any sense?

  • Is a graphical password more secure, and what is the scope of graphical passwords in the near future?

  • Will it be the next way to improve security and build more robust systems, or is there any other way you find it can replace text-based passwords, or be added to text-based passwords to make them more secure?

NOTE: When I say graphical password, I'm not necessarily talking about the Windows 8 picture password; there are other ways to implement a graphical password system, and in a more secure way too.

noxious
  • You started out with an interesting question, but you added a lot of opinion-based, open-ended questions that will be difficult to answer. If you want to implement graphical passwords, we can address that question, but the question of "should I be using graphical passwords" is beyond the scope. Can you focus your question? – schroeder Oct 09 '14 at 15:32
  • While I don't think the question is answerable in its current form, I think it is important to point out that NO, WINDOWS 8.1 PHOTO PASSWORD ISN'T SECURE. It's horrible, horrifying, awful, stupid, don't use it, crazy insecure. You can't hash it and still get a reliable input, and most people are going to actually draw on something in the image, which makes it FAR, FAR, FAR easier to break than even a fairly weak password. (Not to mention easier to shoulder surf.) – AJ Henderson Oct 09 '14 at 15:42
  • possible duplicate of [How secure is Windows 8's Picture Password login?](http://security.stackexchange.com/questions/20228/how-secure-is-windows-8s-picture-password-login) – Eric G Oct 09 '14 at 15:50
  • @AJHenderson Windows 8.1 picture password is just a basic version. I find it cool because it was something new to me, just for a change. There are more robust versions to implement GPA where graphical objects take different forms and ways to make it a better option, though it will take more time for the user to authenticate himself. – noxious Oct 09 '14 at 16:00
  • @schroeder Yeah man, I know I changed it to more open-ended questions; the only thing I want to know for a while is what other people think of graphical password authentication. I have a bunch of questions in my bag related to graphical password implementation, but before I get more specific about the implementation part I want to know why graphical passwords, what benefits they have, where they can be more effective, and in what sense they will compete with text-based passwords. – noxious Oct 09 '14 at 16:09
  • @schroeder It's like before making any new dish, I want to know whether it will be worth my time, without even knowing how it will taste and whether it will satisfy my tummy or just spoil and end up with me puking. – noxious Oct 09 '14 at 16:26
  • Ok, I get that, but then your question needs to reflect that. You want to understand the feasibility of utilizing a graphical password. It's taken you a long path to get to that core question. Can you edit your question to reflect that? – schroeder Oct 09 '14 at 16:44
  • @schroeder Feel free to edit and correct me if I'm going wrong somewhere; it will be really helpful for me. Thank you :) – noxious Oct 09 '14 at 17:24
  • @noxious See the linked dup question; this has been covered conceptually in the past. Ultimately, a picture password has less entropy and a lower number of possible combinations; in the end it's still bits and bytes. They also tend to be less random and more predictable. – Eric G Oct 09 '14 at 17:25
  • @EricG See bro, I find that linked dup question a basic way; here I actually want to put my knowledge into implementation and build a GPA system all by myself, and I want to do it in a different way. So basically here I want improvements that can make graphical passwords a better option and surely an alternative to the traditional way to authenticate. – noxious Oct 09 '14 at 17:35

2 Answers


Well, you can break it down and look at it from a mathematical perspective. A graphical image is really just a set of data being represented in a visual format for us humans. It's probably going to be salted and hashed to be kept safe on the authenticating machines. Other than the fact that the input method might be a little different (you might upload a pseudo-random bitmap, for instance, which would need to be kept safe and never duplicated/transferred, or "draw" it in some sort of pre-organized format with enough entropy to be comparable to phrased passwords), it doesn't seem fundamentally different from your typical text-password scenario, other than the fact that people are probably far, far less likely to remember the intricate details of an image as opposed to a short sentence.

Desthro
  • How do you hash something that is going to inherently not be exact each time? Similarly, how many people are going to actually choose a pattern that isn't outlining some part of the image and think that they are then secure? Plus anyone watching you log in can easily copy it. At least with passwords it's a little hard to tell what they typed unless you use a camera. – AJ Henderson Oct 09 '14 at 15:44
  • That's my point: it's going to have the same vulnerabilities and weaknesses that typical passwords do (what's going to stop someone from picking alternating lines of black and white, for example?). – Desthro Oct 09 '14 at 16:24
  • @Desthro But don't you think a graphical password is less vulnerable to traditional attacks like brute force, dictionary, etc., and don't you think users will be able to recognize graphical objects more easily than just remembering and mugging up a robust text password? – noxious Oct 09 '14 at 16:34
  • @noxious I don't think so; if anything, a graphical password is more likely to be comparably vulnerable if it is used on a standardized scale. Just because it's less common than text-based passwords doesn't mean dictionary attack methods won't be developed or used. "IwenttoSubwayandlaughedatthecashier." is a pretty darn good password, dictionary attacks notwithstanding, as an example, and it's easy to remember too. Probably more so than a graphical image that could be easily confused. – Desthro Oct 09 '14 at 16:59
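The two points raised in this answer and its comments, that a drawn input is "not exact each time" and so cannot simply be hashed, and that a grid-based graphical password has a smaller keyspace than a text password, can both be made concrete. The following is an added example, not code from the original post or from any vendor's picture-password implementation. It assumes a hypothetical scheme (an assumption for illustration only) in which the user taps N points on an image, each point is quantized to a cell of a W x H grid, and only the canonical cell sequence is fed to a salted, slow KDF; the grid size, image size and KDF parameters are chosen here, not taken from the page.

```python
import hashlib
import hmac
import math
import os

# Assumed scheme for illustration (not any vendor's actual picture-password
# format): the user taps N points on an image; each point is quantized to a
# cell of a GRID_W x GRID_H grid, and only the cell sequence is hashed.
GRID_W, GRID_H = 10, 10
IMAGE_W, IMAGE_H = 1920, 1080
KDF_ITERATIONS = 200_000


def quantize(points):
    """Map raw (x, y) pixel coordinates to grid cells so that repeat input
    is exact: hand jitter that stays inside a cell yields the same canonical
    form, which is what makes a conventional password hash usable at all."""
    cells = []
    for x, y in points:
        cx = min(int(x * GRID_W / IMAGE_W), GRID_W - 1)
        cy = min(int(y * GRID_H / IMAGE_H), GRID_H - 1)
        cells.append((cx, cy))
    return tuple(cells)


def canonical_bytes(cells):
    """Fixed-width encoding (one byte per coordinate) so that two different
    cell sequences can never serialize to the same byte string."""
    return b"".join(bytes([cx, cy]) for cx, cy in cells)


def enroll(points, salt=None):
    """Return (salt, digest) for a drawn sequence, using the same salted,
    slow KDF one would use for a text password. A fresh random salt is
    generated unless one is supplied (verify() supplies the stored salt)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", canonical_bytes(quantize(points)), salt, KDF_ITERATIONS
    )
    return salt, digest


def verify(points, salt, stored_digest):
    """Constant-time comparison of a fresh attempt against the stored hash."""
    _, digest = enroll(points, salt)
    return hmac.compare_digest(digest, stored_digest)


def grid_bits(n_taps, grid_w=GRID_W, grid_h=GRID_H):
    """Keyspace in bits for n_taps cells chosen uniformly at random. This is
    an upper bound: real users cluster on image features, so the effective
    entropy against a guided guessing attack is lower."""
    return n_taps * math.log2(grid_w * grid_h)


def text_bits(length, alphabet_size=95):
    """Keyspace in bits for a uniformly random password over printable ASCII."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample input: an enrolment and a slightly jittered retry.
    enrolled = [(100, 100), (1000, 500), (1900, 1000)]
    retry_ok = [(110, 95), (1010, 490), (1890, 1010)]   # same cells
    retry_bad = [(300, 100), (1000, 500), (1900, 1000)]  # first tap one cell off
    salt, digest = enroll(enrolled)
    print("jittered retry accepted:", verify(retry_ok, salt, digest))
    print("wrong-cell retry accepted:", verify(retry_bad, salt, digest))
    print("3 taps on 10x10 grid: %.1f bits" % grid_bits(3))
    print("8 random printable chars: %.1f bits" % text_bits(8))
```

Quantization answers the "can't hash it" objection by making the stored value exact; the tolerance lives in the cell size rather than in a fuzzy comparison. It does nothing about the other objections on this page: the keyspace figures above show that three taps on a 10 x 10 grid are worth under 20 bits even if chosen uniformly, well short of a short random text password, and neither hashing nor quantization helps against shoulder surfing or against users tapping the obvious features of the image.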

It's an improvement in having a strong Windows account password (for online use) and a user-friendly device access code for offline use.

A big complaint about Windows 8 is having to tie it to an online email account. Device access passwords are entered far more frequently than internet account passwords, and aren't open to as many threats. Additionally, you can't leverage password managers for device access, so there is that problem.

I prefer device access passwords to be very easy to use, such as the thumbprint scanner or a 4-digit PIN. What I don't like is that Windows 8 forces me to log in with an email account.

So what do you do? You want strong, random passwords for online accounts, and then leverage a manager for accessing those. Except that one account that's tied to Windows. Doh!

You shouldn't view this picture password as anything more sophisticated than a 4-digit PIN. It's there for ease of use.

I think some people are over-exaggerating the vulnerability here. For my desktop that sits in my office, this would be perfectly acceptable. What it wouldn't be acceptable for is accessing an online account.

If the picture password is used for offline, physical, in-your-hands device access only, then use it if it makes sense in your life.

It is in no way a replacement for strong passwords when dealing with corporate networks, remote logins, or accounts accessed over the internet.

Andrew Hoffman
  • I agree with you, but since the beginning we have been using only the text-based approach despite the number of vulnerabilities we have faced. So do you think this will continue even when more audiences join or become part of this huge world of the Internet? Is there any way we can improve in providing better authentication options to users? – noxious Oct 09 '14 at 16:55
  • When users take security seriously they stop assuming that the developer will implement good security and will want to bring their own security. One way of doing that is just using really strong, unique passwords. That way even if a developer makes a mistake, or is even a bad guy, you can still be well protected in almost-worst-case scenarios. And for me the best and most convenient way to bring my own security is to use a high-quality password manager. – Andrew Hoffman Oct 09 '14 at 17:07
  • Though I do dream of the day where all devices can be authenticated by being in close proximity to a Bluetooth RSA token fob, similar to the smart cars. That could work for websites as well, but OSes and web browsers would need to provide APIs to websites in order for them to leverage that capability. – Andrew Hoffman Oct 09 '14 at 17:09
  • @AndrewHoffman: Win8 (or at least 8.1) doesn't *force* you to use an email login (and I don't). They just bury the option to avoid it in some sub-menus. You can also disconnect it after the fact and use Metro apps on a login-per-app basis. – Enigma Oct 09 '14 at 17:29
  • @Enigma I did not know that; time to lock down my Windows account email now. :) Now the only thing that's left is the weak iTunes password. – Andrew Hoffman Oct 09 '14 at 17:52