how strong or weak is the picture password?

Picture Password - How strong or weak is it? It could be as weak as the weakest textual password and could be so strong as to resist offline brute force attacks. All depends on how it is operated. 5th January, 2016, Mnemonic Security, Inc., Japan/UK

Upload: hitoshi-kokumai

Post on 12-Feb-2017


TRANSCRIPT

Page 1: How strong or weak is the picture password?

Picture Password - How strong or weak is it?

It could be as weak as the weakest textual password and could be so strong as to resist offline brute force attacks. All depends on how it is operated.

5th January, 2016 Mnemonic Security, Inc., Japan/UK

Page 2: How strong or weak is the picture password?

Brute Force Attack & Picture Password

The picture password could be as weak as the weakest text password if operated carelessly or naively.

So could an Expanded Password System that accepts pictures as well as characters.

When, however, operated with some tweaks, the picture password could provide the level of strength that can resist the offline brute force attacks without inflicting heavy burdens on users.

Page 3: How strong or weak is the picture password?

How?

Assuming that 40 bits of random data (a password-component) are allocated to each image, picking 4 or 6 images from among the matrix would result in a password of 160- or 240-bit entropy.

Produced from such materials, the hashed value would be large enough against the offline brute force attacks, particularly effective when the password-components are stored separately from the rest of the data, most preferably split between the servers on the network and the devices in the users' hands.

Page 4: How strong or weak is the picture password?

and

Criminals who want to produce a rainbow table for a shortcut attack would need to steal both of the two groups of data stored separately. Should it happen, it could be no more than an isolated case. When the criminals get to obtain more powerful computers, we could then make the password-components larger.

As for the online attack, we can thwart it by simply locking the account when the number of failed attempts reaches the pre-set threshold. So we do not need to bother too much about the mathematical strength against online BF attacks, although it goes without saying that the higher the better, i.e. it would be recommended to register more of the images from among a larger matrix of images where security, not convenience, matters more.
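The construction described on pages 3 and 4, as an added example that is not Mnemonic Security's code: a random 40-bit component per image, the picked images' components concatenated and hashed, the components kept on the device and only a salted hash on the server, plus the failed-attempt lockout for the online case. The matrix size, pick positions and lockout threshold are constructed values; the `choice_entropy_bits` helper adds the practitioner's caveat that if the device-side components are stolen as well, only the choice of images among the matrix remains secret.

```python
import hashlib
import math
import secrets

# Constructed model of the deck's scheme (not the vendor's implementation).
COMPONENT_BITS = 40
LOCKOUT_THRESHOLD = 5  # assumed pre-set threshold, not a value from the deck


def build_matrix(n_images):
    """Allocate a fresh random 40-bit component to each of the n_images pictures.
    This list is the device-side data; the server never stores it."""
    return [secrets.token_bytes(COMPONENT_BITS // 8) for _ in range(n_images)]


def component_entropy_bits(n_picked):
    """Entropy of the concatenated components: 4 picks -> 160 bits, 6 picks -> 240 bits."""
    return n_picked * COMPONENT_BITS


def choice_entropy_bits(n_images, n_picked):
    """Entropy left if the device's components are stolen too: only the ordered
    choice of n_picked images out of n_images is unknown to the attacker."""
    return math.log2(math.perm(n_images, n_picked))


def secret_from_picks(matrix, picks):
    """The 'password' is the concatenation of the picked images' components, in order."""
    return b"".join(matrix[i] for i in picks)


def register(matrix, picks):
    """Server-side record: random salt and hash(salt || secret). No components here."""
    salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + secret_from_picks(matrix, picks)).digest()
    return {"salt": salt, "hash": digest, "failures": 0, "locked": False}


def verify(record, matrix, picks):
    """Online check with lockout: once failures reach the threshold, every attempt fails."""
    if record["locked"]:
        return False
    candidate = hashlib.sha256(record["salt"] + secret_from_picks(matrix, picks)).digest()
    if secrets.compare_digest(candidate, record["hash"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    if record["failures"] >= LOCKOUT_THRESHOLD:
        record["locked"] = True
    return False
```

With a 5x5 matrix and 4 picks the component entropy is 160 bits, but the choice entropy is only about 18 bits, which is why the split storage and the lockout are what carry the scheme.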

Page 5: How strong or weak is the picture password?

therefore

Coupled with the features of being hard to forget and removing the burden of remembering the relations between the accounts and the corresponding passwords, the Expanded Password System, when carefully operated, could hit the best possible balance between security and convenience.

It could also make ID federation schemes more secure, multi-factor schemes yet more secure and biometrics schemes less insecure.

Thank you