Could places, not phrases, be the basis of secure passwords? UAE researchers have created a system for building complex passwords from facts about a user’s favourite place, and claim it can foil ID-theft attacks.
Human beings find it difficult to remember long strings of mixed letters, numbers and special characters, so a new password-creation system focuses on what we ARE good at, i.e. remembering familiar places, according to Ziyad Al-Salloum of security company ZSS, located in the United Arab Emirates.
Thinking of, for instance, a hexagon drawn round the Eiffel Tower could be the basis of one of Al-Salloum’s passwords, using information such as the length of its sides, its height, its perimeter and its radius. For humans, it is easier to remember places, and information associated with them, than strings of characters. The passwords are also hard to crack, Al-Salloum claims in his paper (an open-access link is available via EurekAlert).
Al-Salloum’s team investigated 47,000 breaches in which weak passwords had been a factor, and found that the system would have prevented or mitigated the impact of 76% of them.
“The high guessing entropy of the credential makes it very difficult for adversaries to compromise,” Al-Salloum writes, as reported by Science Codex. “The geographical, human-friendly password would change how people deal with their access credentials; just imagine your geographical password to your email or social network is your summer home or the lake you have visited for years.”
Rather than simply remembering a place name (easy prey for cracking programs), users remember a set of parameters about the place, such as its height, the number of legs of a tower or the area of its grounds, creating a password built from those figures that is easier to remember than random numbers.
Al-Salloum claims that humans simply do not like remembering characters by themselves, a fact borne out by previous research such as Bensinger 1988, PhysOrg reports. That research shows that basic human behaviour is to avoid memorizing characters and to cut corners where possible; therefore, Al-Salloum writes, users will always reuse passwords, and use short and easily guessed passwords, in an effort to save time and avoid forgetting them. Many users also fall into the trap of creating passwords based on family names, pet names and addresses.
Al-Salloum’s paper, published in the Journal of Signal and Imaging Systems Engineering, explains the process, and the extra security measures intended to make Geographical Passwords extremely hard to guess or to brute-force.
“The geographical password system utilizes the geographical information derived from a specific memorable location around which the user has logged a drawn boundary: longitude, latitude, altitude, area of the boundary, its perimeter, sides, angles, radius and other features form the geographical password,” he says.
“For instance, the user might draw a six-sided polygon around a geographical feature such as Ayers Rock, a particular promontory on the Grand Canyon, a local church, a particular tree in the woodland where they walk their dog… or any other geographical feature,” Al-Salloum says.
Al-Salloum points out that creating a new, hard-to-guess password is easy: think of another location. His proposed system would then add further failsafes, he said: “Once created, the password is then ‘salted’ by adding a string of hidden random characters that are user-specific, and the geographical password and the salt ‘hashed’ together.”
This means that even if it IS common for users to pick famous landmarks such as the Eiffel Tower, the salt and hash provide another barrier (a per-user salt defeats precomputed tables, though not an attacker who guesses popular landmarks one hash at a time). The system has other advantages, Al-Salloum reports: any geographical area can be used, a field, a tree, a mountain, allowing users to create secure passwords quickly.
Using two such ‘Geographical Passwords’ radically increases the security, Al-Salloum reports: “A whole-earth map might have 360 billion tiles at 20 degrees of ‘zoom’, which offers an essentially limitless number of essentially unguessable geographical passwords.”
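The following is an added illustration of the scheme described in the quotes above, not code from Al-Salloum’s paper or from ZSS. It derives quantized geometric features (side count, centroid cell, perimeter, area) from a polygon drawn around a place, salts and hashes them, checks that a slightly redrawn polygon still verifies, and then runs the offline guessing attack the salt does not stop: an attacker with the leaked hash and salt who simply tries hexagons around famous landmarks. It also contrasts the tile-count entropy quoted above with the entropy of what users actually pick. All coordinates, bin sizes, radii, the landmark list and the choice of PBKDF2 for “hashed” are assumptions made for this example; altitude is omitted because it needs elevation data.

```python
"""Toy model of a geographical password (added example, not the paper's code).
Coordinates, bin sizes, radii, the landmark list and the KDF are assumed."""
import hashlib
import math
import secrets

EARTH_RADIUS_M = 6_371_000.0
M_PER_DEG_LAT = math.radians(1) * EARTH_RADIUS_M  # ~111 km per degree of latitude


def haversine_m(p, q):
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def polygon_features(vertices, grid_deg=0.005, perim_step_m=100, area_step_m2=10_000):
    """Quantized features of a closed polygon [(lat, lon), ...]: side count,
    centroid grid cell, perimeter bin, area bin. Quantization is what lets an
    imprecisely redrawn polygon map to the same credential; plain rounding is
    used here, so a drawing near a bin edge can still flip a feature (a real
    deployment would need tolerance-aware matching)."""
    n = len(vertices)
    lat_c = sum(lat for lat, _ in vertices) / n
    lon_c = sum(lon for _, lon in vertices) / n
    # Perimeter: sum of great-circle edge lengths.
    perim = sum(haversine_m(vertices[i], vertices[(i + 1) % n]) for i in range(n))
    # Area: shoelace formula on a local equirectangular projection
    # (adequate for polygons a few kilometres across).
    k_lon = M_PER_DEG_LAT * math.cos(math.radians(lat_c))
    xy = [((lon - lon_c) * k_lon, (lat - lat_c) * M_PER_DEG_LAT) for lat, lon in vertices]
    area = abs(sum(xy[i][0] * xy[(i + 1) % n][1] - xy[(i + 1) % n][0] * xy[i][1]
                   for i in range(n))) / 2
    return (n, round(lat_c / grid_deg), round(lon_c / grid_deg),
            round(perim / perim_step_m), round(area / area_step_m2))


def hash_geo_password(vertices, salt):
    """Salt and hash the quantized features. The paper only says 'hashed';
    PBKDF2-HMAC-SHA256 is assumed here (scrypt or Argon2 would be stronger)."""
    credential = "|".join(str(f) for f in polygon_features(vertices)).encode()
    return hashlib.pbkdf2_hmac("sha256", credential, salt, 100_000, dklen=32)


def hexagon(center, radius_m, jitter_m=0.0):
    """Six-sided polygon around a centre, standing in for what the user draws.
    jitter_m alternately shrinks and grows the radius to mimic hand imprecision."""
    lat_c, lon_c = center
    k_lon = M_PER_DEG_LAT * math.cos(math.radians(lat_c))
    pts = []
    for i in range(6):
        r = radius_m + (jitter_m if i % 2 else -jitter_m)
        ang = math.radians(60 * i)
        pts.append((lat_c + r * math.sin(ang) / M_PER_DEG_LAT,
                    lon_c + r * math.cos(ang) / k_lon))
    return pts


# Constructed attacker dictionary: approximate landmark coordinates (assumed)
# and a few radii a user is likely to draw.
LANDMARKS = {
    "Eiffel Tower": (48.8584, 2.2945),
    "Uluru": (-25.3444, 131.0369),
    "Statue of Liberty": (40.6892, -74.0445),
    "Big Ben": (51.5007, -0.1246),
}
RADII_M = (100, 200, 500, 1000)


def guess_landmark_password(target_hash, salt):
    """Offline dictionary attack with a leaked hash and its salt: try a hexagon
    of each common radius around each famous landmark. Returns
    (landmark, radius, guesses_needed) or None. The salt blocks precomputed
    tables but costs this attacker only one hash computation per guess."""
    guesses = 0
    for name, center in LANDMARKS.items():
        for r in RADII_M:
            guesses += 1
            if secrets.compare_digest(hash_geo_password(hexagon(center, r), salt), target_hash):
                return name, r, guesses
    return None


def naive_entropy_bits(zoom):
    """log2 of the number of map tiles at a zoom level: 4 ** zoom tiles, i.e.
    2 ** 40 (about 1.1 trillion) at zoom 20, near the 360 billion quoted above."""
    return 2 * zoom


def effective_entropy_bits(n_places, n_radii):
    """Guessing entropy if users really choose uniformly among n_places
    landmarks and n_radii sizes; the tile count is irrelevant then."""
    return math.log2(n_places * n_radii)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)  # per-user random salt, stored beside the hash
    enrolled = hash_geo_password(hexagon(LANDMARKS["Eiffel Tower"], 200), salt)
    redrawn = hash_geo_password(hexagon(LANDMARKS["Eiffel Tower"], 200, jitter_m=5), salt)
    print("redrawn polygon verifies:", secrets.compare_digest(enrolled, redrawn))
    print("dictionary attack result:", guess_landmark_password(enrolled, salt))
    print(f"naive entropy at zoom 20: {naive_entropy_bits(20)} bits; effective with "
          f"{len(LANDMARKS)} landmarks x {len(RADII_M)} radii: "
          f"{effective_entropy_bits(len(LANDMARKS), len(RADII_M)):.1f} bits")
```

The design point is the one Harley raises below: the salt and a slow hash raise the attacker’s per-guess cost, but the number of guesses is set by how users actually choose places, not by how many tiles the map has. With the four constructed landmarks and four radii, the enrolled Eiffel Tower hexagon falls on the second guess.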
ESET Senior Research Fellow David Harley said in an earlier blog post relating to passphrases built around mnemonics (i.e. designed to be easy for the user to remember, but hard to crack): “I remember stumbling across research into story-building mnemonics used in passwords in a psychology experiment at university in the early 70s.
“Essentially, I found myself able to remember a long string of essentially unconnected words by inventing a story. It was surprisingly effective: I could still bring it to mind many months afterwards without rehearsing it, and I’m not even a particularly visual thinker, so my ‘story’ was less reliant on visual elements. These days, though, I’m happy if I can finish the day remembering which day it is…”
“One problem that tends to come up with solutions that focus on memorization techniques rather than maximizing entropy is that they tend to make assumptions about the randomness of the resulting passphrase and the equivalence of randomness and entropy that aren’t necessarily true.”