On Mon, Nov 16, 2009 at 11:25 AM, William Enck <[email protected]> wrote:
> Don't your fingers leave smudges for each digit in the PIN? Six one way,
> half dozen the other. Personally, I frequently clean the screen on my pants
> before putting my phone in my pocket.
>

Let's assume the password (on a 3x3 horizontal grid as below) is 75289. This is easily possible with both methods:

123
456
789

For the swipe method, you have a clear direction (as 7->5 is 'below' 2->5->9). Even if that is not discernible, you have 2 possible combinations. (75289 or 98257.) MAYBE 3 if the 2,5 combo is unclear. Even without such hints you can eliminate many possibilities: you know it's not "725" because of the connections it draws.

For the pin mode, you have 5! (120) possible combinations, and no way to rule any out.

> For those interested in academic research, I'd love to see a breadth study
> of cell phone authentication methods (one may already exist). Different
> password complexities are required for different interfaces. There is a risk
> trade-off. I don't mind my phone access password being less secure than my
> online bank password.
>
> One thing I like about Android's graphical password is that it is much
> faster to enter than a PIN, making me (and most users) more inclined to use
> it. I also have a much easier time changing to a new graphical password than
> coming up with a new PIN (which is supported by years of user studies in
> literature).
>
> Just my two cents.
> -Will
>
>
> On Nov 16, 2009, at 11:05 AM, curtis wrote:
>
>> I've been thinking about this a lot lately as well... the smudges on
>> my screen DEFINITELY make my security pattern obvious.
>>
>> This is definitely not a great idea if Android wants to make strides
>> towards the enterprise. I would think that it would be pretty simple
>> to implement the standard pin/passphrase, right?
>>
>>
>> On Nov 10, 9:09 am, JDub <[email protected]> wrote:
>>
>>> I'm sure this has been discussed and debated to death by now, but I
>>> thought I'd throw in my two cents after using my Droid for a few days.
>>>
>>> At first the unlocking pattern utility is really cool ... but the
>>> smudges left behind might make it easy for someone to guess what
>>> pattern you are drawing. I find myself trying to determine what
>>> patterns would best account for my oily fingers.
>>>
>>> A better implementation would have the dots spaced with random
>>> variations/distortions. For example, the dots could be uniformly
>>> stretched out or contracted, non-uniformly stretched/contracted (ex:
>>> one side a la trapezoid), or the entire grid could vary in its
>>> orientation or placement. All of this of course would be random.
>>>
>>> As it exists, I personally would rather have the traditional pin/
>>> keypad.
>>>
>>
>>
> --
> William Enck
> PhD Candidate
> Department of Computer Science and Engineering
> The Pennsylvania State University
> [email protected]
>
>
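Added example, not part of the original thread: a short Python sketch that counts how many secrets remain consistent with a smudge, for the 75289 case discussed in the reply above. It assumes the smudge shows which pairs of dots are joined but not the drawing direction, that each dot or digit is used once, and that the PIN length equals the number of smudged keys; no other lock-screen drawing rules are modelled, and all function names are hypothetical.

```python
from itertools import permutations
from math import log2


def pattern_candidates(strokes):
    """Orderings of the smudged dots whose consecutive pairs reproduce
    exactly the observed strokes (stroke direction is unknown)."""
    observed = {frozenset(s) for s in strokes}
    dots = sorted({d for s in strokes for d in s})
    matches = []
    for order in permutations(dots):
        drawn = {frozenset(pair) for pair in zip(order, order[1:])}
        if drawn == observed:
            matches.append("".join(map(str, order)))
    return matches


def pin_candidates(digits):
    """Every ordering of the smudged keys: taps leave no connecting
    strokes, so no ordering can be ruled out."""
    return ["".join(map(str, p)) for p in permutations(sorted(set(digits)))]


def residual_bits(candidates):
    """Guessing entropy left after the smudge, in bits."""
    return log2(len(candidates))


if __name__ == "__main__":
    # Constructed input: strokes left by drawing 7-5-2-8-9 on the 3x3 grid.
    strokes = [(7, 5), (5, 2), (2, 8), (8, 9)]
    swipe = pattern_candidates(strokes)
    pin = pin_candidates([7, 5, 2, 8, 9])
    print("pattern:", swipe, f"{residual_bits(swipe):.2f} bits")
    print("PIN:", len(pin), "orderings", f"{residual_bits(pin):.2f} bits")
```
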
