These alternative passcode systems are really neat. Is there a way, though, to quantify, for the different systems, how plausibly the passcode can be 1) remembered or 2) forgotten or 3) "forgotten"?

On 02/27/2013 09:42 AM, R. Jason Cronk wrote:
> You could play Guitar Hero to get in your phone...
>
> http://bojinov.org/professional/usenixsec2012-rubberhose.pdf
>
> Another option would be to use animal species. There are some 3-30
> million different species of animals. Even restricting oneself to
> vertebrates, you have about 50,000 species (a five fold increase over a
> 4 digit pin). The user would be presented with a series of reducing
> questions. Question 1) Amphibian, Reptile, Bird, Mammal, Fish, etc....
> The user need only remember how to get to their one animal choice.
> Additional orders of magnitude could be had by adding invertebrates,
> plants, minerals on the front end or subspecies on the back end.
>
> Jason
>
>
> On Wed, Feb 27, 2013 at 9:06 AM, Tom Ritter <t...@ritter.vg> wrote:
>
> The Passcode section of the report is blank, I guess indicating the
> user did not have a passcode?
>
> The article does mention passcodes:
>
> > All modern smartphones can be locked with a PIN or password, which can slow down,
> > or in some cases, completely thwart forensic analysis by the police (as well as a phone
> > thief or a prying partner). Make sure to pick a sufficiently long password: a 4 character
> > numeric PIN can be cracked in a few minutes, and the pattern-based unlock screen
> > offered by Android can be bypassed by Google if forced to by the government. Finally,
> > if your mobile operating system offers a disk encryption option (such as with Android
> > 4.0 and above), it is important to turn it on.
>
> The iPhone has a class of data that is encrypted when the device is
> locked, and decrypted based off a key derived in part by the passcode
> when unlocked. I think this, combined with separate passwords for FDE
> and screen unlocking would be good classes of improvements we can make
> in all mobile platforms (not just phones).
>
> I'd also love to see some research into alternative, higher entropy
> but simple-to-use screen unlock systems. At first I was thinking
> something akin to a pattern unlock, but a path through a 3D maze: your
> password is a series of turns, but even presented with five choices
> five times the keyspace is too small. What keyspaces present a large
> number of easy-to-parse options that fit nicely on a phone screen?
> Maybe a map? I've seen a few attempts[0,1, and others] but I've not
> been convinced they wind up with an order of magnitude more choices
> than the baseline 10000 of a 4-digit passcode.
>
> -tom
>
> [0] http://www.youtube.com/watch?v=kHBjzlFalvA
> [1] http://clam.rutgers.edu/~birget/grPssw/authSueE.pdf
> --
> Too many emails? Unsubscribe, change to digest, or change password
> by emailing moderator at compa...@stanford.edu
> or changing your settings at
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
>
> --
> *R. Jason Cronk,* *Esq., CIPP*
> (828) 4RJCESQ
> r...@privacymaverick.com
> blog.privacymaverick.com <http://blog.privacymaverick.com/>