On Tuesday 02 July 2002 07:57, Topi Ylinen wrote:
> And I ran into a very curious difficulty. I had limited the
> characters to plain ascii (i.e. < 128) to avoid problems with
> different international character-sets and keyboards, but we had
> problems. The colon (":") proved especially difficult for a vendor
> who lives in Eastern Europe.

The problem with different character-sets, different interpretations of alt-characters and different rules for creating passwords are all drawbacks when it comes to creating secure passwords, since they also have to be easy to remember for the users.

(This is where I tend to go OT ;) The most important human-computer interface enhancement in the last 25 years is the GUI, but we're still using text-based passwords. Why? Using images would certainly help the user (the brain remembers images much better than letters or numbers) and increase the security.

I've made a beta-sketch of a system for handling graphical "passwords" under GNU/Linux and it is available here: www.northernsecurity.net/img/gaul/gaulbig.png and an article is available here: www.northernsecurity.net/articles/gaul.html. Since it's in Swedish I'll give you a very short version. (And yes, there are systems available already for this kind of thing, but they are far too restricted, limiting themselves to only one type of images etc.)

The image database looks like this:

1. Image database
  1.1 Common images [faces, animals, cars, etc]
    1.1.1 Grayscale
    1.1.2 Color
  1.2 Random Images [fractals, etc]
    1.2.1 Grayscale
    1.2.2 Color

Every image has a SHA-1 signature assigned to it. User Adam is allowed to create a password based on rules set by root. The rule applied to Adam only allows the user to use random images in color, which are the images in 1.2.2. Adam then chooses a number of pictures as stated by the rule (let's say 5) from the specified category and places them in a logical (to the user) order; these images are now the user's "password". The system takes the image signatures and merges them into one, and uses this final signature to validate the "password" when the user wants to log in next time.

/Thomas
--
[EMAIL PROTECTED] | www.northernsecurity.net
PGP: 4315 81B3 9E7F DC00 63DC F1D8 1326 651B AADE 91FC
"You got zero privacy anyway." -Scott McNealy, Sun Microsystems
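
The enrollment and login check described in the message above, as an added Python example that is not part of the original post or of the linked design. It also computes the guessing work for an ordered pick, which for 5 images out of a 20-image category is only about 21 bits. Assumptions: the merge is a salted PBKDF2 over the SHA-1 signatures concatenated in the user's order, the chosen images must be distinct, the image pool is constructed sample data, and all function names are hypothetical.

```python
import hashlib
import hmac
import math

# Constructed sample pool: image id -> (category from the post's outline, image bytes).
POOL = {f"img{i:02d}": ("1.2.2" if i % 2 else "1.1.2", f"pixels-{i}".encode())
        for i in range(40)}

def image_signature(data: bytes) -> bytes:
    """SHA-1 signature of one image, as the post assigns to every image."""
    return hashlib.sha1(data).digest()

def merge(choice, category, count, salt):
    """Apply root's rule, then merge the ordered signatures into one verifier.

    Assumptions: images must be distinct, and the merge is PBKDF2 over the
    concatenated signatures (the post only says they are merged into one).
    """
    if len(choice) != count or len(set(choice)) != count:
        raise ValueError(f"rule requires {count} distinct images")
    sigs = []
    for image_id in choice:
        image_category, data = POOL[image_id]  # KeyError for unknown ids
        if image_category != category:
            raise ValueError(f"{image_id} is outside category {category}")
        sigs.append(image_signature(data))
    # Concatenation order is the user's order, so a reordering gives a new verifier.
    return hashlib.pbkdf2_hmac("sha256", b"".join(sigs), salt, 100_000)

def verify(choice, category, count, salt, stored):
    """Recompute the merged signature at login and compare in constant time."""
    try:
        candidate = merge(choice, category, count, salt)
    except (ValueError, KeyError):
        return False
    return hmac.compare_digest(candidate, stored)

def search_space_bits(pool_size, count):
    """Bits of guessing work for an ordered pick of `count` distinct images."""
    return math.log2(math.perm(pool_size, count))

if __name__ == "__main__":
    salt = bytes(16)  # constructed fixed salt; a real system would use os.urandom(16)
    adam = ["img01", "img07", "img03", "img11", "img05"]
    stored = merge(adam, "1.2.2", 5, salt)
    print(verify(adam, "1.2.2", 5, salt, stored))        # same images, same order
    print(verify(adam[::-1], "1.2.2", 5, salt, stored))  # same images, other order
    print(round(search_space_bits(20, 5), 1))            # 20 images in 1.2.2
```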