Thursday, December 06, 2007

Drawing Your Password

I came across this article and feel that this is some impressive research into how future technologies will make it easier for us to generate more secure 'passwords'. Dr. Yan has taken Draw-a-Secret (DAS) technology and improved upon it in a great way...

I had not seen DAS technology before reading this article, and my first thought was: "OK, if you ask people to draw something that will become their password, then you will probably end up with a bunch of smiley faces for passwords." What Dr. Yan has done is add a background image that you then draw your password over (Background Draw-a-Secret, or BDAS). This is really cool because, for me, it builds on a natural tendency (one I imagine many others share) to take an existing picture and 'doodle' on it. Obviously, you would want to avoid well-known background images, such as the Mona Lisa, since most people would probably just draw a moustache on her and be done. Take an image of your house, your dog, or a favorite vacation spot, however, and you could get really creative (even the most artistically challenged geek could muster up something worthy).

The article explains that in testing, passwords generated with BDAS contained about 10 more bits of entropy than those generated with standard DAS. That is a significant improvement: each additional bit doubles the space an attacker has to search.

My only concern is that the screens you draw on may become 'tattooed' with the outline of your password, which would make stealing it easier. That risk is somewhat mitigated because the technology is looking at more than just the drawing: it also considers stroke counts and stroke lengths, so a trace left on the screen does not by itself reveal how many strokes were used or where each one started and stopped. Full details on the technology are available here.
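To make concrete what a DAS-style scheme actually stores and compares, here is a small encoder added for illustration; it is not code from the original post or from Dr. Yan's BDAS implementation. It captures a drawing as pen strokes, maps each stroke onto a 5x5 grid (the grid size from the original DAS design), and stores only a hash of the resulting cell sequence with pen-up markers. The 500x500 canvas, the sample drawings, and the two strength measures (stroke count and cell-visit length) are assumptions made for this example. The two constructed drawings trace the same L shape on screen, so a 'tattooed' outline would look identical for both, yet one is drawn in a single stroke and the other in two, and they encode to different secrets.

```python
"""
Added example (not from the original post or Dr. Yan's BDAS code):
a minimal Draw-a-Secret style encoder.

A drawing is captured as a list of strokes (pen-down to pen-up), each a
list of (x, y) screen points.  The stored secret is NOT the picture but
the sequence of grid cells the pen passes through, with a pen-up marker
between strokes.  Grid size 5x5 follows the original DAS design; the
500x500 canvas, sample drawings and strength measures are assumptions.
"""
import hashlib
from typing import List, Tuple

Point = Tuple[float, float]
Stroke = List[Point]
Cell = Tuple[int, int]

GRID = 5            # 5x5 grid, as in the original DAS scheme
CANVAS = 500.0      # assumed canvas size in pixels (square)
PEN_UP: Cell = (-1, -1)   # marker inserted after every stroke


def cell_of(p: Point) -> Cell:
    """Map a screen point to its (column, row) cell, clamping at the edges."""
    x, y = p
    col = min(GRID - 1, max(0, int(x * GRID / CANVAS)))
    row = min(GRID - 1, max(0, int(y * GRID / CANVAS)))
    return (col, row)


def encode(strokes: List[Stroke]) -> List[Cell]:
    """Encode strokes as a cell sequence with pen-up markers.

    Consecutive visits to the same cell collapse, so wobbling inside one
    cell does not change the secret; this is what makes the scheme
    tolerant of imprecise redrawing.
    """
    seq: List[Cell] = []
    for stroke in strokes:
        if not stroke:
            continue
        for p in stroke:
            c = cell_of(p)
            if not seq or seq[-1] != c:
                seq.append(c)
        seq.append(PEN_UP)
    return seq


def stroke_count(seq: List[Cell]) -> int:
    """Number of strokes: one pen-up marker per stroke."""
    return seq.count(PEN_UP)


def length(seq: List[Cell]) -> int:
    """DAS 'length': number of cell visits, excluding pen-up markers."""
    return len(seq) - stroke_count(seq)


def digest(seq: List[Cell]) -> str:
    """What the server should keep: a hash of the canonical encoding,
    never the raw drawing or coordinate trace."""
    canon = ";".join(f"{c},{r}" for c, r in seq)
    return hashlib.sha256(canon.encode()).hexdigest()


def verify(strokes: List[Stroke], stored: str) -> bool:
    """Re-encode a login attempt and compare against the stored digest."""
    return digest(encode(strokes)) == stored


# Constructed sample drawings (assumed coordinates): both trace the same
# L shape across cells (0,0)->(2,0)->(2,2), so they leave the same trace
# on a screen, but the first is one stroke and the second is two.
ONE_STROKE: List[Stroke] = [
    [(50, 50), (150, 50), (250, 50), (250, 150), (250, 250)],
]
TWO_STROKES: List[Stroke] = [
    [(50, 50), (150, 50), (250, 50)],
    [(250, 50), (250, 150), (250, 250)],
]

if __name__ == "__main__":
    for name, drawing in (("one stroke", ONE_STROKE), ("two strokes", TWO_STROKES)):
        seq = encode(drawing)
        print(f"{name}: cells={seq} strokes={stroke_count(seq)} "
              f"length={length(seq)} digest={digest(seq)[:16]}...")
    enrolled = digest(encode(ONE_STROKE))
    print("same shape, one stroke verifies:", verify(ONE_STROKE, enrolled))
    print("same shape, two strokes verifies:", verify(TWO_STROKES, enrolled))
```

Note that the collapsing of repeated cells is what gives the scheme its tolerance: a user need only cross the same cells in the same order with the same pen-up points, not reproduce the picture pixel for pixel. The flip side is that an attacker who recovers the path from a worn screen still has to guess the stroke boundaries, which is exactly the extra information the post refers to.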

On a side note...

This sparked a topic in my head on the security of signature data. If you walk into many retailers today and purchase items using a credit card, odds are that you will be asked to sign an electronic pad. These pads convert the pen-up and pen-down events and stroke lengths into a binary representation that is then stored and can later be retrieved and reprinted (often on your copy of the receipt). Since the data is stored electronically in a database somewhere, it could easily be stolen. I did a very brief search for signature protection legislation or standards (e.g. PCI DSS) and came up with little worthwhile. This is an area that probably could use some research and some proper guidelines.