Bad Passwords – problem or opportunity?

This article includes some interesting analysis of passwords found in the wild. A reasonable first impression would be, “good god, those people are sure stupid”. But I had another idea… isn’t it interesting that a lot of people prefer pattern-based passwords, i.e. pressing the buttons in a certain order, without respect to the semantic meaning of the password. That means they are thinking visually, storing their password as a picture of the keys, and a mental model of the shape and direction their fingers will go to enter the code.

So why not take advatage of that? Here’s how it would work: anyplace there is a “enter password” box, the UI would say, “or, if you prefer remembering shapes, click here and we’ll generate a shape for you”. When you click on it, the password generator chooses a password based on a markov chain of key adjacency. It would be trivial for a cryptographer to figure out how much entropy is in a given shape (IANAC, so don’t ask me). You adjust the length of the key-path to the desired entropy. You show the user a little diagram of their new “password” to help them see the shape in it and program it into their memory.

There are some gotchas, of course. First, you have to give the user a chance to practice the password a few times, perhaps best done with some kind of highly visual Flash app (think Guitar Hero — Password Hero!). Second, the key-adjacency info is keyboard specific, as anyone who has ever left the United States will tell you (hello? French people? You really like AZERTY? Are you crazy?)

I have no intention of actually doing anything like this. I have a system for picking my passwords, and it works for me. Frankly, I don’t care about people too stupid to understand entropy and pick good passwords. This is why they don’t let me do UI: Left to my own devices, I’d just give everyone a PDP-11 console and let the UI itself weed out the idiots. 🙂

But, patent trolls: beware. This is prior art. I thought of shape passwords first, don’t bother patenting them suckers. I’ll open a can of patent-busting whoopass on you.


Comments

Leave a Reply

Your email address will not be published. Required fields are marked *