Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   Computer Security (http://www.velocityreviews.com/forums/f38-computer-security.html)
-   -   Image files as passwords (http://www.velocityreviews.com/forums/t394718-image-files-as-passwords.html)

Saul 02-22-2007 11:33 AM

Image files as passwords
 
I'm looking to build some new security features for a website which
will need stronger levels of password access, but I'm conscious from
experience that users aren't very good with passwords and keep losing
them or forgetting them so I don't want just bigger and better
passwords. What I was wondering was whether image files would be
better:

1. User is asked to upload an image and an access key to the website

2. The webserver takes the uploaded image, subtly modifies say 500
pixels by adjusting tone or hue a bit say so the image still looks OK
to the eye

3. The server converts the image to a jpeg and saves a random start
point from this file (away from the header) and say 500 characters on
a database, plus a hashkey for the file itself.

4. The image is packed into a zip file which is password protected
with the access key the user specified and sent to the user via email.

5. The user unpacks the image and saves it among other images (they
can rename it too, and put it in a secure directory on their system if
required).

6. When they need to authenicate themselves they upload the relevant
image

Note that the image is never shown on a website so it shouldn't be
cached anywhere.

This would have the benefit that the password image is easily
recognisable to the user so easy for the user to remember whilst being
difficult for a non-user to spot, it's also not obviously a password.
It's almost impossible to hack from outside the users computer without
a copy of the image - the data length is too big and too random for
brute force attacks. The image can also be copied on to a memory card
and used from other computers if needs be under the control of the
user (like a house key essentially).

The danger is that the computer or the memory card get stolen, or the
images get copied, but even stolen it would blend in to other images
on the system (personally I've got around 15,000 jpegs on this
computer, but I could be unusual), or could be additionally secured or
encrypted locally.

Does any such system already exist? Does the server actually need to
make modifications to the uploaded image or would a plain image do on
its own? Are there any comments or am I just barking up the wrong
tree?



Saul


Paul Rubin 02-22-2007 11:45 AM

Re: Image files as passwords
 
"Saul" <saul.dobney@dobney.com> writes:
> I'm looking to build some new security features for a website which
> will need stronger levels of password access, but I'm conscious from
> experience that users aren't very good with passwords and keep losing
> them or forgetting them so I don't want just bigger and better
> passwords. What I was wondering was whether image files would be better:


They can lose the image files too, so you may as well use passwords.
If you want something better than passwords, use hardware tokens.
Paypal is selling those for $5 now, so they must have found a cheap
source of them.

http://blog.washingtonpost.com/secur...aud_token.html

Saul 02-22-2007 03:37 PM

Re: Image files as passwords
 
On 22 Feb, 12:45, Paul Rubin <http://phr...@NOSPAM.invalid> wrote:
> "Saul" <saul.dob...@dobney.com> writes:
> > I'm looking to build some new security features for a website which
> > will need stronger levels of password access, but I'm conscious from
> > experience that users aren't very good with passwords and keep losing
> > them or forgetting them so I don't want just bigger and better
> > passwords. What I was wondering was whether image files would be better:

>
> They can lose the image files too, so you may as well use passwords.
> If you want something better than passwords, use hardware tokens.
> Paypal is selling those for $5 now, so they must have found a cheap
> source of them.


The problem with good secure passwords is they are eminently
forgettable as our current users keep demonstrating - so they either
pick weak or simple passwords or keep chasing us for password help, so
I want something easier without losing password strength for an
application where we really do want better levels of security.

Oh and as we're just a smigeon smaller than eBay/Paypal hardware
solutions aren't really available to us.


Saul


vedaal 02-22-2007 05:00 PM

Re: Image files as passwords
 
On Feb 22, 6:33 am, "Saul" <saul.dob...@dobney.com> wrote:

> 1. User is asked to upload an image and an access key to the website


> Does any such system already exist? Does the server actually need to
> make modifications to the uploaded image or would a plain image do on
> its own?


truecrypt
http://www.truecrypt.org/docs/?s=encryption-scheme
(click on the highlighted word 'keyfiles')
has a similar system in which they use a 'keyfile' in addition to or
in place of a password

any file can be used as a keyfile, (so any image file selected by the
user is ok)

in your setup,
the server does not need to modify the image,
(just hash it [sha-512 should be fine] )
and keep the hash to verify that the image file is unaltered)

but the users have to be cautioned to use only an image that has not
been e-mailed, posted, or otherwise 'leaked'
and to safeguard that image as if it were an actual key


vedaal


Paul Rubin 02-22-2007 05:12 PM

Re: Image files as passwords
 
"Saul" <saul.dobney@dobney.com> writes:
> The problem with good secure passwords is they are eminently
> forgettable as our current users keep demonstrating - so they either
> pick weak or simple passwords or keep chasing us for password help, so
> I want something easier without losing password strength for an
> application where we really do want better levels of security.


If they have to keep an image file around, why not just use a password.
How about giving them a card with a password printed on it.

> Oh and as we're just a smigeon smaller than eBay/Paypal hardware
> solutions aren't really available to us.


The stuff isn't that expensive.

Ertugrul Soeylemez 02-22-2007 05:57 PM

Re: Image files as passwords
 
"Saul" <saul.dobney@dobney.com> (07-02-22 03:33:42):

> I'm looking to build some new security features for a website which
> will need stronger levels of password access, but I'm conscious from
> experience that users aren't very good with passwords and keep losing
> them or forgetting them so I don't want just bigger and better
> passwords. What I was wondering was whether image files would be
> better:
>
> [...]
>
> Note that the image is never shown on a website so it shouldn't be
> cached anywhere.


I disagree about the security of pictures. What's the probability that
the image is not a copy taken from a web-site, an image shot by camera
and uploaded to Imageshack, etc.?

Like users tend to use their pets' names or their birthdays as
passwords, they will google up a cool image and use that one. But what
concerns me more about this concept: Even more likely, they will
present them to friends: "Hey look, this is my password!", just to
impress them.

The story goes further. Users go, "What? You can use images as
passwords? Cool!", so they'll do the same, which builds up a large
network of cool users using cool pictures for authentication. Cool,
ain't it?

Take another approach. Build a CA (which is as simple as generating a
self-signed certificate). The users need to generate certificates,
which are transferred to the server and signed by it. Only users with a
signed certificate will be let in. This also eliminates the need to
authenticate explicitly, since you can save the certificate in the
browser, so it presents it to the server automatically.

Another interesting feature of this concept is that users can prove they
are users of your service to others by presenting their certificate, if
this is of any use.


> This would have the benefit that the password image is easily
> recognisable to the user so easy for the user to remember whilst being
> difficult for a non-user to spot, it's also not obviously a password.
> It's almost impossible to hack from outside the users computer without
> a copy of the image - the data length is too big and too random for
> brute force attacks. The image can also be copied on to a memory card
> and used from other computers if needs be under the control of the
> user (like a house key essentially).


All this can be done with a certificate as well, with the additional
benefit that users don't even have the desire to share it.


> The danger is that the computer or the memory card get stolen, or the
> images get copied, but even stolen it would blend in to other images
> on the system (personally I've got around 15,000 jpegs on this
> computer, but I could be unusual), or could be additionally secured or
> encrypted locally.


No problem with certificates. The corresponding private key is
encrypted using a passphrase by default, and you can use the same
certificate to identify to different services without a security risk.
Just add additional signatures to it.


> Does any such system already exist? Does the server actually need to
> make modifications to the uploaded image or would a plain image do on
> its own? Are there any comments or am I just barking up the wrong
> tree?


Probably barking up the wrong tree. Never use personal things as
authentication secrets, because they aren't secret. On requesting an
image, a lot of users will upload an image of themselves. Why? Because
it's an `identification' image. Or just because the image represents
themselves. Like authentication in real world is done by looking at the
person. Remember: Users are dumb.


Regards,
E.S.

Jim Watt 02-22-2007 06:11 PM

Re: Image files as passwords
 
On 22 Feb 2007 03:33:42 -0800, "Saul" <saul.dobney@dobney.com> wrote:

>I'm looking to build some new security features for a website which
>will need stronger levels of password access, but I'm conscious from
>experience that users aren't very good with passwords and keep losing
>them or forgetting them so I don't want just bigger and better
>passwords. What I was wondering was whether image files would be
>better:
>
>1. User is asked to upload an image and an access key to the website
>
>2. The webserver takes the uploaded image, subtly modifies say 500
>pixels by adjusting tone or hue a bit say so the image still looks OK
>to the eye
>
>3. The server converts the image to a jpeg and saves a random start
>point from this file (away from the header) and say 500 characters on
>a database, plus a hashkey for the file itself.
>
>4. The image is packed into a zip file which is password protected
>with the access key the user specified and sent to the user via email.
>
>5. The user unpacks the image and saves it among other images (they
>can rename it too, and put it in a secure directory on their system if
>required).
>
>6. When they need to authenicate themselves they upload the relevant
>image
>
>Note that the image is never shown on a website so it shouldn't be
>cached anywhere.
>
>This would have the benefit that the password image is easily
>recognisable to the user so easy for the user to remember whilst being
>difficult for a non-user to spot, it's also not obviously a password.
>It's almost impossible to hack from outside the users computer without
>a copy of the image - the data length is too big and too random for
>brute force attacks. The image can also be copied on to a memory card
>and used from other computers if needs be under the control of the
>user (like a house key essentially).
>
>The danger is that the computer or the memory card get stolen, or the
>images get copied, but even stolen it would blend in to other images
>on the system (personally I've got around 15,000 jpegs on this
>computer, but I could be unusual), or could be additionally secured or
>encrypted locally.
>
>Does any such system already exist? Does the server actually need to
>make modifications to the uploaded image or would a plain image do on
>its own? Are there any comments or am I just barking up the wrong
>tree?
>
>
>
>Saul


Not a bad idea, but you do appreciate that a JPG file uses compression
so any altered pixels are not necessarily the same after the image is
saved.
--
Jim Watt
http://www.gibnet.com

Mike Amling 02-22-2007 07:57 PM

Re: Image files as passwords
 
Jim Watt wrote:
> Not a bad idea, but you do appreciate that a JPG file uses compression
> so any altered pixels are not necessarily the same after the image is
> saved.


I think it's OK if they're different, but there would be a problem if
the compression caused the changes to be lost completely.

--Mike Amling

Zilbandy 02-22-2007 09:01 PM

Re: Image files as passwords
 
On 22 Feb 2007 14:57:40 EST, Mike Amling <spamonly@allspam.com> wrote:

>> Not a bad idea, but you do appreciate that a JPG file uses compression
>> so any altered pixels are not necessarily the same after the image is
>> saved.

>
> I think it's OK if they're different, but there would be a problem if
>the compression caused the changes to be lost completely.


Compression does cause total loss of some data. The only way I see to
use the file is to save it, and then use the saved file. If the file
is ever resaved as a jpg, it would most likely be different.

--
Zilbandy

Vanguard 02-23-2007 03:54 AM

Re: Image files as passwords
 
If you have users too stupid to remember their own chosen passwords, or
you use rules that make it nearly impossible to create human-memorable
passwords, then have the user use something like PasswordSafe. It's
free at sourceforge.net. They will, however, have to remember the
password that THEY choose to let them open PasswordSafe but they are
reduced to having to remember just one password using their own rules.



All times are GMT. The time now is 12:35 AM.

Powered by vBulletin®. Copyright ©2000 - 2014, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.