Re: easier authentication?


David R. Conrad (drc@adni.net)
Wed, 14 Oct 1998 11:43:25 -0400 (EDT)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 13 Oct 1998 mgraffam@idsi.net wrote:

> If you introduce me to 15 people, and then we all go into a party with
> 200 other guests, I may not remember those 15 people's names too well,
> but I'll recognize their faces.

I recall reading in an essay by Kurt Vonnegut, Jr. (or perhaps in the
introduction to one of his books) that he has virtually no memory for
faces _whatsoever_. So this is a method that will have a small subset of
the population who simply cannot use it (just as a method involving colors
could be unworkable for people with certain forms of colorblindness).

Somewhere on the web I found a list of 7776 common words (6^5), one per
line, with a number on each line. The numbers consist of strings of five
digits where each digit is from 1 to 6, so the numbers go from 11111 to
66666, the idea being that you can roll 5 standard dice to pick one of the
words. My current passphrase is formed from fourteen such words, and I
only threw out a couple as I chose them, and with a little rearrangement,
a few slight variations, and a couple of punctuation characters thrown in
for good measure I have a not-too-long easy-to-remember passphrase that I
feel confident has upwards of 160 bits of entropy in it, even if the dice
aren't perfectly fair.

(There are just under 13 bits of entropy (~12.92) per word chosen from the
list, so fourteen words would be a hair over 180 bits.)

It seems to me that about the only way the faces/other images method could
be not-too-cumbersome from a user interface point of view would be with a
touch screen. But there's another problem which just occurred to me.
With a standard password/passphrase you can avoid showing it as it's
typed, but picking images would have a lousy (or great, depending on your
attitude) shoulder-surfing potential.

How would you deal with that?

David R. Conrad <drc@adni.net>

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQA/AwUBNiTGqIPOYu8Zk+GuEQIy5QCg7KhnGMDy1tEz5oFAHNGQJs2DbXIAn3i+
PvrbRGDyRo/dsPqOhgDET/ML
=xlst
-----END PGP SIGNATURE-----
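The dice-to-word scheme and the entropy figures from the message above, worked through as an added example (not part of the original post and not its author's code). The word list is a constructed placeholder because the page does not reproduce the real one; the function names and the biased-die parameter are assumptions made for illustration.

```python
import math
import secrets

DICE_PER_WORD = 5                  # five dice per word, as in the post
LIST_SIZE = 6 ** DICE_PER_WORD     # 7776 entries, keys 11111..66666

# Constructed placeholder list: the real 7776-word list is not on the page.
WORDS = [f"word{i:04d}" for i in range(LIST_SIZE)]

def roll_key(rng=None):
    """Roll five dice with the OS CSPRNG and return a key such as '31462'."""
    rng = rng or secrets.SystemRandom()
    return "".join(str(rng.randint(1, 6)) for _ in range(DICE_PER_WORD))

def key_to_index(key):
    """Map a key to its 0-based line in the list (base 6, digits shifted by 1)."""
    if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
        raise ValueError(f"not a {DICE_PER_WORD}-dice key: {key!r}")
    index = 0
    for c in key:
        index = index * 6 + (int(c) - 1)
    return index

def generate(n_words, words=WORDS):
    """Pick n_words independently, one dice key per word."""
    if len(words) != LIST_SIZE:
        raise ValueError("word list must have exactly 7776 entries")
    return [words[key_to_index(roll_key())] for _ in range(n_words)]

def bits_per_word(max_face_prob=1 / 6):
    """Min-entropy of one word when the likeliest die face has this probability.
    The likeliest word then has probability max_face_prob ** 5."""
    if not 1 / 6 <= max_face_prob < 1:
        raise ValueError("max_face_prob must be in [1/6, 1)")
    return -DICE_PER_WORD * math.log2(max_face_prob)

def passphrase_bits(n_words, max_face_prob=1 / 6):
    return n_words * bits_per_word(max_face_prob)

def words_needed(target_bits, max_face_prob=1 / 6):
    return math.ceil(target_bits / bits_per_word(max_face_prob))

if __name__ == "__main__":
    print(" ".join(generate(14)))
    print(f"fair dice:   {passphrase_bits(14):.1f} bits")
    # Assumed bias: one face comes up 20% of the time instead of 16.7%.
    print(f"biased dice: {passphrase_bits(14, 0.2):.1f} bits")
```

The estimate covers only the independently rolled words; the rearrangement, variations and punctuation mentioned in the message are not modeled.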




The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:15:21