Canadian researchers have come up with a novel solution to the perennial problem of stupidly insecure passwords – create secure ones using images, MP3 files or videos.
Mohammad Mannan and P.C. van Oorschot of Carleton University in Ottawa, Canada, have come up with ObPwd (object-based password), a way of creating complex, random passwords from SHA-1-based hashes generated using a range of image and sound file types as input.
Instead of using the easy-to-guess name of a pet cat as the password – easy meat for a dictionary cracker – the user could use a picture of the same animal to generate something sophisticated enough to withstand even the best password cracking tools. Defeating the scheme would require access to the specific image or file from which the password was generated.
“Users keep a record (memorised or written) of a pointer to their content used in generating each password. Users can write down the password in a ‘secure’ place, or re-create it from the content when needed,” write the authors in a public paper on the concept.
The end user’s mental effort is transferred from having to remember a string of text to simply having to know which file was used to create the password, they point out. ObPwd is advanced enough for the researchers to have released the software in beta form as an add-on tool for Mozilla, and as a standalone Windows XP utility.
The concept has some limitations. They recommend using files above a certain size – 30 bytes – to create long enough passwords, but not so large that the generation process is slowed down. This rules out using large video files, unless the password is based on only part of the file. They also warn against creating passwords from public material, such as pictures on a Facebook page or common image files. The password from a given file will always be the same, making secure possession of the file imperative.
The program could, however, be secured using what is called a ‘salt’, a PIN number used to protect the program’s output from a given image, though this would obviously detract from the simplicity of the ObPwd idea.
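As an added example (not the researchers' own ObPwd code), the following Python sketch shows the derivation the article describes: hash the object's bytes with SHA-1, optionally salted with a PIN, and encode the digest as a password. The 30-byte minimum is taken from the article; the leading-slice option for large files, the PIN-mixing order and the base64 encoding are this example's assumptions, and the "image" bytes are constructed.

```python
import base64
import hashlib
from typing import Optional

MIN_OBJECT_BYTES = 30  # lower bound on input size recommended in the article


def derive_object_password(data: bytes, pin: str = "",
                           max_bytes: Optional[int] = None,
                           length: int = 16) -> str:
    """Derive a password string from the bytes of a file ("object").

    SHA-1 over the (optionally truncated) content, optionally salted with
    a PIN, is encoded as URL-safe base64 and cut to `length` characters.
    The encoding and salt layout are assumptions of this example, not
    ObPwd's published construction.
    """
    if max_bytes is not None:
        data = data[:max_bytes]  # hash only a leading slice of a large file
    if len(data) < MIN_OBJECT_BYTES:
        raise ValueError(
            f"object too small: need >= {MIN_OBJECT_BYTES} bytes, got {len(data)}")
    h = hashlib.sha1()
    if pin:
        # Salt: the PIN is mixed in ahead of the content, so the same file
        # yields a different password for each PIN.
        h.update(pin.encode("utf-8") + b"\x00")
    h.update(data)
    encoded = base64.urlsafe_b64encode(h.digest()).decode("ascii").rstrip("=")
    return encoded[:length]


def demo() -> dict:
    # Constructed stand-in for a private photo; a real file would be read
    # with open(path, "rb").read().
    photo = b"\x89PNG\r\n\x1a\n" + bytes(range(256))
    public_photo = photo + b" (copy posted publicly)"
    return {
        # Same file, same password: possession of the file is what matters.
        "repeatable": derive_object_password(photo) == derive_object_password(photo),
        # A PIN salt changes the output without changing the file.
        "pin_changes_it": derive_object_password(photo, pin="4821") != derive_object_password(photo),
        # Any byte-level difference in the object gives an unrelated password.
        "file_bound": derive_object_password(public_photo) != derive_object_password(photo),
        # Large objects can be hashed on a leading slice only.
        "sliced": derive_object_password(photo, max_bytes=64),
    }


if __name__ == "__main__":
    print(demo())
```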
ObPwd should not be confused with the much simpler idea of using images themselves as pictorial passwords or mnemonics, which has been around for some years. Numerous systems exist to do the latter, including the UK-based PicturePIN.