
SoylentNews is people

posted by janrinok on Thursday June 05 2014, @11:22PM
from the I-bet-people-will-write-the-same-profanity dept.

Rutgers engineering researchers explore the security and memorability of free-form gestures as passwords.

As more people use smart phones or tablets to pay bills, make purchases, store personal information and even control access to their houses, the need for robust password security has become more critical than ever. A new Rutgers University study shows that free-form gestures (sweeping fingers in shapes across the screen of a smart phone or tablet) can be used to unlock phones and grant access to apps. These gestures are less likely than traditional typed passwords or newer "connect-the-dots" grid exercises to be observed and reproduced by "shoulder surfers" who spy on users to gain unauthorized access. "All it takes to steal a password is a quick eye," said Janne Lindqvist, one of the leaders of the project and an assistant professor in the School of Engineering's Department of Electrical and Computer Engineering. "With all the personal and transactional information we have on our phones today, improved mobile security is becoming increasingly critical."

Lindqvist believes this is the first study to explore free-form gestures as passwords. The researchers will publish their findings in June as part of the proceedings of MobiSys '14, a premier international conference in mobile computing.

In developing a secure solution to this problem, Lindqvist and the other researchers from Rutgers and collaborators from Max-Planck Institute for Informatics, including Antti Oulasvirta, and University of Helsinki studied the practicality of using free-form gestures for access authentication. With the ability to create any shape in any size and location on the screen, the gestures had an inherent appeal as passwords. Since users create them without following a template, the researchers predicted these gestures would allow for greater complexity than grid-based gestures offer.

This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Funny) by c0lo on Thursday June 05 2014, @11:43PM

    by c0lo (156) on Thursday June 05 2014, @11:43PM (#51970) Journal
    Squiggly lines? You mean... like writing down your name by hand? What a novel idea indeed!
    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0
    • (Score: 2) by mendax on Friday June 06 2014, @04:54AM

      by mendax (2840) on Friday June 06 2014, @04:54AM (#52073)

      Squiggly lines? You mean... like writing down your name by hand? What a novel idea indeed!

      I'll bet real money that someone will get a patent for this, too!

      --
      It's really quite a simple choice: Life, Death, or Los Angeles.
      • (Score: 2) by c0lo on Friday June 06 2014, @05:02AM

        by c0lo (156) on Friday June 06 2014, @05:02AM (#52078) Journal

        Squiggly lines? You mean... like writing down your name by hand? What a novel idea indeed!

        I'll bet real money that someone will get a patent for this, too!

        (nah, I'm not taking your bet) Of course someone will do: after all, it's "on a computer"

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0
        • (Score: 2) by mendax on Friday June 06 2014, @10:00AM

          by mendax (2840) on Friday June 06 2014, @10:00AM (#52141)

          Squiggly lines? You mean... like writing down your name by hand? What a novel idea indeed!

          I'll bet real money that someone will get a patent for this, too!

          (nah, I'm not taking your bet) Of course someone will do: after all, it's "on a computer"

          If it happens, I'm going to patent the process of pissing squiggles in the snow.... or even better on the patent office's front door.

          --
          It's really quite a simple choice: Life, Death, or Los Angeles.
  • (Score: 4, Funny) by DECbot on Thursday June 05 2014, @11:46PM

    by DECbot (832) on Thursday June 05 2014, @11:46PM (#51972) Journal

    Just like how 'password' and '123456' are some of the most common traditional passwords, I imagine penises becoming the most common squiggles with this new scheme.

    --
    cats~$ sudo chown -R us /home/base
    • (Score: 2, Interesting) by IndigoFreak on Thursday June 05 2014, @11:57PM

      by IndigoFreak (3415) on Thursday June 05 2014, @11:57PM (#51976)

      Hell, I was going to say the straight line is the new password.

      I wonder how precise they want these to be? I could see it becoming a pain in the ass when you want to quickly unlock your phone.

  • (Score: 2) by bob_super on Friday June 06 2014, @12:00AM

    by bob_super (1357) on Friday June 06 2014, @12:00AM (#51977)

    1.3 Billion Chinese were observed simultaneously facepalming...

    • (Score: 2) by wonkey_monkey on Friday June 06 2014, @07:20AM

      by wonkey_monkey (279) on Friday June 06 2014, @07:20AM (#52106) Homepage

      1.3 Billion Chinese were observed simultaneously facepalming...

      Why are they all using the same password?

      --
      systemd is Roko's Basilisk
  • (Score: 2, Funny) by tftp on Friday June 06 2014, @02:16AM

    by tftp (806) on Friday June 06 2014, @02:16AM (#52013) Homepage

    Humans are very close to their limit of remembering enough randomness to control access to devices. Their opponent is not always another human - it can be a computer that remembers everything. Humans are also vulnerable to a $5 wrench. Today we already have captcha that can be decoded by a computer faster and more reliably than by a human.

    The best way to proceed at this point is by having (wearing, implanting) a personal cryptographic processor. (Yes, the right arm, or the forehead, are both excellent locations.) As opposed to biometrics, these processors _can_ be copied in duress, as it is often preferable to being hacked up with a rusty knife. These keys should be revocable. Security-wise, they can contain enough key length to ensure confidence for the nearest ten or twenty years. Convenience-wise, they can be used for authentication and for encryption. Enough with all these "squiggly lines" nonsense - humans are poor processors of that information. Some humans are poor processors of any information. Just implement the proper tokens, issue them to everyone like they issue passports and driver's licenses, and be done with it for good.

    • (Score: 0) by Anonymous Coward on Friday June 06 2014, @02:18PM

      by Anonymous Coward on Friday June 06 2014, @02:18PM (#52249)

      I'm left-handed, you insensitive clod!

  • (Score: 3, Insightful) by DrMag on Friday June 06 2014, @03:45AM

    by DrMag (1860) on Friday June 06 2014, @03:45AM (#52051)

    I imagine the real failing of this idea is how difficult it will be for a person to reproduce the same free-form gesture; it will become very frustrating to users when, after the 6th failed attempt, they finally get in to their device. If this is implemented, it may make the issue worse as people would disable the authentication entirely.

    • (Score: 2, Insightful) by tftp on Friday June 06 2014, @06:47AM

      by tftp (806) on Friday June 06 2014, @06:47AM (#52098) Homepage

      it will become very frustrating to users when, after the 6th failed attempt, they finally get in to their device.

      It's more fun if after the 6th failed attempt the device locks up for 3 hours - or, for extra joy, deletes everything.

  • (Score: 2) by Marand on Friday June 06 2014, @05:51AM

    by Marand (1081) on Friday June 06 2014, @05:51AM (#52091) Journal

    Better password schemes are useless when you can't trust the encryption you're using to transmit them. How many SSL flaws in various implementations (OpenSSL, gnutls, whatever Apple uses) in the past couple months alone?

    But hey, at least with this scheme, security flaws turn into a marathon run of Pictionary, so it's fun for the user!

  • (Score: 3, Interesting) by bradley13 on Friday June 06 2014, @08:53AM

    by bradley13 (3053) Subscriber Badge on Friday June 06 2014, @08:53AM (#52128) Homepage Journal

    Some commenters are mixing up two different things: Passwords for the security of individual devices or services, and the security of online data transmission.

    It is perhaps worth remembering that, in the vast majority of cases, the purpose of a lock is to remind honest people to be honest. If you left your valuables sitting on your front step, anyone could - and many people would - take something. But you don't - your valuables are in your house, where you have a crappy lock on a flimsy front door. That is enough to ensure that only a dedicated thief would make the effort of stealing something.

    It's much the same with passwords. We don't need super high security, because the purpose of passwords (or squiggly lines or whatever) is to remind basically honest people to leave our stuff alone.

    Of course, you probably have different expectations for the contents of your bank account. You expect your bank to have *real* security, so that even dedicated thieves cannot access your stuff. And your online banking transactions should be equally secure (n.b. even if you use a crappy password).

    Online data transmission is used for both purposes - access to individual, relatively unimportant things, but also for important things like financial transactions. Hence, while we are entitled to use crappy passwords (or squiggly lines) for lots of things, we still have every right to expect the online infrastructure (like OpenSSL) to be genuinely secure.

    --
    Everyone is somebody else's weirdo.
  • (Score: 0) by Anonymous Coward on Monday June 09 2014, @01:42AM

    by Anonymous Coward on Monday June 09 2014, @01:42AM (#53090)

    ...the need for robust password security has become more critical than ever...

    Irrelevant! When spooks can access your data however they might like (LOVEINT, STINGRAY, DEA/SOD et al.), it's clearly only a theoretical line in the sand before they start planting what they want to make a case. Unlimited power leads to unlimited irresponsibility. Time is the only constant. We all know better than this.
    King George would be rubbing his grubby hands together in his grave.