One of the constant sources of frustration for users and corporate security is passwords. Everyone has them, and everyone hates them. Some people choose the simplest possible password -- such as "password" or "123456" (seehttp://splashdata.com/splashid/worst-passwords/). So easy for hackers to get in.
http://blog.capogeannis.com/wp-content/uploads/2012/03/14862429.jpg |
Others have so many different and complex passwords that they can't remember any of them. So they write them all down. Now hackers merely need to be thieves to get to all of your system data. Do you leave your password on a piece of paper with your secretary? Better hope there isn't a temp in the office the day a hacker calls pretending to be you.
What can be done about this?
http://www.soc.napier.ac.uk/~bill/lee01.gif |
One promising solution is to replace text-based passwords with graphical ones. By selecting images and then areas within images, an authentication scheme can thwart some of the simplest hacker tactics (common passwords, default passwords, dictionary attacks) and also make the password more intuitive and simpler for users to remember. Of course, shoulder surfing becomes a bigger problem with these approaches. A couple of good discussions are available at http://www.acsac.org/2005/papers/89.pdf and http://rutgersscholar.rutgers.edu/volume04/sobrbirg/sobrbirg.htm.
http://en.wikipedia.org/wiki/File:Recaptcha.png |
One of the most common (and annoying) graphical authentication schemes currently in use is called reCAPTCHA (http://en.wikipedia.org/wiki/reCAPTCHA). It's aim is often to prevent automated systems from posting spam or registering for free accounts. The means is to use really hard to identify characters from digitizing old documents. The fact that OCR couldn't figure out the characters initially makes them very hard for spambots to handle also.
http://productimages.superwarehouse.com/userfiles/image/Fujitsu_N6420_features_01.jpg |
Of course, there's always the CSI approach -- fingerprints and retinal scans and the like. While these are more and more common for physical access control (the Holiday Gym here in Madrid even has a fingerprint scanner at its turnstiles), now they are starting to show up as software security as well. ASUS is using the webcam in it's laptops to logon with facial recognition instead of a password.
And also on the horizon, recognizing how you type instead of using a standard password. http://arstechnica.com/uncategorized/2012/03/darpa-dreams-of-authentication-using-the-way-you-type/ Of course, if you've a broken hand, this might lock you out of all your systems. And, as we move to input devices other than keyboards, this becomes even less relevant.