Thread: Image files as passwords
View Single Post
  #1 (permalink)  
Old 02-22-2007, 11:33 AM
Saul
Guest
  
Posts: n/a
Default Image files as passwords
I'm looking to build some new security features for a website which
will need stronger levels of password access, but I'm conscious from
experience that users aren't very good with passwords and keep losing
them or forgetting them so I don't want just bigger and better
passwords. What I was wondering was whether image files would be
better:

1. User is asked to upload an image and an access key to the website

2. The webserver takes the uploaded image, subtly modifies say 500
pixels by adjusting tone or hue a bit say so the image still looks OK
to the eye

3. The server converts the image to a jpeg and saves a random start
point from this file (away from the header) and say 500 characters on
a database, plus a hashkey for the file itself.

4. The image is packed into a zip file which is password protected
with the access key the user specified and sent to the user via email.

5. The user unpacks the image and saves it among other images (they
can rename it too, and put it in a secure directory on their system if
required).

6. When they need to authenicate themselves they upload the relevant
image

Note that the image is never shown on a website so it shouldn't be
cached anywhere.

This would have the benefit that the password image is easily
recognisable to the user so easy for the user to remember whilst being
difficult for a non-user to spot, it's also not obviously a password.
It's almost impossible to hack from outside the users computer without
a copy of the image - the data length is too big and too random for
brute force attacks. The image can also be copied on to a memory card
and used from other computers if needs be under the control of the
user (like a house key essentially).

The danger is that the computer or the memory card get stolen, or the
images get copied, but even stolen it would blend in to other images
on the system (personally I've got around 15,000 jpegs on this
computer, but I could be unusual), or could be additionally secured or
encrypted locally.

Does any such system already exist? Does the server actually need to
make modifications to the uploaded image or would a plain image do on
its own? Are there any comments or am I just barking up the wrong
tree?



Saul


Reply With Quote