"Saul" <saul.dobney@dobney.com> (07-02-22 03:33:42):

> I'm looking to build some new security features for a website which
> will need stronger levels of password access, but I'm conscious from
> experience that users aren't very good with passwords and keep losing
> them or forgetting them so I don't want just bigger and better
> passwords. What I was wondering was whether image files would be
> better:
>
> [...]
>
> Note that the image is never shown on a website so it shouldn't be
> cached anywhere.

I disagree about the security of pictures. What's the probability that
the image is not a copy taken from a web-site, an image shot by camera
and uploaded to Imageshack, etc.?

Like users tend to use their pets' names or their birthdays as
passwords, they will google up a cool image and use that one. But what
concerns me more about this concept: Even more likely, they will
present them to friends: "Hey look, this is my password!", just to
impress them.

The story goes further. Users go, "What? You can use images as
passwords? Cool!", so they'll do the same, which builds up a large
network of cool users using cool pictures for authentication. Cool,
ain't it?

Take another approach. Build a CA (which is as simple as generating a
self-signed certificate). The users need to generate certificates,
which are transferred to the server and signed by it. Only users with a
signed certificate will be let in. This also eliminates the need to
authenticate explicitly, since you can save the certificate in the
browser, so it presents it to the server automatically.

Another interesting feature of this concept is that users can prove they
are users of your service to others by presenting their certificate, if
this is of any use.


> This would have the benefit that the password image is easily
> recognisable to the user so easy for the user to remember whilst being
> difficult for a non-user to spot, it's also not obviously a password.
> It's almost impossible to hack from outside the users computer without
> a copy of the image - the data length is too big and too random for
> brute force attacks. The image can also be copied on to a memory card
> and used from other computers if needs be under the control of the
> user (like a house key essentially).

All this can be done with a certificate as well, with the additional
benefit that users don't even have the desire to share it.


> The danger is that the computer or the memory card get stolen, or the
> images get copied, but even stolen it would blend in to other images
> on the system (personally I've got around 15,000 jpegs on this
> computer, but I could be unusual), or could be additionally secured or
> encrypted locally.

No problem with certificates. The corresponding private key is
encrypted using a passphrase by default, and you can use the same
certificate to identify to different services without a security risk.
Just add additional signatures to it.


> Does any such system already exist? Does the server actually need to
> make modifications to the uploaded image or would a plain image do on
> its own? Are there any comments or am I just barking up the wrong
> tree?

Probably barking up the wrong tree. Never use personal things as
authentication secrets, because they aren't secret. On requesting an
image, a lot of users will upload an image of themselves. Why? Because
it's an `identification' image. Or just because the image represents
themselves. Like authentication in real world is done by looking at the
person. Remember: Users are dumb.


Regards,
E.S.