Re: Image files as passwords

Rick Merrill <rick0.merrill@NOSPAM.gmail.com> writes:
>Saul wrote:
>> I'm looking to build some new security features for a website which
>> will need stronger levels of password access, but I'm conscious from
>> experience that users aren't very good with passwords and keep losing
>> them or forgetting them so I don't want just bigger and better
>> passwords. What I was wondering was whether image files would be
>> better:
>...
>Have the site send the user an image; the user uses key encryption to
>encode the image data and return it to the web site which authenticates
>the result. This process would be similar to PGP.

The user does this key encryption how? Where does this key come from? The OP
was concerned that his users would forget their keys, and came up with his
technique so that they could store their keys, unencrypted, on their disk.
He relied on the fact that that disk would have lots of images on it, so an
attacker would not know which image to choose.

>The advantage is that an attacker sniffing at the results would find
>it much more difficult to 'find' the authentication key inside the
>junk of the randomly selected image, while the authenticator already
>knows what the image was and what the bits should look like when
>receiving it after the image is encrypted with the key.

The attacker is assumed to know what that obfuscation technique is.
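
The exchange discussed in this thread, written out as a challenge-response sketch; this is an added example, not code from either poster. It swaps the "PGP-like" key encryption for an HMAC-SHA256 over the challenge with a shared key, and all function names are hypothetical. `effective_key_bits` assumes the attacker knows the scheme and can enumerate the same files the key was picked from.

```python
import hashlib
import hmac
import math
import secrets


def new_challenge(nbytes=32):
    """Server: fresh random bytes, standing in for the image that is sent."""
    return secrets.token_bytes(nbytes)


def respond(key, challenge):
    """Client: keyed MAC over the challenge; the key never crosses the wire."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def verify(key, challenge, response):
    """Server: recompute the expected response, compare in constant time."""
    return hmac.compare_digest(respond(key, challenge), response)


def effective_key_bits(candidate_files):
    """Strength of 'my key is one of the files on my disk' once the
    technique is known: the secret is only the choice of file."""
    return math.log2(candidate_files)


def demo():
    key = secrets.token_bytes(32)           # constructed sample key
    c1 = new_challenge()
    r1 = respond(key, c1)
    accepted = verify(key, c1, r1)          # honest exchange
    c2 = new_challenge()
    replay_accepted = verify(key, c2, r1)   # sniffed response, new challenge
    wrong_key_accepted = verify(secrets.token_bytes(32), c1, r1)
    return accepted, replay_accepted, wrong_key_accepted


if __name__ == "__main__":
    print(demo())
    print(round(effective_key_bits(10_000), 1), "bits for 10,000 files")
```

The replay fails because each challenge is fresh, not because the challenge looks like image junk; the only secret is the key, and a key chosen from 10,000 known files carries about 13 bits.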