Forget sticky notes, Microsoft using inkblots as password reminders

Research project aims to marry inkblots that are used to create and remember strong passwords with single sign-on technology for the Web

Researchers at Microsoft are using inkblots, similar to the way Rorschach Inkblot tests are used, as visual queues to help users create and remember passwords. Microsoft’s project combines the inkblot research with the OpenID protocol, which is used to create single sign-on for Internet users.

Microsoft Research is investigating if the inkblot is a better idea than the sticky note when it comes to remembering passwords that aren’t easy for others to crack.

Researchers Jeremy Elson and Jon Howell, who work in the distributed systems and security group at Microsoft Research, have revived a project that uses inkblots, similar to the way Rorschach Inkblot tests are used, as visual cues to help users create and remember passwords.

On Monday, Microsoft Research opened a public Web-based project called InkblotPassword.com. 

The Web site lets users create a password using a series of random inkblots and a formula to select letters. The user associates a word with the inkblot that corresponds to what they see in the image, such as a bird or a shield. InkblotPassword.com currently has 1,000 inkblots in its database.

For each inkblot the user enters the first and last letter of their word: bd for bird and sd for shield. A set of 10 images creates a 20-character password that Microsoft Research has shown is easily memorized but hard to crack. In fact, after a period of time many users remember the password without having to consult the inkblots, according to the research first conducted in 2004.

Typically such random and hard-to-guess passwords have been written down by users, on such things as sticky notes, and left by their terminals. Or users create weak passwords and use them over and over again at different Web sites.

Microsoft aims to change that by marrying the strong passwords and Web-based single sign-on technology.

Microsoft’s project combines the inkblot research with the OpenID protocol, which is used to create single sign-on for Internet users. Version 2.0 of the OpenID protocol was released on Tuesday. In February, Microsoft announced support of OpenID.

With an OpenID, users can sign in once to an OpenID provider and then use that authentication to access any Web site that supports OpenID. Passwords that control the single sign-on can now be created with inkblots.

In addition, Microsoft is operating InkblotPassword.com as an OpenID provider so users also can use it as their single sign-on hub.

If we wanted to get people to try out a new authentication scheme the best way to immediately apply it to a large number of Web sites, in sort of this research context, would be to make it an OpenID server,” said Elson.

Elson and his colleagues, however, are warning users that InkblotPassword.com is an active research project and not a secure Web service.

“For now, consider it an unreliable, insecure service run by a couple research coneheads in their spare time, and trust it accordingly,” says a data sheet on the InkblotPassword.com Web site.

Researchers will be evaluating data and will have access to passwords and lists of OpenID sites accessed via the password. The researchers, however, vow to preserve the privacy of users the best they can.

If the research bears fruit, Microsoft says it may consider offering it as a commercial product or service.

“Part of the reason to make this publicly available is to do in some sense a broader user study using the Internet population,” said Elson. “What we are hoping is if the InkblotPassword site gets popular we will be able to publish a follow-on paper [to the 2004 research] that has additional data for a much larger population.”

On the InkblotPassword.com site, Microsoft says a century of psychological literature indicates that inkblot associations are “intimately personal.” The company confirmed those findings with its own research done by Dan Simon of Microsoft Research and Adam Stubblefield, who was an intern in 2004 and is now an assistant research professor at Johns Hopkins University.

The two researchers found that different users almost always describe the same inkblot in different ways. That type of personalization, they concluded, leads to passwords with “high entropy,” which means they are hard to guess.

The researchers reported that people find their associations to be very memorable because the mental images they associate with the inkblots are hard to forget. They said users eventually develop “muscle memory” and can log in without referring to the inkblot images.

Learn more about this topic

Passwords and the limitations of people

02/08/07

 
Join the discussion
Be the first to comment on this article. Our Commenting Policies