Network World - Microsoft Research is investigating if the inkblot is a better idea than the sticky note when it comes to remembering passwords that aren’t easy for others to crack.
Researchers Jeremy Elson and Jon Howell, who work in the distributed systems and security group at Microsoft Research, have revived a project that uses inkblots, similar to the way Rorschach Inkblot tests are used, as visual cues to help users create and remember passwords.
On Monday, Microsoft Research opened a public Web-based project called InkblotPassword.com.
The Web site lets users create a password using a series of random inkblots and a formula to select letters. The user associates a word with the inkblot that corresponds to what they see in the image, such as a bird or a shield. InkblotPassword.com currently has 1,000 inkblots in its database.
For each inkblot the user enters the first and last letter of their word: bd for bird and sd for shield. A set of 10 images creates a 20-character password that Microsoft Research has shown is easily memorized but hard to crack. In fact, after a period of time many users remember the password without having to consult the inkblots, according to the research first conducted in 2004.
Typically such random and hard-to-guess passwords have been written down by users, on such things as sticky notes, and left by their terminals. Or users create weak passwords and use them over and over again at different Web sites.
Microsoft aims to change that by marrying strong passwords with Web-based single sign-on technology.
Microsoft’s project combines the inkblot research with the OpenID protocol, which is used to create single sign-on for Internet users. Version 2.0 of the OpenID protocol was released on Tuesday. In February, Microsoft announced support of OpenID.
With an OpenID, users can sign in once to an OpenID provider and then use that authentication to access any Web site that supports OpenID. Passwords that control the single sign-on can now be created with inkblots.
In addition, Microsoft is operating InkblotPassword.com as an OpenID provider so users also can use it as their single sign-on hub.
“If we wanted to get people to try out a new authentication scheme the best way to immediately apply it to a large number of Web sites, in sort of this research context, would be to make it an OpenID server,” said Elson.
Elson and his colleagues, however, are warning users that InkblotPassword.com is an active research project and not a secure Web service.
“For now, consider it an unreliable, insecure service run by a couple research coneheads in their spare time, and trust it accordingly,” says a data sheet on the InkblotPassword.com Web site.
Researchers will be evaluating data and will have access to passwords and lists of OpenID sites accessed via the password. The researchers, however, vow to preserve the privacy of users the best they can.
If the research bears fruit, Microsoft says it may consider offering it as a commercial product or service.