Map Based Passwords

smitty777 writes "Discovery is running an article on passwords based on a very specific location on a map. Instead of showing UID and Password fields, the user would simply click on a very specific spot on Google Earth, for example. I wonder how you would make that secure? Also, if you forgot, would you get a message saying 'Your password is the third flamingo on the left on the lawn of Aunt Bessie's house'?"

slacker geo-hack

[alphatel]

Fastest password crack ever: Click "1600 Pennsylvania Avenue"

Re:slacker geo-hack

[Intron]

MEMO FROM IT DEPT.

It has come to our attention that some users are selecting weak passwords. Henceforth, we have implemented measures to prevent selecting passwords based on well-known locations, major cities and major landmarks. When selecting a password we will not allow you to use a place that you, a relative or a friend have ever lived or visited. Please fill out the attached questionairre listing everywhere you have been since you were born.

Thank you.
IT - Department - help you can count on

Re:

[Jazz-Masta]

MEMO FROM IT DEPT.

It has come to our attention that some users are selecting weak passwords. Henceforth, we have implemented measures to prevent selecting passwords based on well-known locations, major cities and major landmarks. When selecting a password we will not allow you to use a place that you, a relative or a friend have ever lived or visited. Please fill out the attached questionairre listing everywhere you have been since you were born.

Thank you.
IT - Department - help you can count on

How did you get my Memo?

Re:

[FoolishOwl]

How did you get my Memo?

It was in the recycling bin in your cubicle.

Re:

[Lumpy]

I prefer the one we put on all the windows machines here at work.

"your password must not contain any characters that can be typed on the keyboard."

The CTO did not think that it was funny...

Re:slacker geo-hack

[badboy_tw2002]

Dang, my password was someone's backyard where they had spelled out "GOD" "SEX" and "LOVE" with their hedges. If I ask them to grow a "1" after it will we be all good?

Re:

[jank1887]

you need a special character, too. And that better not be all uppercase.

Re:

[oodaloop]

In order to make passwords more secure, we will no longer be using overhead views.

Brilliant...

[Anonymous Coward]

... and when the internet link is down or God forbid, Google Earth is down, users login how?

Re:

[T Murphy]

But if Google Earth is down, google.com itself is probably down, in which case the user couldn't navigate to the website in the first place. I don't see the problem.

Re:

[Lumpy]

Enter the Lattitude and longitude in by hand DUH.

Re:

[tehcyder]

If your internet link was down how would you be logging on to a remote site anyway?

It works!

[grub]

I forgot my gmail password

and here was my hint [google.ca].

(how I forgot "goatse" as a password is beyond me.)

Re:

[JWSmythe]

That's a lot safer than this one [google.ca]

Re:

[MartinSchou]

Completely off topic, but does anyone else look at that picture and see a hill rather than a crater? I know it's a crater, but to my brain it looks like a hill due to the shadows and lack of perspective (i.e. can't see it going into the ground).

Re:

[JWSmythe]

It's the same illusion that people see when looking at photos of mars. It's very easy to get disoriented looking at satellite/aerial photography, without a lot of practice.

here [google.com] is a fun place to look at craters. Remember, in the Northern hemisphere, North of the Tropic of Cancer, the shadowed side will be to the south, and the illuminated side will be to the north. That's how you can tell that this is a pyramid [google.com] and this is a crater [google.com]

And of course, this is a tall building, at [google.com]

Forget mouse trackers...

[bieber]

...this one is easy enough to crack just by shoulder-looking. And of course there's the issue of needing to load a ton of map data just for a simple password entry, and if the map provider is out you're screwed. Plus the hassle of zooming down from a world-map to some specific point every time you want to get into a site. Need I go on?

Re:Forget mouse trackers...

[T Murphy]

this one is easy enough to crack just by shoulder-looking

So don't display the map plainly- replace it with asterisks. Problem solved.

Re:Forget mouse trackers...

[Zerth]

So my password would be ore, ore, ore, ore, ore, ore, ore, ore

I'd rather have tower-cap, quarry bush, pigtail, dwarf, elephant, corpse, corpse, corpse

Re:

[MozeeToby]

Hey, it could also be cobaltite stones (man did that ever piss me off the first time I hit it, could not figure out why I couldn't smelt it down for the life of me).

Re:

[IICV]

I've got the same combination on my luggage!

Re:

[PRMan]

Can you? That's pretty comprehensive already.

Re:

[Crudely_Indecent]

If implementing a map-based-password, I would require users to choose more than one location. I might place an upper limit on the number of locations as well.

Someone could then set their password to equal: 1. where they were born, 2. where they work, 3. where they went on vacation last year.

Of course, there wouldn't be any prescribed formula for choosing the locations, so a user could choose any number of locations for any reason. They might even choose "..that place where they put that thing that time [youtube.com]."

Re:

[DavidTC]

Indeed, the password reminder clue would be pretty interesting. 'It's the place where you got that flat tire that time' or 'Won't ever eat there again' or 'The weird sign'.

Incidentally, I love that clip, as it has the single realistic 'hack' in the entire movie. If you're on a phone where you can't dial at all, hang up the phone, take it back off the hook, click the switchhook ten times, which dials '0' in rotary, and you get an operator, who can dial for you.

Re:

[JWSmythe]

    It would be a little slicker to dial the number like that. It can be done. But I'm sure half the people here don't remember pulse dialing. For quite a few years, I had to change the strings for my modem from ATDT to ATDP so I could dial. :)

Re:

[demonlapin]

Well, it probably did save you $2.50 a month.

Re:

[JWSmythe]

Oh, I wish it was so easy. No, I grew up in a rather rural area. This isn't really all that long ago, it was the late 1970's through mid 1980's. But they hadn't upgraded their infrastructure. They finally upgraded their equipment in the late 80's, so I could start doing tone dialing.

Hmm, come to think of it, they split the area into two exchanges in the real late 80's. So they couldn't have had more than 10,000 subscribers, both residential and businesses across several sm

Re:

[demonlapin]

My grandparents lived in a town that still offered four-digit dialing until the mid-late 80s. Yep, no prefix needed. Just dial the last four. Can't remember if they had pulse or tone dialing, though.

Still, BellSouth was hammering me for something like $2.50/mo for tone dialing up until I ditched them ca. 2004.

Re:

[DavidTC]

It can be done, but why? It's much easier to just ask the operator to dial for you.

The fun thing about asking the operator is that even the smartest 'pen register' tap can't figure it out. Even if they can do pulse dialing, they'll just see you dialing 0.

It sounds silly, but in actuality jail phones often have such a device on them.

Re:

[JWSmythe]

To the best of my knowledge, all jails record phone calls. I'm sure they intercept the dialed number as well as the calls. Getting the number the technical way, especially when it's tapped out by hand, is harder than just listening to the operator saying "Operator, please connect me to 212 555 1212".

They have a bit less interest in the phone number than the actual conversation.

Most inmates are in prison for a reason. They got caught, usually because they made stupid mistak

Re:

[geekoid]

It actual hard to gte an exact pin point by should surfing with this then any ATM machine or keyboard.

Re:

[dtml-try MyNick]

That was my first thought too.

There are so many problems with this sollution and shoulderlooking is a huge one.

It's nice that humans are good at remembering graphic data like images on a map but the same goes for the guy standing behind you.
If someone knows you personally in most cases he or she wouldn't even have to see the exact location where you click.
"ah... that looks like her old neighborhood, let's see if she picked her old house as passlocation"..

Also, it seems way to slow to be functional.
The way i

Re:

[shird]

Yes, valid points. However I like this idea for the purposes of password recovery.

Use a high strength regular password, and have your browser save it. However, when you lose it, or need to login from somewhere else, the ability to recover/reset a lost/difficult to remember password is useful when the password hint is something a bit stronger than 'What's your favourite colour?'.

Find a point on a map?

[bigredradio]

Here is the US that would be very effective.

REQUEST: Locate Belgium on a map

RESPONSE: uh.....uh......connection timed out!

Re:

[Nadaka]

We don't use that kind of language around here mister!

Re:

[vegiVamp]

Reference++

Re:

[PRMan]

Hey, you're on to something there. If you want to keep Americans out of your site, just use this.

Re:

[bill_mcgonigle]

The best ridicule posts are proofread.

Re:

[Cro Magnon]

Belgium? Heck, by the time the average American searched all of South & Central America for New Mexico, the connection would be long dead.

Re:

[JWSmythe]

No. Use Google Maps, it will show you the way. [google.com]

The third flamingo on the left on the lawn of Aunt

[sakdoctor]

That's amazing! I've got the same flamingo on my luggage.

Fractal images a better bet?

[Banichi]

Could you use the scalability of fractal images as a map in this manner?
By my understanding, this would give you random numbers depending on your "depth" and x/y coordinates.

Re:

[quickOnTheUptake]

It seems like that would make it easy to get lost, fractals have an odd way of looking similar at various magnifications.

Intercourse, Pennsylvania

[xednieht]

Is about to become a lot more popular.

Re:

[belthize]

Sometimes when driving on I-40 I find myself thinking "Fuck, Texas".

Re:

[Jawnn]

Sometimes when driving on I-40 I find myself thinking "Fuck, Texas".

I'm wondering if the comma belongs there, indicating exasperation when confronted with Texas, or not, indicating what ought to be done with Texas. Either way, I know exactly what you mean.

Re:

[guyminuslife]

Too bad the panhandle is actually a misclassified region of Oklahoma.

Re:

[iPhr0stByt3]

So is "Fucker, Austria" :

http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=Fucking,+Tarsdorf,+Austria&sll=47.50978,12.150879&sspn=5.632476,14.227295&gl=us&ie=UTF8&hq=&hnear=Fucking+Tarsdorf,+Braunau+am+Inn,+Upper+Austria,+Austria&ll=48.070279,12.886448&spn=0.087063,0.222301&z=13&iwloc=A [google.com]

errr, fucking

[iPhr0stByt3]

I mean, "Fucking, Austria"

Re:

[oodaloop]

Blue Ball is on the way to Intercourse, right before Paradise. Bird in Hand isn't far away either.

I'm serious.

Re:

[russotto]

Intercourse, Paradise, and Bird In Hand are pretty close to each other, but Blue Ball is several miles further away. And in any case, Intercourse is on the way from Blue Ball to Paradise.

Re:

[oodaloop]

I guess it would depend on which direction you were going, wouldn't it? I live in Strasburg. You from the area?

Re:

[russotto]

I used to live between Philadelphia and Reading, so not that close. But unless there's another Blue Ball (which is not impossible; I think PA has 6 Springfields), I don't see any way Blue Ball could before Paradise on the way to Intercourse. Blue Ball is on the other side of Intercourse, towards Reading.

Just use a picture

[PktLoss]

Rather than using a map, just have the user upload a picture.

You're killing two birds with one stone. First, the user is being shown something to confirm that this is indeed the site they think it is (think: sitekey or the like). Second, they can pick some incredibly detailed point without all the hassle of licensing someone else's data.

All that, and this is still a pretty stupid idea. You have all the same problems with password: users don't want a long one, users want to pick the same one for multiple sit

Re:

[hoggoth]

This!

Every user gets his own picture, and coordinate within that picture.
So my password could be Aunt Bertha's left eye and yours could be Megan Fox's umm... freaky thumb.

Enter username. Gets instant feedback that you aren't on a trojan site. Only the real site should know and have a copy of YOUR picture. Then select your secret point on the picture. Don't send the coordinates, but an encrypted or one-way hashed version of the coordinates so an eavesdropper doesn't get any useful information.
Easier to remem

Re:

[fmobus]

This would be vulnerable to MITM.

Passwordless?

[EkriirkE]

I imagine the back-end simply being the coordinates with a margin of error.
Still a password: "You could have a 10-digit latitude, and a 10-digit longitude, then you'd have a 20-digit password." - TFA

In Geographic Password ...

[rlp]

In Geographic Password you pick Soviet Russia.

Actually

[TheCarp]

If you could choose your own map areas, this could work well.

I could easily choose map spots that could be described in a way that only I or a very select group of people would know. Things like if I showed you a map of the neighborhood where I grew up, and said "the tits", how would you know where it is? Would you guess in the park? Where in the park?

Trust me, no google earth view is going to show you the landmark in question, and it would only be visible as such from one spot.... but I know exactly where

Network fail or storage fail

[goodmanj]

Nope, won't work. You have two options: either store the maps locally, or download them from an online source like Google Earth.

If you get them online, then anyone watching your network traffic can see which map tiles you're requesting, and use that to figure out the approximate location you're clicking on. This limits the possible passkeys to some point on the last map you loaded -- which given image/mouse resolution, means there are only about 100,000 possible passkeys. Not enough.

If you store them loc

Re:

[goodmanj]

Let me put it another way: if the number of possible passwords is X^Y, where X is the number of symbols and Y is the length of the password, using a password system in which Y = 1 is stupid, for any feasible choice of X.

Now, a map password in which the user clicks on *several* locations on a low-res map, in order? *that's* got some entropy behind it. But at that point, you might as well just make your "map" image a photo of a keyboard and reinvent the wheel.

Better for password recovery?

[w0mprat]

Just as people set their own names, birthdates and 'password', they will assuredly put their own home as their password.

This makes more sense as a optional authentication factor for password recovery than for the sole means of authentication.

not dumb

[Tom]

It's not half as dumb as the summary makes it sound.

For security, what matters is the keyspace and the likelyhood of guessing correctly. The keyspace easily competes with alphanumeric passwords. It is dramatically reduced by the assumption that people will pick places with meaning to them, which means places they've been to. Nevertheless, it should measure up to passwords in security.

Different from passwords, though, the human mind is pretty well equipped to recall specific places. Arbitrary alphanumeric combinations, on the other hand, are amongst the most difficult things to remember and recall.

Re:

[Hacksaw]

People are dumb. Millions of people would select something like the entrance for Fort Knox, or Norad, or a local bank. You have a training problem just as large as the one you have now.

Re:

[Tom]

People are dumb.

True, but individuals are smart.

Yes, you would have to exclude famous landmarks. But the training is a lot simpler. Compare:

With this scheme:
"Pick a place that has meaning to you, personally, and that you can easily remember. Don't pick famous landmarks or other places that lots and lots of people would think about, but rather something personal."

With passwords:
"Pick a difficult-to-guess combination of letters, numbers and special characters. Don't write it down anywhere, you have to remember it. But it can

Re:

[Tom]

Here's a vital difference: These things are different for each person.

Sure, if you are attacking a specific individual, finding out his address, finding his house on Google maps and finding the front door is easy.

But what you can't do is sweep through an entire University with a list of common passwords and look where you get lucky. You need to actually do some research on the particular person, and that drives costs up considerably. Mass-hacking would be over.

Re:

[DavidTC]

It is dramatically reduced by the assumption that people will pick places with meaning to them, which means places they've been to.

Well, yes, but places people have been to are a lot harder to figure out than, for example, words that are familiar to them.

Sure, they might choose the pizza place they went on their first date with, but that's a lot more difficult for a cracker to figure out then the name of their dog.

A lot of meaningful places to people are never recorded anywhere, even if talked about.

Re:

[guyminuslife]

I've gotta tell you, there's a lot of "empty" space out there.

Take the world.
Subtract the oceans.
Subtract the areas without any human settlements.
Subtract the areas without any features to distinguish them from surrounding areas. (Big, endless plains, random points in large forests, maybe even suburban rooftops)

You've gotten rid of most of the world.

Now, find the user's IP address.
Search for interesting features locally. There aren't that many of them. Sure, you *could* try writing an advanced image-process

Re:

[Tom]

I'm an American, I might choose Westminster Abbey as my password, but I'm not going to select a random flat in London.

Really? How about if you were told - like with passwords today - not to pick famous places. You might pick a random flat in London. One that isn't random for you. Maybe the one where you laid that gorgeous black girl on your first business trip there?

And besides, even if you do pick famous places, you may have to be a bit more specific than that. You might pick Westminster Abbey, but not the whole building, but, for example the roof of the tower [google.de]. That's a lot more difficult to guess.

This rivals one of the worst-ever schemes security schemes I've seen. A credit union I used to use would let you select a "secret question" from a drop-down list.

And there's the massive

I can barely tell where I am right now

[Drakkenmensch]

My 3rd grade teacher said geography would be useful one day.

My new password . . .

[cashman73]

This is excellent news! I will finally be able to set my password up as "CowboyNeal's Mother's Basement!" ;-)

Garmin

[olsmeister]

I have a Garmin Nuvi GPS that does something similar for theft deterrence. If you enable locking on the unit, you must either input a 4 digit PIN code, or the unit must be in a pre-programmed 'Home' location when it is powered on for it to function.

Much smaller search space

[Caerdwyn]

The issue with this is that most people will either choose locations that are well-known landmarks, or which they are associated with. This vastly reduces the potential search space for a password based upon a physical location. But even if you choose a location at random... Let's pull a number out of the air: let's suppose there are 100 million buildings in the United States that represent potential candidate "geokeys". That's what, a 27-bit key? How long would it take to exhaustively brute-force a 27-bit

Real men don't use maps.

[PatPending]

Real men don't use maps.

'Nuf said.

My Password is 12345

[PatPending]

My password is 12345 [google.com]

Note to self: Now I have to change my password.

Re:

[AndrewNeo]

Hah, there's an Amazon distribution center right there.

14 Digit Password

[DaleSwanson]

Looking at Google Maps the area covered by the windshield of my car is about five places after the decimal point of precision in both lat and long. That is about one square meter and as precise as you could realistically expect users to be. That would mean each location would give you 2+5 digits for the lat and the long, a total of 14 digits for a password. That's 10^14 possibilities. For comparison a password made up of random characters (lower, upper, digits, special) for a total of 95 total possible choices would need to be seven characters long to have about the same entropy (67 trillion vs 100 trillion).

Seven character random passwords are ok, but certainly not uncrackable. You could argue that letting the user choice several spots would greatly increase the entropy, but realistically the user is going to pick spots close together. Not to mention you could probably cut down on the possible locations with something similar to a dictionary attack, i.e., eliminating the vast expanses of nothingness that are unlikely to be chosen (like oceans, and deserts). Lastly, it relies too heavily on the mapping service. What happens when they update their images and your landmark disappears or moves slightly?

Re:

[Eivind]

It's worse than that. A LOT worse than that.

First, the 2 first digits are hardly random, instead they can be guesstimated very well from the users aproximate location, for example if the user is American, the latitude is somewhere in the 30-50 range, which is a much smaller searchspace than -90 to 90.

Secondly, aproximately 99% of anywhere is NOTHING. Nobody is going to choose as their password points which have no map-features nearby. Third, one meter resolution, is unrealistic. You might select a building,

Is the map. . .Scrambled?

[shadowfaxcrx]

How do you keep that secure in a public environment? If i type my password in a computer lab or at work, all anyone sees is a line of asterisks. If I have to hunt down a location on Google Earth, anyone and his dog can see where I clicked.

From the title

[sxmjmae]

When I read the title I thought it would use your location in the part to valid you. IE: your IP indicates you are attempting to log-in from Europe and yet 1 hour ago you where logged in at your home in California. I have seen a website already do something similar to to... when I was using a proxy server and hit my account it knew my access was not from my regular IP address and prompted me for a some more security questions for validations - the secret question I wrote for the extra level of security

Wait, what?

[mea37]

10 digit lat and long? Well, if I did my math right that's about 0.8 inch north/south resolution. The east/west resolution depends on how far from the equator your location is; about 0.8" if you're at the equator, less otherwise.

I doubt you have a world map wtih 1" resolution. I doubt you can click on the single pixel you intend on any map.

It seems to me you can come at this from the other direction; the surface area of the Earth is on the order of 10^14 meters. Eliminate areas where a specific location

Missing the point?

[mgiuca]

Wow, leaving aside the stupidity and inconvenience of using maps as passwords (sure, there's enough entropy, but shoulder-looking kills it, and it would take much longer to enter a password than with a text-based one), the entire article seems to centre around the concept that this will solve the "multiple passwords" problem.

"Online passwords are tedious, and it seems like too many websites require one" ... "I hate creating a new password for every website where I keep even a scrap of personal information".

Re:

[mgiuca]

Best way to check if you've made an improvement over an existing system:
"Cheswick hasn't performed any usability tests to see how the average Internet user might respond, but anything's better than the current system."

Does that violate a security principle?

[MrCrassic]

How would one mask the picture such that a user can click on the map without anyone else obviously seeing? The good thing about passwords is that the word can be masked as you type it, with the idea being that only the user entering the password "knows" what's going in that box. An adversary can get it by keystrokes, sure, but that's much less obvious (hence, much more non-trivial) than seeing a user click a flamingo a few times to access a restricted zone. To make matters worse,

I suppose it would be a g

Re:

[colinnwn]

I'm not saying this is a great idea for an authentication system, but why wouldn't you include with this logarithmic rate limiting or account disabling with incorrect guesses? Additional security measures with this shouldn't be different than any other well designed password or token based system.

Re:

[zero.kalvin]

Several points on the map as a username. and several others as a password. How in the hell a script will deal with that ? If you have several million pixels, that would translate as your alphabet with few million letters. Brute forcing will be the idiotic thing to do.

Not stupid; but maybe for a different problem?

[KlaymenDK]

Maybe it's not so stupid; remember that the pixel you have to hit isn't necessarily in the same spot every day, if you have to scroll&zoom the globe to find your spot.

Or, it would make a very good solution to a slighly different problem: It seems a little bit tricky to machine-translate the password hint "the third flamingo on the left on the lawn of Aunt Bessie's house" to a particular coordinate. Unless the hint is something entirely obvious ("Aunt Bessie's house" is more cryptic than "Lincoln Memoria

Re:

[hedwards]

That's more how I imagine it. Choose two points, then the route between the two is the actual passphrase.

Re:

[CastrTroy]

So if they construct a new road, or change their routing algorithm, I've now lost my password forever?

Re:

[bill_mcgonigle]

So if they construct a new road, or change their routing algorithm, I've now lost my password forever?

Don't worry, the guy down the hall sniffed all your Google Maps HTTP request traffic.

Re:

[DavidTC]

You laugh, but some GPSes are using that specific idea, although it's in combination with a PIN.

You simply set a 'password recovery' location in the GPS. You forget your PIN, you drive there, do the password reset, and it lets you in.

Some people use their house, but I always thought that was silly...if someone steals your GPS, they could easily find your house (After all, it's in the damn GPS.) and drive there and park close enough. They're unlikely to figure it out if it's the parking lot of the local Ar

Re:

[jeremymiles]

But they can't find your house in the GPS, because they don't know the PIN, so they can't get in to see what's inthe GPS. (Although they might know where you live because they found your car there.)

Re:That's great for me

[RapmasterT]

something tells me you don't need to worry about women.

pull over

[Comboman]

They pull over and ask a gas station attendant what their password is.

Re:

[Surt]

While men never pull over, and instead just keep trying to brute force their own passwords?

Re:

[NFN_NLN]

So what happens when they update the imagery or the map (streets do change, you know)? Also, this is clearly not usable for many people with disabilities (requires good eyesight, good coordination, a steady hand, good memory, etc.).

I hadn't thought of that but it's a good point. This could be a great system for eliminating AOL users from the rest of the internet.

Re:

[Red Flayer]

the number of possible coordinates that can happen on a world map are much much lower than the possibility of combinations of alphanumberic passwords with special characters.

The number of possible coordinates on a world map is infinite. What bounds the number of coordinate passwords is resolution of the images used to identify the coordinates.

Besides, you could easily increase the difficulty of cracking the password by requiring multiple locations.

Re:

[unity100]

no, you will need a certain, defined resolution in the software you use. so, when one of the software becomes common, it will be bound by its map's resolution.

Re:

[Red Flayer]

Right, which I addressed in my post.

But even then, so what? We have the resolution to get 10 decimal places of lang and lat. Do the math -- here, I'll do it for you.

(360*10^10)^2. That's about 1.3*10^25. Even if you reduce it by 75% to remove ocean surface, it's still in the 10^24 magnitude, which is approximately the security offered by a 255 character set 10-character-long password. Brutally long for a brute-force attack. A dictionary attack is different; but increasing the resolution of the "pa

Re:

[Red Flayer]

Good point.

There'd have to be a local tool to make it easier to select the passlocation. May not be feasible without compromising security.