Making passwords more secure – especially for mobile devices

In the experiment, the researchers also presented the participants with fields using alternative node arrangements, in addition to the original three-by-three field (fig. 2). It emerged that the test participants who were given the original field to work with often chose an “L” or a “Z” in one variation or another. “In most cases, the patterns were not randomly chosen at all,” concludes Dürmuth. This makes it much too easy for thieves to guess the password. The most secure passwords were created when the digits were arranged in a circle on the screen. Test participants who were given a circular arrangement were the least tempted to choose commonly used patterns.

Passwords are also at the heart of Markus Dürmuth’s second project. Here, the researcher is aiming to optimize the security of so-called fallback authentication, i.e. the procedure for resetting a forgotten password. Two methods are widespread: “reset by email” means the user receives a new password by email. However, this approach entails a risk, as the new password is sent unencrypted over the network. Moreover, it may arrive in an account that was in use at the time of registration but has since become defunct, and which the user may not even remember.

The second method uses security questions. For this purpose, the computer asks the user a question such as “What was your mother’s maiden name?” The user established the correct answer when setting up the account. The drawback here: “With a bit of luck and research, the attacker will be able to answer some of the security questions correctly,” says Markus Dürmuth.

A case in which a hacker exploited this vulnerability is that of US journalist Matt Honan, which was widely reported in the media in 2012. In a first step, attackers hacked his email account and then used the fallback authentication mechanism to set up new passwords for other accounts. As a result, they successively took over all of his accounts, stealing Honan’s entire digital identity.

Together with colleagues from the University of California, Berkeley, and the Institut national de recherche en informatique et en automatique (INRIA), Grenoble, Markus Dürmuth has developed an alternative to the methods described above. It makes use of so-called Mooney images: black-and-white images that have been edited with a special filter. At first glance, it is impossible to tell what a Mooney image shows. Only after viewing the original picture is a user able to recognize the motif in the Mooney image, an effect that lasts a long time. This is referred to as priming for a picture.

The images originated in the field of brain research. In the 1950s, they were used by the psychologist Craig Mooney to examine the so-called aha! effect with the aid of MRI.

This is how Dürmuth uses the mechanism in fallback authentication: rather than coming up with a security question and answer to prepare for the worst-case scenario, the user is presented with ten Mooney images and the respective original pictures during the priming phase. Should he forget his password one day, he will be shown 20 Mooney images and will have to state which ones he recognizes.

“The true account holder will recognize the ten Mooney images for which he had been primed,” explains Dürmuth. “But he won’t be able to identify the other ten. Subsequently, he will be assigned a new password.” A hacker would betray himself either by not recognizing any Mooney images at all, or by recognizing those that the true user is not familiar with.

There is one catch, however: if the method is used on a number of websites, a user may be primed on one site for a Mooney image for which he is not primed on another site; consequently, he would recognize the image there as well and be flagged as a hacker. “This is why we continue to pursue this project. I still think that this approach constitutes a genuine and good alternative to the current method,” says Dürmuth.
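The enrolment and recovery logic of the scheme sketched above, together with the cross-site failure mode, as an added example in Python that is not the researchers' code. The image identifiers are constructed, and the decision rule (accept only when the claimant recognizes the primed images and no decoys at all) is my assumption: the article gives ten primed and twenty challenge images but states no threshold. The last scenario shows how priming by another site turns a genuine account holder into a false rejection.

```python
import random
from dataclasses import dataclass

# Constructed pool of Mooney-image identifiers owned by one service (assumption:
# a real deployment would store the images themselves plus their originals).
IMAGE_POOL = [f"mooney-{i:03d}" for i in range(100)]

N_PRIMED = 10   # images shown together with their originals at enrolment
N_DECOYS = 10   # never-shown images mixed into the recovery challenge


def enroll(pool, n_primed=N_PRIMED, rng=None):
    """Priming phase: choose the images the account holder is shown alongside
    their originals. Only the chosen identifiers are recorded here."""
    rng = rng or random.Random()
    return frozenset(rng.sample(pool, n_primed))


def build_challenge(primed, pool, n_decoys=N_DECOYS, rng=None):
    """Recovery phase: the primed images plus decoys the holder never saw,
    shuffled so that position reveals nothing."""
    rng = rng or random.Random()
    decoys = rng.sample([img for img in pool if img not in primed], n_decoys)
    challenge = list(primed) + decoys
    rng.shuffle(challenge)
    return challenge


@dataclass(frozen=True)
class Verdict:
    primed_hits: int   # primed images the claimant recognised
    decoy_hits: int    # unprimed images the claimant claimed to recognise
    accepted: bool
    reason: str


def evaluate(primed, challenge, recognized, min_primed_hits=N_PRIMED):
    """Decision rule (assumption, not from the paper): accept only if the
    claimant recognises enough primed images and not a single decoy."""
    in_challenge = set(challenge)
    recognized = set(recognized) & in_challenge      # ignore ids never offered
    primed_offered = set(primed) & in_challenge
    primed_hits = len(recognized & primed_offered)
    decoy_hits = len(recognized - primed_offered)
    if decoy_hits:
        return Verdict(primed_hits, decoy_hits, False,
                       "claimant recognised images the holder was never primed for")
    if primed_hits < min_primed_hits:
        return Verdict(primed_hits, 0, False, "too few primed images recognised")
    return Verdict(primed_hits, 0, True, "recognised exactly the primed set")


def scenarios(seed=7):
    """Run the cases the article describes and return their verdicts by name."""
    rng = random.Random(seed)
    primed = enroll(IMAGE_POOL, rng=rng)
    challenge = build_challenge(primed, IMAGE_POOL, rng=rng)
    decoys = [img for img in challenge if img not in primed]

    # Constructed cross-site case: another service primed this same user for
    # one of our decoys, so the genuine holder now recognises it as well.
    other_site_primed = {decoys[0]}

    return {
        "genuine": evaluate(primed, challenge, primed),
        "attacker_blank": evaluate(primed, challenge, set()),
        "attacker_claims_all": evaluate(primed, challenge, challenge),
        "cross_site_holder": evaluate(primed, challenge,
                                      set(primed) | other_site_primed),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:20s} accepted={verdict.accepted!s:5} "
              f"primed={verdict.primed_hits:2d} decoys={verdict.decoy_hits:2d}  "
              f"{verdict.reason}")
```

The `cross_site_holder` case is rejected with all ten primed images recognized and one decoy hit, which is exactly the catch described in the text: a decision rule strict enough to catch an attacker who recognizes unprimed images cannot tell that claimant apart from a legitimate user primed elsewhere, so the decoy pool, or the tolerance for decoy hits, has to be chosen with other deployments in mind.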