New Method of Password Security

Researchers have developed a new method of password security that uses squiggly lines instead of traditional passwords. Janne Lindqvist, Assistant Professor of Electrical and Computer Engineering at Rutgers University, joins Hari Sreenivasan to discuss this breakthrough.

 

TRANSCRIPT

We use smartphones to ensure that life runs smoothly, but as we store more personal information on these devices, having a good password becomes just as important as locking your door at night.

Now researchers have developed a new method of password security that uses squiggly lines instead of traditional passwords.

Here to discuss this breakthrough is Janne Lindqvist, assistant professor of electrical and computer engineering at Rutgers University.

I'm curious.

How would a squiggly password even work?

So a squiggly password is basically that you draw whatever you want on the mobile device like a smartphone or tablet touchscreen, so the idea is actually very simple, so it's not surprising that you can do that on a smartphone screen, but then it ends up being a surprisingly powerful technique compared to other alternatives.

Okay, right now, most smartphones, the lock is either some sort of a combination of dots that you have to connect or it's a four-digit, a six-digit code, or in my phone, it's my fingerprint.

You know, put this on the spectrum of security, the squiggly password.

Well, unfortunately, we can't directly compare the security, so we are working on that right now.

However, I can tell you that... So, for example, PINs and patterns, people typically choose very predictable numbers or patterns.

So for example, it has been shown by other researchers that people use their birth dates, so you can find it in their wallets, what is their PIN.

Got to change mine.

[ Laughs ] Yeah.

And then for patterns, people want to do easy patterns as well, and it turns out that what people choose are actually less secure than three-digit PINs, or what people typically choose.

Wow.

So it's like if you're right-handed, you start on the left top corner, and then you're likely to go for an L.

Oh, my...

And so on.

So what we call the secure gestures, or squiggly lines, we allow much more variation on the touch screen.

Now you also ask about fingerprints, so that is a very secure method.

However, it has issues as well.

It doesn't always work.

You might have smudgy fingers, and it actually... You need to have a backup method if it doesn't happen to work, and one way to get through fingerprint-secured phones would be, well, try the three times fingerprint work, and then just start guessing the PIN, which is typically the backup method.

Right, right.

So how would... Let's say you and I had kind of a free gesture method.

What's the likelihood that you can look over my shoulder and copy that just like you could a signature?

It's very hard, actually.

So we have developed these recognition methods that take how you do it and record that, and even if you see it from behind your shoulder, it's very hard to repeat how I did it.

Now of course the caveat is here if you just do a really simple circle and so on, yes, it's likely that you're able to repeat the circle, what I did.

And also it turns out that... So we mentioned signature.

So if I do my signature quickly like this, it's very hard for you to repeat it correctly, even if you know it, how it looks.

Is that because... Are you measuring how fast I do it or how much pressure I'm putting or exactly where I'm starting?

Yeah, exactly.

What are the factors that I'm...

Exactly.

So there's multiple factors you can use, and we have been studying what is a good combination with exactly how fast you're doing it, where you started, how big are you doing, all these things.

And also, we could include pressure as well.

Okay.

So now let's say I'm in the free gesture world and I, you know, have something that happens.

I jam my finger.

It's hurting.

I'm just a little slower that next day.

Would I be locked out of my own device?

Yes, you could be locked out of your own device.

So what we do allow is that there is this kind of optimization process or finding out a trade-off that nobody can even perfectly repeat what they're doing all the time.

Right.

So we allow some variation, but if you are, like, super slow next day, yeah, it's not going to work unless we decide that, well, speed is not a factor we want to include.

So how long, how far away are we from phone companies or websites giving us an option to say, 'Enter free gesture as you wish'?

Well, they could start using it nowadays already, so there is no additional technology beyond that you have a touchscreen, and you can have a touchscreen nowadays on your desktop computer as well, and the algorithms we have developed don't require a lot of processing power, but then there's always the adaptation that, 'Well, why do you want to move to a new technology?'

Companies don't necessarily embrace new things if they didn't develop it themselves and so on, so we'll have to see.

All right.

Janne Lindqvist from Rutgers University, thanks so much.

Thanks a lot.