Preparing for a Post-Password Future with Pokemon Cards

Every year a gathering of hackers and information security professionals convene in Washington, DC to discuss how awful and broken the state of computer security is. Passwords are a perennial problem area in almost every security architecture, and here in the lobby of the Dupont Circle Hilton, tales of default or weak passwords are swapped over whisky or Red Bull. Strong passwords are an ideal which work when remembered or managed securely, but generally aren’t. When that happens, no matter what font size or weight your password reset link is, you will get emailed asking for a forgotten password to be reset.

During GO, we experienced this en masse as an explosion of human nature flew into our inboxes at the height of our scramble to scale our infrastructure to keep the website from collapsing under heavy traffic. Resetting passwords only to have them forgotten again was a problem, and a lesson to learn from when we’d have to address it again with the ASK dashboard, which is part of the Bloomberg Connects project. Without support staff resources to handle yet another password for non-technologist staff to remember, we’d have to come up with an alternative to text passwords. There’s been a few attempts at this with things like biometrics or swiping gestures, but few that we could apply to run on a standard web browser.

The most compelling use case involved memorizing combinations of images instead of text characters. Dr. Ziming Zhao’s research on the security of picture gesture authentication at Arizona State University’s SEFCOM lab pointed me to a research paper (PDF only) from a team of researchers at Charleton University on the evolution of graphical passwords over the past dozen years which compared a range of graphical password architectures that we could base a design on. Before writing a single line of code though, we wanted to test the viability of memorizing image combinations first-hand with our own staff to see if that fundamental assumption would work with our user base.

Using a series of baseball, animal facts, World of Warcraft and, eventually, Pokemon cards, we constructed a portable poster of cards which our IT Liaison, Tim, would bring to a mix of our non-technologist staff and ask them to choose one card from each category. A sampling of fifteen people had their card choices recorded, and a week later, Tim would bring the cards back to each person and ask them to remember their choice from the previous week. Then a month. Then three months. Remarkably, every person at every timeframe remembered their card choice.

We wanted to leverage our collection of art photos for this (we didn’t want to spend money on licensing Pokemon images) and choose the most memory-friendly photos in our collection from four different categories: African art, Asian art, Egyptian art and American art. With some pointers from local neurologist/photographer Lauren E. Wool about how faces are remembered in the brain, we aimed to pick out images that would contain representations of faces and images of particularly distinctive artworks.

Having more confidence in the idea, James and I evaluated the security issues around a passphrase made of four items. The total number of permutations that our system was higher than a PIN code, since we were using 12 photos in 4 categories rather than 10 digits in a string of four characters. However, that was still not nearly as strong as an ideal text password (which don’t tend to survive human memory well). PIN codes themselves, for being as weak as they are, allow someone to take money out of your bank, but devices like ATMs balance that risk by adding other restrictions that keep certain threat models out of the picture, like those involving the internet. In a similar sense, we have the dashboard restricted to use within the museum’s internal network, where network connections have assigned IP addresses associated with the machine and ownership of that machine. People connecting from the outside can be issued a one-time PAD token to gain access to the dashboard, making it a two-factor authentication system when used through over an authenticated connection over the public internet.

Other security features are also available; Copying a page from Apple’s iOS, we can trigger a temporary time out after a certain number of incorrect attempts. We can also intentionally slow down our API’s response to the authentication call by a number of milliseconds that wouldn’t be too noticeable to humans when logging in, but would significantly slow down password cracking software—especially since the full combination of chosen pictures is sent over all at once, not one category at a time as presented it might seem in the UI.

Currently, only a few people in the Technology department have picture passwords until the Audience Engagement Team starts using the ASK dashboard. How well this new system fares in real-world usage in a broader user base is something we haven’t been able to determine yet, but will soon. Will we see doodles of mummies and presidents on sticky notes stuck on the side of monitors? Should someone reset their picture password, will they have trouble mixing up their current password with previous ones? These are the questions we’ll find out answers to soon enough. Stay tuned!