Wednesday, December 06, 2017

[slzgndfr] Different pictures for different passwords

Wherever a UI prompts for a password, it should also present a unique image.  Then the user will learn to associate the image with the muscle memory of typing the password, (hopefully) helping them remember it.  It may also be useful if the user remembers the password only subconsciously, in muscle memory: it may be more difficult to force someone to divulge a password they cannot consciously recall through rubber-hose cryptanalysis.

If the user changes their password, the image should change.  One way to do this is to generate the image programmatically from the password -- specifically from a sufficiently stretched and salted hash of the password, so that an attacker who sees the image cannot invert it back to the password.
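One way to realise this, as an added example that is not code from the post: derive a small identicon-style pattern from a salted, stretched hash of the password. The KDF choice, iteration count, grid size, domain-separation label and the constructed salt are assumptions; the salt must be stored with the account so the same image is reproduced on every login, and the image bits are derived through a separate keyed step so the displayed picture is not simply a prefix of the stored password verifier.

```python
import hashlib
import hmac

# Assumptions for this example (not from the post): PBKDF2-HMAC-SHA256 with a
# high iteration count stands in for "sufficiently stretched and salted"; a
# memory-hard KDF (scrypt, Argon2) would fit the same shape.
ITERATIONS = 200_000
GRID = 7                      # 7x7 pattern, mirrored left-to-right
DEMO_SALT = b"constructed-per-account-salt"  # constructed; store per account


def stretched_hash(password: str, salt: bytes) -> bytes:
    """Salted, stretched 32-byte digest of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def image_seed(password: str, salt: bytes) -> bytes:
    """Domain-separated derivation of the image bits from the stretched hash,
    so the picture does not expose bytes of the verifier that would be stored."""
    key = stretched_hash(password, salt)
    return hmac.new(key, b"password-image-v1", hashlib.sha256).digest()


def render(password: str, salt: bytes) -> list[str]:
    """Map seed bits onto a mirrored GRID x GRID pattern of '#' and '.'.
    Mirroring halves the entropy shown but gives a symmetric, memorable shape."""
    seed = image_seed(password, salt)
    bits = "".join(f"{b:08b}" for b in seed)   # 256 bits; we use GRID*half of them
    half = (GRID + 1) // 2                     # columns generated before mirroring
    rows = []
    for r in range(GRID):
        left = [bits[r * half + c] == "1" for c in range(half)]
        row = left + left[:GRID - half][::-1]  # mirror the left side onto the right
        rows.append("".join("#" if on else "." for on in row))
    return rows


if __name__ == "__main__":
    # Two different passwords with the same salt yield two different pictures.
    for pw in ("correct horse battery staple", "correct horse battery stable"):
        print(pw)
        print("\n".join(render(pw, DEMO_SALT)), end="\n\n")
```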
