
Graphical password vulnerability - thesmok
http://translate.google.com.ua/translate?hl=uk&sl=ru&tl=en&u=http%3A%2F%2Fhabrahabr.ru%2Fpost%2F174773%2F
======
networked
Judging by the photo at the end the reason the author's locking code was
defeated so quickly is that although the input mechanism used doesn't work
quite like a traditional keyboard it is a common keyboard pattern. Keyboard
patterns in passwords are an actual research subject [1], and a pretty
interesting one at that. There's at least one practical JavaScript-based
password quality meter that can find spatial patterns in QWERTY passwords [2]
like "bgtyujmnh", which the author's code is similar to. The meter is actually
quite interesting to play with.

On a related note, it's nice to see Pascal still used for fun but the fact
that it's a version from almost 20 years ago doesn't help the language's
image. If you are curious about Pascal and think you might want to write some code
in it today I'd suggest you try Free Pascal [3], a modern, FOSS, object-
oriented 32/64-bit Pascal compiler based largely on Borland's own dialect that
even has a good recreation of Borland/Turbo Pascal's Turbo Vision IDE [4] if
you want one.

[1] See <http://www.usafa.edu/df/dfe/dfer/centers/accr/docs/schweitzer2009a.pdf>,
<http://www.ijicic.org/ijicic-10-09032.pdf>, etc.

[2] <https://www.cygnius.net/snippets/passtest.html>

[3] <http://www.freepascal.org/>

[4] <https://upload.wikimedia.org/wikipedia/commons/3/34/FPIDE_1.0.10_de.png>

~~~
mistercow
I don't think that was the takeaway. I think the vulnerability was that she
could see the pattern in the hand-grease on the phone. It wouldn't have
mattered if he hadn't used a common pattern, because the path of the finger
would still be obvious. The fix is to wipe off your screen after you lock it.

~~~
networked
I guess you're right. I was thinking along the lines of "a less common pattern
is less likely to be noticed and tried correctly the first time around and by
then the traces left of it are ruined" but now that I've looked at the photo
again I see this is probably wrong. On a phone like that any grease pattern
should be pretty obvious.

------
Madrigal
My sister uses the schizophrenic pattern shown in the middle that uses all the
dots. Because sliding your fingers between two dots just pixels apart was an
error prone nightmare, she decided to just hop her fingers from dot to dot,
based on the fact that if you touch one dot and then you touch another, when
you lift the first finger the path between both will be automatically drawn.
That way, the trace in her screen is just fingers over dots, making it
impossible to tell which one is the first and which one comes next.

------
lessnonymous
I suggested to my local supermarket that they change their alarm code: there
were four digits that were white, the others were covered in grime. Knowing
the only possible digits makes it a cinch to work out the code just from
watching movement from afar.

Two years later, those same keys are still clean. The others are even dirtier.

~~~
antonb2011
Not so. If it's a 4 digit combination, it's already n!, so 24 combinations,
which is enough for a good system to lock up and automatically call the
police. If it's more, then it's gonna grow as n!/k!l!m!... where k, l, m...
are the numbers of repeated digits, but still it's more than enough to know
that someone's trying to brute force the system.
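
A worked version of the counting in the comment above, added here as an example and not part of the thread: it counts the codes that remain once the worn keys are known and compares the chance of a correct guess before lockout with that of an uninformed guess. The sample key set and the three-attempt lockout are assumptions.

```python
from itertools import product
from math import comb, factorial


def arrangements(multiplicities):
    """n!/(k! l! m! ...) orderings of a code whose digits repeat with these counts."""
    total = factorial(sum(multiplicities))
    for m in multiplicities:
        total //= factorial(m)
    return total


def residual_keyspace(worn_keys, length):
    """Codes of `length` digits that press every worn key at least once."""
    k = len(worn_keys)
    # Sum the multinomial over every way to split `length` presses among
    # the k worn keys, each key being pressed at least once.
    return sum(arrangements(split)
               for split in product(range(1, length + 1), repeat=k)
               if sum(split) == length)


def residual_keyspace_closed_form(k, length):
    """Same count by inclusion-exclusion (surjections onto k keys)."""
    return sum((-1) ** j * comb(k, j) * (k - j) ** length for j in range(k + 1))


def guess_probability(candidates, attempts_before_lockout):
    """Chance that distinct guesses hit the code before the lockout triggers."""
    return min(1.0, attempts_before_lockout / candidates)


if __name__ == "__main__":
    worn = {"1", "4", "7", "9"}   # constructed sample: four visibly clean keys
    lockout = 3                   # assumed policy: lock after 3 wrong codes
    for length in (4, 5, 6):
        n = residual_keyspace(worn, length)
        assert n == residual_keyspace_closed_form(len(worn), length)
        print(f"{length} digits: {n} candidates vs {10 ** length} uninformed; "
              f"P(guess within {lockout}) = {guess_probability(n, lockout):.4f} "
              f"vs {guess_probability(10 ** length, lockout):.6f}")
```

With four worn keys and a four-digit code, three attempts succeed one time in eight, against 3 in 10,000 for an uninformed guess, so a lockout alone does not restore the lost keyspace.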

~~~
FreeFull
The point is that the attacker watches from a distance, and using the rough
hand movements he/she has seen can reduce that 24 combinations significantly.

~~~
sageikosa
Hence why I prefer the smaller keypads on ATM machines, so I can minimize my
finger movements. Having one keycode for the supermarket is also a good way
for disgruntled former employees to act malfeasantly.

------
cpdean
The broken English translation really adds to the punchline.

~~~
no_more_death
Hmmm, could someone build a text "scrambler" that would intentionally create
broken English? I have also noticed that "broken English" is more effective by
some measures than ordinary English.

Note also that the broken English here is not the author, but it's Google
Translate. The text has been machine translated from Russian. Also interesting
that Google Translate is much more effective translating the mathematical
portions than the other portions of the text. Another case of what people find
hard computers find easy, and vice versa.

~~~
3amOpsGuy
The fact that broken English is effective for recall, at least in some
circumstances, totally fascinates me.

I'd love to capitalise on the idea somehow, just because it's so
counter-intuitive I think. Although I fully appreciate it's not effective enough to
replace spaced repetition or other formal techniques.

------
StavrosK
That's not really new, though, is it? The bigger "vulnerability" is shoulder-
surfing, which is pretty damn effective against this.

~~~
icambron
It isn't new, and people have been joking about finger smears since this kind
of unlock mechanism came out (I remember making this discovery myself and
promptly switching my phone back to using a number pad). But it is worse than
shoulder-surfing; you can just steal a phone, say, from someone's purse or off
a table when no one is looking, and then unlock it. You don't have to stock
the person, see them unlock the phone, and _then_ steal it.

~~~
icambron
*stalk

------
InformalRelief
I sometimes take a friend's phone from them and hand it back to them unlocked.
Just for the look on their faces. Until they figure out that I just watched
them unlock it.

------
bdcravens
Love the Pascal script

------
ratzinho87
This even has a name. It's called a "smudge attack"

<http://en.wikipedia.org/wiki/Smudge_attack>

------
diminoten
The graphical password isn't really meant for security though, and I always
considered it a means to prevent pocket-dialing.

~~~
__--__
It's considered a security setting for preventing other people from opening
your phone. If you just want to prevent pocket dialing, there's a mode you can
set where you swipe anywhere on the screen to "unlock".

~~~
diminoten
I don't believe the intent of the graphic password was ever for security.

------
lucb1e
> [...] probability of 0.01%. One hundred percent

One hundredth percent*

Google translate should work on its spelling!

