it took you three attempts to break your own password? that’s pretty sad. you should try remembering your own password better. it normally takes me one try to break my own password, since i already know what it is.

maybe you should try hacking my myvidoop account; it is easier to break into than the good ol password authentication, according to you.

but for real, three attempts?

The first is that the following two attacks are of approximately equivalent sophistication:

Attack against Vidoop: 1. Exhaustively scrape from a constantly-changing (We aim to turn over the entire image library on a regular basis), randomly-presented library of images 2. Have a human attach a guess (albeit probably a good guess) of the category or categories represented by each of those images 3. Steal a user’s soft token 4. Capture that user’s screen and keystrokes simultaneously during login 5. Presumably with some kind of computer vision library, exhaustively match all of those scraped images to the images in the grid during sign-in 6. Use OCR software to match a character to each of the images in the user’s grid 7. Compare the OCR’d characters to the characters recorded when the user signed in 8. Sign in by repeating the process of exhaustively matching grid images, OCRing the characters on it, and then entering the appropriate characters

Attack against passwords: 1. Capture a user’s keystrokes with keylogging software. 2. Sign in as the user, using the password captured by the keylogger.

The other argument I see here is this: “If an attacker is assumed to have the ability to execute arbitrary code on a user’s computer, that user screwed.”

You need to go back to school. How exactly does a password (no matter how complex) combat simple keystroke logging? automation? guessing? etc…

-WONDERING what kind of security related authority you have especially since you sound like you are just hating.

I still contend that the image-based login system doesn’t buy you anything. It doesn’t thwart keylogging since you can scrape and categorize the library of images, plus you can steal the software token.

The image login system is less secure, harder to use, won’t work on small devices, and can’t be used by anyone who is blind. In almost every respect, it’s weaker than a plain old alphanumeric password.

The only idea of merit is using SMS as a trusted, out-of-band channel. The image-based login will not be successful because of its usability and security issues.

A hacker has to answer “what category does this yellowish-sphere-with-a-ring-around-it represent?” We don’t spend any effort to make our images work well in this direction.

Legitimate Vidoop Secure users, on the other hand, have to answer “which image is an example of an object in space?” (It’s that yellowish sphere from before, only now it’s more clear because I know more about what I’m looking for.) We extensively test our images to make sure they work in this direction.

We’re working to make the hacker version of the question even harder than when you had difficulty with it before. By using images that represent more than one category, a hacker has a bigger identification problem to solve (and one that doesn’t have a unique solution). As you noticed from your experiment, some of our images do this already.

On the subject of strength-of-secret, it’s true that a Vidoop Secure user’s secret is only 11-17 bits. Remember: an ATM PIN is around 13.3 bits, and is also weakened by end user bias.

Regardless, you can still scrape the images and build your own corpus by categorizing them. That would allow you to log keystrokes just like a password.

Vidoop’s user secrets only have about 11-17 bits of information, depending if you choose 3 or 5 categories. That’s assuming users have no bias for certain categories, which they obviously will.

If a computer is activated, Vidoop’s security is based on essentially a cookie and a tiny shared secret. Both can be stolen by malware. Or, since the secret is so small, a non-trivial portion of activated computers can be brute forced.

Using the cell phone as a second factor is a better solution and has merit on its own. However, I think the image-based login is weak and would not recommend it to anyone.

When you’re evaluating the security of Vidoop Secure, keep in mind that all the cash in your bank account is secured by your possession of a plastic ATM card (which can be straightforwardly cloned) and your knowledge of a 4-digit number.

For access to my account on myVidoop I have, in the place of an ATM card, chosen to require possession of my cell phone. Much like my ATM card, it can be disabled and recreated if it gets lost or stolen. Unlike my ATM card, I’ll notice it missing much faster.

Of course, those who are less paranoid than I am can choose to activate every computer that they use regularly, and then they only have access using knowledge of their secret categories.

With myVidoop, users have more (and better) ways to vary the security of their credentials than merely choosing a longer, more complex, harder to remember password.

/No/ authentication technology solves every problem simultaneously. But of the possible replacements for passwords out there, this one’s available today, for free, across the entire internet.

If you have another technology that solves more of your problems today, the by all means use it instead of ours.

And either way, we appreciate your feedback.

Scott Blomquist CTO, Vidoop

The software token doesn’t buy you much since it can be easily stolen by malware, which is what they are claiming they help protect against.

Regardless, anyone can walk up to a computer with a token installed and break Vidoop’s login in seconds.

A real two-factor solution makes use of a separate device, such as a CryptoCard or RSA token. If we’re worried about keyloggers, anything on the PC cannot be trusted.

i think we can all agree that myvidoop.com has substantially raised the bar in regards to mitigating hacks. it’s always nice to compare things against non-existant “super, solve-all” solutions…however, reality is, they are just that – non-existant. IMO – this is the best of very strong, usable (not to mention FREE) security available at the time.

Let’s say they have a fixed set of 12 categories, so every login attempt has samples from the same set of sets. Then brute force guessing is easy. If you pick 3 images out of 12, that’s only 1320 possible ordered combinations and 220 unordered combinations.

Or, you could just scrape the images displayed during a single login, capture the keystrokes, and look at what the pictures are of.

This can be automated, because there will be a limited set of advertisements or stock photos. Someone just tries a bunch of logins, collects all the image samples they display, and categorizes them. That only needs to happen once and can be crowdsourced. They can keep updating their images, but then it’s just an arms race.