it took you three attempts to break your own password? that’s pretty sad. you should try remembering your own password better. it normally takes me one try to break my own password, since i already know what it is.

maybe you should try hacking my myvidoop account; it is easier to break into than the good ol password authentication, according to you.

but for real, three attempts?

The first is that the following two attacks are of approximately equivalent sophistication:

Attack against Vidoop:
1. Exhaustively scrape from a constantly-changing (We aim to turn over the entire image library on a regular basis), randomly-presented library of images
2. Have a human attach a guess (albeit probably a good guess) of the category or categories represented by each of those images
3. Steal a user’s soft token
4. Capture that user’s screen and keystrokes simultaneously during login
5. Presumably with some kind of computer vision library, exhaustively match all of those scraped images to the images in the grid during sign-in
6. Use OCR software to match a character to each of the images in the user’s grid
7. Compare the OCR’d characters to the characters recorded when the user signed in
8. Sign in by repeating the process of exhaustively matching grid images, OCRing the characters on it, and then entering the appropriate characters

Attack against passwords:
1. Capture a user’s keystrokes with keylogging software.
2. Sign in as the user, using the password captured by the keylogger.

The other argument I see here is this:
“If an attacker is assumed to have the ability to execute arbitrary code on a user’s computer, that user screwed.”

You need to go back to school. How exactly does a password (no matter how complex) combat simple keystroke logging? automation? guessing? etc…

-WONDERING what kind of security related authority you have especially since you sound like you are just hating.

I still contend that the image-based login system doesn’t buy you anything. It doesn’t thwart keylogging since you can scrape and categorize the library of images, plus you can steal the software token.

The image login system is less secure, harder to use, won’t work on small devices, and can’t be used by anyone who is blind. In almost every respect, it’s weaker than a plain old alphanumeric password.

The only idea of merit is using SMS as a trusted, out-of-band channel. The image-based login will not be successful because of its usability and security issues.

A hacker has to answer “what category does this yellowish-sphere-with-a-ring-around-it represent?” We don’t spend any effort to make our images work well in this direction.

Legitimate Vidoop Secure users, on the other hand, have to answer “which image is an example of an object in space?” (It’s that yellowish sphere from before, only now it’s more clear because I know more about what I’m looking for.) We extensively test our images to make sure they work in this direction.

We’re working to make the hacker version of the question even harder than when you had difficulty with it before. By using images that represent more than one category, a hacker has a bigger identification problem to solve (and one that doesn’t have a unique solution). As you noticed from your experiment, some of our images do this already.

On the subject of strength-of-secret, it’s true that a Vidoop Secure user’s secret is only 11-17 bits. Remember: an ATM PIN is around 13.3 bits, and is also weakened by end user bias.

Regardless, you can still scrape the images and build your own corpus by categorizing them. That would allow you to log keystrokes just like a password.

Vidoop’s user secrets only have about 11-17 bits of information, depending if you choose 3 or 5 categories. That’s assuming users have no bias for certain categories, which they obviously will.

If a computer is activated, Vidoop’s security is based on essentially a cookie and a tiny shared secret. Both can be stolen by malware. Or, since the secret is so small, a non-trivial portion of activated computers can be brute forced.

Using the cell phone as a second factor is a better solution and has merit on its own. However, I think the image-based login is weak and would not recommend it to anyone.