Geographical passwords worth their salt

Feb 14, 2014

It's much easier to remember a place you have visited than a long, complicated password, which is why computer scientist Ziyad Al-Salloum of ZSS-Research in Ras Al Khaimah, UAE, is developing a system he calls geographical passwords.

Writing in a freely available "open access" research paper in the International Journal of Security and Networks, Al-Salloum emphasizes how increasingly complicated our online lives are becoming with more and more accounts requiring more and more passwords. Moreover, he adds that even strong, but conventional passwords are a in the face of increasingly sophisticated "hacker" tools that can break into servers and apply brute force to reveal passwords. Indeed, over the last few years numerous major corporations and organizations - LinkedIn, Sony, the US government, Evernote, Twitter, Yahoo and many others - have had their systems compromised to different degrees and overall millions of usernames and associated passwords have been harvested and even leaked online.

Al-Salloum has devised geographical passwords as a simple yet practical approach to access credentials that could provide secure access to different entities and at the same time mitigate many of the vulnerabilities associated with current password-based schemes. The new "geo" approach exploits our remarkable ability to recall with relative ease a favorite or visited place and to use that place's specific location as the access credentials. The prototype system developed at ZSS-Research has proven itself capable of protecting a system against known password threats. "Proposing an effective replacement of conventional passwords could reduce 76% of data breaches, based on an analysis of more than 47,000 reported security incidents," Al-Salloum reports.

The geographical password system utilizes the geographical information derived from a specific memorable location around which the user has logged a drawn boundary: longitude, latitude, altitude, area of the boundary, its perimeter, sides, angles, radius and other features form the geographical password. For instance, the user might draw a six-sided polygon around a such as the Eiffel Tower, Uluru (also known as Ayers Rock), a particular promontory on the Grand Canyon, a local church, a particular tree in the woodland where they walk their dog… or any other geographical feature. Once created, the password is then "salted" by adding a string of hidden random characters that are user-specific, and the geographical password and the salt are "hashed" together. Thus, even if two users pick the same place as their geographical password, the behind-the-scenes password settings are unique to them.
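The salt-and-hash step described above, as an added example that is not code from the paper or from ZSS-Research. The snap grid, the use of scrypt as the hash, and the names `encode_boundary`, `enroll` and `verify` are assumptions made for illustration; the coordinates are constructed sample data.

```python
import hashlib
import hmac
import os
import struct

GRID = 1e-4  # assumed snap grid in degrees (about 11 m of latitude); not from the paper


def encode_boundary(vertices):
    """Canonical bytes for a drawn polygon given as (lat, lon) pairs.

    Vertices are snapped to the grid, then rotated so the smallest vertex
    comes first, so the same boundary drawn from a different starting corner
    encodes identically. Drawing direction is kept as part of the secret.
    """
    snapped = [(round(lat / GRID), round(lon / GRID)) for lat, lon in vertices]
    start = snapped.index(min(snapped))
    ordered = snapped[start:] + snapped[:start]
    return b"".join(struct.pack(">ii", la, lo) for la, lo in ordered)


def enroll(vertices, salt=None):
    """Return (salt, digest) to store; the boundary itself is never stored."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(encode_boundary(vertices), salt=salt,
                            n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify(vertices, salt, stored):
    """Recompute with the user's salt and compare in constant time."""
    _, candidate = enroll(vertices, salt)
    return hmac.compare_digest(candidate, stored)


# Constructed sample: a six-sided boundary near the Eiffel Tower.
EIFFEL = [(48.8590, 2.2935), (48.8590, 2.2955), (48.8584, 2.2965),
          (48.8578, 2.2955), (48.8578, 2.2935), (48.8584, 2.2925)]

if __name__ == "__main__":
    alice = enroll(EIFFEL)
    bob = enroll(EIFFEL)
    print("same place, different stored hashes:", alice[1] != bob[1])
    print("alice verifies:", verify(EIFFEL, *alice))
```

Because each user gets an independent random salt, a leaked table of digests does not reveal which users chose the same place, and a guess has to be recomputed per user.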

If the system disallowed two users from picking the same location, this would make it much easier for adversaries to guess passwords.

The entropy of a geographical password, and so its resistance to guessing, would increase significantly if the password comprised two or more pinpointed locations. Al-Salloum explains that a whole-earth map might have 360 billion tiles at 20 degrees of "zoom", which offers an essentially limitless number of essentially unguessable geographical .

More information: "GeoGraphical passwords" in Int. J. Security and Networks, 2014, 9, 56-62. A PDF of the peer-reviewed research paper is available via Open Access to everyone here: www.inderscience.com/admin/osp… 48952&fromonsusy=yes

User comments : 1

adam_russell_9615
not rated yet Feb 14, 2014
I strongly doubt that anyone actually remembers long passwords at all. Maybe 1 maybe 2. But in the modern age you can have several scores of passwords. You need a cheat sheet or something like that.
