Humans choose easily memorized passwords, and easily memorized passwords are easily cracked passwords.
Now Ziyad S. Al-Salloum, a researcher with ZSS - Research in Dubai, has developed a solution that combines 'easily remembered' with 'strong authentication', which he calls 'geographical passwords'.
"In this paper," he writes, "we address the conventional password problem and propose a novel, simple, and practical access credential that would provide secure access to different entities and mitigate many vulnerabilities associated with current password based schemes. We name our proposal GeoGraphical passwords."
In some ways his proposal is as close to a biometric as it is to a traditionally memorized password since it is based on unique personal experiences (effectively, something each user is, not just something the user owns): the memory of a favorite and meaningful place perhaps. It draws on what he calls "the remarkable human ability to remember places."
In essence, the user chooses a meaningful location, which could be anything from the Eiffel Tower to a group of trees in a park, or rocks on a hillside; and then draws a shape around it. This combination, he suggests, is easier to remember than long, complex, strong passwords.
"Selecting a geographical area can be done using different ways and shapes," he writes. "A user – for example – can place a circle around his favorite mountain, or a polygon around his favorite set of trees. No matter how geographical areas are selected, the geographical information that can be derived from these areas (such as longitude, latitude, altitude, areas, perimeters, sides, angles, radius, or others) forms the geographical password."
The result is used to calculate the credential, to which a user-specific hash is added to ensure that no two users end up with the same geographical password. Because the result is neither a word, a variation on a word, nor a short sequence of characters, the crackers' favorite shortcut of dictionary-based rainbow tables no longer applies. Without dictionary-based attacks, the theory is that crackers are reduced to brute-forcing the credentials; that is, they have to try every possible combination of characters, which is effectively impossible.
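To make the derivation above concrete, here is an added Python sketch; it is not Al-Salloum's implementation, whose details the article does not give. It derives a few descriptors (side count, area, perimeter, centroid) from a user-drawn polygon, quantizes them so the same shape redrawn yields the same credential, and binds them to a per-user secret with HMAC so two users choosing the same area get different credentials; the descriptor set, the four-decimal quantization and the planar (non-geodesic) geometry are all assumptions made for this illustration.

```python
import hashlib
import hmac
import math


def polygon_features(points):
    """Derive geometric descriptors from a closed polygon given as
    (lon, lat) pairs in degrees. Area uses the shoelace formula and
    the perimeter sums edge lengths; both are planar approximations
    (an assumption for this sketch, not a geodesic computation)."""
    n = len(points)
    if n < 3:
        raise ValueError("a polygon needs at least three vertices")
    twice_area = 0.0
    perimeter = 0.0
    for i in range(n):
        x1, y1 = points[i]
        x2, y2 = points[(i + 1) % n]  # wrap around to close the shape
        twice_area += x1 * y2 - x2 * y1
        perimeter += math.hypot(x2 - x1, y2 - y1)
    cx = sum(p[0] for p in points) / n
    cy = sum(p[1] for p in points) / n
    return {"sides": n, "area": abs(twice_area) / 2.0,
            "perimeter": perimeter, "centroid": (cx, cy)}


def canonical_string(features, precision=4):
    """Quantize descriptors to fixed decimals (assumed tolerance) so that
    small redraw differences and vertex ordering do not change the
    credential, then serialize them in a fixed field order."""
    cx, cy = features["centroid"]
    return "|".join([str(features["sides"]),
                     f"{features['area']:.{precision}f}",
                     f"{features['perimeter']:.{precision}f}",
                     f"{cx:.{precision}f}", f"{cy:.{precision}f}"])


def geo_credential(points, user_secret):
    """Bind the geographic descriptors to a per-user secret (bytes) with
    HMAC-SHA256; the same area under two different secrets gives two
    unrelated credentials, matching the article's stated goal."""
    msg = canonical_string(polygon_features(points)).encode("utf-8")
    return hmac.new(user_secret, msg, hashlib.sha256).hexdigest()


def verify(points, user_secret, stored_credential):
    """Constant-time comparison of a freshly drawn shape against the
    stored credential (server-side check, not a cracking aid)."""
    return hmac.compare_digest(geo_credential(points, user_secret),
                               stored_credential)
```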
"This type of password has many advantages," suggests Benny Ro, a security expert employed by the Shanghai Jiao Tong University: "they are easy to remember and hard to forget, diverse, and hard to predict. And, according to Al-Salloum, 'proposing an effective replacement of conventional passwords could reduce 76% of data breaches, based on an analysis of more than 47000 reported security incidents.'"
"Just imagine your geographical password to your email or social network is your summer home or the lake you visited a few years ago," concludes Al-Salloum. "Geographical passwords can address the increasing vulnerabilities associated with conventional ones and would further improve online security, paving the way towards better user protection in an unpredictable cyber world."