(Ping! Zine Issue 73) – As the number of security breaches on personal computers and mobile devices continues to increase, security remains the number one concern for online users. Maybe you know what we’re talking about? Have you ever received an unpleasant email from your web hosting provider stating that your account has been compromised? Obviously, passwords are put in place to keep people out of our data. The amount of havoc a breach can cause in your personal life or business is tremendous. Earlier this month, Wisconsin-based security firm Hold Security discovered the largest data breach to date, revealing that a group of Russian hackers successfully managed to steal over 4.5 billion records, including more than 500 million email addresses and 1.2 billion user names and passwords.
Other notable database breaches include last year’s Target hack that affected over 110 million customers, the group of Chinese hackers that compromised U.S. government computers in order to gain information on federal employees in March, and the recent announcement of a data breach on the popular encryption service, Tor.
What this tells us is that no matter how difficult you make your password, there is a good chance it can be cracked. Since there are more and more “cyber criminals” lurking around the corner, there needs to be a more effective way to safeguard our personal data.
With these growing concerns, Bright Plaza is aiming to increase security measures with its new secure password service, Kaje Picture Passwords. Kaje, pronounced “cagey” and meaning “shrewd or crafty,” gives clients and website owners the ability to replace traditional text passwords or PINs with one of their own pictures, making it easier for users to remember their passwords due to an “emotional connection.” This security service is a refreshing change from traditional user names and passwords because clients can use their own personal pictures, ranging from photos of pets to loved ones to prized possessions.
Don’t worry if you’re feeling a little lost on how this works. Let’s take a hypothetical situation and show you exactly how Kaje would work. So, we all remember that time that you took your niece out to get her first ice cream cone. Obviously, we brought our camera to take a picture of her eating it for the first time. The picture would look something like her holding an ice cream cone up to her mouth and smiling. The picture that we would upload for our Kaje image protection would be our niece smiling with the cone, with dots that go all across the image. Then we could have three motions where we touched the picture where she didn’t get ice cream all over her face. So we could touch both ears and maybe one place above the right eye. This would then be our password. Pretty cool, huh?
“Picture passwords are superior in every way to typed passwords. Anytime you ask your users to type in a password, consider giving them the option to mouse-in or touch-in their password instead. With only THREE actions, you get the strength of EIGHT typed alphanumeric-symbol characters,” says the password service’s website. “When users change their pictures, their picture passwords are easier to remember than their typed passwords. This is a fact of human recognition memory.”
In order to use this two-fold security feature, users must first select a unique image, followed by three specific actions or patterns. These patterns can be entered with the click of a mouse or the motion of a finger. When the picture and pattern combination is successfully used, the service redirects clients to the website with a “yes” message that completes the login process. For instance, let’s say you finally get tired of someone cracking your password on your WordPress site; Kaje would be an excellent option for you. Gone are the days of someone hacking into your site and doing God knows what with it. There is no program that can crack the three actions you touched on the screen. With these endless combinations, security measures greatly reduce the chance of users’ information being compromised.
“Kaje Picture Passwords is a patented ‘Software as a Service’ that provides an option to text passwords with minimal effort or impact on a website’s design, systems, or maintenance,” says Kaje Picture Password VP of Strategic Business Development, Gary Bickford. “As with the Picture Password option on Windows 8+ login, they have been shown to be safer, easier to remember, and more secure than other methods. But Kaje Picture Passwords are available to web sites, and work on all platforms from desktops to phones, all operating systems, and all browsers.”
Registration for this service is simple and takes less than one minute. Website owners must fill out a form found on Kaje’s website. Click the “Get Kaje on your site” button and receive 10,000 free logins for the Picture Password. A simple HTTPS RESTful API or a CMS plugin such as WordPress or Drupal is used in the installation process. Once an email confirmation is sent, users can begin using their Picture Password on their websites to ensure safe and secure access.
One of the many benefits to Picture Password is that passwords are not kept on the website, so if the site is compromised, attackers will not be able to access any personal information, unless the hackers have the ability to read your mind, which is unlikely. Bickford notes that using a “three-action picture password” is stronger than an 8-character text password using a full ASCII character set and 17 times stronger than a 4-digit PIN. 8-character text passwords only contain roughly 30 bits of entropy, which means this type of password can be easily cracked in less than 16 minutes on a desktop computer, adds Bickford. Simply put, alien technology or mind control is the only way to log in as you.
Bickford explains some of the risks associated with traditional passwords: “Experts in online security have been aware since at least the middle 1990s that text passwords were a failing methodology. Computers have become faster and algorithms have improved, so that today a desktop computer may be able to use brute force cracking methods to expose any text password that most humans can remember in too short a time,” adding that text passwords are easy to crack and hard to remember, which results in users picking easy combinations such as “1234.”
Traditional security policies require users to change passwords regularly or use a minimum character count of 12 or 16, which can be difficult to remember. Most clients use the same passwords for every one of their accounts, meaning that if one site is compromised, potentially every account could be as well.
Most policies usually require special characters such as upper- or lower-case letters, numerals, or symbols to be in the password, making it almost unmanageable to have a unique password per account. These examples are popular throughout the Internet. There are better models such as TLS, TTLS, 802.1X, and PEAP that range from certificates to user names and passwords with sophisticated encryption. These are standards adopted by security organizations that are empowered to secure communications.
According to SplashData’s annual “Worst Passwords” list, 123456, 12345678, password, qwerty, and abc123 are the most commonly used passwords that can easily be cracked. It should go without saying, but using your name or the word “password” probably isn’t the smartest idea either. Obviously, changing our ways of logging into our sites has been a long time coming. With Kaje you really don’t have any reason to ever need to remember a password again.
More information about Kaje Picture Password can be found at www.picturepassword.info. Users and clients wanting to test out this service can do so by clicking the “Try Me” button on Kaje’s website. Here users can see some administration actions and use one of the plugins to set up the service for their site. Bright Plaza offers 10,000 free logins per SSL site.
Bright Plaza, established in 1982, has been a leader in Internet security and privacy since the early 1990s, with numerous patents and “self-encrypting” hard drives related to Internet security. The Kaje Picture Password service has been under development for the past five years, with its first public beta and pre-release testing released in early 2013. General availability for Picture Password first began in the first quarter of 2014.