There is a memo on my desk reminding me to change my AWS password. I venture to the Amazon website and load up the Security Credentials page. An old foe awaits, but this time I have the upper hand.
The previous week my research had taken me to Khairpur. A city of rich culture and magnificent archaeological sites, laden with endless fields of rice and wheat under the encompassing shade of date palms. Khairpur was the destination of the 4th International Conference in Computer & Emerging Technologies. I was scheduled to present at the conference, a paper extending the work of Mohammad Mannan into object-based passwords.
Object-based password schemes can be used as an alternative to the text-based password schemes we use day in and day out, and they offer a host of benefits over them. They resolve the age-old dilemma of choosing between high-entropy passwords that are difficult to remember and easy-to-remember passwords that are susceptible to creative guessing attacks: an object-based password can be random and easy to remember at the same time. They are also much more convenient to come up with, since they require selection where their text-based counterparts require construction.
So what are these objects that can double as passwords? Objects come in the shape of digital media: a private photograph of yourself snorkeling in the Maldives, or a capture of a britannica.com article from April 1999 taken with the Wayback Machine (web.archive.org), would make for a strong object-based password. The vast pool of personal and public objects makes it impractical for attackers to build a generalized dictionary of such passwords. The objects are eventually transformed into textual form using a cryptographic hash function, although this step may be hidden from the user depending on the particular implementation.
My work centered on proposing, implementing and evaluating two variations of the object-based password scheme. The first scheme delegates the responsibility of hashing the objects to the clients. The second scheme passes the objects to the server, which is especially useful for devices not quite optimized for hashing, such as low-end tablets and smartphones.
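The transformation described above (an object's bytes turned into a text password by a cryptographic hash) is easy to sketch. The following is an added example, not code from the paper or the post: it derives a policy-compliant password from an object's raw bytes, as a client would in the first scheme. The HMAC key, the per-service domain separation, the character classes and the sample "photo" are all my assumptions, constructed for illustration.

```python
import hashlib
import hmac
import string

# Character classes a typical complexity policy demands (a constructed policy,
# not any particular provider's exact rules).
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+"
CLASSES = (UPPER, LOWER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)


def object_to_password(object_bytes: bytes, service: str, length: int = 24) -> str:
    """Derive a text password from a digital object (client-side scheme).

    The object's bytes are hashed with HMAC-SHA256 keyed by the service name
    (an assumption: it makes the same photo yield different passwords for
    different services, so one leaked password does not expose the others).
    The digest is then expanded with SHAKE256 into a printable password that
    contains at least one character from every class.
    """
    if length < len(CLASSES):
        raise ValueError("length must cover every character class")
    key = hmac.new(service.encode("utf-8"), object_bytes, hashlib.sha256).digest()
    # Plenty of bytes so that rejection sampling below never runs dry in practice.
    stream = iter(hashlib.shake_256(key).digest(length * 8))

    def draw(pool: str) -> str:
        # Rejection sampling removes the modulo bias of byte % len(pool).
        limit = 256 - (256 % len(pool))
        for byte in stream:
            if byte < limit:
                return pool[byte % len(pool)]
        raise RuntimeError("byte stream exhausted")  # practically unreachable

    # First one character from each class, then the rest from the full alphabet.
    chars = [draw(pool) for pool in CLASSES]
    chars.extend(draw(ALPHABET) for _ in range(length - len(CLASSES)))
    return "".join(chars)


def meets_policy(password: str, min_length: int = 8) -> bool:
    """Check the constructed complexity policy: length plus every character class."""
    return len(password) >= min_length and all(
        any(c in cls for c in password) for cls in CLASSES
    )


def demo() -> dict:
    # Constructed sample bytes standing in for a JPEG from the webcam.
    photo = b"\xff\xd8\xff\xe0" + b"constructed sample photo payload" * 4 + b"\xff\xd9"
    # A re-saved or re-compressed copy differs by at least a byte, so it is a
    # different object: the original file must be kept byte-for-byte.
    resaved = bytearray(photo)
    resaved[10] ^= 0x01
    return {
        "aws": object_to_password(photo, "aws"),
        "other": object_to_password(photo, "other-service"),
        "resaved": object_to_password(bytes(resaved), "aws"),
    }


if __name__ == "__main__":
    for name, pw in demo().items():
        print(f"{name:8s} {pw}  policy_ok={meets_policy(pw)}")
```

In the second scheme the server runs the same derivation on the uploaded object bytes instead of the client; in either case the resulting string is an ordinary text password from the service's point of view, so the service should still store it only as a salted, slow password hash. The example also shows the practical caveat that any re-encoding of the object produces an unrelated password, which is why the original file has to be preserved exactly.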
Back in the jungles of Amazon, there are 6 complex password restrictions that stand between me and the rest of my day. I see a way around them. I fire up my webcam, snap a picture of myself, hash it and set it as my new password.
Text-based passwords, until we meet again.