I came across the following link that describes GUI-based passwording systems:
http://blogs.zdnet.com/emergingtech/?p=137

In particular, the second system described by the article, which involves a field of randomly chosen shifting icons, really caught my attention. The system has a large library of icons, and the user picks a small handful to be password icons. The twist is, you never actually have to click one of your password icons on the login GUI, which keeps the password secret.

The logon screen consists of a grid of randomly chosen icons, with four of your password icons distributed somewhere on the grid. You locate the icons, and visualize that they're at the corners of an imaginary shape. You click inside that shape, and then the system randomly arranges the icons again. You then repeat the process, figuring out which four icons are from their set of password icons, and clicking inside the borders of the new invisible shape.

After a set number of clicks in the correct areas, the system can determine with a reasonable level of confidence that you actually know which icons are password icons and aren't just hitting the imaginary shapes by random chance. However, someone watching your clicks has no easy way of determining which icons actually make up the corners of your shapes. Depending on the size of the icon library, and the size of grid used for login, it's possible that if someone shoulder surfed a huge number of logins, pattern analysis would eventually pick out out the password icons, but it would not be an easy task.

Anyway, I figure a visually oriented, yet shoulder-surfing resistant password entry system is a perfect fit for the SR setting, especially with how widespread AR overlay is.

That is indeed really cool. And of course the way to hack it is to set up a series of "logins" that are plausibly masked as passing irrelevent traffic that submit no password attempt at all. With enough of them logged, you could check to see which icons are always there and your first "deliberate" login would be correct all the way through.

-Frank

Anyone seen Johnny Mnemonic recently?

Well, you can increase the security there by having the user choose, say, 6 valid icons, but only ever having 4 of the valid icons appear on the login attempts. Also, if you have a semi-smart 'other icon chooser', to make sure that some non-password icons always appear as well that would probably defeat all attempts at frequency analysis.

This would also appear to give you high resistance to the more 'extreme' froms of shoulder surinf, like key-logging and Van Eck phreaking.

BTW, one of the links in the article lets you download a demo program that shows it off. It's worth the download to see the thing in action live.

Crusher Bob's right, just because it uses 4 icons at a time to define the imaginary shape, doesn't mean you're limited to using 4 icons in your set of password icons. (In fact, the demo program uses 6 icons out of a total library of 125 for it's sample password.)

As for bringing up the password grid multiple times to be able to see what icons always show up, just set a policy in place that a particular account's password grid can only be brought up x number of times without a successful click on the imaginary shape. After that, lock the account down similar to how an alphanumeric-based password system locks down an account after x number of failed password entries.

The neat thing about this system is that while the article presents it as an iconic system, there's nothing locking you into graphic images instead of other distinguishable symbology, like say, using differently colored alphanumeric characters. Your symbols could be the letters D, U, M, P in brown and S, H, O, C, K in electric blue.

I like it; good web find, RP.

another interesting thing is that this works in favor of the human brain.
we are preprogramed to locate shapes and similar, but are worse at rembering random rows of letters and numbers.

on the other hand, computers have a bad time with pattern recognition, but can do rapid bruteforce attacks on strings of letters and numbers...