
Using AJAX for Image Passwords - AJAX Security Part 1 of 3

Try it!

This app uses JavaScript and XMLHttpRequest. Your browser must have these enabled to try this out. I didn't put in code that would check for incompatibility, sorry. See the limitations section below for other shortcomings.


Known to work with FireFox 1.5beta and IE 6.0.
Recording

  • Move the mouse into the record area.
  • To start recording, press and keep a mouse button clicked.
  • While keeping the mouse pressed, move the mouse in a pattern that you could remember and easily reproduce.
  • To stop recording, release the mouse button.
  • You should get a confirmation message from the server when a successful recording has been made.
TIP: Try first using only one straight line, which is much easier to move the mouse in. Having a touch screen, I imagine, would make it a pleasure to create complex patterns.
Login
  • The same procedure as for recording, but with the exception of using the login area.
  • Try replicating your recorded pattern as closely as possible.
  • If the login fails, you don't have to re-record a new password. You can also draw your login pattern in a different order, as long as the end pattern looks the same.
  • Upon successful login, you will be presented with your current bank balance.

How it works

When a mouse movement is detected while a mouse button is pressed, a small HTTP request is made back to the server containing the position of the mouse cursor relative to the area, be it the record or login area. The position is stored temporarily in a session variable.
When it's time to log in, the positions resulting from the login movement are matched against the stored ones. An error matching value is calculated; if the resulting value exceeds a certain threshold the attempt is treated as a bad login, otherwise it succeeds. The server code is based on PHP, and both the client and server code are bundled in a zip file attached to this blog entry.
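The post does not spell out how the error value is computed, so here is an added example (not the code from the zip) of one matcher that fits the behaviour described above: it compares the two strokes as point sets rather than as sequences, which is what lets a login pattern be drawn in a different order and still match. Coordinates are assumed to be pixels relative to the drawing area, with the same area size for recording and login; the names and the threshold are my own.

```javascript
// Constructed sample: the recorded stroke (the "mouse password"),
// a rough square drawn clockwise, as the server would hold it in the session.
const RECORDED = [
  {x: 10, y: 10}, {x: 30, y: 10}, {x: 50, y: 10},
  {x: 50, y: 30}, {x: 50, y: 50}, {x: 30, y: 50},
  {x: 10, y: 50}, {x: 10, y: 30},
];

function dist(a, b) {
  return Math.hypot(a.x - b.x, a.y - b.y);
}

// Mean distance from each point in `from` to its nearest point in `to`.
// Because only nearest points are considered, the order in which the
// stroke was drawn does not matter; only its shape on the area does.
function meanNearest(from, to) {
  if (from.length === 0 || to.length === 0) return Infinity;
  let total = 0;
  for (const p of from) {
    let best = Infinity;
    for (const q of to) best = Math.min(best, dist(p, q));
    total += best;
  }
  return total / from.length;
}

// Symmetric error value: the recorded-to-attempt direction penalises parts of
// the shape the user failed to draw, the attempt-to-recorded direction
// penalises extra strokes that were never recorded.
function matchError(recorded, attempt) {
  return Math.max(meanNearest(recorded, attempt), meanNearest(attempt, recorded));
}

// Threshold in area pixels (assumed value). Too loose lets a roughly similar
// shape in; too tight rejects the legitimate user's own hand jitter.
const THRESHOLD = 8;

function isLoginAccepted(recorded, attempt, threshold = THRESHOLD) {
  return matchError(recorded, attempt) <= threshold;
}
```

Tuning the threshold against strokes from different pointing devices (mouse, touchpad, pen) is where most of the false-reject problems the comments mention would show up.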

Increased security

Using a mouse movement login, in addition to a regular text password, adds another dimension of input and so increases security. Although keyboard sniffers could fairly easily start logging your mouse movements (I'm sure some already do), the amount of data that needs to be stored is orders of magnitude more than for regular text passwords. An order of magnitude more data means an order of magnitude more data processing and storing, which will help make it harder for an attacker overall, whether it be spyware or phishing attacks. Mouse passwords are also less prone to being weak passwords: there is no such thing as a dictionary-based attack in mouse land. Another benefit is easier-to-remember passwords, at least for persons like me who find it easier to remember images and patterns than sequences of letters and digits.

Although this seems nice, there are drawbacks.

Increased security but at what cost?

When you move your mouse over one of the areas above while keeping a button pressed, hundreds of mouse move events will be triggered. All these events are sent back to the server, which stores and processes them. In my implementation, drawing a circle will spawn approximately 500-600 HTTP requests. This surge of requests can be avoided, which is discussed in a section below. The login process is a short period of time compared to the overall session, so it could be OK to pay this sporadic network load and processing cost for the sake of increased security.


Other compelling disadvantages:

  • While typing in text passwords the password is masked to prevent over-the-shoulder attacks. I guess it is technically possible to temporarily hide the mouse cursor or obstruct the area on the screen with your hand or something, but that is not as readily available or easy.
  • Not 100% browser recognition.
  • Client bandwidth limitations. The server can be scaled and beefed up, but not all people have a high-speed internet connection, and sending hundreds of requests in a short period of time can be painfully slow.
  • Reproducing complicated mouse movement patterns over an area can be difficult.

Eliminating high bandwidth requirement

You might wonder why I didn't code it in such a way as to send only one packet containing all the position data when the user releases the mouse button. The reason for this is that the time difference between packets can be used to boost security a notch, which is the subject of the next blog in this series.

Limitations and future improvements

I can see improvements done to the javascript logic that handles the mouse movement detection. It's easy to upset it by moving the mouse outside the areas or keeping the mouse pressed while entering the page etc.

Another compelling feature would be to change how the mouse input is done: have the user define points by clicking in an area. This allows greater reproducibility and more complex patterns to be recorded and recognized. The same pattern fitting algorithm can be used. I would prefer this approach if I were a user.

Download Source Code

The code is available here. It's not much. A few comments.

To enable XMLHttpRequest in Mozilla when running the HTML file off your local hard drive, uncomment the following lines in ajaxmouselogin.html:

//if (req) {
//  if (typeof netscape != 'undefined' && typeof netscape.security != 'undefined') {
//    netscape.security.PrivilegeManager.enablePrivilege('UniversalBrowserRead');
//  }
//}



Re: Using AJAX for Image Passwords - AJAX Security Part 1 of 3

This one doesn't work very well either...interesting though...

Re: Using AJAX for Image Passwords - AJAX Security Part 1 of 3

Impressive! Needs refinement, but it's still very impressive.

Re: Using AJAX for Image Passwords - AJAX Security Part 1 of 3

It's impressive; however, trying to log in with a different pointing device than the recorded one (big mouse, touchpad, trackball, pen, other sensitivity settings) may result in difficulties.

Re: Using AJAX for Image Passwords - AJAX Security Part 1 of 3

hi

Re: Using AJAX for Image Passwords - AJAX Security Part 1 of 3

The only problem with it is the inevitable human error.

Re: Using AJAX for Image Passwords - AJAX Security Part 1 of 3

Interesting article
