
Why ‘Password Maps’ Are A Bad Idea

Update: Wow, F-Secure UK and KoreLogic are linking to this!

Over the last couple of weeks, multiple people pointed me to articles about the idea of using maps instead of passwords. Most of them pointed me either to this MSNBC article or to this Discovery News article. In a nutshell, the idea is that instead of a password field, you get a small box with a map like the one from Google Maps, and instead of typing in your password, you have to zoom to a location on the map that you specified during the registration process. Most of my friends were like "Hey, isn't that a great idea?", while I was like "No.". In this post, I want to explain why I think that using a map instead of a password is a bad idea.

Accessibility

In my opinion, everything on the web should be accessible to disabled or physically disadvantaged people. In the case of a map, this is just not possible:

Blind people, or people with severely impaired vision, simply can't see the map. They browse the internet using braille displays or text-to-speech systems, along with special browsers, most of which can't even execute JavaScript. (Just to make clear that this is a real problem: even projects like reCAPTCHA provide an audio-based alternative for people who are not able to see the captcha itself.)

Do you really want to lock these people out?

Technical Problems

With this approach, anyone who has disabled JavaScript can no longer log in. Also, most browsers on 'older' mobile phones don't work well with embedded maps, as they have only basic, broken or no JavaScript support. Then there's the massive bandwidth consumption: especially on mobile devices in areas where only 2G is available, it may take several minutes to zoom to your exact location. User friendly, isn't it?

Security

The article on MSNBC states:

By zooming down through the map to the high level of resolution, users can graphically produce a nearly unbreakable password that neither people nor viruses could track.

That's bullshit. There are several large problems with this approach; here are two of them:

Shoulder Surfing

The first thing that came to my mind when I read about the idea was "What about shoulder surfing?". Just imagine you're sitting next to someone who is logging in using this technique: how hard would it be to remember the exact location he zoomed to? Well, I actually tried it out: I told a friend of mine to remember a location on a map and then zoom onto it with all captions on the map disabled. Even though the place was somewhere in South America, I was able to remember the exact location he zoomed to. You may say "Hey, I could also read the password someone is typing off his fingers!", but that's a lot harder, as you can't actually see it on the screen. I bet no one manages to just read my password off my fingers without a well-placed hidden camera.

Just imagine you give a presentation to a crowd of people and everyone can actually see your password!

Actual Password 'Length'

Bill Cheswick, the guy behind this idea, states:

“You could have a 10 digit latitude, and a 10-digit longitude, then you have a 20-digit password.”

First, the math: as latitudes and longitudes consist of digits only, we have a 20-digit numeric password. This means there are 10^20 combinations, that's 100000000000000000000 different passwords. But remember: most of the earth is covered with water, and no one will actually be able to remember a place somewhere in the ocean. (According to Wikipedia, 71% of the planet is covered with water, but let's just ignore this fact and go on.)

How precisely do I have to zoom in to get this 10-digit latitude/longitude precision? Well, latitudes and longitudes range from 0 to 360, so we would need 8 digits after the decimal point to get the promised '20-digit password'. Take a look at "Usability" to get an idea of how realistic that is:

Usability

Let's pretend I'm not disabled, I'm not on a mobile network, no one is watching me and I'm using a modern browser with good JavaScript support. Let's also pretend I've set up my 'password' to be the center of the cathedral of Cologne, Germany.

An overview of the cathedral of Cologne:

[Image: overview map of the cathedral of Cologne]

I zoom further in, onto the center of the cross:

[Image: closer zoom onto the center of the cross]

Let's zoom in to the maximum zoom factor Google Maps offers and show the location I've set my 'password' to; in this case it's the point (written as a decimal fraction) "50.94132,6.95812":

[Image: maximum zoom, marker at 50.94132,6.95812]

Now, to get you an idea of the dimensions, I'll add a second marker with an increased longitude of 0.00001:

[Image: maximum zoom, second marker at 50.94132,6.95813]

Well, this should give you an idea of how realistic a 20-digit password is: in this case we have a longitude of 7 digits and a latitude of 6 digits, and it's already almost impossible to zoom to the exact location. And even if you manage to do so: how much would you have to practice to always hit the right location without first trying out at least 5 slightly different locations (and you don't even know in which direction your 'password' is off)? And don't forget: you'll want a different location for each service you log on to. So where does this 20-digit password myth come from?
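To put numbers on the two sections above (the claimed 20-digit keyspace versus what the 5-decimal precision of the markers and a realistic click tolerance actually give), here is an added example; it is not code from the original post. It assumes a spherical Earth with a mean radius of 6371 km and a server that accepts any click within a fixed tolerance radius of the secret spot (the tolerance radius is an assumed parameter); the 71% water figure is the post's.

```python
import math

# Assumptions (not from the post): spherical Earth with the mean radius below, and a
# server that accepts any click within a fixed tolerance radius of the secret spot.
EARTH_RADIUS_M = 6_371_000.0
LAND_FRACTION = 1.0 - 0.71   # the post's figure: 71% of the planet is water


def claimed_bits(digits: int = 20) -> float:
    """Entropy implied by the '20-digit numeric password' claim: 10**digits combos."""
    return digits * math.log2(10)


def grid_bits(decimals: int) -> float:
    """Entropy of a lat/lon pair quantised to `decimals` decimal places over the
    whole globe (180 degrees of latitude x 360 degrees of longitude), ignoring
    that most cells are ocean. decimals=5 matches the post's 50.94132,6.95812."""
    step = 10.0 ** -decimals
    return math.log2((180 / step) * (360 / step))


def lon_step_metres(lat_deg: float, step_deg: float) -> float:
    """Ground distance covered by one longitude step at a given latitude, i.e. how
    far apart the post's two markers (longitude +0.00001) really are."""
    return math.radians(step_deg) * EARTH_RADIUS_M * math.cos(math.radians(lat_deg))


def effective_bits(tolerance_m: float, land_only: bool = True) -> float:
    """Entropy once the server tolerates a miss of `tolerance_m` metres: the number
    of distinguishable secrets is the usable surface divided by one tolerance circle."""
    surface = 4 * math.pi * EARTH_RADIUS_M ** 2
    if land_only:
        surface *= LAND_FRACTION
    return math.log2(surface / (math.pi * tolerance_m ** 2))


if __name__ == "__main__":
    print(f"claimed 20-digit password       : {claimed_bits(20):5.1f} bits")
    print(f"5-decimal grid, whole globe     : {grid_bits(5):5.1f} bits")
    print(f"one 0.00001 deg step at Cologne : {lon_step_metres(50.94132, 0.00001):.2f} m")
    for tol in (1, 5, 25):
        print(f"land only, {tol:2d} m tolerance      : {effective_bits(tol):5.1f} bits")
```

Even before any tolerance is applied, the 5-decimal grid the post's markers sit on is far below the claimed 10^20 keyspace, and every metre of tolerance the server grants shrinks it further.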

Conclusion

I don't think this idea can replace passwords. I don't think it's impossible to write viruses that analyze the user's screen, find password maps and keep track of where the user zooms to, and I don't think this approach gives any advantage in usability or security. In fact, I think it's neither usable nor secure. I agree that we need new solutions, but this is definitely not the way to go. I'm also not sure whether replacing the password is the right way to go at all, but the spread of SSO and two-factor authentication is something that might make the net a bit more secure.