Sunday, September 01, 2013

Quick look: PIXELPIN

A quick look at:

PixelPin says on their front page:

"Passwords are inherently flawed: they can be phished, hacked, dictionary attacked, and good ones are hard to remember. PixelPin solves all of these problems."
You really can't wave a bigger piece of red cloth in front of my eyes, so I had to take a quick look at what they have to offer. I like the idea of picture passwords, but I'm not all that happy about my observations here.

Background info

I have previously given my opinion on Windows 8 Picture Password. Dan Goodin at Ars Technica ran a story on the joint findings & opinions of Adam Caudill, the Russian company Passcape and me. Although Microsoft has some good info on the math & magic behind it, this isn't really about that. After reading about (or trying out) Windows 8 Picture Password and how it works (Circle, Line, Dot), take a look at the PixelPin introduction video on YouTube before you continue reading.

Getting started

So I headed over to their website, and clicked to sign up:

Clean, simple, and already on this page we learn that every account uses its email address as the username to sign in. Guessing user-selected usernames is usually harder, so already here we might have an option for verifying existing accounts. More on that later. Since they are using SSL (thank god!), I put them through the mandatory SSL Labs test:


Grade B, not PCI compliant. Oh well, why would we care if they are not running bank-level security? They just want to protect ... eh.... all your accounts, right? (PCI-DSS has quite a mess on passwords as well...)

Well, moving on with my registration. Compared to Microsoft, PixelPin asks for 4 picture points (dots), while Microsoft asks for 3, but offers a choice of using a circle, line or dot. PixelPin looks at the order of your selected dots (I think Microsoft does that too); Microsoft looks at start/end points as well as left/right circles.

So I'm asked to select a picture to be used for my picture authentication. Some people may recognize this particular picture from the penthouse at Palms Place, overlooking the strip (just change your focus for a second). Here I will click 4 points of interest (...), and I have to remember the order I did it:

And done! Or?

AHEM. Eh.... Let's rewind to the top, and quote PixelPin once again:
"Passwords are inherently flawed: they can be phished, hacked, dictionary attacked, and good ones are hard to remember."

Let me see if I'm getting this right.... PixelPin is asking, NO, forcing me to make my own challenge/response question/answer, to be used as my backup in case I forget the 4 points of interest I just selected? My oh my, as if I would ever.... Err... No, wait, there were more than 4 points of interest in that picture, right?

Well, let's make something then:

Ah. Restrictions you have! Is that for memorability, readability to your helpdesk (for manual resets), or what? And why not display those restrictions *before* I enter my question & answer?

Seconds after signing up, I got this email asking me to verify my email address:

...Sent to me using Google's mail services. "PixelPin will not send you sales messages or pass your details onto third-parties." Argh. Sorry, couldn't resist highlighting that. Probably because PixelPin doesn't say anywhere on their website that they use Google, how they use it, and for what purpose. I don't have a problem with Google, but I do have a problem with sites & services that don't tell me anywhere on their site how they will communicate with me before I sign up.

Oh; and that url, although using https, does contain some data that caught my attention as well. Didn't dig into the details though - a pentest, IT audit or usability review most certainly should.

Moving along....

So I'm all set up, account verified, and let's go back to that login screen:

Well, well, well: my standard email address doesn't exist ("Unknown user name"), because I accidentally didn't use the email address I specifically used to sign up. Hm. So now I can probably verify the existence of large numbers of accounts by brute-forcing my way through this interface and reading off the response. That's a bad thing, guys, and it should be fixed. This should be basic knowledge!

Let's try out the "forgot my points of interest" feature then:

Ah. An account lockout policy. 3 incorrect, and account is disabled for 2 hours. So how is your rate limiting configuration here? Any attempts/sec per IP + attempts/sec per username configuration? Any options for me, either as a single user, or a massive online service provider to tweak these settings ourselves? Hm. Maybe I should read your developer docs...

I could have written a lot more here, and I would love to hear your opinion on the recent findings of Ziming Zhao (homepage), as presented at USENIX Security '13 (video + pdf). Personally I like the idea of picture passwords because of the simplicity they offer to end users who are tired of passwords & PINs, who hate bringing their SecurID tokens everywhere, and who are not techie enough to use Google Authenticator.

What I don't like is usability solutions or improvements that claim to be security improvements. Increasing usability while maintaining or even increasing security is hard. So far I only see an improvement of usability, which is why I've deleted my test account with PixelPin until security is improved. 

I'm all up for discussing my concerns though. We'll do that over a beer or two when I'm in London next time Luke Briner, right? :-)
