What mechanisms could be used to easily generate a high entropy password on a smartphone without having to resort to alphanumeric input?

Question

I'm working on a version of Password Safe for android. Password Safe uses a passphrase to encrypt your passwords, but typing out long passphrases on a smartphone can be tedious, especially if they're masked. I'd like to investigate using alternatives to a passphrase, such as arrays of simple images.

Are there any good examples of such password methods? What kinds of images are best? Zener Cards seem like a good choice but don't seem to lend themselves to mnemonic devices, certainly not for the number of values you'd need to get a strong passphrase.

EDIT: Some precepts might help. The point of password safe is that the file containing the passwords is encrypted with a strong key that is never stored. On a PC this strong key is a cryptographic hash of a phrase or word you enter when you want to unlock the safe. The safe automatically 'forgets' the password you gave it and drops all the unencrypted versions of the data after X minutes so that you're not vulnerable.

Ideally, I'd like to see a version of password safe that can be decrypted with one of two equally strong keys, with one of the keys being suited to an alphanumeric keyboard, while the other one would be the answer to the question.

So far the best idea I've come up with is to allow a user to enter a phrase for which a rebus could be created, and have an image based rebus entry be the resulting input method.

Answer 1

If you could invent some physical shake pattern recognition, it would be amazing. I've always wanted that.

Answer 2

Have you seen the Droid lock screen? You could use that as a base for ideas.

This particular idea uses a series of interconnected points as a pass phrase but a simple option could be a set of toggles (check boxes) similar to some bike locks.

P.S. One great thing about this type of security method (Droid Lock Screen) is that the input is very fast. You can get through with a single stroke (though the image shows a very complex one.)

Answer 3

Is the goal to prove one's identity to a program or device that can log false attempts, or to provide a secret which could be validated without informing a trusted party? The level of entropy required for the former scenario is much less than for the latter.

Answer 4

One big problem you have to overcome is that touch screens tend to leave smudges when used, and without care, those will give away information about the password. One common technique to avoid this is to rearrange the keys on each input, but that slows down entry a lot, as users have to look carefully to figure out where the requisite digit is.

The alternative, which I'd suggest, would be to use a long passphrase with a relatively small number of options, so that any given passphrase will use most or all of the options, meaning you can't tell anything useful from the smudges.

What that exact mechanism is is still a very good question, but I don't think a long numeric pin would be out of the question.