Microsoft Uses Inkblots in Password Generation

Microsoft Research has just launched a new Web site, InkBlot, which shows a series of Rorschach inkblots and helps users create a secure, personal password that is easy to remember. The user is presented with a sequence of random inkblots. Each should remind the user of a word: a butterfly or a pumpkin, for example. For each image, the user then types the first and last letters of the word that comes to mind, such as 'by' for butterfly or 'pn' for pumpkin. The site currently has 1,000 inkblots in its database.

Passwords almost always suffer from one or more serious problems. Users have a difficult time remembering strong (high-entropy, hard to guess) passwords. Users handle this difficulty by recording their password somewhere insecure, by selecting a weak but memorable password, or by using the same password at multiple sites. You can also learn more about the principles behind inkblot passwords in Microsoft Research Technical Report MSR-TR-2004-85.
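An added example, not from the original article or from Microsoft Research: it derives the two-letter code per inkblot as described above and measures how much entropy one inkblot contributes when users' word associations are skewed. The survey counts in SAMPLE_BLOT are constructed for illustration, and the function names are hypothetical.

```python
import math
from collections import Counter

def blot_code(word):
    """First and last letter of the associated word, as the scheme prescribes."""
    w = word.strip().lower()
    if not w:
        raise ValueError("empty association")
    return w[0] + w[-1]

def password(words):
    """Concatenate the per-inkblot codes in the order the blots are shown."""
    return "".join(blot_code(w) for w in words)

def code_distribution(assoc_counts):
    """Collapse word frequencies to letter-pair frequencies.

    Different words can share a code ('butterfly' and 'baby' both give 'by'),
    so the code distribution is never flatter than the word distribution.
    """
    codes = Counter()
    for word, n in assoc_counts.items():
        codes[blot_code(word)] += n
    total = sum(codes.values())
    return {code: n / total for code, n in codes.items()}

def shannon_bits(dist):
    """Average uncertainty of one inkblot's code, in bits."""
    return -sum(p * math.log2(p) for p in dist.values())

def min_entropy_bits(dist):
    """Worst case: bits of uncertainty against a guess of the most common code."""
    return -math.log2(max(dist.values()))

# Constructed data: words 16 hypothetical users associated with one inkblot.
SAMPLE_BLOT = {"butterfly": 6, "baby": 2, "bat": 4, "pumpkin": 2, "moth": 2}

# Upper bound if both letters were uniformly random: log2(26 * 26) bits.
UNIFORM_BITS = math.log2(26 * 26)

if __name__ == "__main__":
    dist = code_distribution(SAMPLE_BLOT)
    print("example password:", password(["butterfly", "pumpkin"]))
    print("code distribution:", dist)
    print(f"Shannon entropy per blot: {shannon_bits(dist):.2f} bits")
    print(f"min-entropy per blot:     {min_entropy_bits(dist):.2f} bits")
    print(f"uniform two-letter bound: {UNIFORM_BITS:.2f} bits")
```

If the inkblots in a sequence are treated as independent (an assumption), the per-blot figures add up across the sequence, so the gap between the measured entropy and the uniform bound grows with every blot.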

One question that comes to mind: if the site is saving the word associations, does that mean it is saving your password too?

Link: InkBlot
News source: WinVistaClub


Forgive me for being sceptical, but I dare say that a lot of these inkblots end up having similar results. There may be 100 different opinions as to what each one means, but 100 is still a lot less than the number of possibilities of a dictionary search.
So, with a little bit of research, isn't it feasible to assume that someone could get a big list of the most frequently picked associations with the various inkblots and thus narrow down their results considerably?

Let KeePass generate your passwords, and secure the vault with a good passphrase. I never memorize passwords any more. Give a copy of your vault to all your friends, so there's no risk of loss. KP will also fill in the login/pw boxes on webpages. End of story.

I'm like Yossarian with fish ("What does this fish remind you of?" "Other fish" "And what do other fish remind you of?" "Other fish") in Catch-22 when it comes to inkblots: An inkblot looks to me like an inkblot regardless of attempts to engineer me to see a dog with an axe in its head (c.f. Watchmen). This would make my passwords "it" across the board.

That aside, the sign-up box on looks like a Scottish thistle painted by a 2yo with lumps of potato. Unfortunately that then equates to, that's right, an inkblot.

The use of the first and last letters raises an issue: whilst you can have a very strong password with seemingly random characters, words have a very small subset of permutations, and first and last letters of those words even more so. I can't think of a word that ends with "j" or "q" (proper nouns excepted), so that further reduces the subset.

The reference to great, thought-provoking literature seems somehow out of place here. :P

I never did fully wrap my head around that book, and the movie just plain stank!

Nice idea...

However, my password will now all be: bt bt bt bt bt bt bt bt

Coz I saw.

Another Bat
errr, a group of bats
bat wearing a tuxedo
oh and there was one turtle. But it could have just been a green bat.

So I am either crap at making up passwords or have no imagination

It's a good concept, I hope they are able to let it take off. People will assign meaningful shapes to seemingly random blots due to each individual's own life experiences. Presumably, if you see someone else's inkblots, they will represent different things to you, since you have your own experiences to color your judgement.

Oh, by the way: is a research project deployed by Microsoft Research. It is for demonstration and research purposes only. You are welcome to try it out, but we make absolutely no promise that our implementation will protect your password. Don't use your account here to protect any data you care about, from money to your reputation. We also make no promise that the site will continue running. Should the service prove successful, Microsoft may consider offering the service as a commercial product or service. For now, consider it an unreliable, insecure service run by a couple research coneheads in their spare time, and trust it accordingly.

Microsoft Research will study the usage patterns of users of this site, to help us evaluate the inkblot password scheme. We will have access to the passwords and lists of OpenID consumer sites accessed by users of We will do our best to preserve the privacy of users of the site. However, we will report on our studies, including aggregate or anonymized versions of the data we have collected.

Privacy issues aside, I can see why it is necessary to have information about a person's password - you need to see whether people really do see different things in the blots, or else the system won't work.

I'm not sure if I understand this. Yes, I have been to the site!

But really can't see it helping to create stronger passwords. If the pictures are visible then other people could see the same word in the pictures. All you need is the username to access that user's sequence of pictures.
How many people would think butterfly for this one?

Also, what happens if the picture's meaning changes to you? In a space of 5 minutes, I can't remember what word I originally thought of for some of the pictures and now can't log in after several tries. The pictures are too vague.
Did I think of two doves, some flags, dancing people for this one?

Maybe I got something wrong as I'm just confused by it. The way I see it is that it would be better to remove the picture-word association from the system. Users should select their favourite images from a selection of pictures.

Yes, it is saving your password, and they can see it, which is why they recommend you don't use it for mission critical data.
Then again, I suppose Microsoft could see your .NET Passport password if they wanted, and that's a deployed service.

I'm fairly confident (or I would hope) that Microsoft uses a one-way hash (a fairly complex one at that) on your .NET password so it's not reversible. So really, they wouldn't know your password.

xmitchx said,
I'm fairly confident (or I would hope) that Microsoft uses a one-way hash (a fairly complex one at that) on your .NET password so it's not reversible. So really, they wouldn't know your password.

If they wanted it badly enough, they would bruteforce it, and a cluster of their servers would do that very fast.