Geographical passwords that can never be hacked

Ziyad Al-Salloum of ZSS-Research in Ras Al Khaimah, UAE, is developing a system he calls geographical passwords. Writing in a freely available "open access" research paper in the International Journal of Security and Networks, Al-Salloum emphasizes how increasingly complicated our online lives are becoming with more and more accounts requiring more and more passwords. Moreover, he adds that even strong, but conventional passwords are a security risk in the face of increasingly sophisticated "hacker" tools that can break into servers and apply brute force to reveal passwords.

Al-Salloum has devised geographical passwords as a simple yet practical approach to access credentials that could provide secure access to different entities and at the same time mitigate many of the vulnerabilities associated with current password-based schemes.

The new ‘geo’ approach exploits our remarkable ability to recall with relative ease a favourite or visited place and to use that place’s specific location as the access credentials. The prototype system developed at ZSS-Research is capable of protecting a system against known password threats. 

"Proposing an effective replacement of conventional passwords could reduce 76% of data breaches, based on an analysis of more than 47,000 reported security incidents," Al-Salloum reports.

The geographical password system utilises the geographical information derived from a specific memorable location around which the user has logged a drawn boundary - longitude, latitude, altitude, area of the boundary, its perimeter, sides, angles, radius and other features form the geographical password. Once created, the password is then “salted” by adding a string of hidden random characters that are user-specific and the geographical password and the salt “hashed” together.

Thus, even if two users pick the same place as their geographical password the behind-the-scenes password settings is unique to them. If the system disallowed two users from picking the same location, this would make it much easier for adversaries to guess passwords.