Startup Replacing Passwords With Patterns (Shayype)

By: Brian Rhodes, Published on Jun 28, 2017

This startup, Shayype, aims to eliminate passwords, replacing them with patterns.

Problems with passwords are clear, as simple passwords, re-used passwords, brute force attacks on passwords, etc. create significant problems.

But can 'patterns' fix this problem?

Inside this report, we share our test findings on Shayype's approach.

**** *******,*******, **** ** ********* passwords, ********* **** **** patterns.

******** **** ********* *** clear, ** ****** *********, re-used *********, ***** ***** attacks ** *********, ***. create *********** ********.

*** *** '********' *** this *******?

****** **** ******, ** share *** **** ******** on *******'* ********.

[***************]

Uses ********, *** *******

****** **** * ***** password ** ***,*********** * ****** ** changing ******* **** ********** to ***** ** *** display. ** ***** *********, the **** ***** ** the ******** ******* ********* the ***** ** * sequence ******* **** **** previously *******.

*** ********* ***** ***** example ********* *** ***** of *** ******** ***** composing * ******* ********:

*** *** ** *** pattern's ********, ** **** future ********* **** *** entirely ********* *******. *** interface ********* / ****** numbers ***** **** ********* when *** ****** ** moved:

******* ****** **** *** matrix ****** '*.* ******* possible ******** ** *** 6x6 ****** (** *** use *** **** *****)', and **** ** '**** if ******* ***** *** same *******, **** *********** of ******* *** ****-**** will ** *********', ********* in * ****** ********, single *** '****' ******* of * ********.

********** * *******, ** forgetting * *** *** that ******, ******* ******* or ******** ******* ** reset **. ** *** case ** *******'* **** website, **** **** * reset **** ***** ***** chose * *** *******.

Overview *****

** *** ***** *****, we **** *** ******* works *** *** ** is ********* **** ******** based **************:

Claimed **********

******* ****** **** ******* one **** ***** ****** be ****** *** ********** patterns ** ******* *** not **** ** *****, their ****** ** **** secure. ** ******** ** the ******* ******** *** password, ******* ****** ******* other ********** **** ******** passwords, *********:

  • ** ****** '*****': **** *******, ***** do *** **** ** touch *** ******, ** fixed ******* ******* ** enter * ****, *** only *** *** ******* with ***** **** *** enter ** ***** * separate ******. **** ** different **** *********** ******* where **** ****, ********* use ** **** ******** buttons *** ****** ****** or ****, '*******' ********* threats ***** ******* *** used *** ***** ******. Shayype's *** ****** *** a **** ** ******* buttons ** *** **** that ** *** **** someone ******** ** **** of *** ******* ***** used.
  • ****-**-*****: ** *** ********* values *** ******* * - *, **** ***** is ******** ******** ***** on *** ******, ******* complicating *******. ** ******* sees * **** ***** entered, ** ***** *********** be ******* ********* ********.
  • ******* ************: **** ** ***** prefer ****** ********, **** 'L- ******' ** '**** corners', *** ***** *** pattern ** ******* **** also ** *****, ** moving **** *****-**-****, ** leaving * ***, ** pressing *** **** **** twice **** ** *** obscurity ** * ******** roster ** ******. ********, key ******* ** ****** passwords *** ******* ** themselves, ** *** ****** they ******* ** **** symbolic ** * ******** pattern *** ********* *********.

Online ****

*** ******* ***** *'***** ** *******' ******* ***** *******. **** users ****** ***** *********, Shayype ******* ** ******* page ********** *** *** *** how ******** *** ********** *** *** *** system ***** **********.

***********

*** *** ******* ********, Shayype's ****** **** **** drawbacks, ********** *** *** physical ******** ******. *** top **** *******:

  • ** ******* ***: ******* ** ***** an **** **** * very ***** ***-****** **********, and *** *** *** been ******* ** ******** in ** *** ********. While * ********** ****, the ******** ***** *** history *** *** ******* lacks ********** ** ********** use *** **********.
  • ******** ***** ********: ***** **** ********* to ******* **** ****, Shayype ******** *** ***** be ********* ** ******** out *** ***** ** unauthorized *****. **** ***** that ************* ******** ** codes *** ** *******, but ********* ********** ***** can ***** ***** ***** codes.
  • *****-***** ****: ******* ** ***** developed ** *** **-********** from ******* ******** ******** or *************,*** **** ********** ** marketing *** ***************** *** ***** ********* ********* ******** **** Philips, *****, ***, *** T-Mobile. *******, ******* *** have *********** ********** ******** new ******** ** ****** or ********** *** ******** through ******* ******.

Vote / ****

Versus ************

*** ******** ******** ************, Shayype ***** ** ** interesting *** *** ******** access ******* ** ******* for *** ** ****** readers. ****** **** ******* stagnant **** **** *** quickly ** ********* ** observed ** ************ *****, Shayype ***** ******* '*********** security' ** ******* ** using * ********* ****** of ********** ***** *****.

**** '**** ********' ******* that ********* ***** ******* are ****** ******* **** still **** ****** ***** stolen **** ********, ** the ***** ** *** code **** *** ****** nor **** *** ********* the ******* ******. ****** forms ** ************ **** like *****, ** ***** in ******** ******* ****: ***********:

******* *********** ******** *** security ** **** ** not ***** ***** ********* at ***, ******* ************* a *********** **** **** of ****** **********.

Still ***** ** ******

** *** ********* *** Shayype's *******-***** ****, *** the ****** *** ******* needs ** *********** ** can ** **** **** effectively *** ********, ***** the **** ** ***** record *** **** ********.

Comments (16)

Undisclosed End User #1

07/06/17 03:01pm

I know that a canadian company Cryptocard had something similar to this. I thought it was patented. Now Cryptocard was sold to Safenet, which is now part of Gemalto. I wonder if these people will get sued. :)

Avatar

Brian Rhodes

IPVMU Certified | In reply to Undisclosed End User #1 | 07/06/17 04:22pm

That's a good find!

Here is a video of Gemalto's GrIDsure:

The similarities here are strong. I'll ask Shayype to comment on where/why/if their system is different.

Avatar

Brian Rhodes

IPVMU Certified | In reply to Undisclosed End User #1 | 07/07/17 05:58pm

I emailed Jonathan Craymer, one of the developers of Shayype, to ask about the similiarities between it and Gemalto's GrIDsure. His response:

"I was the originator of Gridsure (Wikipedia https://en.wikipedia.org/wiki/GrIDsure ) with Stephen Howes, who I hired in as a jobbing technician to do some programming.

However Shayype is a far more developed version, offering scalability for millions of users and the addition of a high security version.

You’ll also notice from the Wiki text that a mathematician Mike Bond criticised Gridsure because in theory a hacker who records the grid display and the characters typed in say 2-3 times could perhaps work out the user’s pattern.

For this reason we’ve created a high security version (Shayype HSS) which doesn’t use the device’s keyboard, preventing a hacker knowing which characters have been typed in. This means in our view that an attacker would have to record/film the login operation several thousand times – which of course they’re unlikely to do."

Essentially, Craymer says that Shayype's separate keypad/ not matrix screen touchpad and obscured displayed inputs (*, not a number) make observation more difficult than the Gemalto version.

Undisclosed #2

In reply to Brian Rhodes | 07/07/17 06:14pm

For this reason we’ve created a high security version (Shayype HSS) which doesn’t use the device’s keyboard, preventing a hacker knowing which characters have been typed in.

Since the public information regarding Shayype HSS is apparently limited to this one line,

its hard to evaluate it.

However, in regards to the viability of an access control application;

if it indeed forgoes the embedded device input for one using a mobile device, I would wonder what the point is anyway, since many other less cumbersome options exist already, if a smartphone is required.

Undisclosed #2

07/07/17 05:01am

While more difficult to explain than PINs, Shayype patterns can still be explained or sketched out and given to unauthorized users.

1 6 31 36 15 22 may not need much explaining :)

Undisclosed #3

07/07/17 05:34am

This makes it more challenging for a casual shoulder surfer to catch your pin, but a determined person might catch video of the session, and the users pattern can then be determined as long as the session pattern and the entered pin are captured.

Maybe it's unlikely to be able to get this on video thanks to a polorized filter limiting the angle of view and a well-obscured key pad in which case I guess it's pretty good at preventing stolen credentials.

But it's only marginally more difficult to share the pattern with a friend as a pin. Their demonstration video shows just how to do it. A quick scribble on a sticky note and the credentials are shared.

And any modern ACS should support resetting the password via an email link. Every WordPress blog out there does it, and it's free, so that doesn't really excite me. It should be standard.

If you want to prevent sharing of access control credentials, use dual factor authentication, anti pass back, and strong company policy against sharing.

The multifactor authentication itself will strongly limit the possibility of stolen access credentials, and scheduled access along with anti pass back will pretty much limit unauthorized access to the folks who are going to get in no matter what electronic measures are in place.

Afaik, all of this is already available on the market so as innovative as shayypes system appears to be, imo it is not adding significantly more security than what is already available in the market.

Just me?

Undisclosed #2

In reply to Undisclosed #3 | 07/07/17 06:54am

but a determined person might catch video of the session, and the users pattern can then be determined as long as the session pattern and the entered pin are captured.

No, that would not be enough due to the duplicate digits in the grid. For instance, Brian's 411022 one-time password yields many thousand compatible patterns, not just his valid one of four corners and two center, so you would not be able to try them all before lock-up.

On the other hand, if you were able to secretly catch video of several logins by the same person, each with their own key grid, you could eventually determine the pattern, by deduction.

Maybe a quant could work the math correctly, but it would go something like each numeric code might be compatible with 50,000 patterns, ~6^6. Each attempt would yield another 50,000. Any patterns not in the patterns from the previous attempts would be discarded, since the correct pattern would have to be present in all keys.

Rinse and repeat till there is only one left. Maybe you could do it with just a handful of tries, or maybe they do something that would make it much harder, but one login definitely is not enough.

Unless you're really lucky :)

Undisclosed #3

In reply to Undisclosed #2 | 07/07/17 07:01am

Gah, you're right. My mistake! Still, that is pretty much the only attack this addresses and it seems to me it can be reasonably addressed with existing technology. But if you can add this to the list of available security features, why not I guess.

Paul Shah

07/08/17 12:26am

Can I Phish it by creating a fake image of the box to capture the pattern? It seems that all I need the pattern and it doesn't matter what the ransom numbers are.

The attack just changed from capturing the the random numbers to capturing a static pattern.

Avatar

Brian Rhodes

IPVMU Certified | In reply to Paul Shah | 07/09/17 02:57am

Each number appears multiple times, so even a phising attempt would require multiple observations to understand a pattern.

I'll ask Shayype for specifics, but a single phising attempt will not likely divulge the pattern.

Paul Shah

In reply to Brian Rhodes | 07/09/17 07:31am

It's phishing the pattern, not the random numbers

Undisclosed #2

In reply to Paul Shah | 07/09/17 06:33pm

But they don't draw the pattern, they only give you numbers back that correspond to many patterns, only one of which is the one that the user set up.

If you were to make every number on the your displayed grid unique your method would work, but since there are 36 squares normally, only using the digits 0-5, such a grid would clearly be a forgery.

Paul Shah

07/09/17 07:50pm

So if I were to present you a fake page that had the image and layout of the the matrix layout with arbitrary numbers, you were to click on the on the fake matrix and then i would be able to know your pattern and order.

I wouldn't be able to login at that moment, but I accomplished my goal.

Once I have your pattern and order, I can go to the real site, click on the real squares, grab the real random numbers to login to the real site

Then there is the MITM attack.

Undisclosed #2

In reply to Paul Shah | 07/09/17 08:35pm

So if I were to present you a fake page that had the image and layout of the the matrix layout with arbitrary numbers, you were to click on the on the fake matrix....

There is no clicking on any matrix to log in, look at Brian's video above.

The only time you click on the matrix is when you setup the pattern for the first time, and then there are no numbers.

Conceivably, you could phish them to change their pattern, but that doesn't help you know their previous, still valid pattern.

However, it can be done, you just need several attempted logins with different grids to deduce, as I wrote above.

Paul Shah

In reply to Undisclosed #2 | 07/09/17 08:41pm

Yes, That makes sense

Avatar

Brian Rhodes

IPVMU Certified | In reply to Undisclosed #2 | 07/10/17 01:52am

This is correct, Shayype users do not touch a pattern on the matrix. They visualize the pattern but never physically divulge it.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports on Startup

ZeroEyes Gun Detection Startup on Jul 16, 2019
A gun detection video analytics startup, ZeroEyes, is being led by a group of 6 former Navy SEALs, aiming to "save lives" by using AI to assist...
Calipsa - UK AI Startup Profile on Jul 10, 2019
Analytic startups are a major industry trend. One UK company, Calipsa is aiming to use AI to filter out false positive alarms for live video...
2019 Mid-Year Video Surveillance Guide on Jul 01, 2019
IPVM's new 400+ page Mid-Year Industry Guide brings all of these issues and events together in a single resource to read and review. It can be...
Directory of 59 Video Surveillance Startups on Jun 25, 2019
This directory provides a list of video surveillance startups to help you see and research what companies are new or not yet broadly known. 2019...
Startup Vaion Launching End-to-End AI Solution Backed with $20 Million Funding on Jun 17, 2019
An EU / USA video surveillance startup, Vaion, founded by ex-Cisco Senior Directors is launching an end-to-end VSaaS platform with $20 million in...
Carnegie Mellon AI Startup Zensors Profile on Jun 11, 2019
Zensors is a startup formed by Carnegie Mellon graduates from a Carnegie Mellon research project, offering customized models per camera that they...
Directory of 30+ VSaaS / Cloud Video Surveillance Providers on Jun 07, 2019
This directory provides a list of VSaaS / cloud video surveillance providers to help you see and research what options are available. 2019 State...
Startup Rhombus Systems Says Twice the Features, Half the Price of Verkada on Jun 04, 2019
Closed cloud systems may be the fastest growing segment of video surveillance with Meraki and Verkada. Now another California company is joining...
OWAL Startup Profile - Ex-Googler Cloud AI Video Platform on May 29, 2019
OWAL, a NYC-based startup developing AI video analytics, is aiming to "improve the quality of life" within high-rise apartments, and commercial...
11 Facial Recognition Providers Review (Secutech) on May 09, 2019
Adding to our 19 Facial Recognition Providers Profiled report from ISC West, IPVM focused on facial recognition technology for our Day 2 coverage...

Most Recent Industry Reports

Wyze Disruptive AI Analytics Tested on Jul 17, 2019
$20 camera disruptor Wyze has released free person detection deep learning analytics to all of their users, claiming users will "Only get notified...
Anyvision Aims For 2022 Revenue of $1 Billion on Jul 17, 2019
Only 3 video surveillance manufacturers do a billion dollars or more in annual revenue - Hikvision, Dahua, and Axis. Now, Anyvision plans to join...
HD Analog vs IP Guide on Jul 16, 2019
For years, HD resolution and single cable signal/power were IP camera advantages, with analog cameras limited to much lower resolution and...
How To Troubleshoot Wiegand Reader Problems - Inverted Wiring on Jul 16, 2019
Wiegand is the dominant method of connecting access readers, but problems can arise for installers. In fact, one of the most difficult reader...
ZeroEyes Gun Detection Startup on Jul 16, 2019
A gun detection video analytics startup, ZeroEyes, is being led by a group of 6 former Navy SEALs, aiming to "save lives" by using AI to assist...
Motorola Acquires Watchguard, Adds to Vigilant And Avigilon on Jul 15, 2019
2 years ago, Motorola had no position nor relevancy to video surveillance. Now, they own major video surveillance, LPR and body camera providers...
Hikvision Global News Reports Directory on Jul 15, 2019
Hikvision has received the most global news reporting of any video surveillance company, ever, ranging from the WSJ, the Financial Times, Reuters,...
Vivotek Trend Micro Cyber Security Camera App Tested on Jul 15, 2019
Vivotek and Trend Micro are claiming five million blocked attacks on IP cameras, with their jointly developed app for Vivotek cameras. This new...
Beware African 50,000 IP Camera Contract Scam on Jul 12, 2019
A “Nigerian Prince” scam for the video surveillance market is going around. You, or at least we, could be lucky enough to be the single bidder for...
Axis ARTPEC-7 P1375-E Camera Tested on Jul 12, 2019
Axis claims the new P1375-E box camera with ARTPEC-7 chip delivers "clear, sharp images in any lighting condition." But how well does it do? We...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact