Startup Replacing Passwords With Patterns (Shayype)

By: Brian Rhodes, Published on Jun 28, 2017

This startup, Shayype [link no longer available], aims to eliminate passwords, replacing them with patterns.

Problems with passwords are clear, as simple passwords, re-used passwords, brute force attacks on passwords, etc. create significant problems.

But can 'patterns' fix this problem?

Inside this report, we share our test findings on Shayype's approach.


Comments (16)

I know that a Canadian company Cryptocard had something similar to this. I thought it was patented. Now Cryptocard was sold to Safenet, which is now part of Gemalto. I wonder if these people will get sued. :)

That's a good find!

Here is a video of Gemalto's GrIDsure:

The similarities here are strong. I'll ask Shayype to comment on where/why/if their system is different.

I emailed Jonathan Craymer, one of the developers of Shayype, to ask about the similarities between it and Gemalto's GrIDsure. His response:

"I was the originator of Gridsure (Wikipedia https://en.wikipedia.org/wiki/GrIDsure ) with Stephen Howes, who I hired in as a jobbing technician to do some programming.

However Shayype is a far more developed version, offering scalability for millions of users and the addition of a high security version.

You’ll also notice from the Wiki text that a mathematician Mike Bond criticised Gridsure because in theory a hacker who records the grid display and the characters typed in say 2-3 times could perhaps work out the user’s pattern.

For this reason we’ve created a high security version (Shayype HSS) which doesn’t use the device’s keyboard, preventing a hacker knowing which characters have been typed in. This means in our view that an attacker would have to record/film the login operation several thousand times – which of course they’re unlikely to do."

Essentially, Craymer says that Shayype's separate keypad/ not matrix screen touchpad and obscured displayed inputs (*, not a number) make observation more difficult than the Gemalto version.

For this reason we’ve created a high security version (Shayype HSS) which doesn’t use the device’s keyboard, preventing a hacker knowing which characters have been typed in. 

Since the public information regarding Shayype HSS is apparently limited to this one line, it's hard to evaluate it.

However, in regards to the viability of an access control application: if it indeed forgoes the embedded device input for one using a mobile device, I would wonder what the point is anyway, since many other less cumbersome options exist already, if a smartphone is required.

While more difficult to explain than PINs, Shayype patterns can still be explained or sketched out and given to unauthorized users.

1 6 31 36 15 22 may not need much explaining :)

This makes it more challenging for a casual shoulder surfer to catch your PIN, but a determined person might catch video of the session, and the user's pattern can then be determined as long as the session pattern and the entered PIN are captured.

Maybe it's unlikely to be able to get this on video thanks to a polarized filter limiting the angle of view and a well-obscured key pad, in which case I guess it's pretty good at preventing stolen credentials.

But it's only marginally more difficult to share the pattern with a friend than a PIN. Their demonstration video shows just how to do it. A quick scribble on a sticky note and the credentials are shared.

And any modern ACS should support resetting the password via an email link. Every WordPress blog out there does it, and it's free, so that doesn't really excite me. It should be standard.

If you want to prevent sharing of access control credentials, use dual factor authentication, anti pass back, and strong company policy against sharing.

The multifactor authentication itself will strongly limit the possibility of stolen access credentials, and scheduled access along with anti pass back will pretty much limit unauthorized access to the folks who are going to get in no matter what electronic measures are in place.

Afaik, all of this is already available on the market, so as innovative as Shayype's system appears to be, imo it is not adding significantly more security than what is already available in the market.

Just me?

but a determined person might catch video of the session, and the user's pattern can then be determined as long as the session pattern and the entered PIN are captured.

No, that would not be enough due to the duplicate digits in the grid. For instance, Brian's 411022 one-time password yields many thousand compatible patterns, not just his valid one of four corners and two center, so you would not be able to try them all before lock-up.

On the other hand, if you were able to secretly catch video of several logins by the same person, each with their own key grid, you could eventually determine the pattern, by deduction.

Maybe a quant could work the math correctly, but it would go something like each numeric code might be compatible with 50,000 patterns, ~6^6.  Each attempt would yield another 50,000.   Any patterns not in the patterns from the previous attempts would be discarded, since the correct pattern would have to be present in all keys.

Rinse and repeat till there is only one left. Maybe you could do it with just a handful of tries, or maybe they do something that would make it much harder, but one login definitely is not enough.

Unless you're really lucky :)
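The deduction sketched in the comment above (keep only the patterns compatible with every observed grid/code pair) can be quantified rather than estimated. The following Python simulation is an added example; it is not part of the IPVM article and not Shayype's code. It assumes what the thread states: a 6x6 matrix of 36 cells each showing a digit 0-5, a six-cell pattern that may repeat cells, and a challenge grid drawn uniformly at random for every login. The pattern, the grids and the seed are constructed here. The useful output for a defender is the candidate count after each observed login: one observation leaves tens of thousands of candidates, which is why a single recording is not enough, but the count collapses within a few observations, which is the exposure a lockout policy or a second factor has to cover.

```python
import itertools
import random

# Assumed parameters, taken from the thread: a 6x6 matrix (36 cells) showing
# digits 0-5, and a secret pattern of six cells (cells may repeat).
CELLS = 36
DIGITS = 6
PATTERN_LEN = 6


def random_grid(rng):
    """One challenge grid: a digit 0-5 for each of the 36 cells (constructed)."""
    return [rng.randrange(DIGITS) for _ in range(CELLS)]


def one_time_code(grid, pattern):
    """The code the user types: the digits the grid shows at the pattern's cells."""
    return tuple(grid[cell] for cell in pattern)


def compatible_patterns(grid, code):
    """All cell sequences that would have produced `code` on `grid`.

    Built position by position, so it is the product of six small sets
    (about 6 cells per digit) instead of a scan of all 36**6 sequences.
    """
    per_position = [[c for c in range(CELLS) if grid[c] == d] for d in code]
    return set(itertools.product(*per_position))


def candidates_after_each_login(pattern, grids):
    """Candidate-set sizes after 1, 2, ... observed logins.

    The first observation gives the full compatible set; each later one keeps
    only candidates that also reproduce that login's code on that login's grid.
    """
    sizes = []
    survivors = None
    for grid in grids:
        code = one_time_code(grid, pattern)        # what an observer saw typed
        if survivors is None:
            survivors = compatible_patterns(grid, code)
        else:
            survivors = {p for p in survivors if one_time_code(grid, p) == code}
        assert pattern in survivors                # the true pattern is never eliminated
        sizes.append(len(survivors))
    return sizes, survivors


def expected_false_candidates(observations):
    """Closed-form estimate: wrong patterns that survive k observations.

    A wrong 6-cell sequence matches a random grid's code with probability
    6**-6, so of the 36**6 - 1 wrong sequences about (36**6 - 1) / 6**(6k)
    remain after k independent grids; for k = 1 that is ~6**6 (= 46656),
    which is the "~6^6" figure given in the comment.
    """
    return (CELLS ** PATTERN_LEN - 1) / DIGITS ** (PATTERN_LEN * observations)


def simulate(seed=7, logins=5):
    """Run the deduction for a constructed user pattern over `logins` observed logins."""
    rng = random.Random(seed)
    # Constructed pattern: the four corners of the 6x6 grid plus two centre cells,
    # with cells numbered 0-35 row by row.
    pattern = (0, 5, 30, 35, 14, 21)
    grids = [random_grid(rng) for _ in range(logins)]
    sizes, survivors = candidates_after_each_login(pattern, grids)
    return sizes, survivors == {pattern}


if __name__ == "__main__":
    sizes, recovered = simulate()
    for k, n in enumerate(sizes, start=1):
        print(f"after {k} observed login(s): {n} candidate pattern(s), "
              f"expected ~{expected_false_candidates(k):.2f} false ones")
    print("pattern uniquely determined:", recovered)
```

The closed form and the simulation agree: roughly 6^6 candidates after one login, about one false candidate left after two, and essentially none after three, so the "2-3 times" figure quoted from Mike Bond's critique of GrIDsure is what the arithmetic predicts. Whether Shayype HSS changes this depends on the observer not seeing the typed digits, which is exactly the property the thread notes is not publicly documented.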

Gah, you're right. My mistake! Still, that is pretty much the only attack this addresses and it seems to me it can be reasonably addressed with existing technology. But if you can add this to the list of available security features, why not I guess.

Can I phish it by creating a fake image of the box to capture the pattern? It seems that all I need is the pattern and it doesn't matter what the random numbers are.

The attack just changed from capturing the random numbers to capturing a static pattern.

Each number appears multiple times, so even a phishing attempt would require multiple observations to understand a pattern.

I'll ask Shayype for specifics, but a single phishing attempt will not likely divulge the pattern.

It's phishing the pattern, not the random numbers 

But they don't draw the pattern, they only give you numbers back that correspond to many patterns, only one of which is the one that the user set up.

If you were to make every number on your displayed grid unique your method would work, but since there are 36 squares normally, only using the digits 0-5, such a grid would clearly be a forgery.

So if I were to present you a fake page that had the image and layout of the matrix with arbitrary numbers, and you were to click on the fake matrix, then I would be able to know your pattern and order.

I wouldn't be able to login at that moment, but I accomplished my goal. 

Once I have your pattern and order, I can go to the real site, click on the real squares, grab the real random numbers to login to the real site 

Then there is the MITM attack. 

So if I were to present you a fake page that had the image and layout of the matrix with arbitrary numbers, and you were to click on the fake matrix....

There is no clicking on any matrix to log in, look at Brian's video above.

The only time you click on the matrix is when you set up the pattern for the first time, and then there are no numbers.

Conceivably, you could phish them to change their pattern, but that doesn't help you know their previous, still valid pattern.

However, it can be done, you just need several attempted logins with different grids to deduce, as I wrote above.

Yes, that makes sense.

This is correct, Shayype users do not touch a pattern on the matrix. They visualize the pattern but never physically divulge it.
