new login feature

[GoogleCodeExporter]

I had 12 people at the hold-up, who were brainstorming around our problem with 
the passwords. The challenge was to find a way that first time users would

* remember their password,
* handle their password on their own and
* not share their password with anyone.

So, I made it quite abstract, explaining that there are cultural differences 
that also concern personal spaces and possession of things. After giving 
constraints such as

* no email reminders,
* no sms,
* keep in mind different languages and
* low budget.

I was very happy to see how eager everyone was to find a solution despite some 
initial skeptics of some people. The main thing I learned was that we need to 
involve emotions and story telling, if possible.

Have a look at the attached photos. I think the SenseMakers' best idea was to 
give the new users a selection of 50-100 icons/pictures on the landing page and 
let them think of a story or tell them a story, e.g. the dog chased the cat up 
the ladder, where they found an apple and looked at the sun (should be a bit 
more colourful of course ). Then, at first login, they have to drag the 
pictures that describe the story best (they can choose themselves) into an 
order. With every dropped picture appears one letter of their password that we 
generate for them as usual. Now, there is a second text field in which they 
have to copy by hand what they see. Only if they are correct, they are logged 
in. Every time they want to login again they can start with the story - which 
they won't forget! - and then practice typing the password. If they feel 
confident they can skip the first step and type it in directly.

I hope that I explained it well enough. To me, it sounds relatively easy to 
implement into awarenet (if generating a story out of pictures can count as a 
first password change perhaps?). Correct me if I am wrong and let me know what 
you think of the concept and if you think that can be done at some stage (when 
there is time and capacity). 

Original issue reported on code.google.com by a...@villagescribe.org on 9 Sep 2013 at 9:47

Attachments:

• [SenseCamp Berlin - 28.jpg](https://storage.googleapis.com/google-code-attachments/awarenet/issue-369/comment-0/SenseCamp Berlin - 28.jpg)
• [SenseCamp Berlin - 29.jpg](https://storage.googleapis.com/google-code-attachments/awarenet/issue-369/comment-0/SenseCamp Berlin - 29.jpg)
• [SenseCamp Berlin - 30.jpg](https://storage.googleapis.com/google-code-attachments/awarenet/issue-369/comment-0/SenseCamp Berlin - 30.jpg)

[GoogleCodeExporter]

Firstly, this is a brilliant concept.  In case some of the kids are copying 
stories one can add some entropy via selection of one's own initials. This 
selection would impact the letter revealed by the picture. Thus a picture does 
not stand for a letter in this scheme, rather it is calculated according to the 
letter or pictogram before it.

Original comment by Ooskapenaar@gmail.com on 11 Sep 2013 at 7:58

[GoogleCodeExporter]

I don't understand. The sequence of letters is generated automatically and has 
nothing to do with the pictures actually. But perhaps I miss the point here... 
:-)

Original comment by a...@villagescribe.org on 12 Sep 2013 at 6:15

[GoogleCodeExporter]

Original comment by a...@villagescribe.org on 13 Sep 2013 at 8:36

• Added labels: Priority-High
• Removed labels: Priority-Medium

[GoogleCodeExporter]

I think that it is a good idea but then again I can not see that it will be 
quickly developed (at least by me ;-)). It is flashy and might look good but 
thinking about it, every person needs some computer training and up till now 
computer training always taught the concept of a username and password, because 
you just find it everywhere.

Oops, I seem to out myself as a critic.

How young is the youngest awarenet user, can't be younger than grade 3? These 
kids will understand and use username and passwords quickly? Do cultural 
differences really apply here? Is it not that schools in general and awarenet 
in specific represent a kind of culture where a student learns about its ways 
and integrates him/her self with it when he uses it? Schools inherently have 
the concept of individual and ownership (your teacher, your class, your 
homework, your projects, your exam, your result) so the child student will 
automatically apply these concepts when doing awarenet through the school? The 
problem of a lost password can be solved by the teacher/admin generating a new 
one?

But let me not stand in the way if this is needed. Taking my experience with it 
into account so far, then I might be busy with that for a few of my working 
weeks ...

Original comment by appiapp...@gmail.com on 21 Nov 2013 at 8:41

[GoogleCodeExporter]

Thank you for your thoughts here, Michael. I understand that you have your 
doubts or that you don't really understand why this would be necessary. I would 
strongly recommend that you have a chat with Terri and Strix about that topic 
and ask her how much time she spends with passwords. Real experience is also a 
good way to understand. I invite you to join Terri, Antje or Rieke to a 
relatively new class one day to see for yourself how well passwords are 
remembered (or not). 

We would not have a problem if we could send password reminders, but for 
several reasons that isn't possible at this stage. However, I am happy to 
discuss a different solution if you have one.

Strix, Ron and I have all agreed that this solution is very innovative, 
exciting and could really work, so I am happy to try it out, even if it will 
take you some time. How many weeks would be "a few weeks" by your judgement?

Original comment by a...@villagescribe.org on 25 Nov 2013 at 8:12

[GoogleCodeExporter]

Hi Michael,
can you integrate the login feature for SciFest, please? 

The SciFest theme is "Into Space" and we are preparing a project about public 
and private space in the Internet incl. security. There will also be posters at 
SciFest explaining what e.g. Internet security means and how to surf in a save 
way. 

A very important part of this topic are passwords, and I would like to take 
this opportunity to introduce the new login feature to the public! 

awarenet sessions start in the 4th calendar week, and you are welcome to take 
part and see for yourself how passwords are handled in a new awarenet group. 
Please, coordinate with Terri. Thank you. 

Original comment by a...@villagescribe.org on 10 Jan 2014 at 12:49

• Added labels: Priority-Critical
• Removed labels: Priority-High

[GoogleCodeExporter]

I will start looking into this. First I have to find the "interception point" 
for the login to introduce my own code into the processing. Once I found this I 
will look for the best way of implementing this. I am not sure if I will manage 
to attend to workshops but will do should it be absolutely necessary in order 
to understand what needs to be done.

Original comment by appiapp...@gmail.com on 15 Jan 2014 at 10:52

[GoogleCodeExporter]

Ok. 

There will be several newbies now e.g. at Ntaba Maria and also VG. Please, stay 
in contact with Terri about times. She organises everything now.

I found an icon generator in the web. Perhaps you or the volunteers would like 
to play around with this: http://mashable.com/2014/01/14/icon-font-generators/

Original comment by a...@villagescribe.org on 15 Jan 2014 at 10:57

[GoogleCodeExporter]

I found the interception point for the login. Now I can start implementing it...

Just to make sure that I am going ahead with this in the proper way:

The requirement is that the user can drag and drop pictures into a field in 
order to compile a story. Each selected picture represents a letter. For 
example a picture of a dog might represent the letter 'd'. With the example Dog 
chases cat up the ladder (3 pictures = dog, cat, ladder) might generate a 
password 'dcl'. Do we want a minimal size of the generated password (at least 5 
pictures)? The user then copies (re-types) the generated password into the 
password field and clicks login.

Is this what needs to be done?

Original comment by appiapp...@gmail.com on 21 Jan 2014 at 10:54

[GoogleCodeExporter]

Hi Michael,

this would be fine, except there are two problems:

1) I was thinking all the children know their initials to seed the algorithm 
**. --> NB so they need to be taught to always enter them the same way  (ETN, 
NET, TEN, EN these might be the four ways one child initials depending on mood, 
weather, etc.) -- which is an important lesson for passwords, "almost correct", 
or "I know what I meant" does not work!  anyway, they only need to enter their 
initials first, and then you calculate a number N out of that. then you don't 
start from  1,  but from N and modulo around the list of images.  So for one 
person picture of tree is 'T', but for another it it 's'....  (very little 
extra work)

2) Anna is saying that in addition to the login screen, some kids have already 
got passwords and we'd need to (of course only once they have logged in) be 
able to show them their row of pictures, reverse engineered, so that they can 
think up a story for their password after the fact.  Of course, they can change 
their story and thus their password....

** What is the story with usernames, btw.  these are pretty complex and could 
be used instead of entering initials...

What do you think, Michael?

Ron

Original comment by Ooskapenaar@gmail.com on 21 Jan 2014 at 8:05

[GoogleCodeExporter]

Well, I hope that YOU understood, Michael, because I don't, and I don't know if 
this would be what I and the Sense Makers had imagined, and if this will work 
out with the kids who already have a password, so please, also get a feedback 
from Strix and let us know what you think. Thank you, Anna

Original comment by a...@villagescribe.org on 21 Jan 2014 at 8:14

• Changed state: Started

[GoogleCodeExporter]

I do not understand exactly what Ron's reason for applying an algorithm is? Why 
can't each picture represent the same letter throughout the whole user base? 
For example a picure of a dog does not have to be a 'd' because this might be 
too anglizised so it could represent an 'x' or 'f' or whatever, this for all 
languages and creeds of users. So the password would therefore be kind of 
language neutral. 

The way I was seeing it was that a) each image represents a fixed assigned 
letter, b) user can eiter type in password directly on the login or c) push a 
pictures button where you are redirected to a page where pictures get dragged 
and dropped, resulting in a password that is composed by the resulting letters. 
The user then clicks a button ('take password') to get back to the landing 
page, where now a field is filled in with the composed password (next to the 
'pictures' button). The user then retypes the password in the password field 
and then logs in.

This for the login, for the changing of passwords, a user will see, once logged 
in the pictures representing his password and he will be able to change them 
around, replace pictures in order to modify the password, resulting in a new 
password string that gets stored in the database.

In short I propose to keep it simple, which means a picture always represents 
the same letter, number, character. I propose that we have 26 pictures to 
start, covering the 26 letters of the english&german alphabet.

Is this ok?

Original comment by appiapp...@gmail.com on 22 Jan 2014 at 10:08

[GoogleCodeExporter]

Hi Ron, Would Michael's idea work with the 3000 passwords which we already have?

Original comment by a...@villagescribe.org on 22 Jan 2014 at 11:33

[GoogleCodeExporter]

uups, what this would mean that we probably need more pictures than 26 to
also cater for special characters, which we might allow for passwords.

Otherwise as I see it, the picture functionality is just a GUI thing that
has no bearing on the database.  It is just an action that translates
pictures into letters and vice versa.

Original comment by appiapp...@gmail.com on 22 Jan 2014 at 11:41

[GoogleCodeExporter]

from Ron:

In very brief:  the kids love to copy each other.  they WILL all copy each 
other.  ==>  they will all have the same password.

they need to learn that passwords should be different...

the change I suggested is practically trivial, it involves:
1) algorithm for key_string => integer,
e.g. (val_of_char + val_of_char + val_of_char) % N_IMAGES
--> gives you a number 0 < N < N_IMAGES

2) Your mapping  PICTURE --> LETTER  is an array

so instead of doing   letter = mapping[PICTURE]

you do  PICTURE --> NUMBER    NUMBER --> LETTER

letter = mapping2[ mapping1[PICTURE] + N ]

@Anna I cannot post this to a public website now, but I thought it is urgent so 
just responding via email 

Original comment by a...@villagescribe.org on 22 Jan 2014 at 11:53

[GoogleCodeExporter]

digesting what Ron said, a user types in his initials, produces the
pictures and through the use of the alghorithm described given the same
pictures, different initials will result in a different letter combination
for the password. Instead of initials one also just could take the username
so that this stays a complete GUI thing without needing access to database.

Did I understand it correctly Ron?

Original comment by appiapp...@gmail.com on 22 Jan 2014 at 12:10

[GoogleCodeExporter]

I understood correctly and will now start implementing it.

Original comment by appiapp...@gmail.com on 23 Jan 2014 at 8:41

[GoogleCodeExporter]

Great! I am glad that you understand each other. :-)

Original comment by a...@villagescribe.org on 23 Jan 2014 at 4:37

[GoogleCodeExporter]

I researched the font generators and settled for the moment for 
www.Fontastic.me and generated 122 icons! Now I have to figure out how to 
generate the page to show all the icons and then drag & drop the selected ones 
into a the picture password field ...

Original comment by appiapp...@gmail.com on 24 Jan 2014 at 9:39

[GoogleCodeExporter]

Ok. Sounds good. Thank you.

Original comment by a...@villagescribe.org on 24 Jan 2014 at 10:42

[GoogleCodeExporter]

I implemented the password generating page (dragging & dropping pictures to 
generate a password that then has to be copied to the 'real' password field). 
What is missing is to apply Ron's algorithm (at the moment I have direct 
mapping (picture 3 represents character 'c'). I will implement that tomorrow. 

Then next is to mend the change password page so that it displays the picture 
icons representing the password. And the ability to change the password by 
moving these icons around or add new ones.

Original comment by appiapp...@gmail.com on 28 Jan 2014 at 11:40

[GoogleCodeExporter]

Thank you for the update. Getting excited... :-)

Original comment by a...@villagescribe.org on 28 Jan 2014 at 8:59

[GoogleCodeExporter]

Login page is done and working. What I now need to do is to check if I 
generated enough icons to cover small caps, large caps and special characters 
and add all these to the picture login page.

After that I will add the picture login functionality to the "change password 
page".

Original comment by appiapp...@gmail.com on 29 Jan 2014 at 11:14

[GoogleCodeExporter]

Cool. Ask Antje and Rieke if they can test it for you sometimes next week, when 
there will be more time.

Original comment by a...@villagescribe.org on 29 Jan 2014 at 12:09

[GoogleCodeExporter]

It took me a while to get the reversal from picture to password going. The 
reason for this was that I used an algorithm to create the pictures that was 
not reversible (application of modulus at the wrong place). All is fine now. 
This means that a) The login part is done and b) the changing password part is 
done as well. So we have full functionality!

I will spend tomorrow and one or two days more to clean up and comment code, 
build a package that can be installed and write a user's guide because it might 
not be fully clear of how to 'work it'. 

After that I will install it on mothsorchid and you guys will be able to test 
it! Enough time to get it right for Scifest (layout changes etc.)

Original comment by appiapp...@gmail.com on 11 Feb 2014 at 12:27

[GoogleCodeExporter]

Great. Sounds very good. Looking forward to testing it.

Short advise, make the guide as short and simple as possible. Not too many 
words. Perhaps Antje & Rieke can draw something???

Original comment by a...@villagescribe.org on 11 Feb 2014 at 7:37

[GoogleCodeExporter]

I will make the guide as short as possible!

I noticed problems during testing. The main problem is that once you want to 
change the order of pictures or replace pictures via drag and drop then 
assignment of these pictures to the field area that hosts the pictures is not 
happening correctly. I am busy trying to find out what is going wrong there. 

Original comment by appiapp...@gmail.com on 14 Feb 2014 at 11:00

[GoogleCodeExporter]

Ok, I managed to reorganise drag & drop and now it works as I intended it.

Will create Package, install it on mothsorchid and write a short user's guide 
on Monday.

Original comment by appiapp...@gmail.com on 14 Feb 2014 at 5:17

[GoogleCodeExporter]

I have updated the following in SVN and Packages:

1) created a new picturelogin module in SVN
2) added picturelogin Package to awarenet.eu/code
3) updated users module in SVN: changepassform.block.php
4) updated users Package at ekhayaict/code: changepassform.block.php
5) updated home module in SVN: home.page.php
6) updated home-3 Package at awarenet.eu/code: home.page.php

Original comment by appiapp...@gmail.com on 20 Feb 2014 at 8:58

[GoogleCodeExporter]

Here is the User's Guide for the Picture Login. Please haste with Feedback 
about functionality so that I still have time to correct/ammend/add to it 
before the Science Festival.

I hope that the whole things is not too unwieldy ... I tried my best to frame 
the functionality such that it fits the requirement ...

Original comment by appiapp...@gmail.com on 20 Feb 2014 at 12:01

Attachments:

• picturelogin.odt
• picturelogin.pdf

[GoogleCodeExporter]

Picture login as described in the User's Guide is online on Mothsorchid! Happy 
Testing!

Original comment by appiapp...@gmail.com on 20 Feb 2014 at 12:56

[GoogleCodeExporter]

About the picture selection:
I like the simple icons and the great variety of pictures. However, there are a 
few doubles that could confuse users, e.g. 
* the pencils, 
* the music notes, 
* the bins,
* the stars,
* two identical rockets,
* the light bulbs (although for us one of them stands for an idea - but not for 
everyone)
* the dogs (although one might be a watch dog), 
* house and hut (might only make sense for Africans, but there are two huts),
* computer and screen
* video camera and film

It will help if the pictures are displayed in some sort of an order, i.e.
* lock and unlock
* all clouds, sun, moon, stars and lightning
* all animals
* all people
* all smileys/emoticons, heart, thumbs up/down
* all transport
* all media
* all food
* etc.

One icon does not mean anything to me - could be a highway??? Perhaps take out?

Original comment by a...@villagescribe.org on 21 Feb 2014 at 12:04

[GoogleCodeExporter]

Users who have already changed their password, cannot use the picture login any 
longer. This is not clear on the landing page. Is there a possibility to hide 
the picture login when a password has been changed?

Alternatively, there needs to be a note.

Original comment by a...@villagescribe.org on 21 Feb 2014 at 12:15

[GoogleCodeExporter]

There is something that I still don't understand: How are new users registered 
now, only with their name? Do they generate their first password themselves?

Original comment by a...@villagescribe.org on 21 Feb 2014 at 12:23

[GoogleCodeExporter]

Hello to All,

I tested the new password feature, today. I think it's a great idea, but I 
struggled with the folowing problem:
I changed my password with the "Password through Pictures" feature. I used the 
following story:
On a sunny day, a man walked  his dog. Suddenly it started to rain and the man 
ran inside his hause. 
So you can find the corresponding pictures in the attachement. 

After I changed my passowrd, I couldn't log in again.

Original comment by rieke.he...@gmail.com on 24 Feb 2014 at 10:48

Attachments:

• [new password feature.jpg](https://storage.googleapis.com/google-code-attachments/awarenet/issue-369/comment-35/new password feature.jpg)

[GoogleCodeExporter]

Hi, Rieke was just doing some testing and found a situation where she could not 
log in with the generated password when this password begins with an angle 
bracket: <

This could be a unicode or HTML escaping / urlencoding thing, will probably 
affect some other non-alphanumeric characters.  Noticed also that Rieke was 
recording her password in an MS Word document and then copying and pasting it.  
This sounds like the sort of thing a user would do, but could create confusion 
when MS Word automatically converts plain punctuation, eg simple simple quotes 
to opening and closing quotes, so a mapping for these code points might be 
worth adding.

Suggest mapping '<' to 'oab' to work around this and similar charset issues.

Original comment by awarenet...@gmail.com on 24 Feb 2014 at 10:55

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

Comment for #32
As said before I use www.Fontastic.me to generate the font containig all the 
icons instead of characters.  will regenerate the font loosing the doubles but 
I am not sure if I can sort them into groups using that generator.

Some sorting of the icons will probably have to be done by me, programmatically 
... 

Original comment by appiapp...@gmail.com on 24 Feb 2014 at 7:22

[GoogleCodeExporter]

Comment for #33
Why can't these users not use the picture login anymore? They can log in with 
their current password and either "learn' their picture icons by going to My 
Account and go to the Picture Password functionality there (using the "Generate 
Pictures" push button) or change the password there altogether.

Picture password is just a GUI functionality, no pictures get stored in our 
database. The database stores the normal passwords as usual.

Original comment by appiapp...@gmail.com on 24 Feb 2014 at 7:30

[GoogleCodeExporter]

Comment for #34

Picture login is just a GUI functionality that allows a user to remember his 
password using pictures. Nothing changes when we generate a user/password 
combination. All the user has to do is type in the generated password to login 
normally, then go to My Account and either 'learn' the pictures belonging to 
this password or better create a new story with pictures and change the 
password there.

Again, nothing has changed with login! The user still has to type in a password 
in the password field. All the pictures do is to allow him a different way of 
how to memorize/remember that password!

Original comment by appiapp...@gmail.com on 24 Feb 2014 at 7:33

[GoogleCodeExporter]

Comment to #35/36
Copy/paste should be greatly discouraged - at least I thought that is what we 
wanted! The reason for this is that I thought we wanted to train the user to 
remember his password eventually. This memorizing/remembering happens best if 
the user types the password manually in the password field after seeing it 
generated by the picture login functionality. Was this not the idea?

With regards to special characters I will try to introduce such a mapping as 
proposed by Strix ASAP.

Original comment by appiapp...@gmail.com on 24 Feb 2014 at 7:42

[GoogleCodeExporter]

Comment for #33 and #34

Alright, I understand much better now. Ron and I tried it out together and 
discussed it.
Yes, it works and makes sense. :-)

So, the initial piece of paper is only needed on the first day and should be 
thrown away after the first day of training in password functionality. Yay!

Original comment by a...@villagescribe.org on 24 Feb 2014 at 8:00

[GoogleCodeExporter]

Comment for #38 and #41

So I would say the new feature can go live once the mapping is done.

Icons can be sorted in a second step and awarenet updated when done.

Original comment by a...@villagescribe.org on 24 Feb 2014 at 8:05

[GoogleCodeExporter]

Have generate a font/pictures without ambiguities (tried, can't see the forest 
for the trees) and uploaded it but it only makes sense to check for doubles 
once I sorted them (not all pictures are currently showing).

Will now focus on the special character mapping and then sort the pictures at 
the end.

Original comment by appiapp...@gmail.com on 24 Feb 2014 at 8:43

[GoogleCodeExporter]

Comment for #44

New new icons are better, a greater variety, and I would say except the two 
bins there are no doubles anymore, but let's see what it looks like after 
sorting. - It really is hard to tell. ;-)

Original comment by a...@villagescribe.org on 3 Mar 2014 at 8:34

[GoogleCodeExporter]

Managed to delete doubles, sort pictures and implement the special character 
mapping. Was not able yet to upload my changes unto awarenet.eu codebase and 
mothsorchid. Hope that the technical difficulties disappear soon and then will 
be able to do so tomorrow.

Original comment by appiapp...@gmail.com on 4 Mar 2014 at 4:10

[GoogleCodeExporter]

Yes, I hope that we can have the picture login on mothsorchid on Monday and on 
awarenet on Tuesday.

Original comment by a...@villagescribe.org on 7 Mar 2014 at 11:05

[GoogleCodeExporter]

The picture login on awarenet.eu looks very nice now. Thank you, Michael. :-)

I will ask the volunteers after SciFest to create a little HowTo in pictures 
that can be added to the page.

Original comment by a...@villagescribe.org on 12 Mar 2014 at 1:12

[GoogleCodeExporter]

Thanks Michael, looks good.  There are a couple of other pages where users 
enter passwords, can you add there as well?

  modules/users/actions/signup.page.php
  modules/home/actions/403.page.php

Original comment by awarenet...@gmail.com on 13 Mar 2014 at 8:59

Attachments:

• [awareNet - Not allowed.jpg](https://storage.googleapis.com/google-code-attachments/awarenet/issue-369/comment-49/awareNet - Not allowed.jpg)

[GoogleCodeExporter]

Hi Michael, have you been able to look into the other login pages as well?

Original comment by a...@villagescribe.org on 28 Mar 2014 at 12:55