Graphical passwords for better security

Summary: You all know that passwords are relatively easy to steal, especially because we don't pick difficult ones. So computer scientists from Rutgers University-Camden have developed graphical passwords to enhance your computer security.

You all know that passwords are relatively easy to steal, especially because we don't pick difficult ones. So computer scientists from Rutgers University-Camden have developed graphical passwords to enhance your computer security. One solution works by picking 'click points' on an image previously selected by the user. And another one, designed to avoid 'shoulder surfing,' works by clicking on random icons located inside a collection of other icons chosen by the user. These solutions may be fine for your main system, but they will not help you when you need to create a new password for an online service.

Jean-Camille Birget, a professor of computer science, and his team have developed graphical passwords. Instead of entering a password consisting of numbers and letters, the user selects areas of a picture, called "click points," which are easier for the user to remember and, due to the somewhat random selection process, more difficult for someone else to guess.
"You can let users even choose the picture," says Birget of the new computer security program, which would help users remember their original click points. The selected picture must be complex, like a landscape or cityscape, to be a secure system so that there are many possible click points.

Below is an example of such a landscape (Credit: Rutgers University-Camden).

Graphical passwords

And here are more details extracted from a paper published by The Rutgers Scholar (Volume 4, 2002).

The [above] example, while very unsophisticated, illustrates how a simple graphical password matches the security of its alpha-numeric counterparts. To login, the user is required to click within the 4 circled red regions in this picture. The user chose these regions when he or she created the password. The choice for the four regions is arbitrary, but the user will pick places that he or she finds easy to remember. The user can introduce his/her own pictures for creating graphical passwords. Also, for stronger security, more than four click points could be chosen.

The other technique developed by these computer scientists aims to prevent "shoulder surfing," the process of password theft through surreptitious monitoring.

In the Rutgers-Camden study, users picked 10 icons, which then were scrambled with approximately 200 others. In order to gain entry into the system, users found shapes, such as triangles, that used their chosen icons as the corners, and clicked inside that shape. Users then repeated the same game 10 times.
"The main idea behind our model is to allow a user to prove knowledge of a secret, without revealing the secret itself to either the authenticating party or a potential observer," says Leonardo Sobrado[, who was part of the research team.] "The question, or challenge, changes every time and so does the answer. But the secret knowledge stays the same."

Below is an example of what this icon-based password looks like (Credit: Rutgers University-Camden).

Icon-based passwords

Once you've selected your icons, here is how the system works.

To accurately simulate a graphical password system, you must not reveal the pass-icons to any potential observer. In fact, you should not as much as point or click to a pass icon in a way that would reveal to an observer that you're identifying a pass-icon. Doing so completely defeats the purpose of the system. Once you have clicked anywhere inside the convex hull, the system will re-arrange the icons. You should set the icon speed low enough so that you can track some of the pass-icons as they move. This will make it easier to find them on the next screen. If a pass icon leaves the screen, a new one will replace it.
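The convex-hull check described above, and the reason the challenge is repeated, as an added Python example (not the Rutgers program's own code). The number of pass-icons visible per screen (4), the uniform random icon placement and all function names are assumptions made for illustration.

```python
import random

def cross(o, a, b):
    """Z-component of (a-o) x (b-o); > 0 means o->a->b turns left."""
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])

def convex_hull(points):
    """Andrew's monotone chain; hull vertices in counter-clockwise order."""
    pts = sorted(set(points))
    if len(pts) < 3:
        return pts
    def half(seq):
        out = []
        for p in seq:
            while len(out) >= 2 and cross(out[-2], out[-1], p) <= 0:
                out.pop()
            out.append(p)
        return out[:-1]
    return half(pts) + half(reversed(pts))

def click_ok(visible_pass_icons, click):
    """One round: accept a click inside (or on the edge of) the hull."""
    hull = convex_hull(visible_pass_icons)
    if len(hull) < 3:          # collinear or too few icons: no region to click
        return False
    n = len(hull)
    return all(cross(hull[i], hull[(i + 1) % n], click) >= 0 for i in range(n))

def login_ok(rounds):
    """rounds: list of (visible pass-icon positions, click). All must pass."""
    return bool(rounds) and all(click_ok(icons, click) for icons, click in rounds)

def blind_guess_rate(trials=20000, visible=4, size=1000, seed=1):
    """Monte Carlo: chance that a uniformly random click passes one round
    when `visible` pass-icons land at uniformly random screen positions."""
    rng = random.Random(seed)
    def pt():
        return (rng.uniform(0, size), rng.uniform(0, size))
    hits = sum(click_ok([pt() for _ in range(visible)], pt()) for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    # Constructed screen: three pass-icons form a triangle, as in the study.
    triangle = [(100, 100), (500, 120), (300, 400)]
    print(click_ok(triangle, (300, 200)))   # click inside the triangle
    print(click_ok(triangle, (50, 50)))     # click outside
    p = blind_guess_rate()
    print(f"one round: {p:.3f}, ten rounds: {p ** 10:.2e}")
```

A single round is easy to pass by luck because the hull covers a sizeable part of the screen; requiring every one of the 10 rounds to succeed is what drives the blind-guess probability down.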

If you want to test this technology, you can download the program or simply run an interactive simulation.

And for more information, The Graphical Passwords Project home page contains several links to technical papers.

Now, tell me: will you use such a technique to protect yourself?

Sources: Rutgers University-Camden news release, January 4, 2006; and various web sites
