Graphical passwords for better security

Graphical passwords for better security

Summary: You all know that passwords are relatively easy to steal, especially because we don't pick difficult ones. So computer scientists from Rutgers University-Camden have developed graphical passwords to enhance your computer security.

TOPICS: Security

You all know that passwords are relatively easy to steal, especially because we don't pick difficult ones. So computer scientists from Rutgers University-Camden have developed graphical passwords to enhance your computer security. One solution works by picking 'click points' on an image previously selected by the user. And another one, designed to avoid 'shoulder surfing,' works by clicking on random icons located inside a collection of other icons chosen by the user. If these solutions can be fine for your main system, they will not help you when you need to create a new password for an online service.

Jean-Camille Birget, a professor of computer science, and his team have developed graphical passwords. Instead of entering a password consisting of numbers and letters, the user selects areas of a picture, called "click points," which are easier for the user to remember and, due to the somewhat random selection process, more difficult for someone else to guess.
"You can let users even choose the picture," says Birget of the new computer security program, which would help users remember their original click points. The selected picture must be complex, like a landscape or cityscape, to be a secure system so that there are many possible click points.

Below is an example of such a landscape (Credit: Rutgers University-Camden).

Graphical passwords

And here are more details extracted from a paper published by The Rutgers Scholar (Volume 4, 2002).

The [above] example, while very unsophisticated, illustrates how a simple graphical password matches the security of its alpha-numeric counterparts. To login, the user is required to click within the 4 circled red regions in this picture. The user chose these regions when he or she created the password. The choice for the four regions is arbitrary, but the user will pick places that he or she finds easy to remember. The user can introduce his/her own pictures for creating graphical passwords. Also, for stronger security, more than four click points could be chosen.

The other technique developed by these computer scientists wants to prevent "shoulder surfing," the process of password theft through surreptitious monitoring.

In the Rutgers-Camden study, users picked 10 icons, which then were scrambled with approximately 200 others. In order to gain entry into the system, users found shapes, such as triangles, that used their chosen icons as the corners, and clicked inside that shape. Users then repeated the same game 10 times.
"The main idea behind our model is to allow a user to prove knowledge of a secret, without revealing the secret itself to either the authenticating party or a potential observer," says Leonardo Sobrado[, who was part of the research team.] "The question, or challenge, changes every time and so does the answer. But the secret knowledge stays the same."

Below is an example of how this icon-based password looks like (Credit: Rutgers University-Camden).

Icon-based passwords

Once you've selected your icons, here is how the system works.

To accurately simulate a graphical password system, you must not reveal the pass-icons to any potential observer. In fact, you should not as much as point or click to a pass icon in a way that would reveal to an observer that you're identifying a pass-icon. Doing so completely defeats the purpose of the system. Once you have clicked anywhere inside the convex hull, the system will re-arrange the icons. You should set the icon speed low enough so that you can track some of the pass-icons as they move. This will make it easier to find them on the next screen. If a pass icon leaves the screen, a new one will replace it.

If you want to test this technology, you can download the program or simply run an interactive simulation.

And for more information, The Graphical Passwords Project home page contains several links to technical papers.

Now, tell me: will you use such a technique to protect yourself?

Sources: Rutgers University-Camden news release, January 4, 2006; and various web sites

You'll find related stories by following the links below.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Sounds tedious

    There's got to be a better way.
    • May be tedious but...

      it's necessary until all websites and computers are able to tolerate fingerprint or ocular passwords. Biometrics will be the way to go in the future.
      • I doubt it

        While Biometrics at first glance look like an effective method they do in fact have very large flaws. There are ways to crack a biometric lock, and it has been done. I know that fingerprints and retnial scans have been bested. The problem is, When your fingerprint has been cracked, How do you get a new fingerprint?
        • Use a different finger?

          Read only thumbdrive type devices could do the job and the code could be tweaked to how paranoid you want to be. Think of it 128bit or 524288megabit passwords its up to you. Load software and issue the keys.

          ps the 64megabyte password does seem A bit extreme unless your securing a cheap method of turning raw sewage into plutonium.
          Hrothgar - PCLinuxOS User
  • neat idea....

    particularly for web site security. But all the same is this really better than certificate authentication?
  • Bank of America already does it

    Just recently they added 1 more step of security on their site. First you need to enter your personal id if not pre saved on the system, 2nd you need to choose a picture out of about 100 to be your unique picture wherever you sign on. The computer you sign on most of the time will keep the pic there. You simply go to the 3rd step which is entering your password. 3 levels of online security. I wish my home bank had this, though they require me to change my password every 30 or so days.
  • Must be the same guy that invented the donut dipper.

    Must be the same guy that invented the donut auto dipper.
    Better have a picture of a naked women, so I will remember the parts I picked.
  • Note on Bank of America

    A better choice for picture would be if you can upload your own picture, nearly unduplicatable.
  • Bad idea, needs work

    People who are visually impaired and use a computer and a screen reader have trouble with graphics. Imbedding text in a graphic does not work for them. Asking them to refer to sections of a graphic image will not work.

    People who are colour blind will also have a problems.

    One way to improve: incorporate an audible component to the security procedure.
    • I should know that...

      I have a blind sister. Audibility would help. I think what banks and major online retailers need to do is create text based, not html based webpages alongside their html sites.
  • skeptical

    i just dont think this will ever fly. it seems too complex for the average person.
    • Yes,

      Yes you are right. A person can not click on the exact location where he/she did while entering the password very first time.
      The idea is good but it needs to improve at all.
  • something like it

    This is nothing new. Color Sequence Protection from CJWSoft has been available as a free download for years now. see
    • Sounds easy to crack to me

      Passwords are still harder. I imagine it will take an advanced hacker about 20 minutes to cipher a program to run through all the picks and the co-ordinance in minutes. I have been around for a while but this is a mere annoyance for the user and the hacker. It seems difficult to ordinary people but to a hacker this is a piece of cake any normal game program goes through more Coordinates in a matter of minutes. Not to mention spoofing. Better not fool yourself into even thinking this is any way near secure. How ever the unique code generated by the binary based image would make a nice password for something like PGP. Figure that one out and you might impress me.
      • Breaching this scheme

        I can't imagine this is an unbreachable security scheme. Somewhere, there is data that records click points on an image, as well as the image, I guess. A hacker will need to figure out how to retrieve this info and interpret it.

        Some things I'm not sure about though. Are the click points indicated on the image, and the person logging in must click in a certain sequence, or a subset of points? If the points aren't shown then there must be some "play" if the mouse is flaky or the hand is not very precise. Will the program merely look at coordinates for the click? Or will it compare the data representing a clicked area to the previously established click point?

        It sounds interesting, and by introducing more data than 8 chars and digits of typical passwords makes the breaching of the scheme less probable, I guess.
  • This is easy to crack. A broker is still better.

    Even if there's 20000 combinations of click points, a program could decypher that in minutes, or at worst case hours.

    The ultimate security solution will involve some kind of broker and certificate. If Verisign and the other security companies could make it integrated enough, a process could be made to be highly secure.

    For example, a site requires you to have a valid VeriSign cert on your PC to access it. You would have to go through a painful process ONE TIME to get it, have lots of personal information checked, and verified. Then once you have it on your PC, any site using it could check for it. You'd ALSO enter in a password so somebody could not take your machine and access the site easily.

    There's no perfect solution other than a magical future of scanning the DNA on your hand every time. Even then, just like in SpaceBalls, all the crook would need is your dead hand.
  • "Stuff" happens...

    ...but I hope this crapola never makes it to fruition. I'm a photographer so I?m quite visually oriented but this memorizing points in a photo thing is foreign to people?s daily life. It's bound to be a customer relations nightmare where the customer is locked out of their own accounts. Further more I doubt the hardness of such a system. Because this "Password" can?t be quickly entered by a person who touch types it will be burdensome to many.

    My take on these "Researchers" ... too many video games and poor nutrition.
  • Security Issues

    I am giving graphical password, but some one sitting near me, will come to know about my password, as it may not be possible for the text password if I type speedily.
    Moreover, if I want to login to my yahoo account, then yahoo must provide me the same image which I selected. It propagates to the storing of images also, which is difficult.
    Please tell me the solutions for these. You must have thought about it, but is not given in this article and even in your website also.
    Thank you,
  • Graphical passwords

    Hi this seems 2 b a good innovation.Ii like it.
    keep d gr8 work going on. but i think you can make it simpler also.
  • Solving a problem that isn't there

    Even dictionary words can be safely used as passwords IF (and it's a big if) the password prompt is delayed for a few seconds between iterations. That stops instant repeated dictionary attacks. Further, if the system is set to close a profile down after three unsuccessful attempts then most password crack algorithms will be useless.

    There's no need for this graphical stuff. Set your system up right with delayed pasword prompts, a maximum number of attempts and a password algorithm that allows reasonable passwords and disallows the obvious stupid ones.