Picture Passwords More Secure than Text
Hugh Pickens writes "People possess a remarkable ability for recalling pictures and researchers at Newcastle University are exploiting this characteristic to create graphical passwords that they say are a thousand times more secure than ordinary textual passwords. With Draw a Secret (DAS) technology, users draw an image over a background, which is then encoded as an ordered sequence of cells. The software recalls the strokes, along with the number of times the pen is lifted. If a person chooses a flower background and then draws a butterfly as their secret password image onto it, they have to remember where they began on the grid and the order of their pen strokes. The "passpicture" is recognized as identical if the encoding is the same, not the drawing itself, which allows for some margin of error as the drawing does not have to be re-created exactly. The software has been initially designed for handheld devices such as iPhones, Blackberry and Smartphone, but could soon be expanded to other areas. "The most exciting feature is that a simple enhancement simultaneously provides significantly enhanced usability and security," says computer scientist Jeff Yan."
The movie "Safe House" with Patrick Stewart had something similar.
It's a small conceptual leap to go from this 1998 stroke-based password idea to the present idea of drawing a picture to capture strokes which are then turned into a password. Looks like prior art to me!
Some days it's just not worth chewing through the restraints.
"If I had a horrible accident and became a quadrapole, I could still recite my password to someone if need be... good luck doing that with this kind of authentication."
I think you mean quadriplegic. According to Wikipedia:
A quadrupole is one of a sequence of configurations of electric charge or gravitational mass that can exist in ideal form, but it is usually just part of a multipole expansion of a more complex structure reflecting various orders of complexity.
Here's the short version:
=8{O}8=
They are not storing the picture, but rather the way you draw the picture. Let's say they break the drawing area up into 9 squares. What they are encoding is the steps. Pen down quad 2,2 to 2,1 to 1,1, pen up. Pen down quad 2,2 to 2,3 to 3,3 to 3,2 to 2,2, pen up. As long as I stay within the 'resolution' of their encoding I will be generating the same hashed file.
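The encoding described in the comment above, as an added example that is not part of the original thread and not the Newcastle researchers' code: strokes are reduced to the ordered cells they enter plus a pen-up marker, and only that sequence is hashed. The 300-unit canvas, the reading of "2,2" as column,row, the function names and the salted PBKDF2 storage are all assumptions made for illustration.

```python
import hashlib
import hmac

PEN_UP = (0, 0)  # sentinel: real cells are 1-based, so (0, 0) never occurs

def encode(strokes, size=300.0, grid=3):
    """Turn strokes (lists of (x, y) points) into an ordered cell sequence."""
    cell = size / grid
    seq = []
    for stroke in strokes:
        prev = None
        for x, y in stroke:
            # Clamp so points on or past the canvas edge land in an edge cell.
            col = min(max(int(x // cell), 0), grid - 1) + 1
            row = min(max(int(y // cell), 0), grid - 1) + 1
            if (col, row) != prev:  # record a cell only when the pen enters it
                prev = (col, row)
                seq.append(prev)
        seq.append(PEN_UP)  # each pen lift is part of the secret
    return seq

def enroll(strokes, salt):
    """Derive the stored verifier from the encoding, never from raw points."""
    data = ";".join(f"{c},{r}" for c, r in encode(strokes)).encode()
    return hashlib.pbkdf2_hmac("sha256", data, salt, 100_000)

def verify(strokes, salt, stored):
    return hmac.compare_digest(enroll(strokes, salt), stored)

# Constructed sample input: the two strokes from the comment, then a shaky
# redraw, then a redraw whose first point strays over a grid line into (3,2).
ORIGINAL = [[(150, 150), (150, 110), (150, 60), (90, 50), (40, 40)],
            [(150, 150), (150, 250), (250, 250), (250, 150), (150, 150)]]
WOBBLY = [[(160, 140), (140, 70), (60, 30)],
          [(130, 170), (170, 230), (230, 270), (270, 130), (170, 130)]]
STRAYED = [[(205, 140), (160, 140), (140, 70), (60, 30)], WOBBLY[1]]

if __name__ == "__main__":
    salt = b"constructed-salt"  # per-user random salt in a real deployment
    stored = enroll(ORIGINAL, salt)
    print(encode(ORIGINAL))
    print("wobbly redraw accepted:", verify(WOBBLY, salt, stored))
    print("strayed redraw accepted:", verify(STRAYED, salt, stored))
```

The shaky redraw verifies because it enters the same cells in the same order, while a single sample on the wrong side of a grid line changes the sequence and the login fails.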