Slashdot Mirror


Picture Passwords More Secure than Text

Hugh Pickens writes "People possess a remarkable ability for recalling pictures and researchers at Newcastle University are exploiting this characteristic to create graphical passwords that they say are a thousand times more secure than ordinary textual passwords. With Draw a Secret (DAS) technology, users draw an image over a background, which is then encoded as an ordered sequence of cells. The software recalls the strokes, along with the number of times the pen is lifted. If a person chooses a flower background and then draws a butterfly as their secret password image onto it, they have to remember where they began on the grid and the order of their pen strokes. The "passpicture" is recognized as identical if the encoding is the same, not the drawing itself, which allows for some margin of error as the drawing does not have to be re-created exactly. The software has been initially designed for handheld devices such as iPhones, Blackberry and Smartphone, but could soon be expanded to other areas. "The most exciting feature is that a simple enhancement simultaneously provides significantly enhanced usability and security," says computer scientist Jeff Yan."

11 of 261 comments

  1. Meh. by mingot · · Score: 3, Insightful

    I'd have to train myself to remember the strokes to draw something with the same movements and pen lifts. Sounds like a pain in the nuts to me.

    1. Re:Meh. by wish+bot · · Score: 5, Insightful

      Ordinary people have been doing this for hundreds of years. It's called a SIGNATURE.

      --
      lemonade was a popular drink and it still is
  2. Sounds hard by dontthink · · Score: 5, Insightful

    I can't even consistently write my signature, let alone some arbitrary picture.

  3. Normal signature by LiquidCoooled · · Score: 5, Insightful

    A normal signature is a picture drawn in a certain fashion with a specific flow and strokes.
    We have had signature recognition for a while.
    What's new?

    --
    liqbase :: faster than paper
  4. Damnable Security! by roguetrick · · Score: 5, Insightful

    I wonder how many users will just end up drawing Stars, Hearts, and Smiley Faces?

    --
    -The world would be a better place if everyone had a hoverboard
  5. And "shoulder surfing". by khasim · · Score: 4, Insightful

    If you have to draw a picture to login, it's going to be very easy for people to see what you're drawing just by being near you.

    With typed passwords that is a lot more difficult.

  6. 2 characters. by Kaenneth · · Score: 5, Insightful

    Or you could add 2 alpha-numeric characters to an existing text password, for more than 1000 times security.

    1. Re:2 characters. by Dirtside · · Score: 3, Insightful

      Adding two alphanumeric characters (a-z, A-Z, 0-9, for 62 characters) would increase the keyspace by a lot (a factor of 3,844, to be precise), but it doesn't increase overall security by that much except against brute force attackers. It certainly doesn't make it a thousand times harder to shoulder-surf, or keylog, or social engineer, or...

      --
      "Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
  7. Easy dictionary attack by Doppler00 · · Score: 3, Insightful

    How many people will use a picture password of a stick man, tree, or a happy sun?

  8. Re:I don't believe it. by Anonymous Coward · · Score: 3, Insightful

    You draw whatever picture you want. The background image is just to give you a frame of reference so you know where you started.

    I think most people will associate the same things with the same background (e.g. flowers->bee), resulting in even fewer combinations... also, the universe of "drawable things" is smaller than the universe of words, and that is smaller than the universe of pass...

  9. SHA by h4rm0ny · · Score: 3, Insightful

    But on the subject of security, how would these passwords be stored? One nice thing with plaintext is that you never have to store anyone's actual password, only the hash of it. I suppose you could still create a hash of "1. stroke 47degrees 3%, 2, stroke 270degrees 22%" or whatever the password device spits out, but it seems to me that as this system requires a more sophisticated way of interpreting fuzzily matched movements, there might be problems with this approach or it could introduce weaknesses.

    You could use some algorithm to simplify the user's drawing, rounding angles (I punned! :D ), adjusting lengths, perhaps. But this would probably have the effect of narrowing the password space, making it easier to crack the passwords. I'm not an expert in this area; I'd be interested to know if they've thought about this or if anyone else knows a bit more about it.

    --
    Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
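The cell-sequence encoding the summary describes, and the storage question h4rm0ny raises in comment 9, worked through as an added example. This is not the Newcastle team's code nor code from any poster here; the 5x5 grid, 100x100 canvas, pen-up token and PBKDF2 parameters are assumptions, and the sample drawings are constructed.

```python
import hashlib
import hmac
import os

GRID = 5        # canvas split into GRID x GRID cells (assumption)
CANVAS = 100    # canvas is CANVAS x CANVAS pixels (assumption)
PEN_UP = "^"    # token recorded each time the pen is lifted (assumption)

# Constructed sample drawings: a list of strokes, each a list of (x, y) points.
# REDRAWN is a wobbly re-creation of ORIGINAL that stays inside the same cells;
# DIFFERENT cuts a corner and so visits a different cell sequence.
ORIGINAL = [[(5, 5), (25, 5), (25, 25)], [(65, 65), (85, 85)]]
REDRAWN = [[(8, 3), (22, 9), (29, 28)], [(61, 69), (88, 81)]]
DIFFERENT = [[(5, 5), (25, 25)], [(65, 65), (85, 85)]]


def encode(strokes):
    """Encode a drawing as the ordered list of grid cells visited, with a
    PEN_UP token after each stroke. Consecutive points inside the same cell
    collapse to one entry, which is the margin of error the summary mentions:
    the drawing need not match exactly, only its cell sequence must."""
    size = CANVAS / GRID
    seq = []
    for stroke in strokes:
        for x, y in stroke:
            if not (0 <= x < CANVAS and 0 <= y < CANVAS):
                raise ValueError("point outside canvas")
            cell = f"{int(x // size)},{int(y // size)}"
            if not seq or seq[-1] != cell:
                seq.append(cell)
        seq.append(PEN_UP)
    return seq


def _digest(strokes, salt):
    # Hash the canonical encoding, never the raw drawing. Because every drawing
    # that rounds to the same cells yields the same hash, the effective
    # password space is the number of distinct cell sequences users actually
    # pick, which is the narrowing h4rm0ny worries about.
    secret = "|".join(encode(strokes)).encode()
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)


def enroll(strokes, salt=None):
    """Return (salt, digest) to store; the strokes themselves are discarded."""
    salt = salt or os.urandom(16)
    return salt, _digest(strokes, salt)


def verify(strokes, salt, digest):
    """True if the attempt encodes to the enrolled cell sequence."""
    return hmac.compare_digest(_digest(strokes, salt), digest)
```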