Picture Passwords More Secure than Text

Hugh Pickens writes "People possess a remarkable ability for recalling pictures and researchers at Newcastle University are exploiting this characteristic to create graphical passwords that they say are a thousand times more secure than ordinary textual passwords. With Draw a Secret (DAS) technology, users draw an image over a background, which is then encoded as an ordered sequence of cells. The software recalls the strokes, along with the number of times the pen is lifted. If a person chooses a flower background and then draws a butterfly as their secret password image onto it, they have to remember where they began on the grid and the order of their pen strokes. The "passpicture" is recognized as identical if the encoding is the same, not the drawing itself, which allows for some margin of error as the drawing does not have to be re-created exactly. The software has been initially designed for handheld devices such as iPhones, Blackberry and Smartphone, but could soon be expanded to other areas. "The most exciting feature is that a simple enhancement simultaneously provides significantly enhanced usability and security," says computer scientist Jeff Yan."

I dont think so

[Pazy]

I doubt this will really work, most people when they draw and write so it slightly diffrent each time. They may have to sit down and aim exactly and prepare which will take too much effort for most people. I doubt this will take off its the old security vs convenience. At this point ill take the convenience of a text password.

Easier in Asia...

[Anonymous Coward]

You say that, but it's EXACTLY what you have to do to learn kanji or kana... or hanzi, for the Chinese.

That's right, there's a proper way to write every one of the thousands of characters, right down to stroke order and placement.

Two serious problems

[adminstring]

1. An artistically-inclined person looking over your shoulder might be able to draw your image about as well as you can. With a conventional keyboard password, I can block the keyboard with my body so others can't see what I'm typing, and I can pretend to press keys that aren't in my password so even if they can see, they are thrown off. There is less you can do to block a screen you have to look at to draw properly.

2. Some people's hands shake when they've had too much caffeine, most people's fingers get stiff when they've been out in the cold, and some people have degenerative diseases which make typing a one-letter-at-a-time proposition. Drawing would be very difficult in all of these circumstances. Perhaps this is why TFA says that 5% of users couldn't recreate their image within three attempts a week after first coming up with it.

I don't think this technology is going anywhere any time soon.

Re:Easier in Asia...

[Nexx]

Not only that, but people who learn it the "wrong" way quite often write it the wrong way throughout their lives. I experience this a lot with my parents -- the stroke order they learned is different from the stroke order I learned, so anytime I watch them write, it looks a bit odd.

Been there. Done that.

[Kainaw]

If you remove the background picture and the act of displaying what you draw to everyone within eye-shot, I've already done that at http://shaunwagner.com/index.html?page=Projects%2FJavascript%2FMouse+Password [shaunwagner.com]

Does it work? No. It is far too difficult to draw the same image twice without seeing what you are drawing. If you can see what you are drawing, so can everyone else - then they can draw the same image.

Re:Normal signature

[schmiddy]

Yeah.. different methods of signature recognition have been around for quite some time, and never really caught on. A friend just did his senior undergrad thesis on a survey of techniques for signature detection [slyengineer.net], and it's actually a pretty informative read. Long story short.. even the advanced models have too high false-positive rates, especially from skilled forgers who have time to practice copying your signature at home, or even casual over-the-shoulder copying.

The only real future use of this I see is as one component in a highly secure, long-term, yet convenient, authentication mechanism.. perhaps for accessing a lockbox at a bank, something you'd need to have around for many years without remembering and changing a password. And even then, they'd have to additionally use at least "something you know" (name,SSN, etc that you won't forget) and possibly another "something you have" (fingerprint reading, perhaps) in order to get the false positive and false negative rates acceptably low.

Re:And "shoulder surfing".

[fredklein]

it's far more difficult to watch someone's hand and imagine exactly how they typically draw a password.

It's not as difficult as you think. It's a standard magicians trick to secretly watch a persons hand/pen movements and then 'magically' re-create the drawing they made.

Re:I don't belive it.

[Rob Simpson]

Yes. Also the picture will require at least one instance each of cross-hatching, scumbling, and stippling.