Graphical Passwords

Alphanumeric passwords are a prevalent form of user authentication, and many people must remember several passwords in their day-to-day lives. Often, these passwords must fulfil specific requirements: for example, they must be a certain length or contain both numbers and letters. Though these requirements are intended to increase password security, they can inhibit memorability and so cause users to develop workarounds that decrease security, such as using one password repeatedly or writing passwords down.

The notion of the picture superiority effect suggests that graphical passwords are a better method of user authentication. Because the brain is better able to recall images than strings of letters or numbers, passwords can theoretically be both memorable and secure. However, it is possible that the same problems encountered with alphanumeric passwords would arise were graphical passwords widely used.

This project examined the security and usability of exemplar graphical password schemes. We designed and evaluated methods to support users’ engagement in particular security behaviours through interaction design and judicious selection of images. We performed empirical studies to explore the usability of our interventions, and developed novel methodology to help resolve the phenomena of password sharing and shoulder surfing. Throughout the course of the project, we found that multi-touch interaction can be used to defend against shoulder surfing attacks on graphical passwords. We also found ways to increase the security of some current graphical password schemes. The verbal sharing of Passfaces passwords, where users identify pictures, could be made harder through judicious presentation of images to users. We encouraged users to choose stronger passwords on another type of graphical password scheme, Draw a Secret, by adding a background image to the drawing grid on which the password is entered.

Press release: Scientists draw on new technology to improve password protection

Date: Sep 2008-Aug 2012

Supervisor: Patrick Olivier