January 18th, 2006

Graphical passwords for better security

Posted by Roland Piquepaille @ 9:49 am

Categories: Computers & Internet, Defense & Security


You all know that passwords are relatively easy to steal, especially because we don't pick difficult ones. So computer scientists from Rutgers University-Camden have developed graphical passwords to enhance your computer security. One solution works by picking "click points" on an image previously selected by the user. Another, designed to resist "shoulder surfing," works by clicking on a random spot inside the shape formed by the user's chosen icons, which are mixed into a collection of other icons. These solutions may be fine for your own system, but they will not help you when you need to create a new password for an online service.

Jean-Camille Birget, a professor of computer science, and his team have developed graphical passwords. Instead of entering a password consisting of numbers and letters, the user selects areas of a picture, called "click points," which are easier for the user to remember and, due to the somewhat random selection process, more difficult for someone else to guess.

"You can let users even choose the picture," says Birget of the new computer security program, which would help users remember their original click points. The selected picture must be complex, like a landscape or cityscape, to be a secure system so that there are many possible click points.

Below is an example of such a landscape (Credit: Rutgers University-Camden).

Graphical passwords

And here are more details extracted from a paper published by The Rutgers Scholar (Volume 4, 2002).

The [above] example, while very unsophisticated, illustrates how a simple graphical password matches the security of its alpha-numeric counterparts. To login, the user is required to click within the 4 circled red regions in this picture. The user chose these regions when he or she created the password. The choice for the four regions is arbitrary, but the user will pick places that he or she finds easy to remember. The user can introduce his/her own pictures for creating graphical passwords. Also, for stronger security, more than four click points could be chosen.
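To make the click-point scheme concrete, here is an added example (my own illustration, not code from the Rutgers project). It assumes a simple tolerance model that the article only hints at: the image is divided into fixed cells of `cell` pixels, a click counts as "the same" as the enrolled one when it falls in the same cell, and only a salted, slow hash (PBKDF2 here) of the ordered cell sequence is stored, never the raw coordinates. The cell size, image size and iteration count are constructed values for the demonstration.

```python
import hashlib
import hmac
import math
import os
from typing import List, Tuple

Click = Tuple[int, int]  # pixel coordinates (x, y) inside the image


def to_cell(click: Click, cell: int) -> Tuple[int, int]:
    """Snap a pixel coordinate to the grid cell containing it; the cell is the tolerance region."""
    x, y = click
    return (x // cell, y // cell)


def encode_cells(clicks: List[Click], cell: int) -> bytes:
    """Serialise the ordered sequence of cells so it can be fed to a key-derivation function."""
    return ";".join(f"{cx}:{cy}" for cx, cy in (to_cell(c, cell) for c in clicks)).encode()


def enroll(clicks: List[Click], cell: int = 20, salt: bytes = None, iterations: int = 100_000) -> dict:
    """Create the stored record for a click-point password.

    Only a salted PBKDF2 digest of the discretised click sequence is kept (assumed design);
    the click points themselves never reach storage, just like a text password hash.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", encode_cells(clicks, cell), salt, iterations)
    return {"cell": cell, "salt": salt, "iterations": iterations, "digest": digest}


def verify(record: dict, clicks: List[Click]) -> bool:
    """Accept the attempt only if every click lands in the enrolled cell, in the enrolled order."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", encode_cells(clicks, record["cell"]), record["salt"], record["iterations"]
    )
    # constant-time comparison, same as for any stored password digest
    return hmac.compare_digest(candidate, record["digest"])


def password_space(width: int, height: int, cell: int, n_points: int) -> int:
    """Number of distinct ordered click sequences the grid can tell apart."""
    cells = (width // cell) * (height // cell)
    return cells ** n_points


def space_bits(width: int, height: int, cell: int, n_points: int) -> float:
    """The same space expressed in bits, for comparison with text passwords."""
    return math.log2(password_space(width, height, cell, n_points))


if __name__ == "__main__":
    # constructed sample: four click points on an 800x600 image, 20-pixel cells
    clicks = [(105, 112), (410, 305), (650, 88), (230, 540)]
    record = enroll(clicks, cell=20)
    print("exact clicks accepted:", verify(record, clicks))
    print("slightly off clicks accepted:", verify(record, [(101, 119), (419, 300), (655, 99), (239, 541)]))
    print("wrong first point accepted:", verify(record, [(130, 112), (410, 305), (650, 88), (230, 540)]))
    print("4 points on 800x600, 20px cells: %.1f bits" % space_bits(800, 600, 20, 4))
```

Two design points follow from the code. The tolerance is what makes the password hashable at all: the verifier cannot hash fuzzy pixel coordinates, so it must discretise them first, and the simple grid used here has a known weakness in that a click near a cell edge can fall into a neighbouring cell on a later attempt (the project's papers address this with more careful discretisation; this block does not). Second, `space_bits` shows why the image must be "complex": the theoretical space grows with the number of distinguishable regions and with the number of points, but only the regions a user can actually remember and reliably hit count, so a bland image with a few obvious hotspots shrinks the real space far below the number the formula gives.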

The other technique developed by these computer scientists aims to prevent "shoulder surfing," the theft of a password by surreptitiously watching it being entered.

In the Rutgers-Camden study, users picked 10 icons, which then were scrambled with approximately 200 others. In order to gain entry into the system, users found shapes, such as triangles, that used their chosen icons as the corners, and clicked inside that shape. Users then repeated the same game 10 times.

"The main idea behind our model is to allow a user to prove knowledge of a secret, without revealing the secret itself to either the authenticating party or a potential observer," says Leonardo Sobrado[, who was part of the research team.] "The question, or challenge, changes every time and so does the answer. But the secret knowledge stays the same."

Below is an example of what this icon-based password looks like (Credit: Rutgers University-Camden).

Icon-based passwords

Once you’ve selected your icons, here is how the system works.

To accurately simulate a graphical password system, you must not reveal the pass-icons to any potential observer. In fact, you should not so much as point or click at a pass-icon in a way that would reveal to an observer that you're identifying a pass-icon. Doing so completely defeats the purpose of the system. Once you have clicked anywhere inside the convex hull, the system will re-arrange the icons. You should set the icon speed low enough so that you can track some of the pass-icons as they move. This will make it easier to find them on the next screen. If a pass-icon leaves the screen, a new one will replace it.
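The two passages above (10 pass-icons scrambled among about 200 others, a click anywhere inside their convex hull, 10 rounds) describe a challenge-response protocol, and the following added example simulates both sides of it. This is my own illustration, not the project's program: it assumes every icon gets a fresh random position each round and that all pass-icons stay on screen (the real system lets some leave and replaces them), and the screen size, icon counts and random seeds are constructed values. It also computes what an observer who does not know the secret gains from a random click: per round, exactly the hull's share of the screen area, which is why the scheme repeats the round ten times.

```python
import random
from typing import Dict, Iterable, List, Tuple

Point = Tuple[float, float]


def cross(o: Point, a: Point, b: Point) -> float:
    """Z-component of (a - o) x (b - o); positive when o->a->b turns left."""
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])


def convex_hull(points: Iterable[Point]) -> List[Point]:
    """Andrew's monotone chain; returns hull vertices in counter-clockwise order."""
    pts = sorted(set(points))
    if len(pts) <= 2:
        return pts
    lower: List[Point] = []
    for p in pts:
        while len(lower) >= 2 and cross(lower[-2], lower[-1], p) <= 0:
            lower.pop()
        lower.append(p)
    upper: List[Point] = []
    for p in reversed(pts):
        while len(upper) >= 2 and cross(upper[-2], upper[-1], p) <= 0:
            upper.pop()
        upper.append(p)
    return lower[:-1] + upper[:-1]


def inside_convex(pt: Point, hull: List[Point]) -> bool:
    """True if pt is inside or on the boundary of a counter-clockwise convex polygon."""
    n = len(hull)
    if n == 0:
        return False
    if n == 1:
        return pt == hull[0]
    if n == 2:  # degenerate hull (collinear pass-icons): pt must lie on the segment
        a, b = hull
        on_line = abs(cross(a, b, pt)) < 1e-9
        in_box = (min(a[0], b[0]) - 1e-9 <= pt[0] <= max(a[0], b[0]) + 1e-9
                  and min(a[1], b[1]) - 1e-9 <= pt[1] <= max(a[1], b[1]) + 1e-9)
        return on_line and in_box
    return all(cross(hull[i], hull[(i + 1) % n], pt) >= -1e-9 for i in range(n))


def polygon_area(hull: List[Point]) -> float:
    """Shoelace formula for the hull area (0 for fewer than three vertices)."""
    n = len(hull)
    if n < 3:
        return 0.0
    return abs(sum(hull[i][0] * hull[(i + 1) % n][1] - hull[(i + 1) % n][0] * hull[i][1]
                   for i in range(n))) / 2.0


def make_challenge(rng: random.Random, total_icons: int, width: int, height: int) -> Dict[int, Point]:
    """Server side of one round: every icon id is drawn at a fresh random position.
    Assumption for this simulation: all icons, pass-icons included, are on screen."""
    return {i: (rng.uniform(0, width), rng.uniform(0, height)) for i in range(total_icons)}


def verify_round(positions: Dict[int, Point], pass_icons: Iterable[int], click: Point) -> bool:
    """Server check: did the click land inside the convex hull of the user's pass-icons?"""
    return inside_convex(click, convex_hull(positions[i] for i in pass_icons))


def guess_success_probability(positions, pass_icons, width: int, height: int) -> float:
    """Chance that a click made without knowing the secret passes this round."""
    return polygon_area(convex_hull(positions[i] for i in pass_icons)) / (width * height)


def legitimate_click(positions: Dict[int, Point], pass_icons: Iterable[int]) -> Point:
    """User side: click the centroid of the pass-icons, which is always inside their hull
    and, for random layouts, not on any of them, so nothing about the secret is pointed at."""
    pts = [positions[i] for i in pass_icons]
    return (sum(p[0] for p in pts) / len(pts), sum(p[1] for p in pts) / len(pts))


def run_session(seed: int, pass_icons: Iterable[int], knows_secret: bool, rounds: int = 10,
                total_icons: int = 200, width: int = 800, height: int = 600) -> bool:
    """Full login: the challenge changes every round, the secret (pass-icon set) does not."""
    rng = random.Random(seed)
    pass_icons = list(pass_icons)
    for _ in range(rounds):
        positions = make_challenge(rng, total_icons, width, height)
        if knows_secret:
            click = legitimate_click(positions, pass_icons)
        else:
            click = (rng.uniform(0, width), rng.uniform(0, height))  # observer guessing blind
        if not verify_round(positions, pass_icons, click):
            return False
    return True


def guesser_success_rate(trials: int, pass_icons: Iterable[int], rounds: int = 10,
                         total_icons: int = 200) -> float:
    """Fraction of blind-guess sessions that pass all rounds (Monte Carlo)."""
    pass_icons = list(pass_icons)
    wins = sum(run_session(seed, pass_icons, False, rounds, total_icons) for seed in range(trials))
    return wins / trials


if __name__ == "__main__":
    secret = set(range(10))  # constructed: icon ids 0..9 are the pass-icons
    print("legitimate user logs in:", run_session(1, secret, True))
    print("blind guesser after 1 round:", guesser_success_rate(500, secret, rounds=1))
    print("blind guesser after 10 rounds:", guesser_success_rate(500, secret, rounds=10))
```

Running it shows the trade-off the article's numbers encode: ten randomly placed pass-icons spread their hull over a large part of the screen, so a single round rejects a blind click only some of the time, and it is the repetition over ten independent challenges that drives the guesser's overall success down. What the simulation deliberately does not cover is an observer who records several sessions and intersects the hulls; the text's own advice (never point at or click a pass-icon, and keep the secret constant while the challenge changes) is aimed at exactly that observer.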

If you want to test this technology, you can download the program or simply run an interactive simulation.

And for more information, The Graphical Passwords Project home page contains several links to technical papers.

Now, tell me: will you use such a technique to protect yourself?

Sources: Rutgers University-Camden news release, January 4, 2006; and various web sites


Roland Piquepaille lives in Paris, France, and he spent most of his career in software, mainly for high performance computing and visualization companies.
Talkback (most recent of 39):

I should know that...
I have a blind sister. Audibility would help. I think what banks and major online retailers need to do is create text based, not html based webpages alongside their html sites....
Posted by: robspcfixerupper@... Posted on: 12/09/06
Sounds tedious  ordaj@... | 01/18/06
May be tedious but...  robspcfixerupper@... | 01/18/06
I doubt it  Ragon2727 | 01/23/06
Use a different finger?  Hrothgar - PCLinuxOS User | 01/29/06
neat idea....  JoeMama_z | 01/18/06
Bank of America already does it  robspcfixerupper@... | 01/18/06
Must be the same guy that invented the donut dipper.  tedman | 01/18/06
Note on Bank of America  robspcfixerupper@... | 01/18/06
Bad idea, needs work  wmroc | 01/18/06
I should know that...  robspcfixerupper@... | 12/09/06
skeptical  will_b_z | 01/18/06
Yes,  kedesol | 01/18/06
something like it  cwilliams77 | 01/18/06
Sounds easy to crack to me  IceTheNet@... | 01/18/06
Breaching this scheme  cgraham_z | 01/19/06
This is easy to crack. A broker is still better.  danformen@... | 01/18/06
"Stuff" happens...  mr_speedlight | 01/18/06
Security Issues  kedesol | 01/18/06
Graphical passwords  justpks81@... | 01/18/06
Solving a problem that isn't there  bportlock | 01/19/06
Show me da money  TheOtherITGuy | 01/19/06
Incredibly stupid idea  obrad | 01/19/06
I finally figured out how to use a cell phone  BarbieLee | 01/19/06
violates accessability laws  deepee912 | 01/19/06
Censorship  Roger Ramjet | 01/19/06
Give me a break!!!  Narg | 01/19/06
Graphic Passcards  jiandja | 01/19/06
Graphic Passwords  jiandja | 01/19/06
It looks fun, but...  Angelsinthealley | 01/19/06
Screen Capture/Macro Recording?  Cave Kayaker | 01/19/06
Password theft is not the only problem  mystic100 | 01/19/06
Sounds intersting BUT ...  mwagner@... | 01/19/06
porn-pass  ssloan1700 | 01/19/06
The "Click Spoofing" could be eliminated by the server  Bernman93 | 01/19/06
Not universally applicable  Seething Ganglia | 01/20/06
Movie "Safe House"  cburgess-iPALADIN | 01/26/06
Don't use a pic of President Bush  RainDrummer | 02/01/06
They Weren't the First  mlibrescu4 | 02/01/06
More on Bank of America  kcarter@... | 02/13/06