Drawings Latest Attempt At Improving Password Protection

Nov 13, 2007 4:32 PM

An inventive way of improving password security for handheld devices such as iPhones, Blackberry and Smartphone has been developed at Newcastle University, reports ScienceDaily.

The software, which uses pictures instead of letters and numbers, has been initially designed for handheld devices, but could soon be expanded to other areas.

Those who took part in testing this system created passwords that were a thousand times more secure than ordinary textual passwords. Most testers also found them easy to remember.

ScienceDaily reports that researchers want to examine the system's potential for helping people with language difficulties, such as dyslexia.

Today, the use of passwords is commonplace in everything from mobile phones to cash machines and computers. But in the wake of growing concerns about traditional 'weak' passwords created from words and numbers, Newcastle University computer scientists have been developing alternative software which lets the user draw a picture password, known as a 'graphical password.'

"Many people find it difficult to remember a password so choose words that are easy to remember and therefore more susceptible to hackers," explains computer scientist Jeff Yan, a lecturer at Newcastle University.

Along with his PhD student Paul Dunphy, Yan has taken the emerging Draw a Secret (DAS) technology, a graphical password scheme where users draw their secret password as a free-form image on a grid, and taken this a step further.

In DAS, the user draws an image, which is then encoded as an ordered sequence of cells. The software recalls the strokes, along with the number of times the pen is lifted.

By superimposing a background over the blank DAS grid, the Newcastle University researchers have created a system called BDAS: Background Draw a Secret. This helps users remember where they began the drawing they are using as a password and also leads to graphical passwords that are less predictable, longer and more complex.

The BDAS software encouraged people to draw more complicated password images e.g. with a larger stroke count or length, that were less symmetrical and didn't start in the centre. This makes them much harder for people or automated hacker programs to guess. "In essence, this is a very simple idea as it's intuitive," Yan told ScienceDaily. "It may take longer to create the password initially but it's easier to remember and more secure as a result."

For example, if a person chooses a flower background and then draws a butterfly as their secret password image onto it, they have to remember where they began on the grid and the order of their pen strokes. It is recognized as identical if the encoding is the same, not the drawing itself, which allows for some margin of error as the drawing does not have to be re-created exactly.

"Most of us have forgotten a pin number or a password at least once, which is why we tend to make them so easy to guess," Yan says. "However, the human mind has a much greater capacity for remembering images, and it's certainly true that a picture is worth a thousand words in this instance."

People who took part in the Newcastle University study, which compared DAS and BDAS use, had to choose their own background from a selection of five images -- stars, map detail, playing card, crowd and flower.

After creating their secret password images on the grid, they were asked to repeat what they had initially drawn. One week later, ScienceDaily reports, they were asked to re-create the same image and 95 percent BDAS users were able to do so within three attempts.

"The recalled BDAS passwords were, on average, more complicated than their DAS counterparts by more than 10 bits," Yan says. "This means that the memorable BDAS passwords improved security by a factor of more than 1024. They were also more secure than current textual passwords by an even larger factor."

Yan will be presenting these findings in the opening lecture at Association for Computing Machinery Conference (ACM)'s flagship conference on Computer and Communications Security in Washington. He received a grant from Microsoft Research (MSR) to support his research into designing novel systems that are both secure and usable.

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

This month in Access Control

• Targeting The Customer
• Electronic Pedigrees
• One Hero Among Many
• Who? What? When? Where? Why?
• More from September's issue