I’ve tried out a few of these visual recognition password technique things, and to tell you the truth they didn’t work for me, not at all.
I clicked the requisite 3-4 spots on the image, and remembered them, but when I tried to log in it wouldn’t accept it.
A password that uses images instead of numbers could give some people access to secure information on personal electronic devices or at ATMs within the next year.
The image authentication system uses a pair of digital images instead of a string of numbers to make logging in simple for the legitimate user, but difficult for impersonators.
“It is expected that many of the conventional user authentication systems would be able to be replaced with our scheme, since recognition of images is significantly easier for human beings than precise recall of passwords,” said team leader Masakatsu Nishigaki, a professor of informatics at Shizuoka University in Japan, where the system is being developed.
Source: Discovery Channel
There is a simple implementation of it I saw called Passclicks over at mininova:
http://labs.mininova.org/passclicks/
Passclicks is a new way to login to websites without users having to remember their old style textual password. Studies have revealed that humans are way better in remembering visual things than textual things. With passclicks your normal textual passwords are replaced with a sequence of clicks on an image.
It is true most people remember things a lot better visually.
I think the Japanese 4 ‘digit’ icon type password might be pretty good though, as a different form of PIN number.
Mariam Ayyash says
I tried it, I remembered only four clicks! It is very possible for me to keep forgetting one click :s so it doesn’t always work, does it?
Navaho Gunleg says
I think the concept itself is original and pretty neat: the more happening on the image, the more possible locations one could click on, so the harder it will be to brute-force the password. Sure the demo is just a proof-of-concept, and it’s probably configurable in the end, but one shouldn’t even limit it to only 5 clicks.
It could even be a bit ‘stronger’ if the person that wants to log-in has to choose one image out of many, first, and not always show the same scenic image of Amsterdam in the Netherlands…
Problems though are, like happened to Mariam, that one could easily forget a click. Or one does remember the clicks, but forgot in what exact order.
Then again, people have even worse problems remembering an alpha-numeric password at least 12 characters in length.
I can definitely see this type of thing taking off. It would suck pretty badly for existing text-based services though (such as SSH). Don’t get me wrong, some ASCII art looks pretty cool, but there may be some problems there. ;)
But for websites it could do the job perfectly.
Though, if it’s only to prevent people from forgetting their passcodes, I do not think that’s going to be solved. I grew up in the age of PIN codes and passwords so I don’t have any problems with remembering them, as long as I frequently use them. Most people will forget them because of exactly that. So this authentication scheme could fail just as much…
Just my two cents…
Darknet says
Mariam: No password works if you forgot 20% of it ;)
Navaho: Yah it’s definitely an interesting concept, how are you going to brute force the image? I did think of that though, the backend has to have some kind of image map which sends the co-ordinates or something similar to the server, so theoretically can’t you just send all combinations of all co-ordinates to the backend, in time ‘brute-forcing’ the image verification? I guess the entropy would be increased hugely if you used multiple random images like you said. Definitely good for websites and things like PDA/smart phones where they already have visual navigation aids.
Navaho Gunleg says
Darknet: Well, if the image would only show, say, a portrait of someone, it could be possible for somebody else to guess the clicks looking for obvious spots to click. That’s the type of brute-forcing I meant. (One could also attempt random clicks every time until one succeeds but that’s pretty tedious.)
So, in that respect, images are a better solution than a password in text. For the sake of argument, let’s assume a password, in text, can only consist of 255 different characters.
An image of 250×250 dimensions would give far greater ‘randomness’ — more possible pixels than characters in a text-password, thus brute-forcing isn’t as trivial as with text.
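An added example, not part of the original post, its comments or Passclicks' code: it puts numbers on the search-space comparison discussed in the thread (250×250 image, 5 clicks, 255-symbol text alphabet) and shows how much a click tolerance shrinks it. The 10-pixel tolerance, the square acceptance region and all function names are assumptions made for illustration.

```python
import math

def click_keyspace_bits(width, height, clicks, tolerance_px):
    """Approximate search space (bits) of an ordered click sequence.

    Assumption: the verifier accepts a click within tolerance_px of the
    enrolled point on both axes, so each accepted region is a square of
    side 2*tolerance_px + 1 and the image holds about area/side^2 of them.
    """
    side = 2 * tolerance_px + 1
    regions = math.ceil(width / side) * math.ceil(height / side)
    return clicks * math.log2(regions)

def equivalent_text_length(bits, alphabet):
    """Shortest text password over `alphabet` symbols covering `bits`."""
    return math.ceil(bits / math.log2(alphabet))

def verify_clicks(enrolled, attempt, tolerance_px):
    """Order-sensitive check of an attempt against the enrolled points."""
    if len(enrolled) != len(attempt):
        return False
    return all(abs(ex - ax) <= tolerance_px and abs(ey - ay) <= tolerance_px
               for (ex, ey), (ax, ay) in zip(enrolled, attempt))

if __name__ == "__main__":
    # Figures from the thread: 250x250 image, 5 clicks, 255-symbol text alphabet.
    for tol in (0, 10):  # 0 = pixel-exact; 10 px is an assumed tolerance
        bits = click_keyspace_bits(250, 250, 5, tol)
        print(f"tolerance {tol:>2}px: {bits:5.1f} bits, "
              f"about {equivalent_text_length(bits, 255)} text characters")
    # Constructed sample clicks: right spots, then the same spots in the wrong order.
    enrolled = [(40, 60), (200, 120), (125, 230)]
    print(verify_clicks(enrolled, [(45, 55), (195, 128), (130, 225)], 10))
    print(verify_clicks(enrolled, [(200, 120), (40, 60), (125, 230)], 10))
```

Pixel-exact matching gives roughly 80 bits for five clicks, but a verifier that accepts clicks within 10 pixels leaves about 36 bits, comparable to a five-character password over the 255-symbol alphabet, and that is before accounting for users favouring obvious spots in the image.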