
New techniques easier, more secure

Sunday, November 9 | 4:26 p.m.

BY TOM VOGT
COLUMBIAN STAFF WRITER


A computer’s random selection of one item from each category of supplied images can become your personalized visual password.


A selection of images assembled in a composite photograph might offer an alternative to hard-to-remember computer passwords consisting of random letters and numbers. (Photo illustration by Marsha Matta/The Columbian)



A picture is worth a thousand passwords … and a lot easier to remember.

That’s the theory behind a project at the University of Idaho, where scientists are trying to create computer passwords that are easier to remember while providing better security.

“Humans are good at remembering meaningful things, but bad at remembering arbitrary sequences of digits,” said Steffen Werner, a psychology professor at the University of Idaho.

That’s why someone who might have trouble remembering “Lm4bV32Qi” might have better luck with a sequence that includes images of a nurse, an apple, a collie and a frog.

“I’ve been teaching a course in human-computer interaction, how to make it easier for human users,” said Werner, who is trained as a cognitive psychologist. The class includes psych as well as comp sci students, and one of them mentioned that the human element was a major issue in computer security.

“It’s a great topic for someone who is interested in memory,” Werner said. “That’s a key issue to most password systems: A person has to keep them in his memory, and then retrieve them. Having used passwords myself, and understanding how humans try to remember them, it’s clear they’re quite a bottleneck for security.

“The question is, how can we work on the element of the password to make it more memorable for the user, and make it as unpredictable and random as possible? The onus is on you to remember it. It’s a very one-sided arrangement.

“Usually, people have a base password and add something,” Werner said. “Or they write it down. Eventually, neither is safe.”

If that’s the question, where might people try to find an answer? Well …

“Visual memory is quite good,” Werner said. “People can extract a lot of information from a picture very efficiently.”

Werner said his research team showed images to test subjects for a minute or so, and then showed them nine-character strings of random numbers and letters.

“We don’t even tell them it’s a password test. After 30 minutes, they did really well with both sequences,” Werner said.

A month or so later, the subjects could identify 90 percent of the images that were part of their picture.

However, he said, “When we did the same thing with the alpha-numeric sequence, it was 25 to 35 percent. That shows the retention difference.”

In the system Werner is exploring, a composite password picture might include images in nine categories. They could include a man, a woman, a child, a pet, another animal, a piece of fruit, a musical instrument and a background.

“From our perspective, it’s better to have it generated by a computer and very random,” he added.

That is the picture a computer user must keep in mind while logging on, recalling the nine different images.

Here’s how it might work:


  • When going through the password process, you would see a screen with anywhere from 16 or 36 different women: nurse, dancer, tennis player, chef, or whatever the password provider puts on the screen.

  • You click on the woman who was part of your picture.

  • Then you get 36 men: Click on your cowboy or logger or fisherman …

  • Then 36 children …


“You go through nine different screens,” Werner said.

Researchers have tried offering the composite photo and having people click on the nine images in a particular sequence, but “One picture and nine clicks doesn’t work as well,” he said.

“We could let people choose the elements; but if we had 36 different dogs, maybe two-thirds of them would choose one particular dog,” he said.

Personal choice can be a security problem when people build letter-number passwords, Werner added. Whether it’s the name of their pet or the date of their anniversary, it can jeopardize security.
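The scheme described above can be put in numbers. The following Python sketch is an added example, not code from the article or from Werner's research: it generates a computer-chosen nine-screen password and compares its entropy with a random nine-character string and with user-chosen images. Assumptions: the random string draws from 62 symbols (a-z, A-Z, 0-9), the ninth category is a placeholder because the article names only eight, and the user-choice model gives one favourite image two-thirds of the picks with the rest spread evenly.

```python
import math
import secrets

# Eight categories named in the article; the ninth is not named there (placeholder).
CATEGORIES = ["woman", "man", "child", "pet", "other animal", "fruit",
              "musical instrument", "background", "ninth category (placeholder)"]

def generate_password(choices=36):
    """Computer-generated password: one uniformly random image index per screen."""
    return [secrets.randbelow(choices) for _ in CATEGORIES]

def uniform_bits(screens, choices):
    """Entropy in bits when every screen's image is drawn uniformly at random."""
    return screens * math.log2(choices)

def biased_distribution(choices, top_share):
    """Assumed user-choice model: one favourite image takes top_share of picks,
    the remainder is spread evenly over the other images."""
    rest = (1 - top_share) / (choices - 1)
    return [top_share] + [rest] * (choices - 1)

def shannon_bits(probs):
    """Average unpredictability of one screen under the given distribution."""
    return -sum(p * math.log2(p) for p in probs if p > 0)

def min_entropy_bits(probs):
    """Worst-case unpredictability: determined by the single most popular image."""
    return -math.log2(max(probs))

def summary():
    dogs = biased_distribution(36, 2 / 3)  # "two-thirds would choose one dog"
    return {
        "visual_36_random": uniform_bits(9, 36),
        "visual_16_random": uniform_bits(9, 16),
        "alnum_9_random": uniform_bits(9, 62),  # assumes a-z, A-Z, 0-9
        "per_screen_random": math.log2(36),
        "per_screen_chosen_shannon": shannon_bits(dogs),
        "per_screen_chosen_min": min_entropy_bits(dogs),
    }

if __name__ == "__main__":
    print(generate_password())
    for name, bits in summary().items():
        print(f"{name:28s} {bits:6.2f} bits")
```

Under these assumptions a random pick from 36 images is worth about 5.2 bits per screen, while a screen where two-thirds of users pick the same image is worth under 1 bit in the worst case, which is the argument for computer-generated selection.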

Werner doesn’t see this system as part of a daily log-on process.

“I wouldn’t want to replace a day-to-day password with something more cumbersome, but you could replace a password you use once a month or every two months,” Werner said. “Imagine your retirement account, or your 401(k). Within six months of not using a password, you probably won’t remember it. Or if you use the same password over and over, that’s not very safe.”

Werner also favors his approach over biometric passwords, which include fingerprint and voice recognition. Many of these tests can be fooled with a reproduction, he said.

Frustrated computer users aren’t the only victims of an evasive password, by the way.

“There are estimates that 20 to 30 percent of all help-desk calls are password related,” he said. “Not only could a business save money by eliminating those calls, it could greatly enhance its security.”
