Forget your password? Picture this:

The human mind is much better at remembering images than words. So we could soon be logging on by selecting our own private art gallery.

By Suelette Dreyfus
9 October 2000

Imagine never forgetting your password or PIN. Better still, imagine never having to wait in the queue watching impatiently as the fellow in front of you forgets his PIN - for the third time. Does this sound like an impossible dream? It's not.

A new wave of picture-style password systems may soon make it easier for people to prove their identities, while keeping hackers at bay and dodging the sticky privacy issues surrounding biometrics.

Researchers at the University of California at Berkeley have been studying how people use passwords and PINs. They have also tested a new prototype system, called Deja Vu, that replaces these traditional forms of authentication with a "password" made up of abstract art images. Participants log in by choosing five art images out of a group of 25 pictures.

The results of the study suggest that picture passwords could make customers happier and companies more profitable, all by tapping into the human mind's almost limitless ability to remember pictures.

The Berkeley team looked at how well a group of 30 people remembered their passwords after one week. They tested the participants using PINs, passwords, a portfolio of abstract art images generated by Deja Vu and a collection of photos, such as a face, a flower and the Golden Gate Bridge.

"Our user study shows that 90 per cent of all participants succeeded in the authentication tests using Deja Vu, while only about 70 per cent succeeded using passwords and PINs," the Deja Vu study's authors, Rachna Dhamija and Adrian Perrig, wrote in a paper presented at the Usenix Security Symposium in Denver recently.

Apparently, PINs (personal identification numbers) are not the only things people forget.
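As an added illustration of the five-of-25 log-in described above (this is not code from the article or from the Deja Vu project), the following Python sketch simulates enrolment, the challenge screen and verification, and works out the chance of a lucky guess. The integer image ids, the pool size and the use of ids in place of rendered Random Art pictures are constructed assumptions.

```python
import math
import secrets

PORTFOLIO_SIZE = 5    # images the user picks at enrolment (figure from the article)
CHALLENGE_SIZE = 25   # images shown on each log-in screen (figure from the article)

# Constructed stand-in for an image store: each abstract image is an integer id.
# A real deployment would render a Random Art picture for each id (assumption).
IMAGE_POOL = list(range(1000))
_RNG = secrets.SystemRandom()   # OS-backed randomness rather than the default PRNG


def enrol(rng=_RNG):
    """Return the user's secret portfolio: PORTFOLIO_SIZE distinct image ids."""
    return frozenset(rng.sample(IMAGE_POOL, PORTFOLIO_SIZE))


def make_challenge(portfolio, rng=_RNG):
    """Build one log-in screen: every portfolio image plus freshly drawn decoys,
    shuffled so that screen position reveals nothing about which ones are secret."""
    decoys = [i for i in IMAGE_POOL if i not in portfolio]
    screen = list(portfolio) + rng.sample(decoys, CHALLENGE_SIZE - PORTFOLIO_SIZE)
    rng.shuffle(screen)
    return screen


def verify(portfolio, screen, selection):
    """Accept only when the selection is exactly the portfolio images on screen.
    Partial picks, extra picks and ids that were never displayed all fail."""
    chosen = set(selection)
    return chosen <= set(screen) and chosen == set(portfolio)


def guess_probability(shown=CHALLENGE_SIZE, secret=PORTFOLIO_SIZE):
    """Chance that one random pick of `secret` images out of `shown` is exactly
    the portfolio: 1 / C(shown, secret), i.e. 1/53130 for five of 25."""
    return 1 / math.comb(shown, secret)


if __name__ == "__main__":
    portfolio = enrol()
    screen = make_challenge(portfolio)
    # The legitimate user recognises her five images among the 25 shown.
    print("user accepted:", verify(portfolio, screen, [i for i in screen if i in portfolio]))
    # Someone who knows nothing picks any five images on the screen.
    print("random guess accepted:", verify(portfolio, screen, _RNG.sample(screen, 5)))
    print("per-attempt guessing probability: 1/%d" % round(1 / guess_probability()))
```

A lockout after a few failed screens is what makes the 1-in-53130 per-attempt odds meaningful; without one, the figure only describes a single try.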
"More than a quarter of the people in the study forgot their 'log-in names' after one week," said Dhamija, a PhD student and researcher at UC Berkeley. It's a statistic familiar to corporate IT helpdesks around the globe.

It seems we've developed some simple solutions to the fact that PINs and passwords are made more for the convenience of the machine than the human. The Berkeley study showed that participants had at least 10 to 50 passwords or PINs, sometimes more - but everyone used only between one and seven unique passwords. Surprise, surprise: the Berkeley study reveals what most of us already know from first-hand experience; people reuse their passwords and PINs all the time.

Why? The brain is relatively poor at recalling information compared with recognising images. To make matters worse, PINs and passwords demand precise recall - you need all the numbers in your PIN in order to get into your bank account. This precise recall is also not a strong point of the human mind, according to Dhamija and Perrig.

When Perrig, a Swiss computer scientist working as a researcher at UC Berkeley while completing his PhD at Carnegie Mellon University, suggested testing images as an alternative to PINs for authentication, Dhamija jumped at the idea.

"I was immediately attracted to the idea because I'm horrible with passwords and PINs," she laughed. "I have hundreds of them and I forget them all the time. For a [computer] security person it's embarrassing! I've had to write them down - I've broken all the rules."

Instead of relying on old-style technology that forced people to break security rules, Dhamija, Perrig and fellow Berkeley researcher Dawn Song worked on a way of making it easier to remember passwords. They turned to Random Art, a software program that generates funky abstract art on the fly.
Written by Andrej Bauer, a Slovene PhD student in pure and applied logic at Carnegie Mellon University, Random Art generates a random formula and draws a corresponding picture based on it.

"The colours of pixels are determined by different values just like the colours on your TV are determined by the strength of the electronic beam that illuminates the phosphor pixels on the TV screen," Bauer explains. "So when you see 'white snow' during off-programming hours, that's TV random art. It doesn't look good because it is too random. The trick is to strike a good balance between randomness and determinism," he said.

The advantage of all this is that while you can recognise an image, you can't really describe it to others. That means the "password" stays safely in your memory and nowhere else. It's every financial institution's dream come true.

Whether password users are willing to accept this is another question. One of the most surprising findings of the Berkeley study was that people view being able to share their passwords with others as a "feature". Almost everyone in the study shared bank PINs with family or friends, and some people shared account passwords.

This might give other image-based authentication systems, such as Passface by ID Arts and v-Go by Passlogix in New York, an advantage over Deja Vu in the eyes of computer users. Both these systems also rely on the innate ability of the human brain to recognise images, but their images can be easier to describe.

To log in using v-Go, you might mix up a cocktail by clicking on different bottles at the virtual reality cocktail bar. The combination of ingredients would form a password. Alternatively, you can whip up a "meal" in the kitchen, or pick a hand at cards, such as a full house.

Passface relies on photographs of human faces. At the company's Passcenter, the program presents you with nine faces, and you pick one as your password.
To decrease the chance of a lucky guess, the program makes you go through the process five times. All the faces belong to strangers, not supermodels or famous actors.

However, these two systems do have some security limitations beyond possibly being able to describe your password, according to a critical assessment in the Berkeley team's paper. With v-Go, you can end up picking a "poor" password, meaning it is easy to guess, such as all the aces in a deck of cards. Also, the number of possible passwords is relatively small in parts of the program.

Passface has different limitations, mainly that most people display a tendency to choose pictures of faces which most closely resemble their own. This means, for instance, that if a hacker knows what you look like, it is that much easier to guess your password. The Passcenter seems to address this by arbitrarily assigning you your face-passwords - and taking away all the sense of ownership that comes with consumer choice in the process. This might make it more difficult to remember the passfaces.

The problem of predictability is serious when it comes to computer security. "Often users are the weakest link [in computer security]. Hackers know this and take advantage of it," Dhamija said.

The Berkeley team found that when they asked participants in the study to pick picture passwords from a collection of photos of known objects, some results were easy to guess. "Men picked red things, cars and airplanes. Women picked flowers, horses or nature stuff," Perrig said. "It just shows that having pictures that have too much context are not good for security," he added.

This predictability illustrates clearly the appeal of Random Art - images with no context. When people in the study tried to describe their Random Art passwords, they came up with explanations like "aliens dancing".
Creative, certainly, but not terribly helpful in revealing the password image, as the team discovered when they informally showed the same images to other participants and asked them to find the aliens. They couldn't pick out the tangoing space-visitors.

Dhamija said that a number of businesses, including a bank, and someone from the military, had expressed a significant interest in Deja Vu. "The bank was particularly interested in using this to reduce customer service calls from users who forgot their passwords to their accounts," she said. The businesses saw possible Deja Vu applications in a range of authentications, including e-commerce websites, high security situations and, surprisingly, mobile devices such as Palm Pilots or GSM phones. Dhamija and Perrig hope to have a version of Deja Vu ready in the next six months.

Random Art: andrej.com/art
Information on Deja Vu: www.sims.berkeley.edu/~rachna/dejavu
PDF version of the Usenix paper: paris.cs.berkeley.edu/~perrig/projects/usenix2000/usenix.pdf
Passlogix: www.passlogix.com
Passface: www.idarts.com