Picture This: A Password You Never Forget

Since the brain retains memories of images, especially faces, very accurately, new security systems are going graphical

By Alex Salkever

Have you ever passed a person whose face you know but whose name escapes you? Or seen someone at a restaurant who works in your office building but whom you don't know by name? You probably had no trouble recognizing the face. After all, that's the way people have been verifying identity for thousands of years. Our brains are wired to recognize faces quickly and tell friend from foe.

This neat evolutionary trick is the rationale behind PassFace, a system put together by RealUser (www.realuser.com). PassFace replaces the letters and numbers in passwords with sequences or groups of human faces. It's one of several applications that rely on graphical images for the purpose of authentication.

All of these graphical solutions are built on the premise that the brain remembers images more easily than letters or numbers. And not just faces, either. Authentication-management company Passlogix (www.passlogix.com) has a system where users can mix drinks in a virtual saloon or concoct chemical compounds using an onscreen periodic table of elements as a way to log on to computer networks.


Although these systems aren't widely used now, in the future, graphical password systems will be more common. Why? Because people have a tendency to avoid using the most secure passwords -- those consisting of randomly generated sequences of numbers and letters more than seven characters long that change regularly. Asking the human brain to remember and retrieve those types of secure passwords is like trying to hammer a square peg into a round hole. The result: We are constantly forgetting passwords.

Meanwhile, businesses spend millions on administering, retrieving, and resetting passwords. According to estimates from such technology analysts as the Gartner Group and Meta Group, the cost to businesses comes to between $50 and $300 per computer user each year.

This is where PassFace shines. It presents a series of five randomly assigned, lifelike faces to the user, either over the Internet or the corporate intranet. Next, the user goes through a five-minute training session where he repeatedly picks out those faces from a series of grids filled with decoy faces. Picking the correct face out of each grid, in order, is the graphical equivalent of typing in a password. "This is absolutely reliable. You never forget your faces," claims RealUser CEO Paul Barrett.
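A simplified model of the enrollment and challenge flow just described, written for this page as an added example; it is not RealUser's code, whose internals the article does not describe. The 100-face library, the nine-face grid, the hashed server-side record, and the face IDs are all assumptions. The two functions at the end put a number on the point the article circles around: how large the guess space of a five-face sequence is compared with the eight-character random password it is meant to replace.

```python
import hashlib
import hmac
import math
import secrets

# Constructed sample data: the real product ships photographs; here each
# "face" is just an integer ID drawn from a hypothetical 100-face library.
FACE_LIBRARY = list(range(1, 101))
ROUNDS = 5        # five enrolled faces, as the article describes
GRID_SIZE = 9     # assumption: each challenge grid shows 9 faces (1 target + 8 decoys)


def enroll(library=FACE_LIBRARY, rounds=ROUNDS, rng=None):
    """Assign the user `rounds` distinct faces chosen at random from the library.

    The ordered list is the user's secret; it is what the training session
    drills into memory. A CSPRNG is used so the assignment is unpredictable.
    """
    rng = rng or secrets.SystemRandom()
    return rng.sample(library, rounds)


def make_challenge(enrolled, library=FACE_LIBRARY, grid_size=GRID_SIZE, rng=None):
    """Build one grid per enrolled face: the target plus grid_size-1 decoys.

    Decoys are never other enrolled faces, and each grid is shuffled so the
    target's position carries no information from one login to the next.
    """
    rng = rng or secrets.SystemRandom()
    decoy_pool = [f for f in library if f not in enrolled]
    grids = []
    for target in enrolled:
        grid = [target] + rng.sample(decoy_pool, grid_size - 1)
        rng.shuffle(grid)
        grids.append(grid)
    return grids


def digest(sequence):
    """Server-side record: a hash of the ordered face sequence, not the faces.

    Assumption for this example; an unsalted hash is shown only to keep the
    model short. A real deployment would use a salted, slow password hash.
    """
    return hashlib.sha256(",".join(map(str, sequence)).encode()).hexdigest()


def verify(stored_digest, grids, picks):
    """picks[i] is the face the user clicked in grids[i].

    Rejects a wrong number of rounds, any pick that was not actually shown in
    its grid (a tampered client), and finally compares the hash of the picks
    against the stored record in constant time.
    """
    if len(picks) != len(grids):
        return False
    if any(p not in g for p, g in zip(picks, grids)):
        return False
    return hmac.compare_digest(stored_digest, digest(picks))


def guess_space_bits(grid_size=GRID_SIZE, rounds=ROUNDS):
    """Bits an attacker must guess when each round is 1 choice out of grid_size."""
    return rounds * math.log2(grid_size)


def random_password_bits(length=8, alphabet_size=62):
    """Bits in a uniformly random password over letters and digits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    secret = enroll()
    record = digest(secret)
    challenge = make_challenge(secret)
    print("login with correct faces:", verify(record, challenge, secret))
    print("login with reversed order:", verify(record, challenge, list(reversed(secret))))
    print(f"5 faces from 9-face grids: {guess_space_bits():.1f} bits")
    print(f"8 random alphanumerics:   {random_password_bits():.1f} bits")
```

Under these assumptions the five-face sequence offers roughly 16 bits against an online guesser, against about 48 bits for the eight-character random password it replaces. That is the trade the article's "far from a panacea" caveat points at: the scheme buys memorability, so a deployment has to lean on a short lockout after a handful of failed attempts rather than on the size of the secret.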


These types of graphical passwords will become ever-more important as handheld- and mobile-computing devices become ubiquitous. These devices lack traditional keyboards and rely on handwriting-recognition software, such as Palm Computing's Graffiti. "Can you imagine scribbling in an eight-character password in Graffiti?" asks Mark Boroditsky, CEO of Passlogix.

Graphical systems also make it far easier to take password privileges with you to any Web terminal. And they save time by making preferences, settings, and bookmarks more transferable. "Think about what it takes to reset passwords when you [use] another computer or buy a new one," explains Barrett.

There are other benefits. Unlike biometrics such as fingerprints or facial recognition, a graphical password is easy to change: if a user's faces are compromised, PassFace can assign a different set, something no one can do with a fingerprint, and the user will find the new faces just as easy to recognize. Because a malicious hacker must guess both which faces are enrolled and the order in which they are picked, he is aiming at a two-dimensional target, a much taller order than hitting a static code. (Voice-recognition biometrics get a similar effect by changing the spoken code word, so that a cybersnoop who captured one phrase cannot simply replay it.)


Of course, not everyone likes graphical recognition. Meta Group analyst Chris Byrnes fears this approach wouldn't work in mission-critical applications because people could forget their set of faces or images too quickly. Furthermore, graphical password systems are far from a panacea. They can't replace the public-key cryptography behind digital certificates. A certificate binds a public key to an identity, and it is the matching private key held on the machine, not anything the user memorizes, that authenticates a connection to a remote server.

Both Passlogix and PassFace acknowledge that their systems aren't complete security solutions and that they work best in conjunction with other measures. For now, PassFace is offered only as a consumer product, with a beta version available for free on the Internet, and it has several thousand users (I tried it out and liked it very much). Passlogix has deployed graphical passwords to about 100,000 corporate users as part of a broader overall authentication product.

I predict that more graphical security solutions will emerge, either as stand-alone products or as features within established systems. After all, I'd rather mix myself a martini than remember an eight-random-character password any day. Wouldn't you?

Salkever covers computer security issues twice a month in his Security Net column, only on BW Online

Edited by Douglas Harbrecht
