Forget passwords, what about pictures?
By H. Asher Bolande, WSJ Interactive Edition
November 27, 2000 5:07 AM PT
We're drowning in passwords, and our brains are rebelling. Most of us have one of two strategies for remembering all these new strings of letters and numbers: use the exact same password across the board, or keep written reminders of the various secret phrases. Either way, the entire purpose of passwords -- security -- is undermined.
Two researchers in the U.S. are suggesting a third way: scrap the character-heavy password altogether. They're aiming to harness the acute visual memory all humans are born with, a memory far more powerful than our ability to recall precise sequences of symbols. Their prototype, dubbed Deja Vu, holds special relevance for Asia, where the foreign-ness of the Western alphabet makes it even less helpful in setting and recalling keywords.
Frustrated by password overload, one of the researchers, Adrian Perrig, started racking his brains for possible solutions two years ago. "I counted all the passwords and PIN [personal identification number] sets that I knew at that time, and it counted up to 60. ... It was mind-boggling," he says. "Even the photocopier down the hall had a PIN."
That led Perrig and co-researcher Rachna Dhamija to design a security system based on users' recognition of abstract images. Early experiments have yielded encouraging results. The pair asked 20 computer users to log in with self-chosen traditional passwords, and then again with Deja Vu's visual passwords, which consist of geometric patterns in bright colors.
After one week, "90 percent of all participants succeeded in authentication tests using Deja Vu, while only about 70 percent succeeded using passwords and PINs," Dhamija and Perrig, both based at the University of California, Berkeley, write in a paper presented at the Usenix Security Symposium in Denver, Colorado, earlier this year.
In fact, more than a quarter of the users failed to recall not only self-chosen passwords but the first half of the equation -- their usernames.
Visual recognition vs. written passwords
Here's how the Deja Vu prototype works: Instead of creating a password, users select a personal "pass portfolio" of five abstract color images from thousands generated by a random-art computer program. It's necessary to commit them to memory by examining them carefully. Then, when they want to log into a secure system, they are challenged to identify the five out of a line-up of 25, most of them random decoys.
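The enrolment and login steps just described, as an added example in Python that is not part of the article or of the Deja Vu prototype itself; the image pool, its ids and the function names are constructed for illustration, and the block also works out the odds of guessing one 5-of-25 challenge blind:

```python
import secrets
from math import comb

PORTFOLIO_SIZE = 5    # images the user commits to memory at enrolment
CHALLENGE_SIZE = 25   # images shown at login: the portfolio plus random decoys

# Constructed stand-in for the thousands of random-art images in the article;
# real image ids and image data are not on the page.
IMAGE_POOL = frozenset(f"art-{i:04d}" for i in range(2000))

_rng = secrets.SystemRandom()  # decoy choice must be unpredictable, so not random.random()


def enroll(image_pool=IMAGE_POOL):
    """Pick the user's pass portfolio: five distinct images from the pool."""
    return frozenset(_rng.sample(sorted(image_pool), PORTFOLIO_SIZE))


def build_challenge(portfolio, image_pool=IMAGE_POOL):
    """Line up the portfolio with 20 decoys drawn from the rest of the pool,
    shuffled so that screen position says nothing about which images matter."""
    decoys = _rng.sample(sorted(image_pool - portfolio), CHALLENGE_SIZE - PORTFOLIO_SIZE)
    challenge = list(portfolio) + decoys
    _rng.shuffle(challenge)
    return challenge


def verify(portfolio, challenge, selection):
    """Accept only an exact pick of the five portfolio images from this line-up:
    a missing image, an extra decoy, a duplicate, or an image not shown all fail."""
    chosen = set(selection)
    if len(chosen) != len(selection) or not chosen <= set(challenge):
        return False
    return chosen == portfolio


def challenge_space_size():
    """Number of ways to choose 5 of 25; each is an equally likely blind guess."""
    return comb(CHALLENGE_SIZE, PORTFOLIO_SIZE)


def guess_probability():
    """Chance that one blind guess at a single challenge succeeds (1 in 53,130)."""
    return 1 / challenge_space_size()


if __name__ == "__main__":
    portfolio = enroll()
    challenge = build_challenge(portfolio)
    print("accepted:", verify(portfolio, challenge, list(portfolio)))
    print("blind-guess success rate per attempt: 1 in", challenge_space_size())
```

One 5-of-25 challenge has 53,130 possible answers, only about five times the 10,000 of a four-digit PIN, so the scheme's resistance to guessing rests on limiting attempts rather than on the size of a single line-up.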
While precise recall of written passwords is an active mental exercise, visual recognition -- as the name Deja Vu implies -- is passive and more or less automatic, Perrig says. "It's, 'Ah, I've seen that before.' We use that for authentication," he says.
The human brain not only stores these images in memory far more durably but can retain an almost limitless number of them, Dhamija says. "There is a lot of cognitive research that suggests our memory for images is almost infinite," she says. Indeed, teaching techniques for memory-improvement usually encourage people to imagine visual cues in their minds, like a house with a series of rooms in it.
"At the moment we're born, the eyes focus in on the mother, and after one day we can recognize the mother's face. ... It's an innate ability," she says.
Pet names, birthdays, phone numbers?
Seventeen-year-old Little Li, a computer junkie in Guangzhou, China, is fed up with verbal passwords. "They're really annoying," he spouts off in a Web portal chat room. "I want to get inside quickly, so I just enter the same thing everywhere" -- a numerical code from his address. "All those ABCs and numbers are too hard for me to remember clearly."
System administrators say this is commonplace. "Asians do tend to choose passwords that are either their birthday or their ID number or their home phone number," says Pristine Communications co-founder Philip Diller, who managed tens of thousands of Taipei customers when the company was an Internet service provider, before it became a Web-site development firm. (The system administrators say U.S. users are more verbal in their password choice, but no more sophisticated; they tend to use the name of a pet, parent, or child -- handles that would be obvious to anyone who knew that person.)
Deja Vu's creators say they're in discussions with several potential partners, including a Silicon Valley-based start-up Internet bank, the venture-capital arm of one of the Big Five consulting firms, and a Smart Card manufacturer, though they decline to be more specific.
The challenge for Perrig and Dhamija is to make their system faster. Though visual recognition is quick, at the moment users have to scan through at least 25 images -- five separate screens of five images each -- to provide adequate security.
Impatient users like Li might still prefer a weak password over delays getting online. Paul Robertson, a senior system developer with northern Virginia-based security consultancy TruSecure Corp., says any alternative to passwords will ultimately be judged on whether it is both secure and convenient.
If you want to sell a diving stock online, he says, "you want to do it now."
This story was printed from ZDNN, URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2657540,00.html