Scientists draw on new technology to improve password protection

Newcastle University News Newslink Article - October 24, 2007


An inventive way of improving password security for handheld devices such as iPhones, Blackberry and Smartphone has been developed at Newcastle University.

The software, which uses pictures instead of letters and numbers, has been initially designed for handheld devices, but could soon be expanded to other areas.

Those who took part in testing this system created passwords that were a thousand times more secure than ordinary textual passwords. Most testers also found them easy to remember.

Researchers now want to examine the system’s potential for helping people with language difficulties, such as dyslexia.

Today, the use of passwords is commonplace in everything from mobile phones to cash machines and computers. But in the wake of growing concerns about traditional ‘weak’ passwords created from words and numbers, Newcastle University computer scientists have been developing alternative software which lets the user draw a picture password, known as a ‘graphical password’.

“Many people find it difficult to remember a password so choose words that are easy to remember and therefore more susceptible to hackers,” explained computer scientist Jeff Yan, a lecturer at Newcastle University.

Along with his PhD student Paul Dunphy, Dr Yan has taken the emerging Draw a Secret (DAS) technology, a graphical password scheme where users draw their secret password as a free-form image on a grid, and taken this a step further.

In DAS, the user draws an image, which is then encoded as an ordered sequence of cells. The software recalls the strokes, along with the number of times the pen is lifted.

By superimposing a background over the blank DAS grid, the Newcastle University researchers have created a system called BDAS: Background Draw a Secret. This helps users remember where they began the drawing they are using as a password and also leads to graphical passwords that are less predictable, longer and more complex.

The BDAS software encouraged people to draw more complicated password images e.g. with a larger stroke count or length, that were less symmetrical and didn’t start in the centre. This makes them much harder for people or automated hacker programs to guess. 'In essence, this is a very simple idea as it’s intuitive,” said Mr Yan. 'It may take longer to create the password initially but it’s easier to remember and more secure as a result.'

For example, if a person chooses a flower background and then draws a butterfly as their secret password image onto it, they have to remember where they began on the grid and the order of their pen strokes. It is recognised as identical if the encoding is the same, not the drawing itself, which allows for some margin of error as the drawing does not have to be re-created exactly.

'Most of us have forgotten a pin number or a password at least once, which is why we tend to make them so easy to guess,” said Mr Yan. “However, the human mind has a much greater capacity for remembering images, and it’s certainly true that a picture is worth a thousand words in this instance.'

People who took part in the Newcastle University study, which compared DAS and BDAS use, had to choose their own background from a selection of five images – stars, map detail, playing card, crowd and flower.

After creating their secret password images on the grid, they were asked to repeat what they had initially drawn. One week later, they were asked to re-create the same image and 95% BDAS users were able to do so within three attempts.

'The recalled BDAS passwords were, on average, more complicated than their DAS counterparts by more than 10 bits,' said Dr Yan. 'This means that the memorable BDAS passwords improved security by a factor of more than 1024. They were also more secure than current textual passwords by an even larger factor.'

He added that, of those who attempted to draw something, the creations were very much dependent on the participants’ artistic ability. 'Most people drew simple everyday objects such as cars, cups and houses, although one participant did write their name in Persian script,' said Mr Yan.

Mr Yan will be presenting these findings in the opening lecture at Association for Computing Machinery Conference (ACM)’s flagship conference on Computer and Communications Security in Washington next week. He received a £66,000 grant from Microsoft Research (MSR) to support his research into designing novel systems that are both secure and usable.

The MSR grant will also enable Mr Yan to carry out further research into how easily the BDAS system can be used by people who traditionally have difficulty with textual systems, such as those with dyslexia.

'The most exciting feature is that a simple enhancement simultaneously provides significantly enhanced usability and security,' concluded Mr Yan.

The full paper: Do Background Images Improve “Draw a Secret” Graphical Passwords?, will be published at the Association for Computing Machinery Conference on Computer and Communications Security in Washington on 30th October.