
Visual passwords: cure-all or snake-oil?

Published: 01 December 2009

Abstract

Introduction
Users of computer systems are accustomed to being asked for passwords -- it is as universal as it is frustrating. In the past there was little tolerance for the problems experienced remembering passwords, and many users still remember, with embarrassment, having to go hat-in-hand to request a password change and being treated with disdain by a lofty administrator. Latterly there is more understanding of the problems experienced by users, especially since the "password conundrum" has reached epidemic proportions for Web users, who are asked for passwords with unrelenting predictability.
The problems with passwords are clear -- users cannot remember numbers of meaningless alphanumeric strings with ease. Hence, they react by choosing simple and predictable words or numbers related to their everyday life, and engaging in insecure practices, such as writing passwords down or sharing them. These practices cause a breach affecting even the most secure and protected network system. Hence the user is often called the weakest link of the security chain, with system administrators despairing of trying to maintain security with the weak link so often reaching breaking point. Users forgetting passwords has serious economic consequences for organizations.
Both academia and industry have been investigating alternatives to passwords, with varying degrees of success. One of the most well-known solutions is the biometric -- measurement of either behavioral or physiological characteristics of the end-user. This is obviously superior to the password because it removes the burden on the user's memory. So why don't we just switch to biometrics and give the poor user a break? There are some valid and hard-to-overcome reasons for the slow uptake of biometrics, but before we can discuss them we need to consider the mechanics of authentication.

Published In

Communications of the ACM  Volume 52, Issue 12
Finding the Fun in Computer Science Education
December 2009
127 pages
ISSN:0001-0782
EISSN:1557-7317
DOI:10.1145/1610252

Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article
  • Popular
  • Refereed
