In a User-Friendly World, One Picture’s Worth 1,000 Passwords


Face it. Almost everyone suffers from a bad case of passworditis.

Think, for a moment, of the slew of daily chores that require passwords. The company computer. The home computer. Banking and ATM machines. Web sites. Voice mail. Car and home security systems. It doesn’t take long to accumulate a dozen or more passwords. Scribbling them down on Post-its or using the same password for everything is how most people cope with the overload. Either habit makes an intruder’s job easier: a written password can be read off the desk, and a reused one, once exposed, opens every account it protects.

Now researchers are moving toward what may be an answer to the password conundrum--pictures.

A number of companies, including software behemoth Microsoft, are looking into various ways that images can be used to replace standard passwords, which usually contain letters and numbers and are, more often than not, easily forgotten. Pictures, on the other hand, are much easier to remember. So researchers are developing picture passwords that will make it simpler for the user and more difficult for the average hacker.


Take, for instance, the screens available through a New York company called Passlogix. One picture shows a wet bar. The password is created by concocting a drink from the various items pictured--glass, ice, vermouth, vodka and, voila, a martini. The order the items are selected becomes the password. Another screen might ask the user to choose elements from the Periodic Table in a certain order. Still another asks the user to select a number of food items from its “Make a Meal” screen.

Researchers at UC Berkeley who have studied the habits of computer users say laziness plays a major role in most people’s choices of passwords. Most people have a tendency to use familiar names, especially those of family members and pets, said Adrian Perrig, a member of the Berkeley team. A poll conducted by the British domain registration firm CentralNic found that 47% of all computer users choose family names in passwords.

“They pick the name of their cat or their dog and then add one digit at the end if they think they’re being clever,” said Paul Barrett, whose RealUser Corp. uses pictures of randomly chosen faces as passwords.

Another 32% of computer users choose sports, pop and movie stars, as well as cartoon characters and team names. Only 9% use the more difficult “cryptic” passwords, those with the mix of upper- and lower-case letters, numbers and punctuation that are recommended to ensure security.

And that, said Perrig, makes the majority of computer users easy prey, particularly for hackers using programs that can run through thousands of words in a matter of minutes.

“They just try every single word in the dictionary,” said Perrig. “If you have a simplistic password, it will be in the dictionary and can be found.”

And that is just the basic attack. More sophisticated cracking programs start from lists of thousands of first and last names, then tack character combinations onto the beginning and end of each root word, so a pet’s name with a digit stuck on the end is still only a few guesses away.
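To make the attack concrete, here is an added example, not code from the Berkeley team or any of the companies named in the article. It builds the kind of guess list the researchers describe (dictionary words and names, each tried in a few case forms and with short prefixes and suffixes mangled on) and runs it against a stored hash. The wordlists, mangling rules, the unsalted SHA-256 hash and the 9-images-per-screen figure used for the picture-password comparison are all assumptions chosen for illustration; the article gives none of them.

```python
import hashlib
import itertools
import math
from typing import Iterator, Optional

# Constructed sample wordlists standing in for the "every word in the
# dictionary" and "thousands of first and last names" lists the article
# mentions; real lists run to tens or hundreds of thousands of entries.
DICTIONARY = ["password", "secret", "martini", "dragon", "summer"]
NAMES = ["fluffy", "rex", "emily", "jordan", "smith"]

# Mangling rules: "add one digit at the end if they think they're being
# clever", plus a few other common prefixes and suffixes (assumed here).
PREFIXES = ["", "1", "!"]
SUFFIXES = [""] + [str(d) for d in range(10)] + ["!", "123", "2000"]


def candidates() -> Iterator[str]:
    """Yield every guess: each root word in three case forms, wrapped in
    every prefix/suffix pair. The bare root comes first for each form,
    then its mangled variants."""
    for root in DICTIONARY + NAMES:
        for base in (root, root.capitalize(), root.upper()):
            for prefix, suffix in itertools.product(PREFIXES, SUFFIXES):
                yield prefix + base + suffix


def candidate_count() -> int:
    """Size of the search space the mangling rules produce."""
    return sum(1 for _ in candidates())


def sha256_hex(password: str) -> str:
    # Unsalted SHA-256 stands in for whatever hash the target system
    # stores; the attack shape is the same for any fast hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack(target_hash: str) -> Optional[str]:
    """Hash each candidate and compare; return the recovered password or None."""
    for guess in candidates():
        if sha256_hex(guess) == target_hash:
            return guess
    return None


def sequence_keyspace(images_per_screen: int, screens: int) -> int:
    """Nominal keyspace of a scheme that has the user pick one assigned
    image per screen, in order (the face-sequence idea in the article).
    The screen size is an assumption for illustration, not a figure
    reported in the article."""
    return images_per_screen ** screens


def bits(n: int) -> float:
    """Keyspace size expressed in bits of guessing work."""
    return math.log2(n)


if __name__ == "__main__":
    # Constructed target: the "cat's name plus one digit" pattern.
    stored = sha256_hex("Fluffy1")
    print("recovered:", crack(stored))
    print(f"mangled wordlist: {candidate_count()} guesses "
          f"(~{bits(candidate_count()):.1f} bits)")
    # Assumed 9 images per screen, 5 screens: 9**5 = 59049 sequences.
    print(f"5 faces from 9-image screens: {sequence_keyspace(9, 5)} "
          f"(~{bits(sequence_keyspace(9, 5)):.1f} bits)")
```

With these toy lists the whole search is about 1,260 guesses; scaling the root list to the tens of thousands of names a real cracker carries still leaves the entire space in the range a fast hash gets through in minutes. The randomly assigned five-face sequence, under the assumed screen size, has a nominal keyspace of only about 16 bits, so its advantage is not size but the fact that no wordlist shrinks it: every sequence is equally likely. For either kind of secret, what actually stops an online guessing attack is lockout or rate limiting at the login, and what slows an offline one is a slow, salted password hash.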

Forgetting passwords, however, is a more common problem of the computer era than hacking, particularly for major corporations that must maintain large help desks to service the company’s computer users--often around the clock. Estimates range widely about how much it costs a company each time an employee forgets a password, but the total is in the millions of dollars. Those who are pushing picture passwords contend they will save companies money because recalling images is much easier than the alternative.


Perrig said 90% of people in a test group that researchers evaluated were able to remember the pictures chosen from his Deja Vu program even a week after the test. In contrast, only 70% could remember their standard passwords. The reason, he said, is that a password must be reproduced exactly every time, while a picture need only be recognized.

“People are very good at recognizing images they have seen,” said Perrig. “People are not good at precise recall.”

And, researchers say, though far from foolproof, pictures are more difficult for hackers to crack than the simplistic passwords most people choose.

Those experimenting with picture passwords are working on several tracks. Perrig’s Deja Vu uses computer-generated images that are colorful and abstract. Microsoft is using an intricate picture, such as the various parts of a human skeleton. Barrett’s PassFace makes the user recognize five randomly selected faces in the right order to gain access to the computer. A new user goes through a five-minute training session in which the designated faces appear on the screen until they are memorized.


“It works for everybody,” said Barrett. “Only one person in 8 million can’t remember faces. Once you know a face, you never really forget it.”

There are downsides, of course. Rachna Dhamija, another of the Berkeley researchers, said what people choose is often predictable. She said if pictures are used, men tend to choose things like cars, bridges and coins, and women lean toward picturesque landscapes.

Another downside is the reluctance of businesses to move away from the old familiar passwords to the new pictures. Mark Boroditsky, the head of Passlogix, said his company decided to create a system in which a single password unlocks a program that stores all the others. He said anything more difficult makes big businesses balk because employees will require retraining. That means lost productivity during training sessions.

“A [traditional] password is very well understood,” he said. “It may not be the best, but it’s familiar.”