Graphical Passwords Enhance Computer Security Thanks to Rutgers-Camden Research
January 04, 2006
CONTACT: Mike Sepanic, Rutgers-Camden communications office, (856) 225-6026, msepanic@camden.rutgers.edu
For Immediate Release
CAMDEN -- How safe is your online information? Not nearly safe enough, largely because personal passwords are easily compromised by hackers and “shoulder surfers.”
A research team at Rutgers University—Camden has developed a unique solution to this growing problem: forget about words and numbers when crafting passwords for your computer and online accounts, and use images instead.
This next wave of computer password security could very well result in greatly enhanced security for online retailers and sensitive information stored on computer hard drives.
According to Jean-Camille Birget, a professor of computer science at Rutgers University-Camden, violations of personal information and unauthorized access to both networks and individual computers are due largely to the relative ease with which a criminal can co-opt a private password. “In order to make your password secure enough, you have to make it harder to remember, which means that you’re more apt to forget it,” says Birget, who also notes that people rarely pick random passwords and instead choose something familiar that might not be hard for someone else to guess.
In response to this ever-mounting security problem, Birget and his Rutgers-Camden team have developed graphical passwords. Instead of entering a password consisting of numbers and letters, the user selects areas of a picture, called “click points,” which are easier for the user to remember and, due to the somewhat random selection process, more difficult for someone else to guess.
Users wouldn’t need to hit the same pixels every time. Instead, Birget and his colleagues have developed a three-grid system that will allow users to click within a range of the original choice. Users never see the grid – it’s all in the computer.
“You can let users even choose the picture,” says Birget of the new computer security program, which would help users remember their original click points. For the system to be secure, the selected picture must be complex, like a landscape or cityscape, so that there are many possible click points.
This system takes slightly longer to log into than typing in a password, though Birget says that this could be because people are less familiar with using a mouse than with typing.
The Rutgers-Camden researcher also has developed a system that would help prevent “shoulder surfing,” the process of password theft through surreptitious monitoring.
“There are cameras everywhere,” says Birget, “and you never know who could be looking over your shoulder in a crowded area, or even in your office.”
As part of the study team, Leonardo Sobrado, then an undergraduate at Rutgers University-Camden, applied these graphical password principles to develop a system that thwarts shoulder surfing. The system looks and plays like a video game.
In the Rutgers-Camden study, users picked 10 icons, which then were scrambled with approximately 200 others. In order to gain entry into the system, users found shapes, such as triangles, that used their chosen icons as the corners, and clicked inside that shape. Users then repeated the same game 10 times.
“The main idea behind our model is to allow a user to prove knowledge of a secret, without revealing the secret itself to either the authenticating party or a potential observer,” says Sobrado. “The question, or challenge, changes every time and so does the answer. But the secret knowledge stays the same.”
Since users never click on their chosen icons, someone looking to steal their password would have a difficult time doing so.
“If you have enough icons and if you have to go through the system enough times, the possible icon combinations are in the billions,” says Birget.
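The login game described above can be sketched in code. This is an added example, not code from the Rutgers-Camden project: each round scrambles the icons, and the verifier accepts a click only if it falls inside the shape whose corners are the user's visible icons. The number of the user's icons shown per round (3), the screen size and all function names are assumptions made for the illustration.

```python
import random

def cross(o, a, b):
    """Z-component of (a - o) x (b - o); positive when b lies left of o->a."""
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])

def convex_hull(points):
    """Andrew's monotone chain; vertices counter-clockwise, collinear points dropped."""
    pts = sorted(set(points))
    if len(pts) < 3:
        return pts
    def half(seq):
        out = []
        for p in seq:
            while len(out) >= 2 and cross(out[-2], out[-1], p) <= 0:
                out.pop()
            out.append(p)
        return out[:-1]
    return half(pts) + half(reversed(pts))

def inside(hull, click):
    """True if click is inside or on the edge of a counter-clockwise convex polygon."""
    n = len(hull)
    return n >= 3 and all(cross(hull[i], hull[(i + 1) % n], click) >= 0 for i in range(n))

def new_challenge(secret, decoys, rng, shown=3, width=800, height=600):
    """Assumed layout: `shown` of the user's icons plus all decoys, randomly placed."""
    while True:
        icons = rng.sample(sorted(secret), shown) + list(decoys)
        layout = {i: (rng.randrange(width), rng.randrange(height)) for i in icons}
        # Re-roll layouts where the user's icons are collinear (no area to click in).
        if len(convex_hull([layout[i] for i in icons[:shown]])) >= 3:
            return layout

def verify_round(layout, secret, click):
    """Accept a click that falls within the shape spanned by the visible secret icons."""
    return inside(convex_hull([layout[i] for i in secret if i in layout]), click)

def login(secret, decoys, respond, rounds=10, rng=None):
    """Run `rounds` fresh challenges; every click returned by `respond` must verify."""
    rng = rng or random.SystemRandom()  # unpredictable layouts outside of tests
    return all(verify_round(c, secret, respond(c))
               for c in (new_challenge(secret, decoys, rng) for _ in range(rounds)))
```

Because the layout is re-drawn every round, a click position recorded by an observer in one round is checked against a different shape in the next.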
The drawback of an icon system is that more time is required for users to enter the system than with a regular, typed password. On the plus side, Birget believes that it could be developed into a video game that would be fun for people to play.
“Some of our researchers’ children tested the system and they loved to play it as a game,” he says. Learn more about the system online.
Birget and his Rutgers-Camden team completed their research with the support of a $150,000 grant from the National Science Foundation’s Program on Trusted Computing. Visit the Graphical Password Project at Rutgers-Camden for more information.
A resident of Lower Merion, Pa., Birget regularly teaches courses in cryptography and computer security, object-oriented programming, and computational theory at Rutgers-Camden.
-30-