Graphical passwords are an authentication
mechanism for computer systems. The difference between a VP and the
currently dominant alphanumeric password is that with a VP, a user's
password is represented by where that user clicks on an image. Thus, an
application using graphical passwords for authentication would show a picture
to the user. The user would then click in a number of places on the picture,
and the coordinates of the clicks would be stored by an application. During
authentication, the user has to click on the established points. (The
system, of course, allows for configurable error tolerance, since it is not
realistic to expect a person to click on exactly the same point each
Graphical passwords attempt to deal with the same problem as do the
usual alphanumeric passwords. However, graphical passwords also try to address
some drawbacks that are inherent in alphanumeric passwords--hopefully
without introducing any drawbacks of their own.
There are some basic
requirements that are built into authentication systems based on "what you
know." The password should be easy to remember by the legitimate user, but
should be hard to guess by everybody else. Unfortunately, those requirements
are in conflict. If the password is easy for a user to remember, very likely
it is made up of some word and/or some significant number for that user. The
word can be either some significant name of a person or place, which can
either be found in a dictionary or from basic knowledge about the person,
and the same can be said about dates. To summarize, alphanumeric passwords
are generally easy to guess. Also, harder passwords or the ones for many
different systems are usually written on stickie notes, which makes them
A graphical password offers a much larger key-space than an
alphanumeric one, which is limited to roughly 64 ASCII characters. For
example, if we have a 600-by-800 image and an error tolerance of 10 pixels,
it would result in 4,800 possibilities. Also, the graphical password is much
harder to write down or even tell to some other person. Last but not least,
another benefit of graphical passwords is the cued-recall, which helps users to
remember a password based on the picture displayed, and not just on memory
alone.From a usability point of view, we conduct experiments to see
whether graphical passwords are at least as easy for people to use as
alphanumeric passwords. We address both the technical security, which
involves the transmission and storage of the password in a secure manner, as
well as the user security, which involves an analysis of whether people use
the system in a secure or insecure way. The latter is an analysis of how
people choose the graphical passwords, and whether they are vulnerable to
guessing or dictionary attack.
Resources:Graphical Password Homepage
 A. E. Dirik, N. Memon, and J.C. Birget, Modeling user choice in the PassPoints graphical
password scheme ,Symposium On Usable Privacy and Security, SOUPS, 2007.
 J.C. Birget, Dawei Hong, Nasir Memon, Graphical passwords based on robust discretization, IEEE Transactions on Information Forensics and Security, 1(3) (Sept. 2006) 395-399.
 S. Wiedenbeck, J. Waters, J.C. Birget, A. Brodskiy, N. Memon, PassPoints: Design and longitudinal evaluation of a graphical password system, International J. of Human-Computer Studies (Special Issue on HCI Research in Privacy and Security), 63 (2005) 102-127.
 S. Wiedenbeck, J. Waters, J.C. Birget, A. Brodskiy, N. Memon, Authentication using graphical passwords: Effects of tolerance and image choice, Symposium on Usable Privacy and Security (SOUPS), 6-8 July 2005, at Carnegie-Mellon Univ., Pittsburgh.
 S. Wiedenbeck, J. Waters, J.C. Birget, A. Brodskiy, N. Memon, Authentication using graphical passwords: Basic results, Human-Computer Interaction International (HCII 2005), Las Vegas, July 25-27, 2005.
 J.C. Birget, Dawei Hong, Nasir Memon, Robust discretization, with an application to
graphical passwords, Aug. 2003. (Cryptology ePrint archive, http://eprint.iacr.org/2003/168)
Back to Projects