SAN DIEGO -- Given the explosion of data now held in devices, and the fact many employees still use easily guessed words -- like pet names -- to access them, more companies are eyeing graphical password schemes. But, it appears, pictures of Fluffy are just as easy to crack.
New research suggests that a major weakness in current graphics-based password schemes, whether self-drawn or computer-generated, remains the same one that plagues text passwords: people pick obvious choices. That raises the success rate of brute-force attacks launched with illegal dictionary tools.
"We should be prepared for patterns to exist in what users choose as graphical passwords," warned Julie Thorpe, a Canadian scholar who presented research on graphical dictionaries' potential during the Usenix Security Symposium in San Diego.
One reason tools like Crack and John the Ripper can quickly root out text-based usernames and logins is that people tend to select word or number combinations that, in total, represent only a fraction of the possible choices. Graphical combinations create a larger pool of possibilities and, according to psychology studies, are easier for humans to remember than words.
In a study of the password scheme Draw-A-Secret, in which users draw a picture on a grid and then reproduce it to gain access, users typically draw symmetrical, identifiable objects, such as a star, in the middle of the grid. Research by Thorpe and her partner Paul van Oorschot shows that, under certain circumstances, it takes only six days for one computer to run through all of the most common choices. Add 999 more machines and the time narrows to 8.7 minutes.
One way to improve the odds would be for organizations using this scheme to require a minimum number of strokes (5 or greater) and more distinctive drawings, such as disjointed or off-center objects, Thorpe said.
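The two recommendations above can be turned into a policy check that rejects the weak drawings the study describes. The code below is an added example, not code from the article or from Thorpe and van Oorschot's work; it assumes a 5x5 grid and encodes a drawing as a list of strokes, each stroke being the list of (column, row) cells the pen visits, with pen-ups implied by stroke boundaries.

```python
from typing import List, Tuple

# Assumed encoding: a drawing is a list of strokes; each stroke is a list of
# (col, row) grid cells visited while the pen is down. Grid size is assumed.
Cell = Tuple[int, int]
Drawing = List[List[Cell]]

GRID = 5          # assumed 5x5 Draw-A-Secret grid
MIN_STROKES = 5   # "5 or greater", as recommended in the study


def _cells(drawing: Drawing) -> List[Cell]:
    return [cell for stroke in drawing for cell in stroke]


def is_centered(drawing: Drawing, grid: int = GRID) -> bool:
    """True if the drawing's bounding box is centered on the grid,
    the placement the study found users favour."""
    cells = _cells(drawing)
    if not cells:
        return False
    xs = [x for x, _ in cells]
    ys = [y for _, y in cells]
    mid = (grid - 1) / 2
    return (min(xs) + max(xs)) / 2 == mid and (min(ys) + max(ys)) / 2 == mid


def is_mirror_symmetric(drawing: Drawing) -> bool:
    """True if the set of visited cells is symmetric about the vertical axis
    through the drawing's own bounding box (a star, a house, a square).
    Stroke order is deliberately ignored: symmetry is a shape property."""
    cells = set(_cells(drawing))
    if not cells:
        return False
    xs = [x for x, _ in cells]
    axis2 = min(xs) + max(xs)   # twice the x-coordinate of the mirror axis
    return all((axis2 - x, y) in cells for x, y in cells)


def check_policy(drawing: Drawing) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    strokes = len(drawing)
    if strokes < MIN_STROKES:
        problems.append(f"only {strokes} stroke(s), minimum is {MIN_STROKES}")
    if is_centered(drawing):
        problems.append("drawing is centered on the grid")
    if is_mirror_symmetric(drawing):
        problems.append("drawing is mirror-symmetric")
    return problems
```

A one-stroke square drawn in the middle of the grid trips all three checks, while a five-stroke, off-center, asymmetric scribble passes.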
Another study, an intercollegiate one, targets a different password scheme: memorizing a sequence of photographs. But researchers found this method needs more work, too.
In what was billed as the largest empirical evaluation of the security of graphical passwords, 154 college students at Carnegie Mellon and Johns Hopkins universities used "face" or "story" schemes to access online course material, including their grades. With homegrown software based on the commercial product PassFaces, users are presented with nine portraits, from which several are selected; the chosen sequence becomes the password.
Results showed students tended to choose the most attractive faces and/or those representing the user's ethnicity. "So the old adage 'Beauty is in the eye of the beholder' -- it's not true," said Carnegie Mellon professor Michael K. Reiter, who worked on the study with Johns Hopkins' Darren Davis and Fabian Monrose.
Results from the "story scheme" were more encouraging. This homegrown technology involves selecting a series of photographed people, places and things that tell a story only the user remembers. While more difficult to guess, the sequences were also more trouble to remember. Some students got the pictures right, but in the wrong order -- mainly because they failed to create a narrative around their selections.
"That says you better educate users to really create a story or you'll have a lot of missed passwords," Reiter advised. For security administrators, that translates to surges in help desk calls to reset passwords.
Reiter cautioned that these results came from a small, specialized sample -- college kids, and computer science enthusiasts at that. "But there's evidence to suggest user-chosen graphical passwords can be very weak, just like text passwords," he said. System-generated passwords, while an improvement on security, make codes less memorable.
Despite discouraging results, researchers believe more devices will start using this type of user authentication on everything from PDAs to PCs. As Australian Greg Rose, vice president of technology for wireless giant Qualcomm Inc., noted during the presentations: "All problems we have in security are not whether things are secure or not, but whether we can use them securely or not."