Most people who are employed in a position where they access a computer using a username and password are probably all-too familiar with mandatory password changes. The basic password has been the weak link in computer security since the beginning of computer security. Like all things tech, it's only as strong as the person using it - and when selecting and changing passwords, all sorts of things can go wrong and users tend to choose a password which is easy to remember.
That leaves hackers with a fairly predictable pool to choose from; important dates, names of significant people in our lives, where one finished school, etc. Even the most random combination of letters and numbers can be brute-forced without too much effort, provided enough time and/or a powerful enough computer.
However, a meeting this week
of the Computer and Communications Security Division of the Association for Computing Machinery (what a title!) examined and discussed a new proposal in password security: the Draw a Secret method.
The DAS method relies on the fact that the human brain ties images into more synapses than it does words, so humans are able to recall complicated images better than they are able to remember random letter-number passwords. DAS isn’t a new concept, but it has always failed usability tests due to a user’s inability to redraw an image precisely enough for an algorithm to pick it up.
This new implementation provides the user with an existing image, then records where on the image the user draws the picture while allowing a higher tolerance for exact pixel reproduction. This also helps to trigger muscle memories in a user, enabling easier and more exact reproduction.
As of now the system is only intended for devices with a touch-sensitive input, which could include many smartphones, laptops, and even touchpads designed for PCs. In preliminary testing, users created passwords with an additional 10 bits of extractable data compared to passwords created without a background image. In addition, 95% of users were able to recall their passwords a week later.
Excited to draw your login, or is this just another gimmick? Share your thoughts over in the forums