Humans are not good at remembering alphanumeric passwords that are complicated enough to be secure. Graphical passwords seem easier to remember and to use. Here, an image is displayed and the user chooses a few places in the image. To log in, the user has to click close to these places again. Older systems use preprocessed images with predefined click regions, among which a user has to choose. The investigators designed systems that allow users to choose any points as click points, and that allow users to import their own images. The investigators invented a "robust discretization" of images; this enables users to produce exactly the same discrete password even though they cannot click on exactly the same pixels at each login. Passwords are vulnerable to "shoulder surfing", in which a user is observed, or filmed, during login. The investigators designed password systems that are immune to shoulder surfing.
One of the objectives of this proposal is a human factors study, concerning learnability, memorability, speed, security (unsafe practices), and user satisfaction of graphical password systems. A second objective is to design new graphical password systems, based on curves, movement, and three-dimensional scenes, as well as to design "bundles" of passwords that a user can use on different accounts, and that are easy to remember (and distinguish) as a group. New robust discretization algorithms and probabilistic analyses of the security of graphical password systems will be developed.
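The robust discretization mentioned above can be sketched as follows; this is an added example, not the investigators' code. It assumes the three-staggered-grid construction (squares of side 6r, grids offset diagonally by 2r), and the tolerance `R`, the PBKDF2 parameters and the sample clicks are constructed for illustration.

```python
import hashlib
import hmac
import os

R = 10            # click tolerance in pixels (assumed value)
CELL = 6 * R      # side of each grid square
GRIDS = 3         # grids staggered diagonally by 2*R

def _safe(coord, g):
    # True when coord is at least R away from every line of grid g.
    return R <= (coord - 2 * R * g) % CELL <= CELL - R

def pick_grid(x, y):
    # Each coordinate is unsafe in at most one grid, so one of three always fits.
    return next(g for g in range(GRIDS) if _safe(x, g) and _safe(y, g))

def discretize(x, y, g):
    # Index of the square of grid g that contains the click.
    off = 2 * R * g
    return ((x - off) // CELL, (y - off) // CELL)

def _digest(salt, cells):
    # Only a salted, stretched hash of the cell indices is stored.
    return hashlib.pbkdf2_hmac("sha256", repr(cells).encode(), salt, 100_000)

def enroll(clicks):
    grids = [pick_grid(x, y) for x, y in clicks]
    cells = [discretize(x, y, g) for (x, y), g in zip(clicks, grids)]
    salt = os.urandom(16)
    # Grid indices are kept in the clear; click coordinates never are.
    return {"grids": grids, "salt": salt, "digest": _digest(salt, cells)}

def verify(record, clicks):
    if len(clicks) != len(record["grids"]):
        return False
    cells = [discretize(x, y, g) for (x, y), g in zip(clicks, record["grids"])]
    return hmac.compare_digest(_digest(record["salt"], cells), record["digest"])

# Constructed sample: three click points, one landing in each grid.
ENROLLED = [(150, 90), (123, 45), (120, 80)]

if __name__ == "__main__":
    rec = enroll(ENROLLED)
    near = [(x + 9, y - 9) for x, y in ENROLLED]   # within tolerance
    far = [(x + 70, y) for x, y in ENROLLED]       # more than one cell away
    print(rec["grids"], verify(rec, near), verify(rec, far))
```

Any login click within R - 1 pixels of the enrolled point on each axis maps to the same square, so the hash matches exactly; clicks farther away may still match if they stay inside that square, which is the security cost the probabilistic analysis has to account for.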