New

Description Papers & Talks Quick Start In the News Project Staff


The Royal Society SSE08 logo

Royal Society Summer Science Exhibition update
(Clicking the above link to check whether you have won an iPod Shuffle! )


Description

The use of text passwords (i.e. alphanumeric passwords) for user authentication is ubiquitous. However, this common practice has some well-known weaknesses. For example, many people find it difficult to remember strong passwords, and they tend to choose easily memorable passwords that are easy to guess.

Many of the deficiencies of text passwords arise from the limitations of human memory. Numerous cognitive and psychological studies have revealed that people perform far better when remembering pictures rather than words: as the saying goes, a picture is worth a thousand words. Background Draw a Secret (BDAS) is a novel graphical password scheme we have developed. Extending the Draw a Secret (DAS) scheme developed by researchers from New York University, Bell Labs and AT&T Labs, BDAS delivers much enhanced usability and security.

In BDAS, a password is a free-form drawing that a user creates on a grid underlaid with a background image of their choice. Those who took part in testing this new system created passwords that were much more secure than the state of the art, and most testers also found them easy to remember. The background image is key to this technique's success - it encourages people to make their drawing passwords more complicated and less predictable, and aid people to re-create them in the correct locations on the drawing grid. Potentially, BDAS is also very good for people with dyslexia or who can't read or write well.

Our experimental studies compared DAS and BDAS use. The BDAS passwords recalled in a one-week memorability test were, on average, more complicated than their DAS counterparts by more than 10 bits. This means that the memorable BDAS passwords improved security by a factor of more than 1024. They were also more secure than the currently ubiquitous text passwords by an even larger factor.

In particular, we observed that user drawings in the BDAS group show: In the meantime, people creating these much more complicated BDAS passwords found them just as easy to remember as their DAS counterparts.

Of course BDAS does not eliminate weak drawings, however it gives users a better environment with which to create a good one. It is our vision any implementation of BDAS would include our Proactive Graphical Password Checker we call GraphiCheck.

We have also been looking into the potential threat of and defence against shoulder surfing, where attackers steal passwords by simply looking over a victim's shoulder.


Papers & Talks


Quick Start

How BDAS works

This article from cs4fn.org - 'Computer Science for Fun', an interesting magazine - turns out to be a nice writeup!

In the News

BDAS has been in the news, here is a snippet of some media coverage we have received:


Project Staff

Please send Questions or Comments to Jeff Yan.
Lab of Security Engineering