Managing Editor

Shortly after the creation of the personal computer in the 1970s, the slightly annoying idea of a “password” emerged. We have reached a time when Webmail, Facebook, eBay, online banking, plus an endless list of online services all require unique passwords. These passwords contain a combination of numbers, symbols, and capitalized and un-capitalized letters that, by the way, should be changed once every few months. And in case you forget one of your 30 passwords, you will be presented with a “challenge question,” the answer to which you must set and memorize beforehand. The advancement of technology seems to have no alternatives to the agonizing memorization of endless passwords.
With the emergence of fingerprint readers and digital cameras (for face-recognition), there were hopes for a new kind of hardware-based authentication that does not require memorization. However, it is not feasible to use them as replacements for text passwords, because they would severely complicate access—for instance, you would not be able to access your e-mail if the fingerprint reader or camera malfunctions, or if the computer you are using is missing one.
Hence, the only other solution that does not require extra hardware seems to be the use of graphic passwords in place of text passwords. For example, a picture is displayed to the user, who must click on one or more correct sequences of spots to authenticate themselves. This is often used in personal digital assistants (PDAs). More advanced ones include a project at the University of California, Berkeley called Déjà Vu, in which the user chooses a correct combination of pictures as a password. To facilitate memorization, the combination of images represents a story the user remembers. A similar system is PassFaces (realuser.com), which was tested by students at Carnegie Mellon and Johns Hopkins universities to access their equivalent to our Blackboard. Passlogix (passlogix.com) has a more creative system in which the user is presented with a virtual saloon or a periodic table of elements, from which the user mixes the correct drink or chemical in order to log in.
These systems have many weaknesses, such as their inability to make the big pictures from which the user selects his or her password smaller and more discreet (and thus less visible to prying eyes). Moreover, it seems presumptuous to assume in the first place that graphical passwords are a different kind of authentication that offers something truly different from text passwords. Contrary to the proposed logic, graphical passwords are always reducible to text passwords, meaning that they are merely text passwords in disguise. If this is true, then there is no reason to develop and implement graphical passwords.
For example, if a graphical password requires a user to choose a correct spot on a picture, the user must remember where the spot is anyway, such as “the hole under the tree that is next to the house.” It would be just as effective to write it out in words as a text password. The same applies to the more advanced combination of images that represent a story (or a drink or chemical).
What the graphics provide is not a new kind of authentication, but rather a reminder to help conjure up the password for the user. Clicking images on the screen with a mouse is like clicking on a graphical keyboard on the screen, which is in effect the same as typing text on the actual keyboard. What is needed to go beyond text passwords to a different kind of authentication is additional hardware that would allow for biometrics, face-recognition, or voice-recognition, all of which offer additional elements that are not present in text or graphical passwords.
This means that with only the keyboard and mouse at our disposal, text passwords are the best option that we have. Developments to alleviate difficulty in memorizing alphanumeric passwords will not be made in switching to graphical passwords, but in creating password hints, such as words or graphics; creative methods to facilitate memorization, such as stories or acronyms; and the centralization of multiple passwords. Let’s look to Microsoft’s incipient project called InfoCards, which provides a single sign-on to access different services like e-mail and online stores.
For tips on creative methods to remember an alphanumeric password, see the online edition at misc.vassar.edu.