An Investigation into the use of Images as Password Cues

TL;DR

This study explored using images as password cues to improve memorability, but found that users did not effectively leverage the cues, limiting the approach's practical benefits.

Contribution

The paper introduces a novel image-based cueing technique for passwords and evaluates its effectiveness through experiments, revealing limitations in user engagement.

Findings

Inkblot images (cueblots) were identified as effective in initial metrics.

Users did not significantly benefit from or utilize the cues during authentication.

The approach did not improve password memorability or usability as intended.

Abstract

Computer users are generally authenticated by means of a password. Unfortunately passwords are often forgotten and replacement is expensive and inconvenient. Some people write their passwords down but these records can easily be lost or stolen. The option we explore is to find a way to cue passwords securely. The specific cueing technique we report on in this paper employs images as cues. The idea is to elicit textual descriptions of the images, which can then be used as passwords. We have defined a set of metrics for the kind of image that could function effectively as a password cue. We identified five candidate image types and ran an experiment to identify the image class with the best performance in terms of the defined metrics. The first experiment identified inkblot-type images as being superior. We tested this image, called a cueblot, in a real-life environment. We allowed users to tailor their cueblot until they felt they could describe it, and they then entered a description of the cueblot as their password. The cueblot was displayed at each subsequent authentication attempt to cue the password. Unfortunately, we found that users did not exploit the cueing potential of the cueblot, and while there were a few differences between textual descriptions of cueblots and non-cued passwords, they were not compelling. Hence our attempts to alleviate the difficulties people experience with passwords, by giving them access to a tailored cue, did not have the desired effect. We have to conclude that the password mechanism might well be unable to benefit from bolstering activities such as this one.