Text-based password schemes are ubiquitous due to ease of use, inexpensive implementation, and user familiarity. However, they have the security and usability drawback of being typically difficult to remember, and they suffer from predictability if user-choice is allowed. This is because users tend to select weak passwords.

Graphical passwords have been proposed on the premise that humans are better at retaining visual information. However, it is a relatively young area of research and the studies conducted have several limitations. First, there is a lack of comparison between the different types of graphical password schemes; and similarly, there have only been a limited number of studies comparing graphical and text-based schemes. Secondly, there have been few studies conducted in the environment of use which is necessary to enable realistic evaluations of the use of graphical passwords. Lastly, none of the existing studies have been conducted in the context of social networks. This is important because performance constraints and goals differ depending on the intended environment of use. For example, in lower risk domains, like social networking it would be acceptable to have lower security schemes that provide high usability. While in a high risk domain like a banking scenario, it would be acceptable for the system to be less usable but providing high level security.

Our focus will be on evaluating these authentication methods for secure social networks, with all testing and comparisons done in this context.


  1. Which category of graphical password schemes is best suited for social networks: schemes based on recall or cued-recall?
  2. Are graphical password schemes a viable alternative to text-based schemes as a means of providing authentication for secure social networks?


Implementing the graphical password schemes

The two graphical password schemes were developed separately as Java applets.

The graphical password scheme ClickPoints is based on the original implementation of one of the first versions of graphical passwords, PassPoints. In ClickPoints the user is presented with a set of images to select as the basis of their password. After selecting an image, the user is then required to select 5 points on the image to comprise their password. During authentication, the user is required to re-enter in sequence points exactly like or very close (pre-defined acceptable range) to their original selected points.

The recall based system, Pluto, can be considered as an improvement upon the original design (DAS). Pluto is a 5x5 grid-based scheme that offers security which is similar to DAS. It differs from DAS in that it requires a user to select grid cells instead of drawing lines through them. As the user inputs his/her password, the chosen blocks are highlighted in yellow.

Integration with Hackmi2

After the development of the two password schemes, the next phase of the project involved integrating the two schemes onto Hackmi2. This was done by adding a Java plug-in onto the existing site to provide the capability of running the Java applets. A combination of Java and PHP were then used to re-direct the login procedures of the site to allow for user authentication via the graphical password schemes.



Future Work:

Future work will include implementing enhanced versions of the graphical password schemes that afford more usability and reducing the amount of time required by graphical passwords for password creation and log in