3 Proposed Class of Memorable Graphical Passwords
Since the entries of textual password dictionaries are based on words people recall better,
we are led to examine what types of images people recall better (and thus presumably choose as graphical passwords).
In this section, we appeal to psychological studies and discuss the literature leading us to define
mirror symmetric graphical passwords as a class of memorable graphical passwords.
Generally, free recall is ordered along the concreteness continuum:
concrete words are recalled more easily than abstract words,
pictures more easily than concrete words,
and objects better than pictures [14].
Various studies support this result (e.g. [12, 4, 15]).
Another study [3] found that a series of line drawings is poorly
remembered if the subject is unable to interpret the drawings in a
meaningful way.
The more concrete a drawing, the more meaningful it will be to the viewer.
The literature on visual memory often cites better results for
human visual recognition than visual recall. However, it has been noted [20]
that the methodologies used in studies that test visual recall are flawed
in that they depend on people's skill to recreate the image by
drawing and/or a well-defined and well-accepted theory of
visual similarity for comparison purposes.
Additionally, it is worth noting that most visual recall studies
allow at most a few seconds for the test subject to view and
memorize the image.
Given these flaws, one may question the commonly
accepted claim that visual recognition is significantly better than visual recall.
Even if visual recognition is better than visual recall,
visual recall is better than the recall of words. Thus, findings that
visual recognition is better than visual recall do not invalidate
the likelihood of an increased memorable password space in
recall-based schemes over that of recognition-based schemes.
What may invalidate the likelihood of an increased memorable password space
in graphical password schemes is if there are patterns in what
types of images people recall
better than others, creating classes of memorable and thus predictable
passwords. If such classes are small enough that
a brute-force attack is feasible, then the security of graphical password schemes may
be no better in practice, or even worse,
than that of the standard textual password scheme.
There appears to be little existing research
that examines the types of pictures people recall better.
However, one cognitive study with interesting implications showed
experimentally how visual recall progressively changed over time toward
a symmetric version of the image [21].
Given a set of asymmetrical, geometric images, when the test subjects
were asked to draw the image from recall, all changes made from the
originals were in the direction of some balanced or symmetrical pattern.
This change was progressive over time toward a symmetric pattern.
That people recall images as increasingly symmetric with time suggests
that people prefer images that are symmetric. Thus, the direction in
our research changed from finding the specific images people are more likely
to recall, to finding evidence that people have better recall for
patterns and images that are symmetric.
A representative overview of literature for human symmetry perception
[26] notes that many objects in our environment are symmetric.
Moreover, most living organisms and plants, as well as almost all forms
of human construction are mirror symmetric (reflective).
There is mirror symmetry in people, animals, leaves, flower petals,
automobiles, planes, trains, art, buildings, tools, furniture,
and religious symbols. The objects in the average office or home
are another example. There is also significant evidence [27]
that mirror symmetry has a special status in human perception over
other symmetry types such as repetition, translation or rotational symmetry.
While symmetry created by other means such as rotation or translation was
found to require scrutiny, mirror symmetry is
"effortless, rapid, and spontaneous" [26].
The classical studies mentioned earlier found that people
have better recall for pictures than words, and better recall
for objects than pictures. If people recall objects best,
and most objects are mirror symmetric,
this suggests that people may recall mirror symmetric patterns best.
That symmetry is recalled best is supported by an observation by Attneave [1]
that when subjects were given random patterns and symmetric patterns of dots,
the symmetric ones were more accurately reproduced than random patterns
with the same number of dots. Attneave theorized that this may indicate
that some perceptual mechanism is capable of organizing or
encoding the redundant pattern into a simpler, more compact,
less redundant form [1]. In a separate study,
French [7] observed that dot patterns that were
symmetric were more easily remembered. Intuitively, this is no surprise:
in the case of mirror symmetry, a subject must only recall half
of the image and its reflection axis in order to reconstruct
the entire image.
Mirror symmetry has a special meaning to human visual perception,
particularly when the axis is about the vertical and horizontal planes.
Mirror symmetry has been found to be more easily perceived as having
meaning when it is about the vertical axis, followed by when it is
about the horizontal axis [27].
Supported by these collective studies, we propose the following: since people
are more likely to recall symmetric images and patterns,
and people perceive mirror symmetry as having a special status,
a significant subset of users are likely to choose
mirror symmetric patterns as their graphical password.
We suggest that the mirror symmetric patterns chosen are more likely to
be about vertical or horizontal axes, since mirror symmetry about these axes is
more easily perceived.
For graphical passwords, we thus define a memorable password to mean
a password that exhibits mirror symmetry about a vertical or horizontal axis in its components (i.e. those
parts of a drawing that are visually distinct), meaning that each component is either
mirror symmetric in its own right, or is part of a mirror symmetric
pair of components.
More formally, these are Class I memorable passwords,
leaving the door open for future Classes II, III, etc.
We suggest that a
clever attacker may specifically try as candidate passwords, in a
brute-force attack, all memorable passwords in a graphical password space;
and more specifically, those passwords containing all possible symmetric components first with
symmetry about all possible vertical axes,
followed by those with symmetry about all possible horizontal axes.
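
The Class I definition above can be applied as a proactive check at enrollment that flags a drawing whose components are all mirror symmetric. The following is an added example, not code from the paper: it assumes each component is a set of (x, y) cells on a square grid of side `size`, that each component may use its own axis, and all function names and sample drawings are constructed for illustration.

```python
from itertools import product

def reflect(component, axis, c):
    """Mirror a set of (x, y) cells. c is twice the axis coordinate, so axes
    through cell centres and axes between cells are both covered."""
    if axis == "vertical":                                # axis x = c/2
        return frozenset((c - x, y) for x, y in component)
    return frozenset((x, c - y) for x, y in component)    # axis y = c/2

def component_symmetry(component, others, size):
    """Return (kind, axis, position) for the first axis that works, else None.
    kind is 'self' (symmetric in its own right) or 'pair' (mirror image of
    another component). Vertical axes are tried before horizontal ones."""
    for axis, c in product(("vertical", "horizontal"), range(2 * (size - 1) + 1)):
        image = reflect(component, axis, c)
        if image == component:
            return ("self", axis, c / 2)
        if image in others:
            return ("pair", axis, c / 2)
    return None

def is_class_one(password, size):
    """True if every component satisfies the Class I definition."""
    comps = [frozenset(c) for c in password]
    return all(
        component_symmetry(comp, set(comps[:i] + comps[i + 1:]), size) is not None
        for i, comp in enumerate(comps)
    )

# Constructed sample components on a 5x5 grid (not taken from the paper).
T = frozenset({(1, 0), (2, 0), (3, 0), (2, 1), (2, 2)})   # symmetric about x = 2
L_LEFT = frozenset({(0, 3), (0, 4), (1, 4)})              # asymmetric on its own
L_RIGHT = frozenset({(4, 3), (4, 4), (3, 4)})             # mirror of L_LEFT in x = 2
Z = frozenset({(0, 0), (1, 0), (1, 1), (2, 1)})           # rotational symmetry only

if __name__ == "__main__":
    for name, pw in [("T + L pair", [T, L_LEFT, L_RIGHT]), ("T + Z", [T, Z])]:
        verdict = "Class I (predictable)" if is_class_one(pw, 5) else "not Class I"
        print(f"{name}: {verdict}")
```

The `Z` component is rejected because rotational symmetry does not count under the definition, which restricts Class I to mirror symmetry about vertical or horizontal axes.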