The art of passwords in an era of machines
As a security tool, PINs are made for the benefit of machines, not the humans who need to remember them. Passwords are only marginally better, and still require a good mnemonic (memory-aiding) device to stay firmly in memory. Researchers at the University of California at Berkeley have developed an authentication system, called Deja Vu, based on abstract art, to help solve the problem of remembering passwords. And the chances are that companies will jump at the chance to use it.

The research team tested the Deja Vu prototype by offering 25 abstract pictures as an authentication challenge. Participants in the study had to pick the five images that made up their "passwords" from among the decoys. The team then compared the results with how well the same users remembered PINs and passwords. If a "password" based on abstract art sounds like just another piece of Californian gee-whiz technology, consider the Berkeley study's test results: 90 per cent of participants succeeded in authenticating with Deja Vu, while only about 70 per cent passed using passwords and PINs.

In fact, Deja Vu is part of a new wave of image-based authentication systems that let you prove your identity in new and surprising ways, from picking out a photo of a face you recognise to mixing drinks in a virtual-reality cocktail lounge. What they all have in common is the aim of drawing on the human brain's remarkable ability to remember images.

"In many places, passwords are good but researchers agree that passwords are flawed because people don't pick good passwords," said Adrian Perrig, a UC Berkeley-based researcher and an author of the Deja Vu study. Weak passwords make easy pickings for hackers.

So why does this new form of picture password work so much better than a PIN or a regular password? There are two reasons. First, the human mind is better at recognising an image than at recalling information, such as a PIN.
"In general, it is much easier to recognise something you've seen previously than to recall the same information from memory without help," according to Perrig and co-author Rachna Dhamija, a PhD student and fellow researcher at UC Berkeley. Perrig, who is completing his PhD in computer science at Carnegie-Mellon University, invented the prototype for Deja Vu with Berkeley PhD student Dawn Song. Dhamija wrote the prototype Web interface software and ran the user study.

PINs and passwords are what computer security academics refer to as "knowledge-based authentication systems". They rely on precise recall. In other words, if you can only remember three out of the four digits in your PIN, that ATM won't be doling out cash to you. "Unfortunately, precise recall is not a strong point of human cognition," Perrig and Dhamija wrote in a paper presented at this year's USENIX Security Symposium, held in Denver in August. This explains the annoying guy in front of you at the supermarket check-out who re-punches his PIN into the EFTPOS pad 20 times while you watch your ice-cream melt into the shopping cart.

The simple solution is to re-use PINs and passwords, something the population is apparently doing quite frequently. In the Berkeley team's survey of 30 people, participants each had between 10 and 50 or more places where they used passwords, but only one to seven unique passwords. Even these "unique" passwords were rarely very different; many were just variations on each other. Although the Berkeley study used a small survey sample, the authors said the results mirrored findings from other, larger surveys on the same subject.

The second reason for Deja Vu's success in lab tests is that the software zeroes in on another truth about the human brain: the mind likes pictures better than random numbers or letters. "People have an almost unlimited memory for images," Perrig said.
It turns out the human brain doesn't like just any old picture; it seems to have an innate ability to remember faces in particular. Other authentication systems, such as Passface, by ID Arts, rely on this special ability by using photos of faces as an authentication challenge. ID Arts runs Passcenter, which allows you to trial the face password system online. It offers up a grid of nine faces of strangers, and you log in by clicking on the one that is your "password". The program makes you go through this process five times, presumably to reduce the risk of lucky guesses by an impostor.

However, the Berkeley team found that photos created a security risk compared with abstract art images. Their study tested people's memory using separate portfolios of photos, some of which included faces, and then of abstract art. "People tend to pick faces that they are attracted to," Dhamija said. "They pick faces that look like their own." For example, an Indian woman selected an Indian woman, and a Chinese woman selected an image of a Chinese man, she said. The predictability of this aspect of human nature makes it much easier for a stranger to guess someone's picture password, hence the security risk. ID Arts' Passcenter works around the problem by taking away the user's ability to choose a particular face: the program simply assigns photos arbitrarily.

Another picture-authentication system, v-Go by Passlogix, of New York, skips photos of faces in favour of images of everyday things, such as a pack of cards. To prove your identity with v-Go, you select a certain hand of cards, say a flush, as your password. Alternatively, you might mix up a cocktail by clicking on a collection of bottles in the program's virtual Cocktail Lounge. You can also make a "meal" in the kitchen by choosing a set of ingredients, or even select from a periodic table of chemical elements. There are, however, some security concerns with v-Go as well.
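As an added example (written for this edit; it is not the Berkeley prototype or ID Arts' software), here is the recognition-based challenge described above reduced to code: the server shows the user's portfolio images mixed with decoys, the user must pick back exactly the portfolio, and the blind-guess odds for one Deja Vu round (5 of 25) and for five Passface rounds (1 of 9 each) follow from the parameters. The image ids, pool size and fixed seed are constructed for the demonstration. It also shows a caveat the article does not spell out: if fresh decoys are drawn for every login, an observer who records a few challenges can intersect them and recover the portfolio, whereas reusing one decoy set per user removes that leak.

```python
import math
import random


def make_challenge(portfolio, image_pool, n_show, rng):
    """One challenge: every portfolio image plus decoys drawn from image_pool,
    shuffled so that position on the screen reveals nothing."""
    portfolio = set(portfolio)
    if len(portfolio) > n_show:
        raise ValueError("portfolio larger than the challenge")
    decoys = rng.sample(sorted(image_pool - portfolio), n_show - len(portfolio))
    shown = sorted(portfolio) + decoys
    rng.shuffle(shown)
    return shown


def verify(selected, portfolio):
    """Accept only a selection that is exactly the portfolio, in any order;
    too few, too many or duplicated picks all fail."""
    return len(selected) == len(portfolio) and set(selected) == set(portfolio)


def deja_vu_guess_odds(n_show=25, n_pick=5):
    """Single-round blind guess: one correct subset among C(n_show, n_pick)."""
    return 1 / math.comb(n_show, n_pick)


def passface_guess_odds(grid=9, rounds=5):
    """Blind guess against a 1-of-grid choice repeated for `rounds` rounds."""
    return 1 / grid ** rounds


def intersection_attack(observed):
    """What an eavesdropper learns from several recorded challenges for one
    user: the portfolio is in every challenge, so it survives every intersection."""
    survivors = set(observed[0])
    for challenge in observed[1:]:
        survivors &= set(challenge)
    return survivors


def demo(seed=2024, n_observed=3):
    """Constructed scenario: 10,000 image ids, a 5-image portfolio, 25-image
    challenges. Fresh decoys leak the portfolio; a fixed decoy set does not."""
    rng = random.Random(seed)  # fixed seed only for reproducibility; a real
                               # server would use secrets.SystemRandom()
    pool = set(range(10_000))  # constructed image ids
    portfolio = [3, 77, 250, 501, 902]

    # Fresh decoys every login: the portfolio is the only thing common to all.
    fresh = [make_challenge(portfolio, pool, 25, rng) for _ in range(n_observed)]

    # Fixed decoys: the same 25 images each time, so intersecting tells the
    # observer nothing beyond the set already on screen.
    fixed_decoys = set(rng.sample(sorted(pool - set(portfolio)), 20))
    fixed_pool = fixed_decoys | set(portfolio)
    fixed = [make_challenge(portfolio, fixed_pool, 25, rng) for _ in range(n_observed)]

    return {
        "leaked_by_fresh_decoys": intersection_attack(fresh),
        "survivors_with_fixed_decoys": len(intersection_attack(fixed)),
        "deja_vu_blind_guess": deja_vu_guess_odds(),
        "passface_blind_guess": passface_guess_odds(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The two blind-guess figures (1 in 53,130 for Deja Vu, 1 in 59,049 for five Passface rounds) are of the same order, which is why both schemes still need attempt limits and lockout like any PIN; the intersection result is the stronger point, since it shows that how decoys are chosen matters as much as how many are shown.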
Of v-Go, the Berkeley research team's USENIX paper concluded that "the weaknesses of their system are manifold", including allowing people to pick poor passwords, such as all the aces in a pack of cards. To avoid such risks in their own program, the Berkeley team turned instead to the funky, computer-generated abstract art of Andrej Bauer. A PhD student in pure and applied logic at Carnegie-Mellon University in Pittsburgh, Bauer wrote software that creates "random art" by generating a random formula and drawing the corresponding picture. The formula assigns a colour value to each pixel, so that, for example, one shade of red has a different value from a shade of blue. The result is a fresh piece of art that defies description - exactly the quality that financial institutions and other companies are looking for to improve security. After all, if you can't describe the abstract picture to someone else, you can't give them your "password".

Just to be sure, the Berkeley researchers asked study participants to describe their abstract-art image passwords. The informal results suggested that human imagination knows no bounds. "Some people described them as 'aliens dancing'," Perrig laughed. "Then we gave that description to strangers (along) with the pictures and they couldn't guess it."

Surprisingly, the average person may not like this side of picture passwords. Why? It seems that we like giving out our passwords. The Berkeley team's research showed that people viewed the ability to share passwords with others as a feature. In fact, almost all the participants in the study had shared their bank PIN with family or friends. In some cases, people shared account passwords routinely because it offered a more convenient way of collaborating or transferring files.
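The random-art idea, as an added example written for this edit (a small Python reimplementation of the concept, not Andrej Bauer's program): a pseudo-random formula is grown as an expression tree over the pixel coordinates x and y, one tree per colour channel, and evaluated at every pixel. Seeding the generator is an assumption added here, so that a server can keep a short seed per portfolio image and redraw the picture on demand instead of storing it; the operator set and tree depth are choices made for this example.

```python
import math
import random

# A formula is a tree: (op, children). Leaves are the pixel coordinates 'x' and
# 'y'; every operator maps values in [-1, 1] back into [-1, 1], so the tree can
# be arbitrarily deep and the result still converts cleanly to a colour byte.
UNARY = ("sin", "cos")
BINARY = ("avg", "mul")


def grow(rng, depth):
    """Grow a random expression tree; leaves appear at depth 0 or by chance."""
    if depth == 0 or rng.random() < 0.1:
        return (rng.choice(["x", "y"]), [])
    op = rng.choice(UNARY + BINARY)
    arity = 2 if op in BINARY else 1
    return (op, [grow(rng, depth - 1) for _ in range(arity)])


def evaluate(node, x, y):
    """Evaluate the tree at one pixel; x and y are in [-1, 1]."""
    op, kids = node
    if op == "x":
        return x
    if op == "y":
        return y
    if op == "sin":
        return math.sin(math.pi * evaluate(kids[0], x, y))
    if op == "cos":
        return math.cos(math.pi * evaluate(kids[0], x, y))
    if op == "avg":
        return (evaluate(kids[0], x, y) + evaluate(kids[1], x, y)) / 2
    if op == "mul":
        return evaluate(kids[0], x, y) * evaluate(kids[1], x, y)
    raise ValueError(op)


def formula(node):
    """Render the tree as text, i.e. the 'random formula' behind the picture."""
    op, kids = node
    return op if not kids else f"{op}({', '.join(formula(k) for k in kids)})"


def random_art(seed, width, height, depth=7):
    """Deterministically derive an image from a seed (assumption made for this
    example): three trees, one per channel, evaluated over a [-1, 1] x [-1, 1]
    grid. Returns (formulas, pixels) with pixels as (r, g, b) bytes, row-major."""
    rng = random.Random(seed)
    trees = [grow(rng, depth) for _ in range(3)]
    pixels = []
    for row in range(height):
        y = -1 + 2 * row / max(height - 1, 1)
        for col in range(width):
            x = -1 + 2 * col / max(width - 1, 1)
            pixels.append(tuple(int((evaluate(t, x, y) + 1) * 127.5) for t in trees))
    return [formula(t) for t in trees], pixels


def to_ppm(pixels, width, height):
    """Binary PPM bytes, viewable in most image tools."""
    header = f"P6\n{width} {height}\n255\n".encode()
    return header + bytes(channel for px in pixels for channel in px)


if __name__ == "__main__":
    formulas, pixels = random_art(seed=42, width=128, height=128)
    print("\n".join(formulas))
    with open("art_42.ppm", "wb") as fh:
        fh.write(to_ppm(pixels, 128, 128))
```

The printed formulas are the only thing that needs protecting: anyone holding the seed (or the formula) can redraw the picture, so in a seed-based deployment the seeds deserve the same handling as a password hash, while the pictures themselves can be regenerated and thrown away.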
Password sharing may not remain a "feature" of PINs and passwords forever, as businesses warm to the idea of switching to picture-based passwords to save money on constantly handing out new passwords to forgetful customers. "A number of people in business and some in the military have expressed interest in Deja Vu, ranging from website use to high security situations," Dhamija said. "A bank was also interested in using this to reduce customer service calls from users who forgot their passwords to their accounts," she said.

Just how forgetful are customers? Very. So forgetful, in fact, that people don't only forget their passwords and PINs: in the Berkeley study, more than a quarter of the participants forgot their log-in names after just one week. Image-based password systems may soon provide much-needed relief for company IT departments from the daily tedium of verifying employees' identities over the phone or in person and then handing out replacement passwords. "We're hoping in the next six months to have something we are comfortable deploying to compete with passwords as a substitute," Dhamija said. The future for image-based passwords may soon be looking abstract, as well as bright.

LINKS:
paris.cs.berkeley.edu/~perrig/projects/usenix2000/usenix.pdf
gs2.sp.cs.cmu.edu/art/random/archive/index.html
gs2.sp.cs.cmu.edu/art/random/howto/index.html
Copyright © John Fairfax Holdings Ltd 2000. Any unauthorised use, copying or mirroring is prohibited.