After one week, "90% of all participants succeeded in authentication tests using Deja Vu, while only about 70% succeeded using passwords and PINs," Ms. Dhamija and Mr. Perrig, both based at the University of California, Berkeley, write in a paper presented at the Usenix Security Symposium in Denver, Colorado, earlier this year. In fact, more than a quarter of the users failed to recall not only self-chosen passwords but the first half of the equation -- their usernames.

Here's how the Deja Vu prototype works: Instead of creating a password, users select a personal "pass portfolio" of five abstract color images from thousands generated by a random-art computer program. It's necessary to commit them to memory by examining them carefully. Then, when they want to log into a secure system, they are challenged to identify the five out of a line-up of 25, most of them random decoys.

While precise recall of written passwords is an active mental exercise, visual recognition -- as the name Deja Vu implies -- is passive and more or less automatic, Mr. Perrig says. "It's, 'Ah, I've seen that before.' We use that for authentication," he says.

The human brain not only stores these images in memory far more durably but can retain an almost limitless number of them, Ms. Dhamija says. "There is a lot of cognitive research that suggests our memory for images is almost infinite," she says. Indeed, teaching techniques for memory-improvement usually encourage people to imagine visual cues in their minds, like a house with a series of rooms in it. "At the moment we're born, the eyes focus in on the mother, and after one day we can recognize the mother's face. ... It's an innate ability," she says.

Seventeen-year-old Little Li, a computer junkie in Guangzhou, China, is fed up with verbal passwords. "They're really annoying," he spouts off in a Web portal chat room. "I want to get inside quickly, so I just enter the same thing everywhere" -- a numerical code from his address. "All those ABCs and numbers are too hard for me to remember clearly."

System administrators say this is commonplace. "Asians do tend to choose passwords that are either their birthday or their ID number or their home phone number," says Pristine Communications co-founder Philip Diller, who managed tens of thousands of Taipei customers when the company was an Internet service provider, before it became a Web-site development firm. (The system administrators say U.S. users are more verbal in their password choice, but no more sophisticated; they tend to use the name of a pet, parent, or child -- handles that would be obvious to anyone who knew that person.)

Deja Vu's creators say they're in discussions with several potential partners, including a Silicon Valley-based start-up Internet bank, the venture-capital arm of one of the Big Five consulting firms, and a Smart Card manufacturer, though they decline to be more specific.

The challenge for Mr. Perrig and Ms. Dhamija is to make their system faster. Though visual recognition is quick, at the moment users have to scan through at least 25 images -- five separate screens of five images each -- to provide adequate security. Impatient users like Mr. Li might still prefer a weak password over delays getting online.

Paul Robertson, a senior system developer with northern Virginia-based security consultancy TruSecure Corp., says any alternative to passwords will ultimately be judged on whether it is both secure and convenient. If you want to sell a diving stock online, he says, "you want to do it now."

Write to H. Asher Bolande at hyam.bolande@awsj.com
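The enrollment and challenge flow the article describes (a five-image portfolio checked against a 25-image line-up), as an added Python sketch that is not code from the Deja Vu paper or its authors. Image ids are constructed stand-ins for random-art images, and the fixed per-user decoy pool is my own design assumption, chosen so that a repeated challenge shows an observer the same 25 images every time.

```python
import math
import secrets
from dataclasses import dataclass

# Parameters as the article describes them: a five-image "pass portfolio",
# challenged against a line-up of 25 images, the rest being decoys.
PORTFOLIO_SIZE = 5
CHALLENGE_SIZE = 25

_rng = secrets.SystemRandom()  # OS-backed randomness for decoy choice and ordering


@dataclass(frozen=True)
class Enrollment:
    """Server-side record for one user: the portfolio plus a fixed decoy pool.
    Keeping the decoys fixed per user (my assumption, not stated in the article)
    means every challenge shows the same 25 images, only reshuffled."""
    portfolio: frozenset
    decoys: frozenset


def enroll(chosen, image_pool):
    """Enroll a user who picked `chosen` image ids out of `image_pool`."""
    portfolio = frozenset(chosen)
    if len(portfolio) != PORTFOLIO_SIZE:
        raise ValueError("portfolio must contain exactly %d images" % PORTFOLIO_SIZE)
    rest = [i for i in image_pool if i not in portfolio]
    decoys = frozenset(_rng.sample(rest, CHALLENGE_SIZE - PORTFOLIO_SIZE))
    return Enrollment(portfolio, decoys)


def make_challenge(enr):
    """Return the 25-image line-up in a fresh random order."""
    lineup = list(enr.portfolio | enr.decoys)
    _rng.shuffle(lineup)
    return lineup


def verify(enr, selected):
    """Accept only if the selection is exactly the portfolio: no more, no fewer."""
    return frozenset(selected) == enr.portfolio


def guess_space():
    """Number of ways to pick 5 of 25, i.e. what a single blind guess faces."""
    return math.comb(CHALLENGE_SIZE, PORTFOLIO_SIZE)


def guess_bits():
    """The same guess space expressed in bits, for comparison with a PIN."""
    return math.log2(guess_space())
```

For scale, `guess_space()` is 53,130 (about 15.7 bits), versus 10,000 for a four-digit PIN, which is why the article's five screens of five images are needed for "adequate security".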