The mind can accurately recall pre-selected areas on an image, even quite a complex image, more reliably than it can a sequence of numbers and characters, or so it is said by the makers of a new password management application, PicturePIN-XP.
With that principle to guide it, PicturePIN is a technology used to secure a password management application by asking the user to pre-select between one and seven target areas on a chosen image, entering them in sequence to gain entry.
A user selects their own image, choosing between one (= less secure) and seven (= more secure) small areas of that image to function as a sort of visual PIN code, which must be entered in the correct sequence to access the database. The image can be any image but the more ‘entropy' (complexity) the merrier because it creates a greater number of visual elements from which to construct an easily-remembered image PIN.
The size of the target PIN code areas can be reduced, which increases security but with the trade off of needing to recall which areas of an image have to be clicked with more precision. The user also sets a single area to click if a ‘reset' is needed, in case the PIN areas or their order are forgotten. The defence against an attacker guessing the correct areas and sequence (which in theory is as unlikely as guessing the correct sequence and characters of a password) is that a single mistake locks the app, logging the fact that an attempt has been made against it. The returning authorised user must then click the reset point and the correct sequence.
The database app itself is a bit basic, but allows the user to define a series of information fields for every protected entry, piling them up on top of one another. It works quite well for small numbers of entries, but becomes unwieldy if the numbers increase. There is no way to sub-divide the entries into useful categories (ie. ‘website logins', ‘router logins', misc passwords', etc) nor to launch straight to websites or devices through a browser, as there is with rivals apps. We'd also have liked a feature to asterisk key data to counter shoulder surfing.
In fairness, the PicturePIN password database looks more like a demo application designed to garner interest in areas such as banking or e-commerce, where it might be employed to its strengths. Stuck in front of a password database that could just as easily be protected using a competent password, it is overkill.
As with any access system, PicturePIN stands or falls on the basis of two things. First, is it easy to use? Second, it is easy to crack? Access security is always a balance of these elements; imbalance in either one creates problems.
PicturePIN ticks the second element, that of access security, because it is hard to see how an attacker could possibly choose the right image elements in the right order to break it. It's also unlikely that a user could (or would need to) write down the image elements used to create the picture password, which enhances security further. As to question one, usability, once the slightly fiddly, under-developed setup routine has been overcome, it is fairly easy to work with which is, after all, the point of the system.
A third question hangs over all of this, which is harder to answer. Is it better, worse or much the same as using a conventional secure password? Not everyone, after all, finds it hard to remember passwords. On the whole, it's much the same level of security and usability in a visual rather than alpha-numeric form. Expert users will not see much point in using it, but they are probably not its target market.
You'd suspect that the migration hassle to companies adopting such a system to protect their data Internet resources might outweigh any benefits from their users logging in by clicking areas on an image. Banks might be one market, but banks were reluctant to adopt leading-edge ideas in user-facing technology during the boom years so it's hard to see them bothering now that most of them are being washed down the drain. Inertia rules.
Under-developed and a bit wasted on such a low-key app it might be, but there is the germ of a very interesting idea in PicturePIN that deserves further development. Passwords have failed to secure the Internet age, for a variety of reasons, but including the fact that people can't remember lots of them. It's hard to say whether they would really remember lots of PicturePINs either, but using images instead of long passwords might at least allow the world to migrate to logins based on greater complexity rather than the typical seven-character alpha-numeric formats used today.
Postscript: The ‘XP' part of the name refers to the operating system target market, though it officially works on Windows 2000 and Vista. We encountered problems getting the app to work on Vista that we were unable to resolve at the time of going to press.
Password databases such as Password Manager Deluxe or KeePass are better places than PicturePIN-XP for holding large volumes of login and other encrypted data. PicturePIN is better seen as a technology in search of a decent application.