Computers, bank accounts and smartphones all require a password. And, for our own security, they should all be unique and difficult, like, say: X32$q#fs@Gg92. Of course, nobody does that, opting instead for something easier to remember – and easier to hack. “123456” is the most common password on the internet; the runner-up is “password”.
As web security suffers from the limits of human memory, some psychologists and developers are experimenting with new kinds of passwords that play to the brain’s knack for remembering faces. Science shows that random letters and numbers are tricky to remember. But faces? Those are easy.
A set of experiments from researchers at the University of York in England, explore memory’s powerful connection with images of people. They discovered that to a stranger, different pictures of the same person often appear to be of different people. But when we look at people we know – from any angle, wearing sunglasses, whatever – we recognise them.
The scientists call their system Facelock. It’s not on the market yet, but here’s how it might work: a website asks us to choose a few people we recognise – the more disparate in our life, the better. A good mix, for example, might be a best friend from high school, a cousin, a colleague and a favourite folk cellist (it can’t be anyone too recognisable, or else it’s a security risk).
We’d be asked to select a few different images of each of these people. Then, the next time we log in, we’re presented with a series of three-by-three face grids – each one displaying eight random faces and one that we’ve chosen. Find a familiar face four times in a row, and we’re in.
Choosing the person we know is simple. For an intruder, it’s a guessing game. “If you are familiar with that face, you see through all those superficial changes in that image without even noticing,” psychologist Rob Jenkins, the lead author on the study, says.
There’s apparently only one similar face-based password system currently on the market. The technology, created by Virginia-based company Passfaces, assigns faces to clients (as opposed to clients personally picking them). “So far, adoption has been slow,” CEO Jon Shaw says. “Lots of companies look at passwords as free, even though they can have a high cost in a number of ways.”