This is the end, this is the beginning.
The database collected 4000 entries on the use of the pictogram password, thanks to all the participants. Let's look at the statistics, and along the way I will share the considerations that occurred to me and to the commenters.
Just numbers: average password length — 3.5 characters, average password entry time — 26 seconds, average error — 63%! The experiment can be considered successful; a bad result is also a result.
[Graph: input time as a function of password length]
[Graph: error percentage as a function of password length (the only logical graph)]
The following two graphs clearly symbolize a decrease in the enthusiasm of participants in the experiment.
[Graph: input time as a function of the number of attempts]
[Graph: error percentage as a function of the number of attempts]
The statistics can be found here.
I think the results of the experiment are not indicative, because they depend strongly on the specific implementation, and the motivation to see the message “Now you are in the system” is too low to make the effort of remembering the password. Field studies on real systems are required; this idea has yet to mature. The most serious objection, with which I agree, is that the method is unusual. The second strong objection, a consequence of the first, is that pictograms are remembered worse than letters and numbers; I think they are remembered worse than words, but better than just symbols. You need to have the skill to memorize them: when we use pictograms (icons) in GUI programs, we all remember what they mean and what sequences to click.
Here are some thoughts.
- Do not rotate icons. According to this good article (which deals with the recognition of human faces, but should also apply to other images), rotating an image greatly reduces a person's ability to recognize it, while for a computer it is just one more variable. It also follows from the article that vertical and horizontal scaling, blurring, overlaying noise and small objects, cutting out or replacing small parts of the image, and changing color and brightness only weakly impair human recognition but cause significant problems for a machine. Alas, the exact limits and methods of distortion can only be established in practice.
- An icon password can serve as an additional way to log in to systems that have a text password. It is especially good as a barrier against automated access. It is also suitable for use on public computers, as a master password, or to lock a device.
- This is not a panacea. Where the method really has an advantage is the impossibility of mass processing. That is, in a situation where passwords are cracked by the thousands, the “villains” get a large amount of data requiring manual processing, and cracking becomes too expensive.
- To determine the icon the user selected, I used a simple measurement of the distance between the center of the icon and the click coordinates: if the distance did not exceed the icon radius (16px), the result is true. It may be worthwhile to use a fuzzier method: if the distance is less than the radius, assign a weight of 1.0; if it is greater than the radius but less than the diameter, assign a weight of 0.5; then take the arithmetic mean of the weights, and if it is more than 0.5, the result is true.
- In technical terms, implementing the pictogram password on a single site is problematic. I had already started writing a control for ASP.NET, but suddenly (once again) found out that GDI+ does not work on my hoster's server. Maybe I am doing something wrong, but in any case processing graphics on the CPU is a bad decision, and handing it off to the client is impossible in this case. The right approach would be to create a service on a separate server with a graphics card.
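
The two click-matching rules from the list above, side by side, as an added example that is not the author's code; the function names, the sample coordinates and the zero weight for clicks beyond the diameter are assumptions. It also shows that the averaged rule accepts an attempt in which one click misses its icon entirely, and adds a stricter variant that rejects it.

```javascript
// Added example; function names and sample coordinates are constructed.
const RADIUS = 16;            // icon radius in px, as in the post
const DIAMETER = 2 * RADIUS;

// Distance between a click and the centre of the expected icon.
const distance = (click, center) =>
  Math.hypot(click.x - center.x, click.y - center.y);

// Rule used in the experiment: every click must land within the radius.
function strictMatch(clicks, centers) {
  return clicks.length === centers.length &&
    clicks.every((c, i) => distance(c, centers[i]) <= RADIUS);
}

// Weight: 1.0 within the radius, 0.5 between radius and diameter.
// Assumption: farther clicks score 0 (the post leaves this open).
function clickWeight(click, center) {
  const d = distance(click, center);
  if (d <= RADIUS) return 1.0;
  return d < DIAMETER ? 0.5 : 0.0;
}

// Proposed rule: accept when the mean weight exceeds 0.5.
function softMatch(clicks, centers) {
  if (clicks.length !== centers.length || clicks.length === 0) return false;
  const sum = clicks.reduce((s, c, i) => s + clickWeight(c, centers[i]), 0);
  return sum / clicks.length > 0.5;
}

// Added safeguard, not in the post: the mean alone tolerates a click that
// misses its icon completely, so also require every weight to be non-zero.
function softMatchNoMiss(clicks, centers) {
  return softMatch(clicks, centers) &&
    clicks.every((c, i) => clickWeight(c, centers[i]) > 0);
}

// Constructed sample: four expected icon centres and three attempts.
const centers = [{ x: 40, y: 40 }, { x: 120, y: 40 }, { x: 200, y: 40 }, { x: 280, y: 40 }];
const sloppy = [{ x: 42, y: 41 }, { x: 140, y: 40 }, { x: 203, y: 38 }, { x: 279, y: 44 }];  // one click 20px off
const oneMiss = [{ x: 42, y: 41 }, { x: 121, y: 40 }, { x: 203, y: 38 }, { x: 500, y: 300 }]; // last click far away
const allRing = centers.map(c => ({ x: c.x + 20, y: c.y }));                                // every click 20px off

for (const [name, a] of Object.entries({ sloppy, oneMiss, allRing })) {
  console.log(name, strictMatch(a, centers), softMatch(a, centers), softMatchNoMiss(a, centers));
}
```
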
And now for dessert. It was suggested in the comments, and the thought occurred to me too, that a captcha made of pictograms (pictocaptcha?) would be wonderful.
Namely: how about a captcha like this, solved in one click?

Or, more reliably, in two:

Or it could be like this:

That's it about the captcha; I will think about it some more.