With the growth of the Internet, user authentication to computers and networks has become increasingly important. User authentication systems typically associate a user identifier (userid) and a password, and store these values in a mapping. Each time a user attempts to access a resource, an authentication system may require that the user enter his or her userid and password. The authentication system will typically grant the user access to the resource if the entered userid and password match the stored mapping. However, the authentication system will typically deny access to the resource if the entered userid and password do not match the stored mapping.
The strength of such a method of user authentication may be based to some extent on the length and randomness of the password. Generally speaking, the longer and more random the password, the harder the password will be to guess or to discover using an exhaustive search. Nonetheless, some users may pick passwords that are short and easy to remember. Often, it is relatively easy for a third party to discover a weak password of a user, either by guessing the password through trial and error, by using personal information about the user, or by an exhaustive search.
Alternative authentication schemes have been developed, such as those based on biometrics, random passwords, and/or graphical passwords. Each of these mechanisms has its own advantages and disadvantages, and none provides an ideal solution. One of the main reasons why password-based authentication is still widely used is that upgrading or changing to technology that supports one of these alternative authentication schemes may entail significant changes to the infrastructure of an authentication system. These changes could be costly and complicated. Thus, it may be desirable to develop an authentication scheme that is easy and intuitive to use, robust against attacks, and works using existing hardware and software infrastructure.