Passwords composed of alphanumeric characters are very commonly used for identifying users and for limiting rights of use. Passwords have a long history of use as a means for protecting computers, databases, telecommunication systems and Internet pages against unauthorized users.
However, the use of passwords entails many well-known problems. In order to help remembering the passwords, the users write the passwords on pieces of paper that are easy to find or use easily guessable letter combinations as passwords. In addition, in terminal devices that are only equipped with a numeric keypad, such as mobile phones, it is tempting to use only a combination of numbers as a password, because typing letters is laborious. For this reason, it is often fairly easy to break into systems protected with passwords in practice.
In some known user authentication systems, a password composed of alphanumeric characters has been replaced by a string of images, or a kind of graphical password. In one of such systems, a large number of different facial images of people have been saved in the database. Using facial images is based on the fact that research has shown that people easily remember a face they have seen. When a new graphical password is created for the user, the system or the user randomly selects from the image archive in the database five facial images, for example, and brings them to the display of the terminal device connected to the system to be viewed by the user. After this, the user is allowed to view the images for a suitable period of time, such as 3 to 5 minutes. After the viewing period, the user has been given a graphical password composed of a string of images, which in the future authenticates the user and thus provides access to the system.
When the user wants to sign into the system, the system asks the user to recognize the images belonging to the graphical password from the images produced on the display of the terminal device. The recognition takes place image by image so that the system produces a small number of images, such as nine, on the display, one of which is the “right” image belonging to the password and the rest eight are “wrong” images. The user must point out the right image from the group. After this, the system produces a new group of nine images on the display, among which there is again only one right image, which the user must point out. This is repeated as many times as there are images in the password. When all the images of the graphical password have been found, the system admits the user into the system. A graphical password provides the advantage that it is much easier for the user to remember a group of facial images than an alphanumeric character string. In practice, it is also impossible to write the graphical password on a piece of paper which could end up in the hands of unauthorized persons.
However, the use of a graphical password also entails some problems. To make sure that the graphical password would be clearly different for each user and would provide a sufficiently large number of alternative images when the user is signing into the system, there must be at least several hundreds, preferably thousands of different images saved in the system database. Maintaining such a large image archive naturally consumes a large amount of the system's memory capacity.