Credentials - An alternative login system

Credentials is an experimental authentication system that improves user experience without compromising security.

Old habits die hard

Authentication has always been an hassle for users when they log in their accounts. The passwords either get complex and mistypes occur or they simply become too hard to remember. Typically what is considered to be a good password involves a string with more than 6 alphanumeric characters (some websites requiring the capitalisation of letters) followed by the good security practice of creating different passwords for different websites. With the growing number of websites to log in such as Gmail, Facebook, Twitter, LinkedIn, Dropbox, etc., we end up having to remember a great number of different and complex passwords. On top of that, if we take into account the senior citizen, things get more complicated since our memory ability naturally decreases with age. Browsers try to help by memorising passwords for us, but every time a different browser or device is used there’s a strong possibility that we end up having forgotten what the password for that website was.

Microsoft’s take on the subject

In late 2011, Microsoft announced a new feature to be included in Windows 8 called Picture Password, an alternative login system that allowed users to choose an image and mark on it several points of interest as the password. From the usability point of view it was a very good idea, the login process would be faster and more fun to deal with. However, many claims that the system was easily cracked start spreading all over the internet. One of the biggest flaws being pointed out was that users would choose simple images with predictable points of interests (ex.: photos of relatives), making it easy to guess the password. The system has limited login attempts to decrease the chances of hacking but, all in all, it was not considered as an improvement over the standard alphanumeric password, being instead an easier alternative for users that wished to use it. And that’s perfectly fine.

Credentials login system

When designing my own CMS solution the login issue inevitably came up - “another password for my clients to remember”. I thought about Microsoft’s Picture Password usability advantages, balanced the pros and cons and ended up creating my own approach to an alternative authentication system. Credentials is what I came up with.

To log in the system, users are only required to select from 5 to 7 symbols in a specific order and then hit the submit button. Selecting a symbol briefly activates its colour as feedback for selection and beneath the symbol grid a counter displays dots as symbols get selected. Finally, there's an option to clear all selection and start the process all over again. At the current development stage, Credentials combines user identification and password into a single action, making it a solution oriented to websites were few users log in, for example CMS's.

Having to choose simple, easily recognisable shapes as the access combination, users should have less trouble remembering them. Our brain is very good at perceiving the world in terms of shapes, colours and contrast, but a language is something that needs to be learned and trained daily, otherwise we end up forgetting parts of it (just as passwords). Since we are better at memorising shapes than words, it is expected that using Credentials reduces the cognitive load needed to perform the task. But at what costs?

Users create patterns

When looking at Microsoft’s approach to this subject we learn that the biggest flaw of their system was actually that users tend to create predictable patterns, which is no wonder as we always try to make things easier for us. As pointed out by critics, users tend to select personal photos that can make things more predictable (ex.: pictures of relatives or vacations), allowing hackers to exploit this behaviour and build algorithms to analyse the images and try the predictable patterns first. Complex pictures such as flowers can be more secure because they have more (both in quantity and in abstract qualities) points of interest, but that can also lead to some ambiguity, making it harder for users to memorise. At the end of day, however, it’s still up to the user to choose between the complex garden picture or the one with the granddaughter smiling.

Credentials offers a fixed set of simple shapes to choose from, setting the base for abstraction. From the human point of view, it’s harder to establish any connection between the user and the shapes displayed since we first learned them when we were just babies, making them familiar to pretty much everyone. Users can still be compelled to choose predictable patterns, selecting the same symbols or the ones in the corners, but it’s up to the system to forbid those combinations. To hackers, the shapes don't really matter at all. The malicious algorithms will just try to brute force all possible combinations until it gets the correct one. They can be discouraged from running those algorithms by limiting the number of attempts for a successful login, for example three attempts, which, in case of failed authentication, the system falls back to the standard username/password system.

Comparing solutions

Security should not be regarded only as the number of possible combinations a system can provide because as technology advances, computers also process combinations faster. That’s why websites require users to create bigger (and harder to remember) passwords, to increase the number of possible combinations. Continuing with this security strategy will end up with passwords being really hard to remember and users may start to make them simpler and more predictable as a response to the growing complexity of forming a password.

Let’s compare the 3 discussed login systems and look at the math of possible password combinations that can be made with 5 and 7 items, respectively:

Microsoft's Picture Password

Passwords with a length of 5 gestures, using multi-gesture:
398.046.621.309.72 possible combinations.
Passwords with a length of 7 gestures, using multi-gesture:
Number too big to display.

Alphanumeric password

Passwords with a length of 5 characters (26 lowercase + 26 uppercase + 10 numbers):
916.132.832 possible combinations - (26 + 26 + 10)^5.
Passwords with a length of 7 characters (26 lowercase + 26 uppercase letters + 10 numbers):
3.521.614.606.208 possible combinations - (26 + 26 + 10)^5.


Passwords with a length of 5 symbols, from a grid of 24 items:
7.962.624 possible combinations - 24^5.
Passwords with a length of 7 symbols, from a grid of 24 items:
4.586.471.424 possible combinations - 24^7.

At a first glance, Microsoft seems to have hit the jackpot and found the perfect solution, while Credentials seems to be a poor choice. Surprisingly, despite the numbers Microsoft’s Picture Password is actually considered easy to crack! It fails to fulfil its mathematical potential because users tend to select simple images with predictable points of interest. Our "shortcut" mentality leads us to choose simple images because we want to make it easy to remember. Maybe Microsoft gave users too much control over the Picture Password settings.

Alphanumeric passwords offer high number of possible combinations and forces users to add numbers and capital letters into the mix. This "dictatorship" prevents really basic passwords such as “password” or “secret” from being set, making the worst case scenario something like “pAsswoRD275” or “37seCreT”. Alphanumeric passwords offer very good protection but in the end it’s a battle between technology’s increasing ability to process combinations and our decreasing memory ability that comes with ageing. A battle that machines will win.

Credentials, on the other hand, tries to balance things out by taking into account both technology’s advancements and our limited memory ability. It does so by allowing users to create combinations that can be easily memorised, being 5 to 7 an optimal number of items to store in our short-term memory, and the symbols themselves being very basic and recognisable shapes. Limiting login attempts to 3, for example, means that hackers only have 3 chances at guessing the correct combination in a universe that can range from 8 million (5 item combination) up to more than 4 billion (7 item combination) possible combinations. That’s an extremely low chance of successful hacking. To decrease chances even more, we can set the system to expect the combination in a specific order only. The general line of thought is, if the access combination is easy to remember there’s no reason to allow infinite attempts.

Of course not all are roses, Credentials is currently designed to combine both the username and password into a single user input, meaning only websites were few users log in should consider using it (CMS's). To sum things up, these are the current advantages and disadvantages.

Advantages of Credentials

> Easier and faster to perform authentication than using a keyboard
> Users can recall their password easier
> Provides very good security
> Allows better user input in touch devices
> Protects against key loggers (viruses that store keyboard typing)

Disadvantages of Credentials

> People near the user may see the combination being marked
> Users may create predictable patterns
> Websites with large number of users require a separate username identification


Credentials does not aim to be more secure than the traditional password system at this current development stage. It is instead a balanced alternative that provides good security and improves user experience. Most importantly, Credentials represent new insights to better develop future authentication systems. If you have any insights and opinions you wish to share, feel free to contact me and I’ll update this post accordingly.