Many of us now use our mobile devices for things like online banking, in crowded public places ... the sort of places where it would be easy for sometime to sneak a peek as we enter our passcodes. Researchers from New Jersey's Rutgers University, however, are working on a possible alternative to those typed codes. They've discovered that passwords consisting of hand gestures used to draw free-form lines on a smartphone or tablet screen are much more difficult for "shoulder surfers" to copy after seeing.
With a traditional PIN password, thieves can steal it simply by observing which numerical keys are pressed in what order. Additionally, people in general are notorious for creating very easily-guessed passwords. Even with newer 9-dot systems in which users "connect the dots" within a grid pattern, it's still just a matter of observing what dots are connected.
User-specific abstract line gestures, though, apparently aren't so easily replicated. This is partly because they don't rely on familiar numerals or grid points, that are easier to recognize and memorize.
They also allow for a greater number of variables that have to be successfully copied. These could include not only the shape and size of the lines, but also their location on the screen, the velocity and pressure at which they're drawn, and the number of fingers applied to the screen at once (in the case of multiple lines drawn simultaneously).
In a study that Rutgers carried out in collaboration with the Max-Planck Institute for Informatics and the University of Helsinki, 63 volunteers were required to come up with their own free-form line gesture passwords, that they had to successfully recall both immediately and 10 days later. When a group of seven shoulder surfers tried to replicate those gestures after spying on the volunteers, they were unable to do so with enough accuracy for a computer to consider it a match.
Although there are still some logistical challenges to be met (such as how someone would write such a password on paper to remind themselves, should they forget it), Rutgers states that the system appears to be "extremely powerful against attacks."
