A new look for passwords

Click to follow
The Independent Online
THE Government's surveillance centre, GCHQ, is evaluating a new computer password system, which uses faces rather than letters, for top- security work. The system has already been adopted by a City merchant bank, which says it has ended the problem of computer users forgetting their passwords.

The system, developed by Visage, a Welsh private company, relies on humans' innate ability to recognise familiar faces within a fraction of a second. Yet as Hugh Davies, its chairman, points out: "You can't describe in words what is different about one face from another. But you can learn to recognise a previously unknown face in a few minutes, and that will stick for years."

The company has just been awarded British patents, and is applying for patents internationally. It is also talking to large software companies, including Novell and IBM, who are interested in incorporating the system into their products.

But Mr Davies is bitter that British venture capital companies have not backed the project, which has been kept going by a combination of awards from the Welsh Office and money from a wealthy individual, who has made repeated investments in return for 24 per cent of the equity.

"I think the British venture capital industry is one of those mythical creatures, like the Federation of Greek Islands' Master Plumbers," Mr Davies says.

Visage works by replacing the strings of letters and numbers used in modern, high-security passwords to defeat hackers with thumbnail pictures of faces. The average computer user has to hold six strings such as "orI4d3" in mind. But these are easily forgotten because the brain is not adapted to remembering them.

However, the brain is excellent at remembering human faces. To use the Visage system, the user first chooses a set of faces - typically three - from a given range of about 200 unknown individuals, and practises spotting them in a grid with six others. After five minutes' practice, almost anyone can "fix" their chosen faces.

In the working system, the faces are offered for less than a second in random positions in a grid on a computer screen, and the user must key in their positions. Only the intended user will spot the faces. Extra security can be generated by enlarging the grid and repeating this phase two or three times.

Security levels are kept high by not using famous faces or those of the user's family. GCHQ's tests of the system have all been positive, says Mr Davies. "We have been told by them that it is the single biggest advance in security since the invention of the password itself." The Home Office is understood to be interested in the system as an access control system.

At Charterhouse merchant bank, the system has been used for some time. "We never get any calls with people forgetting their passwords," says Neil Hare-Brown, the security manager. "Once they've learned this, you never hear from them again."