image based authentication using php

Posted on 2009-04-18
Last Modified: 2012-05-06
Hi, I have a project on image-based authentication, to compare it with traditional text-password-based authentication, and I want to use PHP to make a site that authenticates users.
I'm thinking that the site will display a set of images that have associated check boxes, so that the users can select their own images during the registration phase (images like cars or birds, or any other kind of image that is easy to remember).
The selected images will be the password for the user.
Can anyone help me with any hint on what I should do to finish this site? Thank you for helping me.
Question by:sermed100

    Accepted Solution

    Yes, it works. Create 20 or 30 images and name them, for example, 00.jpg, 01.jpg, etc. Then, at sign-up, the user must select 2 or 3, and you store the numerical value of the filename in the user's profile record in the database.

    Later, when the user logs in, you read the numerical values of the selected images, then compare them with the values stored in the profile. If they are equal, log in; otherwise reject.

    Hope this helps.
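The store-and-compare flow from this answer, as an added PHP sketch that is not code from the thread. It stores a hash of the sorted selection instead of the raw image numbers and applies the attempt limit suggested further down. The names `POOL`, `PICK`, `canonical_selection`, `enroll` and `check_login`, and the checkbox field name `img[]`, are assumptions.

```php
<?php
// Added example, not code from the thread. Image IDs are the numeric
// filenames (00.jpg .. 24.jpg); POOL and PICK are assumed values.
const POOL = 25;   // images shown
const PICK = 4;    // images the user must select

// Validate the checkbox values (e.g. $_POST['img'] from inputs named img[])
// and return a canonical string such as "03-07-12-21", or null if invalid.
function canonical_selection($posted): ?string
{
    if (!is_array($posted)) {
        return null;
    }
    $ids = [];
    foreach ($posted as $v) {
        if (!is_string($v) || !ctype_digit($v) || (int)$v >= POOL) {
            return null;                    // not an image number we served
        }
        $ids[(int)$v] = true;               // array keys de-duplicate
    }
    if (count($ids) !== PICK) {
        return null;
    }
    ksort($ids);                            // order of ticking is irrelevant
    return implode('-', array_map(fn($i) => sprintf('%02d', $i), array_keys($ids)));
}

// Registration: keep only a salted hash in the profile record.
function enroll($posted): ?string
{
    $sel = canonical_selection($posted);
    return $sel === null ? null : password_hash($sel, PASSWORD_DEFAULT);
}

// Login: compare against the stored hash, refusing after too many failures.
function check_login($posted, string $storedHash, int $failedAttempts, int $maxAttempts = 5): bool
{
    if ($failedAttempts >= $maxAttempts) {
        return false;
    }
    $sel = canonical_selection($posted);
    return $sel !== null && password_verify($sel, $storedHash);
}

// Constructed sample input: the same four boxes ticked in a different order.
$hash = enroll(['12', '03', '21', '07']);
var_dump(check_login(['07', '21', '03', '12'], $hash, 0));   // matching set
var_dump(check_login(['07', '21', '03', '13'], $hash, 0));   // one wrong image
var_dump(check_login(['07', '21', '03', '12'], $hash, 5));   // attempt limit reached
```

With 25 images and 4 picks there are only 12650 possible selections (the figure worked out later in the thread), so the attempt limit does more of the work than the hash. The failure counter is assumed to be kept per account by the caller.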

    Expert Comment

    Keep in mind that, from a security perspective, selecting a few images from a choice of 20 or 30 is a much weaker identification than an equivalent password, since order doesn't matter. In statistics, it's the difference between combinations (where order doesn't matter) and permutations (where order does matter). In fact, since you can't select the same picture twice, the picture password is combinations without repetition.

    Let's assume you have 25 pictures from which you will select 4. The number of possibilities for this is 25! / (4! * (25-4)!), which comes out to 12650 possibilities.

    An equivalent 4 character text password has 26 possibilities, where order does matter (abcd is different than dcba). The number of possibilities is 26*26*26*26 = 456976 possibilities. Make it case insensitive and add numbers, and it increases to 62*62*62*62 = 14776336 possibilities.

    Making the order of selection count for the pictures strengthens the password, but decreases the chance that the user will remember the password since our brains aren't wired to remember sequences of images.

    It would be interesting to explore the social engineering side of password cracking, though, where images are used. In a password, people tend to use predictable sequences, which allows tools like John the Ripper to succeed. Perhaps people would tend to select some combinations of images more than others.

    Assisted Solution

    Yeah what segurah said is good... definitely at least 30 images and don't choose less than 4 or more than 6.  

    The only thing is having 30 images on your page might look somewhat cluttered and funny.  Especially if the images aren't similarly styled.

    Another way can be to have all the images blank/gray squares and let them make a pattern -(if you can record the order in which they do it).  Use a higher order matrix for more security.  The Android phone uses this method to unlock the phone.

    Check it out here:

    Also best to limit the number of attempts that a person/IP address can have...


    Expert Comment

    yeah what hfraser said about security is also very important.  The text password is definitely the most secure method.  The pattern method is definitely not very secure..  The odds of guessing a pattern on a 3x3 matrix are less than one in a 100 and less than 1 in a 1000 unless you give them the option of moving anywhere.  But like hfraser mentioned...patterns might be hard to remember, especially when you can move anywhere!

    Anyway... project sounds fun!

    Author Comment

    Thank you for the comments. My project will be a comparison between image-based and text-based authentication, done as research... I need a good starting point to do it. What images do you suggest? How can I associate the images with the check boxes and save the selected images to the database?

    Expert Comment

    by:Ray Paseur
    sermed100: This may not be an answer to your question, but as hfraser correctly points out, you may be asking the "wrong" question about using images for a password.  Images are commonly used for CAPTCHA tests but not for passwords.

    One other place I have seen images used is in site identity verification.  When a client registers, they are given a few images to choose from.  Every subsequent time they visit the site, they will see the image they chose at the time of registration, and that is one way they can know that they are not on a "spoof" site.  Of course, PayPal simply uses your real name on the site and in its email messages and that is good enough for their purposes.

    Anyway, good luck with your project.  ~Ray

    Expert Comment

    I think that comparing the captcha mechanism with image recognition in probability terms is not so good. I will try to explain:

    In security, authentication is based on 2 principles (some people say 3):

    1.- What I know (like a password)
    2.- What I have (like tokens)
    3.- What I am (like biometrics, but this is also number 2 because it is something that I have)

    Well, text captcha is in principle #1 but... it's not secret. Why? A good OCR mechanism (at the client side) can 'read' the image and decode it. Today this happens.

    With image recognition we are also in principle 1, but what kind of machine can disassemble my mind and 'see' which images are stored in my brain?

    The probabilities are not the same...

    A huge bank in my country uses the mechanism that you proposed in the internet banking site, so it should not be so bad...

    My suggestion:

    1.- Use the login password as the 1st factor of authentication
    2.- Use image recognition as the 2nd factor of authentication

    Hint: As mentioned in my past post, don't use more than 20 or 30 images. Otherwise it can confuse the user.
