image based authentication using php

hi....... i have a project on image based authentication to compare it with the traditional text password based authentication  and i want to use php to make a site that authenticates users.
im thinking that the site will display a set of images that have  associated check boxes so that the users can select their own images during registeration phase  (the images like cars or birds or any other kind of images that is esy to remeber) .
the selected images will be  password for the user.
can anyone help my by any hint or what i should do to finish this site....thank you for helping me
Who is Participating?
segurahConnect With a Mentor Commented:
Yes it works, create 20 or 30 images, name it by example 00.jpg, 01.jpg etc etc ... Then, when sign up, the user must select 2 or 3, then you stores in the user profile record of database  the numerical value of the filename.

Later, when user logins you read the numerical value of the selected images,  then compares with the stored values in profile. If equals then login, else reject.

Hope helps.
Hugh FraserConsultantCommented:
Keep in mind that, from a security perspective, selecting a few images from a choice of 20 or 30 is a much weaker identification than an equivalent password, since order doesn't matter. In statistics, it's the difference between combinations (where order doesn't matter) and permutations (where order does matter). In fact, since you can't select the same picture twice, the picture password is combinations without repetition.

Let's assume you have 25 pictures from which you will select 4. The number of possibilities for this is 25! / (4! * (25-4)!), which comes out to 12650 possibilities.

An equivalent 4 character text password has 26 possibilities, where order does matter (abcd is different than dcba). The number of possibilities is 26*26*26*26 = 456976 possibilities. Make it case insensitive and add numbers, and it increases to 62*62*62*62 = 14776336 possibilities.

Making the order of selection count for the pictures strengthens the password, but decreases the chance that the user will remember the password since our brains aren't wired to remember sequences of images.

It would be interesting to explore the social engineering side of password cracking, though, where images are used. In a password, people tend to use predictable sequences, which allows tools like John the Ripper to succeed. Perhaps people would tend to select some combinations of images more than others.
ChimerazaConnect With a Mentor Commented:
Yeah what segurah said is good... definitely at least 30 images and don't choose less than 4 or more than 6.  

The only thing is having 30 images on your page might look somewhat cluttered and funny.  Especially if the images aren't similarly styled.

Another way can be to have all the images blank/gray squares and let them make a pattern -(if you can record the order in which they do it).  Use a higher order matrix for more security.  The Android phone uses this method to unlock the phone.

Check it out here:

Also best to limit the number of attempts that a person/IP address can have...

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

yeah what hfraser said about security is also very important.  The text password is definitely the most secure method.  The pattern method is definitely not very secure..  The odds of guessing a pattern on a 3x3 matrix are less than one in a 100 and less than 1 in a 1000 unless you give them the option of moving anywhere.  But like hfraser mentioned...patterns might be hard to remember, especially when you can move anywhere!

Anyway... project sounds fun!
sermed100Author Commented:
thank you for comments my project will be a comparision between image based and text based by doing a resarch... i need i good stating point to do it.what images do you suggest???.how can i associate the images with the check boxes and save the selected image to the database????
Ray PaseurCommented:
sermed100: This may not be an answer to your question, but as hfraser correctly points out, you may be asking the "wrong" question about using images for a password.  Images are commonly used for CAPTCHA tests but not for passwords.

One other place I have seen images used is in site identity verification.  When a client registers, they are given a few images to choose from.  Every subsequent time they visit the site, they will see the image they chose at the time of registration, and that is one way they can know that they are not on a "spoof" site.  Of course, PayPal simply uses your real name on the site and in its email messages and that is good enough for their purposes.

Anyway, good luck with your project.  ~Ray
I think that compare captcha mechanism with image recognition in probability terms is not so good, i will try to explain:

In security, authentication is based on 2 principles (some people say 3)

1.- What i know (like password)
2.- What is have (like tokens)
3.- What I'm (like biometrics, but also is number 2 because is something that i have)

Well, text captcha is in the principle #1 but .... it's not secret, why? a good mechanism (at client side) of ocr can 'read' the image and decode it. Today it occurs.

With image recognition we are in principle 1 also, but, what kind of machine can disassemble my mind and 'see' which are the images stored in my brain?

Probabilities are not the same .....

A huge bank in my country uses the mechanism that you proposed in then internet banking site, should not be so bad ....

My suggest :

1.- Use login password as 1st factor of authentication
2.- Use image recognition as 2dn factor of authentication

Hint: As mention in my past post, don't use more than 20,30 images. If not it can confuse to the user
All Courses

From novice to tech pro — start learning today.