When deciding on passwords, there's always a tradeoff: make it simple to remember and it's more likely to get hacked, or make it more complicated and risk forgetting it.
Yet even though we're constantly forgetting passwords, humans can remember familiar faces with close to 98 percent accuracy, scientists say.
Enter Facelock, a password alternative based on the psychology of facial recognition, designed by researchers at the University of York in the U.K.
Previous studies have shown that people can recognize familiar faces across a wide range of images -- even when image quality is poor. However, when unfamiliar faces are shown -- even different photos of the same person -- recognition is tied to a specific image.
Facelock builds upon this psychological insight by having users choose a selection of faces that are well known to them. Then when they want to log in or get access to a secure system, a series of face grids is created, and users must select the familiar face in each grid.
The developers say it's easy for users to select a familiar face from the crowd -- but tough for others to hack, since none of the faces will stand out to them.
In testing, they found that Facelock users could easily recall familiar images, even after one year, while unused passwords were forgotten within days.
This new research, published in the open-access journal PeerJ, builds on previous work. In a similar, earlier system known as Passfaces, images were used to authenticate users. However, it was susceptible to "shoulder-surfing attacks," in which fraudulent users could simply memorize the image from watching users over their shoulder and hack into the system.
To overcome that threat, Facelock uses a variety of different images of familiar faces, which are easily recognizable to people who know them but not so readily identified by strangers.
The researchers say shoulder-surfing and guessing were successful less than 2 percent of the time. Even people who knew the user only guessed correctly about 6 percent of the time. Facelock says security is also enhanced by offering users a large pool of target images to choose from.
Lead author Rob Jenkins said in a press release that "pretending to know a face that you don't know is like pretending to know a language that you don't know -- it just doesn't work. The only system that can reliably recognize faces is a human who is familiar with the faces concerned."
More research and development is needed, but the scientists hope that a Facelock-type system will be introduced for devices in the future.