• Jeunese Payne

Misapplication of Psychology: Case of Graphical Passwords


There are lots of interesting and positive ways to apply psychological methods, principles, and findings to practical real world problems. Psychology is successfully applied in a range of contexts, from education and law, to ergonomics and product design. For example, psychology has been successfully applied in health to help patients effectively manage physical and mental disorders. It is also used by governments to promote social change, by coaches to enhance player performance in sport, and by schools to aid learning.


What about when psychology is misapplied?


As well as the abundant pseudo-psychology you hear repeatedly from friends and written in books (e.g., "women are better at multi-tasking than men"), the misuse of psychology occurs frequently in my field of study as a post-graduate researcher of human-computer interaction (HCI) and usable security.

I first noticed it when working as a research assistant in a User Experience (UX) team. I noticed that one of the most commonly drawn-on social psychological theories in HCI was the Elaboration Likelihood Model (ELM: Petty & Cacioppo, 1986) -- a dual processing model relevant to attitude change. This model proposes that there are two routes by which information is processed to inform a person's attitudes: one is a systematic, deep-level route; the other route relies on superficial strategies, such as stereotypes.


The ELM is only one model within a tradition of dual-processing theories. Despite being relevant specifically to attitude change, the ELM gets used even though more relevant or more recent models might better represent a finding or theory in HCI. In fact, the idea of different processing strategies or routes can be found in several areas of psychology, including problem-solving and rationality (e.g. Nisbett & Ross, 1980), encoding memories (e.g. Craik & Lockhart, 1972), and impression formation (e.g. Fiske & Neuberg, 1990).


What appears to be happening is that people hear an interesting and easy to describe psychological phenomenon or theory and then they run with it.


I’ll give you an example that many have heard of: the magical number 7. In 1956, George Miller presented the argument, and evidence to support it, that people are able to retain about 7 “chunks” of information in immediate memory (plus or minus 2 items). The problem is that the magical number 7 actually refers to a cognitive process involved in the retention of very simple stimuli in short-term memory, not the complex information processing involved in everyday tasks. This means that the magical number 7 is often incorrectly applied or over-applied.


The same can be said for the psychology used to prop up graphical passwords as an alternative to traditional text-based passwords.

Passwords:

Knowledge-based authentication is the most common means of authenticating to services, and it normally takes the form of a text-based password; there is now a well told "story of woe" surrounding the usability and security of these passwords. There are three main categories of solution:


  1. Implement a biometric-based mechanism;

  2. Implement a token-based mechanism; or

  3. Improve knowledge-based mechanisms.

Graphical passwords are one proposed improvement to knowledge-based systems.

Before I continue, it is worth briefly outlining the three main types of graphical passwords. First, cognometrics, which involve recognising an image or images within an array of distractors, e.g., PassFaces or Expanded Password System. Second, locimetrics, which involve selecting points within a single image, e.g., PassPoints. Third, we have drawmetrics, which involve recreating a simple drawing or shape, e.g., Android Pattern Lock. You can (arguably) also get graphical passwords that are somewhere in between these, like the Windows 8 Picture Passwords or Background Draw-a-Secret (BDAS), which involve drawing simple shapes (like drawmetrics) at the right locations of a background picture (like locimetrics).


There are two main claims used to prop up graphical passwords as an alternative to traditional passwords. These claims are not incorrect per se, and they are also not necessarily independent of each other:


  1. Pictures are remembered better and for longer than words due to the Picture Superiority Effect.

  2. Recognition tends to outperform recall -- relevant especially to cognometric graphical passwords.


The Picture Superiority Effect


Studies have uncovered important differences in the way pictures and words are processed and remembered. In general, pictures show memory superiority over words on tests of both recall and recognition. For example, Nelson and colleagues (1976) found that when people were presented with long lists of words or pictures, they tended to remember 10% of words 3 days later, compared to 65% of pictures 3 days later.


Why might this be the case?


  1. Concrete Concepts: People grasp and remember concrete concepts better than abstract ones. If you give someone a picture, it typically corresponds with a concrete object. As such, pictures tend to be better remembered than the corresponding word, which tends to be remembered better than abstract words.

  2. Perceptual Distinctiveness: Pictures are more visually distinctive than words and produce a richer, sensory-perceptual representation in our minds, making individual pictures stand out.

  3. Semantic Meaning: Pictures give the perceiver more direct access to meaning.

  4. Elaborately Processed: Pictures are processed more elaborately than words in that pictures tend to be matched with existing prototypical images in your mind.

  5. Dual Coding: Pictures are proposed to access two memory stores – one visual, one verbal – increasing the probability of retrieval. The same might also be claimed for words in that you can imagine an image to go along with the word, but this is less likely to occur spontaneously as it seems to do with pictures.


Many of these claims come from tests of episodic memory in which the participant is asked to recall a list of pictures or words. A typical recall test might ask you to remember a series of words and then test your ability to recall them without any cues. This might be fine for a list of 7 items such as the one below, but the test gets pretty hard as the list lengthens.


Clown Water Pillow Father Giraffe House Chair


This is because, in a free recall test, you typically have very few cues to help you remember all the items appearing in a list, which is especially hard for items appearing in the middle. In this case, that would be words appearing near the word “father”, while words appearing at the beginning and end of the list would typically be remembered better, due to the well documented recency and primacy effects.



If you had more cues, the items in the middle would be easier to remember. In a lab setting, cued recall usually involves pairing words together, so that when participants see one word they should be more likely to remember the word that had been paired with it.

Finally, we have recognition, which is most likely to result in memory retrieval because there is a full copy of the word you are trying to remember in the cue.


Graphical Passwords

The argument when it comes to graphical passwords is twofold.


First, recognition is generally, although not always, better than recall because it relies on implicit and more automatic memory processes. This is why, for example, you are better able to recognise a picture of your own country than to draw it in all its detail from memory.


Second, our capacity for recognising images is better than our capacity for recognising words. In fact, Standing (1973), who tried to test our upper limits of recognition memory for pictures, found that people were able to recognise 10,000 pictures the following day by telling them apart from distractors.


However, we might not want to place too much emphasis on this.


Others such as Shepard (1967) found word recognition to also be very accurate – 90% accurate – if you forced participants to make a choice. Additionally, Standing (1973) found that retrieval time for words was better than for pictures, even though accuracy for pictures was better than for words.


And picture recognition is not immune to error.

Just like verbal memory, visual memory representations are subject to interference from items that are categorically similar. Interestingly, according to Konkle and colleagues (2010) at least, the perceptual distinctiveness of a picture, such as its shape or colour, has little impact on interference: an item is more likely to interfere with another item if it has similar category information. When a category has many different kinds of items belonging to it, people can remember more of them, even if the items belonging to the category all have similar shapes and colors (e.g., mobile phones and televisions).


This is because what we know affects what we retain in visual memory.

Detailed conceptual knowledge results in detailed mental representations that are later easier to retrieve. For example, some might know more about cars than others, and thus maintain a more detailed representation of each of the different cars in their head that they can accurately retrieve later.

Without sufficient existing knowledge, people maintain only gist-like representations that are abstracted away from the perceptual detail. This can lead to interference at retrieval.


This means that if graphical passwords were to be widely distributed, users could confuse images of the same category between services.


Keep in mind, also, that many of the experiments involve distinguishing old pictures from new pictures. This means that the user may not really be remembering pictures, and they do not necessarily recall all the details. This is important because graphical passwords require the user to do more than simply recognise pictures. They have to remember the order of pictures or mouse clicks, or how a shape was drawn.


I’ll describe an analogy to help get this point across; it’s called the “butcher on the bus” scenario: A man gets onto a bus and sees a man he recognises but he cannot remember who he actually is. Later, he goes to pick up some meat. This sparks a mental search process and it is at this point he realises that the man is his local butcher.

Recognising someone on the bus produced an immediate feeling that he “knew” the man, but recalling who he actually was took much longer and required an active search process. What I’m talking about here is the difference between remembering and knowing. Knowing is a fast-hitting “feeling” of familiarity and relies more on semantic (rather than episodic) memory, whilst remembering is a slow, conscious process, and involves the recollection of contextual details, such as when and how information was learned.


Semantic memory refers to knowledge (e.g., the capital of France is Paris); episodic memory refers to memories for events occurring at a specific time and place (e.g., visiting Paris).


Can we really say that pictures are better “remembered” than words?

Even episodic memory tests that rely solely on recall (without retrieval cues) do not necessarily reflect pure episodic memories as we understand them. Recall may be affected by automatic states of awareness (i.e., familiarity, without the context in which information was encountered) and semantic knowledge, rather than conscious recollection.

What's the problem?

Misapplying or over-applying psychology to graphical passwords gives a sense that graphical passwords are a better solution than they are. The wider community may then be surprised if graphical passwords became dominant and we ended up with some of the same problems associated with traditional passwords in terms of usability and security.

For example, if you let users choose their own graphical passwords, they tend to do so in predictable ways, just as they do with traditional passwords, and these passwords tend to have lower entropy. Also like traditional passwords, graphical passwords can be shoulder-surfed, or even voluntarily stored or shared using the camera on your smartphone. Additionally, despite claims that graphical passwords are more user-friendly, people do not seem to want to use them, perhaps because they take longer to log in with. Finally, if graphical passwords become widely adopted, people would have to remember different graphical passwords for different sites, which could lead to interference and errors, just as they do with traditional text-based passwords.
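The entropy point above can be made concrete. The following is an added example, not part of the original post: it compares the theoretical password space of a cognometric scheme with the entropy that remains when users pick images predictably. The scheme parameters (9 images per round, 4 rounds), the skewed choice distribution, and the assumption that rounds are independent are all constructed for illustration.

```python
import math

def _check(dist):
    """Reject anything that is not a probability distribution."""
    if not dist or any(p < 0 for p in dist) or abs(sum(dist) - 1.0) > 1e-9:
        raise ValueError("choice probabilities must be >= 0 and sum to 1")

def theoretical_bits(images_per_round, rounds):
    """Bits in the full password space if every image were equally likely."""
    return rounds * math.log2(images_per_round)

def shannon_bits(dist, rounds):
    """Average-case entropy when each round's choice follows `dist`."""
    _check(dist)
    return rounds * -sum(p * math.log2(p) for p in dist if p > 0)

def min_entropy_bits(dist, rounds):
    """Worst-case entropy: determined only by the most popular image."""
    _check(dist)
    return rounds * -math.log2(max(dist))

def top_choice_share(dist, rounds):
    """Fraction of accounts that end up with the single most common password."""
    _check(dist)
    return max(dist) ** rounds

# Assumed scheme parameters (hypothetical, not taken from the post).
IMAGES_PER_ROUND = 9
ROUNDS = 4

# Constructed per-round selection probabilities: a few images attract most users.
SKEWED = [0.40, 0.20, 0.10, 0.10, 0.05, 0.05, 0.04, 0.03, 0.03]
UNIFORM = [1 / IMAGES_PER_ROUND] * IMAGES_PER_ROUND

def report():
    """Summarise how much strength predictable selection removes."""
    return {
        "theoretical_bits": theoretical_bits(IMAGES_PER_ROUND, ROUNDS),
        "shannon_bits_skewed": shannon_bits(SKEWED, ROUNDS),
        "min_entropy_bits_skewed": min_entropy_bits(SKEWED, ROUNDS),
        "top_choice_share_uniform": top_choice_share(UNIFORM, ROUNDS),
        "top_choice_share_skewed": top_choice_share(SKEWED, ROUNDS),
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name:28s} {value:.4f}")
```

When assessing a deployed scheme, the figure to compare against a text-password policy is the min-entropy measured from real selection data, not the theoretical space.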


If you take one thing from this post, I want it to be that there are always caveats when any psychological theory is discussed.


The psychology might be correct, but the conclusions drawn may not be entirely valid and there may be a bigger picture to consider.


Many of the claims made by people trying to uphold their own versions of graphical passwords are not in themselves incorrect. Recognition is generally better than recall, and there is such a thing as the "picture superiority effect". But, while it is true that a lot of information can be stored in visual long-term memory, both in terms of the number of items and the amount of information for each item, there are a number of ifs and buts.


If we're talking about a graphical password scheme that relies more on recall (such as drawmetric schemes), be aware that episodic memories are prone to interference and that you may not really be relying on pure episodic memories as much as you are relying on semantic memory and recognition. I would also caution how much emphasis you place on recognition being better than recall, since recognition misses much of the detail and contextual information you might need to enter your graphical password correctly across different services.


The take-home message from me is that whenever you hear about some psychological theory or phenomenon, don’t just take it at face value.


Key References


Baddeley, A. (2007). Working memory, thought, and action. New York: Oxford University Press


Brostoff, S., & Sasse, M. A. (2000). Are PassFaces more usable than passwords? A field trial investigation. People and Computers XIV – Usability or Else!, 405-424


Craik, F. I. M., & Lockhart, R. S. (1972). Levels of processing: A framework for memory research. Journal of Verbal Learning and Verbal Behavior, 11 (6), 671-684


Everitt, K. M., Bragin, T., Fogarty, J., & Kohno, T. (2009). A comprehensive study of frequency, interference, and training of multiple graphical passwords. CHI 2009


Fiske, S. T., & Neuberg, S. L. (1990). A continuum of impression formation, from category-based to individuating processes: Influences of information and motivation on attention and interpretation. In Zanna, M. P. (Ed). Advances in Experimental Social Psychology, 23, 1-74, New York: Academic Press


Grady, C. L., McIntosh, A. R., Rajah, M. N., & Craik, F. I. M. (1998). Neural correlates of the episodic encoding of pictures and words. Proceedings of the National Academy of Sciences of the United States of America, 95 (5), 2703-2708


Konkle, T., Brady, T. F., Alvarez, G. A., & Oliva, A. (2010). Conceptual distinctiveness supports detailed visual long-term memory for real-world objects. Journal of Experimental Psychology: General, 139 (3), 558-578

Marsh, E. J., & Roediger, H. L. (2012). Chapter 7: Episodic and autobiographical memory. In: Weiner, I. B. (Ed.) Handbook of Psychology: Experimental Psychology, vol. 4, New York: Wiley, pp. 472-494.


Mandler, G. (1980). Recognizing: The judgment of previous occurrence. Psychological Review, 87 (3), 252-271

Miller, G. A. (1956). The magical number seven, plus or minus two: Some limits on our capacity for processing information. Psychological Review, 63 (2), 81-97


Nelson, D. L., Reed, V. S., & Walling, J. R. (1976). Pictorial superiority effect. Journal of Experimental Psychology, 2 (5), 523-528

Nisbett, R. E., Krantz, D. H., Jepson, C. & Kunda, Z. (1983). The use of statistical heuristics in everyday inductive reasoning. Psychological Review, 90 (4), 339-363

Paivio, A. & Csapo, K. (1973). Picture superiority in free recall: Imagery or dual coding? Cognitive Psychology, 5 (2), 176-206


Petty, R. E., & Cacioppo, J. T. (1986). Communication and persuasion: Central and peripheral routes to attitude change. New York: Springer-Verlag


Rajaram, S. Brief Reports: The effects of conceptual salience and perceptual distinctiveness in conscious recollection. Psychonomic Bulletin & Review, 5 (1), 71-78


Shepard, R. N. (1967). Recognition memory for words, sentences, and pictures. Journal of Verbal Learning and Verbal Behavior, 6 (1), 156-163

Standing, L. (1973). Learning 10,000 pictures. Quarterly Journal of Experimental Psychology, 25 (2), 207-222

Sternberg, G., Radeborg, K., & Hedman, L. R. (1995). The picture superiority effect in a cross-modality recognition task. Memory & Cognition, 23 (4), 425-441


Stobert, R. & Biddle, E. (2013). Memory retrieval and graphical passwords. Symposium on Usable Privacy and Security (SOUPS)

Tulving, E. (1985). Memory and consciousness. Canadian Psychologist, 26 (1), 1-12


©2020 by Dr Jeunese Adrienne Payne