Question

Suppose a system has a set of 40 pictures and each user selects 20 pictures as their favorite pictures for password authentication.

The system will authenticate a user as follows: present 2 pictures and the user will select the one that is from his favorite pictures.

The system will repeat the process 20 times, hence 40 pictures.

If the user has selected their 20 pictures successfully from the 20-pair sets, they will be logged in.

What is the search space for an attacker to crack the system and login as a user?

Here is my try: I thought that the attacker will use a program and brute force as much as 2^20 times.

Is this system more secure than a standard password authentication system?

Solution

I see it as impossible for this to be more secure than a standard password-based system.

Look at it this way: if I use a password that is 12 characters long, based on a standard US keyboard being able to produce 96 different characters, that is 612,709,757,329,767,363,772,416 different combinations (96^12).

Your picture-based system, on the other hand, only has 1,048,576 different possible combinations (2^20).

In summary, your picture-based system would be cracked in just 0.000524288 seconds! The password-based system, however, would take 9.7 million years to brute force!

(Based on: number of possibilities ÷ 2,000,000,000 = number of seconds)
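A worked check of the numbers in this answer, added here as example code that is not part of the original post: it models the picture login as a 20-position 0/1 choice vector, brute-forces it against a simulated verifier, and compares search space and exhaustive-search time with the 12-character password at the answer's assumed 2 billion guesses per second. The verifier, the picture set and the way pairs are built are assumptions of the example.

```python
import random
from itertools import product
from math import log2

GUESSES_PER_SECOND = 2_000_000_000  # rate assumed in the answer above


def search_space(choices_per_step, steps):
    """Distinct secrets when each of `steps` positions has `choices_per_step` options."""
    return choices_per_step ** steps


def brute_force_seconds(space, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every secret at `rate` guesses per second."""
    return space / rate


def make_challenge(num_pictures=40, favorites=20, rng=None):
    """Constructed login challenge (assumption of this example): the user's
    favourite set plus one pair per favourite, each pairing a favourite with
    a non-favourite in random order."""
    rng = rng or random.Random(0)
    fav = rng.sample(range(num_pictures), favorites)
    others = [p for p in range(num_pictures) if p not in fav]
    rng.shuffle(others)
    pairs = []
    for pair in zip(fav, others):
        pair = list(pair)
        rng.shuffle(pair)
        pairs.append(tuple(pair))
    return set(fav), pairs


def authenticate(fav, pairs, choices):
    """The verifier: choices[i] (0 or 1) must point at the favourite in pair i."""
    return len(choices) == len(pairs) and all(
        pairs[i][c] in fav for i, c in enumerate(choices))


def brute_force_login(pairs, verify):
    """Attacker who sees only the pairs and an accept/reject answer: enumerate
    every 0/1 choice vector. Returns the number of attempts until acceptance."""
    for attempts, choices in enumerate(product((0, 1), repeat=len(pairs)), 1):
        if verify(choices):
            return attempts
    return None


def compare(picture_pairs=20, password_len=12, alphabet=96):
    """(search space, bits of entropy, exhaustive-search seconds) per scheme."""
    pic, pwd = search_space(2, picture_pairs), search_space(alphabet, password_len)
    return {"pictures": (pic, log2(pic), brute_force_seconds(pic)),
            "password": (pwd, log2(pwd), brute_force_seconds(pwd))}
```

Whatever the 40 pictures are, the attacker never needs to know the favourite set itself: only the 20 left/right choices matter, which is why the space is 2^20 and not larger.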

OTHER TIPS

First of all, the user experience might be bad. Choosing 20 pictures out of 40 in 20 iterations may take a long time and might be boring. Even if users decide to go through it, they may prefer pictures that are easier to remember, because accurately remembering 20 pictures is itself not a simple task.

As analyzed above, the password space is not so big. And, users may have strong tendencies to choose pictures. For example, a user may prefer a specific color or theme, something like that, which makes it easier to attack than simple brute force.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow