Saul wrote:
> I'm looking to build some new security features for a website which
> will need stronger levels of password access, but I'm conscious from
> experience that users aren't very good with passwords and keep losing
> them or forgetting them so I don't want just bigger and better
> passwords. What I was wondering was whether image files would be
> better:

....
Have the site send the user an image; the user uses key encryption to
encode the image data and return it to the web site which authenticates
the result. This process would be similar to PGP.

The advantage is that an attacker sniffing at the results would find
it much more difficult to 'find' the authentication key inside the
junk of the randomly selected image, while the authenticator already
knows what the image was and what the bits should look like when
receiving it after the image is encrypted with the key.