This paper investigates the security of graphical authentication tokens against educated guess attacks. Results of two user studies indicate that original photos used as authentication tokens are vulnerable to educated guess attacks. The results also demonstrate that this vulnerability can be mitigated by using distorted pictures.