One common practice in relation to alphanumeric passwords is to write them down or share them with a trusted friend or colleague. Graphical password schemes often claim the advantage that they are significantly more secure with respect to both verbal disclosure and writing down. We investigated the reality of this claim in relation to the Passfaces graphical password scheme. By collecting a corpus of naturalistic descriptions of a set of 45 faces, we explored participants' ability to associate descriptions with faces across three conditions in which the decoy faces were selected: (1) at random; (2) on the basis of their visual similarity to the target face; and (3) on the basis of the similarity of the verbal descriptions of the decoy faces to the target face. Participants were found to perform significantly worse when presented with visual and verbally grouped decoys, suggesting that Passfaces can be further secured for description. Subtle differences in both the nature of male and female descriptions, and male and female performance were also observed.