User authentication is widely used in automatic teller machines (ATMs) and Internet services. Recently, ATM passwords have been increasingly stolen using small charge-coupled device cameras. This article discusses a user authentication method in which graphical passwords instead of alphabetic ones are used as passwords in order for it to be tolerant to observation attacks. Several techniques for password authentications have been discussed in various studies. However, there has not been sufficient research on authentication methods that use pass-images instead of pass-texts. This article proposes a user authentication method that is tolerant to attacks when a user's pass-image selection operation is video recorded twice. In addition, usage guidelines recommending eight pass-images are proposed, and its security is evaluated.