A mechanism for using a graphic password test while providing the ability for detecting attempts by programs to decipher the password for malicious attack is disclosed. An access module provides a prompt to an entity attempting to access a protected resource. An image-substitution module provides a first or second graphic image to the entity (images display a first and second password, respectively). A programmatic interface that provides access to an image displayed on a computer screen can be modified to periodically provide a second image to a computer program that is different from the first image displayed to a human user. A receiving module receives a password in response to the prompt and a determination module determines if the password is first or second password. When the second password is received, it is likely a malware attempt at bypassing the graphic password test. An analysis module responds e.g., by collecting information about the entity that attempted access.