As traditional textual passwords suffer from many known limitations, graphical passwords (GPs) are proposed as one promising alternative to complement the existing authentication systems. To obtain a large password space, map-based GPs (geographical passwords) have been developed that allow users to choose one or more places on a map for authentication. For example, PassMap requires users to choose two places as their credentials, and GeoPass enables users to click only one place for authentication. Some research studies have reported that choosing only one place as a password may be not secure enough, whereas selecting two places may decrease the system usability. In this work, we first conducted a study to learn how users would choose two places under PassMap, and found that users may choose two similar locations due to time consideration. Motivated by this observation, we then design CPMap, a click-points map-based GP scheme that allows users to choose one place on a world map at first and then click a point or an object on an image relating to the previously selected location. To investigate the performance of CPMap, we conducted another user study with up to 50 participants. It is found that users could achieve promising results with our scheme in the aspects of both security and usability.