Although motivated by both usability and security concerns, the existing literature on click-based graphical password schemes using a single background image (e.g., PassPoints) has focused largely on usability. We examine the security of such schemes, including the impact of different background images, and strategies for guessing user passwords. We report on both short- and long-term user studies: one lab-controlled, involving 43 users and 17 diverse images, and the other a field test of 223 user accounts. We provide empirical evidence that popular points (hot-spots) do exist for many images, and explore two different types of attack to exploit this hot-spotting: (1) a "human-seeded" attack based on harvesting click-points from a small set of users, and (2) an entirely automated attack based on image processing techniques. Our most effective attacks are generated by harvesting password data from a small set of users to attack other targets. These attacks can guess 36% of user passwords within 2^31 guesses (or 12% within 2^16 guesses) in one instance, and 20% within 2^33 guesses (or 10% within 2^18 guesses) in a second instance. We perform an image-processing attack by implementing and adapting a bottom-up model of visual attention, resulting in a purely automated tool that can guess up to 30% of user passwords in 2^35 guesses for some instances, but under 3% on others. Our results suggest that these graphical password schemes appear to be at least as susceptible to offline attack as the traditional text passwords they were proposed to replace.