User interface design affects security: patterns in click-based graphical passwords

Authors:
Sonia Chiasson;Alain Forget;Robert Biddle;P. C. van Oorschot
Affiliations:
Carleton University, School of Computer Science and Human Oriented Technology Lab, Ottawa, Canada;Carleton University, School of Computer Science and Human Oriented Technology Lab, Ottawa, Canada;Carleton University, School of Computer Science and Human Oriented Technology Lab, Ottawa, Canada;Carleton University, School of Computer Science, Ottawa, Canada
Venue:
International Journal of Information Security
Year:
2009

Citing 0
Cited 14

Multiple password interference in text passwords and click-based graphical passwords

Proceedings of the 16th ACM conference on Computer and communications security
Shoulder-surfing resistance with eye-gaze entry in cued-recall graphical passwords

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Purely automated attacks on passpoints-style graphical passwords

IEEE Transactions on Information Forensics and Security
Exploring usability effects of increasing security in click-based graphical passwords

Proceedings of the 26th Annual Computer Security Applications Conference
On designing usable and secure recognition-based graphical authentication mechanisms

Interacting with Computers
Graphical passwords: Learning from the first twelve years

ACM Computing Surveys (CSUR)
You only live twice or "the years we wasted caring about shoulder-surfing"

BCS-HCI '12 Proceedings of the 26th Annual BCS Interaction Specialist Group Conference on People and Computers
Multiple password interference in graphical passwords

International Journal of Information and Computer Security
Time evolving graphical password for securing mobile devices

Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
Security implications of password discretization for click-based graphical passwords

Proceedings of the 22nd international conference on World Wide Web
A tap and gesture hybrid method for authenticating smartphone users

Proceedings of the 15th international conference on Human-computer interaction with mobile devices and services
Memory retrieval and graphical passwords

Proceedings of the Ninth Symposium on Usable Privacy and Security
Quantifying the security of graphical passwords: the case of android unlock patterns

Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
On the security of picture gesture authentication

SEC'13 Proceedings of the 22nd USENIX conference on Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Design of the user interface for authentication systems influences users and may encourage either secure or insecure behaviour. Using data from four different but closely related click-based graphical password studies, we show that user-selected passwords vary considerably in their predictability. Our post-hoc analysis looks at click-point patterns within passwords and shows that PassPoints passwords follow distinct patterns. Our analysis shows that many patterns appear across a range of images, thus motivating attacks which are independent of specific background images. Conversely, Cued Click-Points (CCP) and Persuasive Cued Click-Points (PCCP) passwords are nearly indistinguishable from those of a randomly generated simulated dataset. These results provide insight on modeling effective password spaces and on how user interface characteristics lead to more (or less) security resulting from user behaviour.