Exploring usability effects of increasing security in click-based graphical passwords. Proceedings of the 26th Annual Computer Security Applications Conference.
Graphical passwords: Learning from the first twelve years. ACM Computing Surveys (CSUR).
Video-passwords: advertising while authenticating. Proceedings of the 2012 workshop on New security paradigms.
Security implications of password discretization for click-based graphical passwords. Proceedings of the 22nd international conference on World Wide Web.
Exploring the design space of graphical passwords on smartphones. Proceedings of the Ninth Symposium on Usable Privacy and Security.
Memory retrieval and graphical passwords. Proceedings of the Ninth Symposium on Usable Privacy and Security.
Quantifying the security of graphical passwords: the case of Android unlock patterns. Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security.
On the security of picture gesture authentication. SEC'13 Proceedings of the 22nd USENIX conference on Security.
We provide an in-depth study of the security of click-based graphical password schemes like PassPoints (Wiedenbeck et al., 2005), by exploring popular points (hot-spots), and examining strategies to predict and exploit them in guessing attacks. We report on both short- and long-term user studies: one lab-controlled, involving 43 users and 17 diverse images, the other a field test of 223 user accounts. We provide empirical evidence that hot-spots do exist for many images, some more so than others. We explore the use of "human computation" (in this context, harvesting click-points from a small set of users) to predict these hot-spots. We generate two "human-seeded" attacks based on this method: one based on a first-order Markov model, another based on an independent probability model. Within 100 guesses, our first-order Markov model-based attack finds 4% of passwords in one image's data set, and 10% of passwords in a second image's data set. Our independent model-based attack finds 20% within 2^33 guesses in one image's data set and 36% within 2^31 guesses in a second image's data set. These are all for a system whose full password space has cardinality 2^43. We evaluate our first-order Markov model-based attack with cross-validation of the field study data, which finds an average of 7-10% of user passwords within 3 guesses. We also begin to explore some click-order pattern attacks, which we found improve on our independent model-based attacks. Our results suggest that these graphical password schemes (with parameters as originally proposed) are vulnerable to offline and online attacks, even on systems that implement conservative lock-out policies.