Discretization is a standard technique used in click-based graphical passwords for tolerating input variance so that approximately correct passwords are accepted by the system. In this paper, we show for the first time that two representative discretization schemes leak a significant amount of password information, undermining the security of such graphical passwords. We exploit such information leakage for successful dictionary attacks on Persuasive Cued Click Points (PCCP), which is to date the most secure click-based graphical password scheme and was considered to be resistant to such attacks. In our experiments, our purely automated attack successfully guessed 69.2% of the passwords when Centered Discretization was used to implement PCCP, and 39.4% of the passwords when Robust Discretization was used. Each attack dictionary we used was of approximately 2^35 entries, whereas the full password space was of 2^43 entries. For Centered Discretization, our attack still successfully guessed 50% of the passwords when the dictionary size was reduced to approximately 2^30 entries. Our attack is also applicable to common implementations of other click-based graphical password systems such as PassPoints and Cued Click Points -- both have been extensively studied in the research communities.