Graphical passwords were proposed as an alternative to overcome the inherent limitations of text-based passwords, inspired by research showing that human graphical memory is particularly well developed. A graphical password scheme that has been widely adopted is the Android Unlock Pattern, a special case of the Pass-Go scheme with the grid size restricted to 3x3 points and a restricted stroke count. In this paper, we study the security of Android unlock patterns. By performing a large-scale user study, we measure actual user choices of patterns instead of relying on theoretical considerations about password spaces. From this data we construct a model based on Markov chains that enables us to quantify the strength of Android unlock patterns. We found empirically that there is a high bias in the pattern selection process, e.g., the upper left corner and three-point-long straight lines are very typical selection strategies. Consequently, the entropy of patterns is rather low, and our results indicate that the security offered by the scheme is less than the security of only three-digit randomly assigned PINs for guessing 20% of all passwords (i.e., we estimate a partial guessing entropy G_0.2 of 9.10 bit). Based on these insights, we systematically improve the scheme by finding a small but still effective change in the pattern layout that makes graphical user logins substantially more secure. By means of another user study, we show that some changes improve the security by more than doubling the space of actually used passwords (i.e., increasing the partial guessing entropy G_0.2 to 10.81 bit).
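The partial guessing entropy G_0.2 used above is Bonneau's alpha-guesswork metric; the following Python, added here as an illustration and not code from the paper, computes it from a distribution of user choices and reproduces the reference point the abstract compares against (a uniformly random three-digit PIN gives log2(1000), about 9.97 bit at alpha = 0.2). The pattern study data at the bottom is constructed for the demonstration and is not the paper's data.

```python
import math
from collections import Counter

def alpha_guesswork_bits(probs, alpha):
    """Partial guessing entropy G~_alpha (Bonneau, 2012) in bits.

    probs: probability of each distinct secret (need not be sorted).
    An optimal attacker guesses secrets in decreasing-probability order
    and stops once a fraction alpha of the population is covered."""
    if not 0 < alpha <= 1:
        raise ValueError("alpha must be in (0, 1]")
    p = sorted(probs, reverse=True)
    covered = 0.0   # lambda_mu: fraction of users actually guessed
    work = 0.0      # sum of p_i * i over the guessed secrets
    mu = 0          # number of guesses needed to reach alpha
    for mu, p_i in enumerate(p, start=1):
        covered += p_i
        work += p_i * mu
        if covered >= alpha:
            break
    # users whose secret was not guessed still cost the attacker mu guesses
    guesswork = work + (1.0 - covered) * mu
    # convert to bits so that a uniform choice among N secrets yields log2(N)
    return math.log2(2 * guesswork / covered - 1) + math.log2(1 / (2 - covered))

def bits_from_observed_choices(choices, alpha):
    """Estimate G~_alpha from a list of secrets chosen by study participants."""
    counts = Counter(choices)
    total = len(choices)
    return alpha_guesswork_bits([c / total for c in counts.values()], alpha)

def uniform_bits(n, alpha):
    """Reference value for a secret assigned uniformly at random from n
    possibilities, e.g. n=1000 for a random three-digit PIN."""
    return alpha_guesswork_bits([1.0 / n] * n, alpha)

if __name__ == "__main__":
    # Constructed sample: 3x3 unlock patterns as node sequences (nodes 0..8,
    # row-major), heavily biased towards a few simple shapes.
    study = ["0123"] * 40 + ["0367"] * 25 + ["0487"] * 15 + ["01258"] * 10 + [
        "2467", "6421", "3478", "0147", "1245", "8521", "7410", "0125",
        "3456", "6543"]
    print(f"uniform 3-digit PIN, alpha=0.2: {uniform_bits(1000, 0.2):.2f} bit")
    print(f"constructed pattern study, alpha=0.2: "
          f"{bits_from_observed_choices(study, 0.2):.2f} bit")
```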