ABSTRACT
Draw a secret (DAS) is a representative graphical password scheme. Rigorous theoretical analysis suggests that DAS supports an overall password space larger than that of the ubiquitous textual password scheme. However, recent research suggests that DAS users tend to choose weak passwords, and their choices would render this theoretically sound scheme less secure in real life.
In this paper we investigate the novel idea of introducing background images to the DAS scheme, in which users originally drew their passwords on a blank canvas overlaid with a grid. Encouraging results from our two user studies show that people aided with background images tended to set significantly more complicated passwords than their counterparts using the original scheme. The background images also reduced other predictable characteristics of DAS passwords, such as symmetry and centering within the drawing grid, further improving the strength of the passwords. We estimate that the average strength of successfully recalled passwords in the enhanced scheme was increased over those created using the original scheme by more than 10 bits. Moreover, a positive effect was observed with respect to the memorability of the more complex passwords encouraged by the background images.
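As an added illustration (not code from the paper), the following Python check flags the predictable DAS characteristics the abstract names, symmetry and centering within the drawing grid, together with the length and stroke count of a drawing. The stroke-over-grid-cells encoding and the two weak-pattern rules are this example's assumptions.

```python
# Added example (not the paper's code): flag predictable Draw-a-Secret (DAS)
# drawings. A password is a list of strokes; a stroke is the ordered list of
# (row, col) grid cells crossed before the pen lifts. The symmetry and
# centering rules are this example's assumptions, not the paper's metrics.
from typing import Dict, List, Set, Tuple

Cell = Tuple[int, int]


def cell_set(strokes: List[List[Cell]]) -> Set[Cell]:
    """All distinct grid cells touched by the drawing."""
    return {cell for stroke in strokes for cell in stroke}


def symmetry_axes(strokes: List[List[Cell]], grid: int) -> List[str]:
    """Grid axes about which the touched-cell set is its own mirror image."""
    cells = cell_set(strokes)
    axes = []
    if all((r, grid - 1 - c) in cells for r, c in cells):
        axes.append("vertical")
    if all((grid - 1 - r, c) in cells for r, c in cells):
        axes.append("horizontal")
    return axes


def is_centered(strokes: List[List[Cell]], grid: int) -> bool:
    """True when the drawing's bounding box is centred on the grid."""
    rows = [r for r, _ in cell_set(strokes)]
    cols = [c for _, c in cell_set(strokes)]
    return min(rows) + max(rows) == grid - 1 and min(cols) + max(cols) == grid - 1


def assess(strokes: List[List[Cell]], grid: int = 5) -> Dict[str, object]:
    """Length in cells, stroke count, and the weak-pattern flags for a drawing."""
    axes = symmetry_axes(strokes, grid)
    centered = is_centered(strokes, grid)
    return {"cells": sum(len(s) for s in strokes), "strokes": len(strokes),
            "symmetry": axes, "centered": centered,
            "predictable": bool(axes) or centered}


# Constructed samples on a 5x5 grid: a centred cross and an off-centre scribble.
CROSS = [[(2, 0), (2, 1), (2, 2), (2, 3), (2, 4)],
         [(0, 2), (1, 2), (2, 2), (3, 2), (4, 2)]]
SCRIBBLE = [[(0, 0), (0, 1), (1, 1), (1, 2)], [(3, 0), (3, 1)]]

if __name__ == "__main__":
    for name, password in (("cross", CROSS), ("scribble", SCRIBBLE)):
        print(name, assess(password))
```

A proactive checker built on these flags would reject the cross as predictable and accept the scribble, mirroring the abstract's observation that symmetric, centred drawings are the weak choices background images help users avoid.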