ABSTRACT
Previous research has found graphical passwords to be more memorable than non-dictionary or "strong" alphanumeric passwords. Participants in a prior study expressed concerns that this increase in memorability could also lead to an increased susceptibility of graphical passwords to shoulder-surfing. This appears to be yet another example of the classic trade-off between usability and security for authentication systems. This paper explores whether graphical passwords' increased memorability necessarily leads to risks of shoulder-surfing. To date, there are no studies examining the vulnerability of graphical versus alphanumeric passwords to shoulder-surfing.

This paper examines the real and perceived vulnerability to shoulder-surfing of two configurations of a graphical password, Passfaces™ [30], compared to non-dictionary and dictionary passwords. A laboratory experiment with 20 participants asked them to try to shoulder surf the two configurations of Passfaces™ (mouse versus keyboard data entry) and strong and weak passwords. Data gathered included the vulnerability of the four authentication system configurations to shoulder-surfing and study participants' perceptions concerning the same vulnerability. An analysis of these data compared the relative vulnerability of each of the four configurations to shoulder-surfing and also compared study participants' real and perceived success in shoulder-surfing each of the configurations. Further analysis examined the relationship between study participants' real and perceived success in shoulder-surfing and determined whether there were significant differences in the vulnerability of the four authentication configurations to shoulder-surfing.

Findings indicate that configuring data entry for Passfaces™ through a keyboard is the most effective deterrent to shoulder-surfing in a laboratory setting, and the participants' perceptions were consistent with that result. While study participants believed that Passfaces™ with mouse data entry would be most vulnerable to shoulder-surfing attacks, the empirical results found that strong passwords were actually more vulnerable.
REFERENCES
- [1] A. Adams and M. A. Sasse, "Users are not the Enemy: Why Users Compromise Computer Security Mechanisms and how to Take Remedial Measures," Communications of the ACM, vol. 42, pp. 41--46, 1999.
- [2] R. J. Anderson, "Why Cryptosystems Fail," Communications of the ACM, vol. 37, pp. 32--40, 1994.
- [3] C. T. Beardsley, "Is Your Computer Insecure?," IEEE Spectrum, vol. 9, pp. 67--78, 1972.
- [4] V. A. Brennen, "Cryptography Dictionary," vol. 2005, 1.0.0 ed., 2004.
- [5] S. Brostoff and A. Sasse, "Are Passfaces More Usable Than Passwords? A Field Trial Investigation," presented at People and Computers XIV - Usability or Else! Proceedings of HCI 2000, Sunderland University, 2000.
- [6] R. Chellappa, C. L. Wilson, and S. Sirohey, "Human and Machine Recognition of Faces: A Survey," Proceedings of the IEEE, vol. 83, pp. 705--741, 1995.
- [7] L. F. Cranor and S. Garfinkel, "Secure or Usable?," IEEE Privacy & Security, vol. 2, pp. 16--18, 2004.
- [8] L. F. Cranor and S. Garfinkel, Security and Usability: Designing Secure Systems that People Can Use. Sebastopol, CA: O'Reilly Media, Inc., 2005.
- [9] D. Davis, F. Monrose, and M. Reiter, "On User Choice in Graphical Password Schemes," presented at 13th USENIX Security Symposium, San Diego, CA, 2004.
- [10] A. De Angeli, M. Coutts, L. Coventry, D. Cameron, G. I. Johnson, and M. Fischer, "VIP: A Visual Approach to User Authentication," presented at Working Conference on Advanced Visual Interfaces: AVI2002, Trento, Italy, 2002.
- [11] Department of Defense Computer Security Center, "Department of Defense Password Management Guideline," Department of Defense, Washington, DC, CSC-STD-002-85, April 12, 1985.
- [12] R. Dhamija and A. Perrig, "Déjà Vu: A User Study Using Images for Authentication," presented at 9th USENIX Security Symposium, 2000.
- [13] P. Doyle and S. Hanna, "Analysis of June 2003 Survey on Obstacles to PKI Deployment and Usage," Organization for the Advancement of Structured Information Standards, Billerica, MA, August 8, 2003.
- [14] S. M. Furnell, I. Papadopoulos, and P. S. Dowland, "A long-term trial of alternative user authentication technologies," Information Management and Computer Security, vol. 12, pp. 178--190, 2004.
- [15] S. Granger, "Social Engineering Fundamentals, Part I: Hacker Tactics," vol. 2006: SecurityFocus, 2001.
- [16] B. Ives, K. R. Walsh, and H. Schneider, "The Domino Effect of Password Reuse," Communications of the ACM, vol. 47, pp. 75--78, 2004.
- [17] I. Jermyn, A. Mayer, F. Monrose, M. Reiter, and A. Rubin, "The Design and Analysis of Graphical Passwords," presented at 8th USENIX Security Symposium, Washington, DC, 1999.
- [18] J. Liddell, K. Renaud, and A. De Angeli, "Using a Combination of Sound and Images to Authenticate Web Users," presented at 17th Annual Human Computer Interaction Conference: Designing for Society, Bath, England, 2003.
- [19] S. Man, D. Hong, B. Hayes, and M. Matthews, "A password scheme strongly resistant to spyware," presented at Int. Conf. on Security and Management, Las Vegas, NV, 2004.
- [20] S. Man, D. Hong, M. Matthews, and J. C. Birget, "A shoulder-surfing resistant graphical password scheme," 2006.
- [21] G. A. Miller, "The Magical Number Seven, Plus or Minus Two: Some Limits on Our Capacity for Processing Information," The Psychological Review, vol. 63, pp. 81--97, 1956.
- [22] K. D. Mitnick and W. L. Simon, The Art of Deception: Controlling the Human Element of Security. New York: John Wiley & Sons, 2002.
- [23] National Research Council, Who Goes There? Authentication Through the Lens of Privacy. Washington, DC: National Academy Press, 2003.
- [24] J. Nolan and M. Levesque, "Hacking human: data-archaeology and surveillance in social networks," ACM SIGGROUP Bulletin, vol. 25, pp. 33--37, ??
- [25] L. O'Gorman, "Comparing Passwords, Tokens, and Biometrics for User Authentication," Proceedings of the IEEE, vol. 91, pp. 2021--2039, 2003.
- [26] G. Orgill, G. W. Romney, and P. M. Orgill, "The Urgency for Effective User Privacy Education to Counter Social Engineering Attacks on Secure Computer Systems," presented at 5th Conference on Information Technology Education (SIGITE '04), Salt Lake City, Utah, 2004.
- [27] A. A. Ozok and S. H. Holden, "Alphanumeric and Graphical Authentication Solutions: A Comparative Evaluation," presented at HCI International 2005, Las Vegas, NV, 2005.
- [28] A. S. Patrick, A. C. Long, and S. Flinn, "HCI and Security Systems," presented at CHI 2003: New Horizons, Ft. Lauderdale, FL, 2003.
- [29] R. W. Proctor, M.-C. Lien, K.-P. L. Vu, and G. Salvendy, "Improving Computer Security for Authentication of Users: Influence of Proactive Password Restrictions," Behavior Research Methods, Instruments & Computers, vol. 34, pp. 163--169, 2002.
- [30] Real User Corporation, "How the Passfaces™ System Works," vol. 2005, 2005.
- [31] K. Renaud and E. Smith, "Helping Users to Remember Their Passwords," presented at Annual Conference of the South African Institute of Computer Scientists and Information Technologists, Pretoria, South Africa, 2001.
- [32] K. Renaud and A. De Angeli, "My Password is here! An investigation into visio-spatial authentication mechanisms," Interacting with Computers, vol. 16, pp. 1017--1041, 2004.
- [33] V. Roth, K. Richter, and R. Freidinger, "A PIN-entry method resilient against shoulder surfing," presented at Proceedings of the 11th ACM Conference on Computer and Communications Security, Washington, DC, USA, 2004.
- [34] M. A. Sasse, S. Brostoff, and D. Weirich, "Transforming the 'Weakest Link' -- a Human/Computer Interaction Approach to Usable and Effective Security," BT Technology Journal, vol. 19, pp. 122--131, 2001.
- [35] L. Sobrado and J. C. Birget, "Shoulder-surfing resistant graphical passwords," draft.
- [36] W. C. Summers and E. Bosworth, "Password policy: the good, the bad, and the ugly," presented at Proceedings of the Winter International Symposium on Information and Communication Technologies, Cancun, Mexico, 2004.
- [37] R. C. Thomas, A. Karahasanovic, and G. E. Kennedy, "An Investigation into Keystroke Latency Metrics as an Indicator of Programming Performance," presented at Australasian Computing Education Conference 2005, Newcastle, Australia, 2005.
- [38] M. Turk, "A Random Walk Through Eigenspace," IEICE Transactions on Information and Systems, vol. E84-D, pp. 1586--1595, 2001.
- [39] J. J. Turnage, "The Challenge of New Workplace Technology for Psychology," American Psychologist, vol. 45, pp. 171--178, 1990.
- [40] L. Vasiu and I. Vasiu, "Dissecting Computer Fraud: From Definitional Issues to a Taxonomy," presented at 37th Hawaii International Conference on System Sciences, Hawaii, 2004.
- [41] D. Weinshall and S. Kirkpatrick, "Passwords you'll never forget, but can't recall," presented at ACM Conference on Computer Human Interaction (CHI) 2004, Vienna, Austria, 2004.
- [42] A. Whitten and J. D. Tygar, "Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0," presented at 8th USENIX Security Symposium, Washington, DC, 1999.
- [43] S. Wiedenbeck, J. Waters, J.-C. Birget, A. Brodskiy, and N. Memon, "PassPoints: design and longitudinal evaluation of a graphical password system," International Journal of Human-Computer Studies, vol. 63, pp. 102--127, 2005.
- [44] R. J. Witty and K. Brittain, "Automated Password Reset Can Cut IT Service Desk Costs," Gartner, Inc., Stamford, CT, G00123531, December 13, 2004.
- [45] R. J. Witty, "Bank of America Implements Simplified Single Sign-On," Gartner, Inc., Stamford, CT, G00123465, January 25, 2005.
- [46] J. Yan, A. Blackwell, R. Anderson, and A. Grant, "Password Memorability and Security: Empirical Results," IEEE Privacy & Security, vol. 2, pp. 25--31, 2004.
A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords