DOI: 10.1145/1143120.1143128

A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords

Published: 12 July 2006

ABSTRACT

Previous research has found graphical passwords to be more memorable than non-dictionary or "strong" alphanumeric passwords. Participants in a prior study expressed concern that this increase in memorability could also make graphical passwords more susceptible to shoulder-surfing. This appears to be yet another example of the classic trade-off between usability and security in authentication systems. This paper explores whether the increased memorability of graphical passwords necessarily leads to increased shoulder-surfing risk. To date, there are no studies examining the vulnerability of graphical versus alphanumeric passwords to shoulder-surfing.

This paper examines the real and perceived vulnerability to shoulder-surfing of two configurations of a graphical password, Passfaces™ [30], compared to non-dictionary ("strong") and dictionary ("weak") alphanumeric passwords. In a laboratory experiment, 20 participants attempted to shoulder-surf the two Passfaces™ configurations (mouse versus keyboard data entry) and the strong and weak passwords. The data gathered included the vulnerability of each of the four authentication configurations to shoulder-surfing and the participants' perceptions of that vulnerability. The analysis compared the relative vulnerability of the four configurations, compared participants' real and perceived success in shoulder-surfing each configuration, examined the relationship between real and perceived success, and tested whether the differences in vulnerability among the four configurations were statistically significant.

Findings indicate that configuring Passfaces™ for keyboard data entry is the most effective deterrent to shoulder-surfing in a laboratory setting, and participants' perceptions were consistent with that result. However, while participants believed that Passfaces™ with mouse data entry would be the most vulnerable to shoulder-surfing, the empirical results showed that strong alphanumeric passwords were actually more vulnerable.

References

  1. A. Adams and M. A. Sasse, "Users are not the Enemy: Why Users Compromise Computer Security Mechanisms and how to Take Remedial Measures," Communications of the ACM, vol. 42, pp. 41--46, 1999.
  2. R. J. Anderson, "Why Cryptosystems Fail," Communications of the ACM, vol. 37, pp. 32--40, 1994.
  3. C. T. Beardsley, "Is Your Computer Insecure?," IEEE Spectrum, vol. 9, pp. 67--78, 1972.
  4. V. A. Brennen, "Cryptography Dictionary," version 1.0.0, 2004.
  5. S. Brostoff and A. Sasse, "Are Passfaces More Usable Than Passwords? A Field Trial Investigation," presented at People and Computers XIV - Usability or Else! Proceedings of HCI 2000, Sunderland University, 2000.
  6. R. Chellappa, C. L. Wilson, and S. Sirohey, "Human and Machine Recognition of Faces: A Survey," Proceedings of the IEEE, vol. 83, pp. 705--741, 1995.
  7. L. F. Cranor and S. Garfinkel, "Secure or Usable?," IEEE Security & Privacy, vol. 2, pp. 16--18, 2004.
  8. L. F. Cranor and S. Garfinkel, Security and Usability: Designing Secure Systems that People Can Use. Sebastopol, CA: O'Reilly Media, Inc., 2005.
  9. D. Davis, F. Monrose, and M. Reiter, "On User Choice in Graphical Password Schemes," presented at the 13th USENIX Security Symposium, San Diego, CA, 2004.
  10. A. De Angeli, M. Coutts, L. Coventry, D. Cameron, G. I. Johnson, and M. Fischer, "VIP: A Visual Approach to User Authentication," presented at the Working Conference on Advanced Visual Interfaces (AVI 2002), Trento, Italy, 2002.
  11. Department of Defense Computer Security Center, "Department of Defense Password Management Guideline," Department of Defense, Washington, DC, CSC-STD-002-85, April 12, 1985.
  12. R. Dhamija and A. Perrig, "Deja Vu: A User Study. Using Images for Authentication," presented at the 9th USENIX Security Symposium, 2000.
  13. P. Doyle and S. Hanna, "Analysis of June 2003 Survey on Obstacles to PKI Deployment and Usage," Organization for the Advancement of Structured Information Standards, Billerica, MA, August 8, 2003.
  14. S. M. Furnell, I. Papadopoulos, and P. S. Dowland, "A long-term trial of alternative user authentication technologies," Information Management and Computer Security, vol. 12, pp. 178--190, 2004.
  15. S. Granger, "Social Engineering Fundamentals, Part I: Hacker Tactics," SecurityFocus, 2001.
  16. B. Ives, K. R. Walsh, and H. Schneider, "The Domino Effect of Password Reuse," Communications of the ACM, vol. 47, pp. 75--78, 2004.
  17. I. Jermyn, A. Mayer, F. Monrose, M. Reiter, and A. Rubin, "The Design and Analysis of Graphical Passwords," presented at the 8th USENIX Security Symposium, Washington, DC, 1999.
  18. J. Liddell, K. Renaud, and A. De Angeli, "Using a Combination of Sound and Images to Authenticate Web Users," presented at the 17th Annual Human Computer Interaction Conference: Designing for Society, Bath, England, 2003.
  19. S. Man, D. Hong, B. Hayes, and M. Matthews, "A password scheme strongly resistant to spyware," presented at the Int. Conf. on Security and Management, Las Vegas, NV, 2004.
  20. S. Man, D. Hong, M. Matthews, and J. C. Birget, "A shoulder-surfing resistant graphical password scheme," 2006.
  21. G. A. Miller, "The Magical Number Seven, Plus or Minus Two: Some Limits on Our Capacity for Processing Information," The Psychological Review, vol. 63, pp. 81--97, 1956.
  22. K. D. Mitnick and W. L. Simon, The Art of Deception: Controlling the Human Element of Security. New York: John Wiley & Sons, 2002.
  23. National Research Council, Who Goes There? Authentication Through the Lens of Privacy. Washington, DC: National Academy Press, 2003.
  24. J. Nolan and M. Levesque, "Hacking human: data-archaeology and surveillance in social networks," ACM SIGGROUP Bulletin, vol. 25, pp. 33--37 (year not given).
  25. L. O'Gorman, "Comparing Passwords, Tokens, and Biometrics for User Authentication," Proceedings of the IEEE, vol. 91, pp. 2021--2039, 2003.
  26. G. Orgill, G. W. Romney, and P. M. Orgill, "The Urgency for Effective User Privacy Education to Counter Social Engineering Attacks on Secure Computer Systems," presented at the 5th Conference on Information Technology Education (SIGITE '04), Salt Lake City, Utah, 2004.
  27. A. A. Ozok and S. H. Holden, "Alphanumeric and Graphical Authentication Solutions: A Comparative Evaluation," presented at HCI International 2005, Las Vegas, NV, 2005.
  28. A. S. Patrick, A. C. Long, and S. Flinn, "HCI and Security Systems," presented at CHI 2003: New Horizons, Ft. Lauderdale, FL, 2003.
  29. R. W. Proctor, M.-C. Lien, K.-P. L. Vu, and G. Salvendy, "Improving Computer Security for Authentication of Users: Influence of Proactive Password Restrictions," Behavior Research Methods, Instruments & Computers, vol. 34, pp. 163--169, 2002.
  30. Real User Corporation, "How the Passfaces™ System Works," 2005.
  31. K. Renaud and E. Smith, "Helping Users to Remember Their Passwords," presented at the Annual Conference of the South African Institute of Computer Scientists and Information Technologists, Pretoria, South Africa, 2001.
  32. K. Renaud and A. De Angeli, "My Password is here! An investigation into visio-spatial authentication mechanisms," Interacting with Computers, vol. 16, pp. 1017--1041, 2004.
  33. V. Roth, K. Richter, and R. Freidinger, "A PIN-entry method resilient against shoulder surfing," in Proceedings of the 11th ACM Conference on Computer and Communications Security, Washington, DC, USA, 2004.
  34. M. A. Sasse, S. Brostoff, and D. Weirich, "Transforming the 'Weakest Link'--a Human/Computer Interaction Approach to Usable and Effective Security," BT Technology Journal, vol. 19, pp. 122--131, 2001.
  35. L. Sobrado and J. C. Birget, "Shoulder-surfing resistant graphical passwords," draft.
  36. W. C. Summers and E. Bosworth, "Password policy: the good, the bad, and the ugly," in Proceedings of the Winter International Symposium on Information and Communication Technologies, Cancun, Mexico, 2004.
  37. R. C. Thomas, A. Karahasanovic, and G. E. Kennedy, "An Investigation into Keystroke Latency Metrics as an Indicator of Programming Performance," presented at the Australasian Computing Education Conference 2005, Newcastle, Australia, 2005.
  38. M. Turk, "A Random Walk Through Eigenspace," IEICE Transactions on Information and Systems, vol. E84-D, pp. 1586--1595, 2001.
  39. J. J. Turnage, "The Challenge of New Workplace Technology for Psychology," American Psychologist, vol. 45, pp. 171--178, 1990.
  40. L. Vasiu and I. Vasiu, "Dissecting Computer Fraud: From Definitional Issues to a Taxonomy," presented at the 37th Hawaii International Conference on System Sciences, Hawaii, 2004.
  41. D. Weinshall and S. Kirkpatrick, "Passwords you'll never forget, but can't recall," presented at the ACM Conference on Human Factors in Computing Systems (CHI) 2004, Vienna, Austria, 2004.
  42. A. Whitten and J. D. Tygar, "Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0," presented at the 8th USENIX Security Symposium, Washington, DC, 1999.
  43. S. Wiedenbeck, J. Waters, J.-C. Birget, A. Brodskiy, and N. Memon, "PassPoints: design and longitudinal evaluation of a graphical password system," International Journal of Human-Computer Studies, vol. 63, pp. 102--127, 2005.
  44. R. J. Witty and K. Brittain, "Automated Password Reset Can Cut IT Service Desk Costs," Gartner, Inc., Stamford, CT, G00123531, December 13, 2004.
  45. R. J. Witty, "Bank of America Implements Simplified Single Sign-On," Gartner, Inc., Stamford, CT, G00123465, January 25, 2005.
  46. J. Yan, A. Blackwell, R. Anderson, and A. Grant, "Password Memorability and Security: Empirical Results," IEEE Security & Privacy, vol. 2, pp. 25--31, 2004.

Published in

SOUPS '06: Proceedings of the second symposium on Usable privacy and security
July 2006, 168 pages
ISBN: 1595934480
DOI: 10.1145/1143120

Copyright © 2006 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States

Published: 12 July 2006

Qualifiers: Article

Acceptance rate: 15 of 49 submissions (31%)
