DOI: 10.1145/1280680.1280684
Article

Modeling user choice in the PassPoints graphical password scheme

Published: 18 July 2007

ABSTRACT

We develop a model to identify the most likely regions for users to click in order to create graphical passwords in the PassPoints system. A PassPoints password is a sequence of points, chosen by a user in an image that is displayed on the screen. Our model predicts probabilities of likely click points; this enables us to predict the entropy of a click point in a graphical password for a given image. The model allows us to evaluate automatically whether a given image is well suited for the PassPoints system, and to analyze possible dictionary attacks against the system. We compare the predictions provided by our model to results of experiments involving human users. At this stage, our model and the experiments are small and limited; but they show that user choice can be modeled and that expansions of the model and the experiments are a promising direction of research.

Published in

SOUPS '07: Proceedings of the 3rd symposium on Usable privacy and security
July 2007
188 pages
ISBN: 9781595938015
DOI: 10.1145/1280680

Copyright © 2007 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

Acceptance Rates

Overall Acceptance Rate: 15 of 49 submissions, 31%
