ABSTRACT
We develop a model to identify the most likely regions for users to click in order to create graphical passwords in the PassPoints system. A PassPoints password is a sequence of points, chosen by a user in an image that is displayed on the screen. Our model predicts probabilities of likely click points; this enables us to predict the entropy of a click point in a graphical password for a given image. The model allows us to evaluate automatically whether a given image is well suited for the PassPoints system, and to analyze possible dictionary attacks against the system. We compare the predictions provided by our model to results of experiments involving human users. At this stage, our model and the experiments are small and limited; but they show that user choice can be modeled and that expansions of the model and the experiments are a promising direction of research.
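The quantities the abstract names (per-click-point entropy from a predicted probability map, a suitability judgement for an image, and the fraction of a click distribution that a small dictionary of hot spots would cover) can be computed directly once a model has assigned likelihoods to the discretized tolerance cells of an image. The following Python is an added illustration, not code from the paper: the per-cell scores are constructed by hand, the grid is a hypothetical 2x4 discretization, and `password_entropy` treats the clicks as independent draws from the same distribution, a simplifying assumption the paper does not make.

```python
import math

# Constructed example: raw per-cell likelihood scores a click-point model might
# assign to a hypothetical 2x4 grid of tolerance cells over one image.
# These values are made up for illustration, not the paper's model output.
RAW_SCORES = [
    [64, 32, 16, 8],
    [4, 2, 1, 1],
]


def normalize(grid):
    """Turn raw cell scores into a probability distribution (row-major list)."""
    flat = [float(v) for row in grid for v in row]
    total = sum(flat)
    if total <= 0:
        raise ValueError("scores must sum to a positive value")
    return [v / total for v in flat]


def click_point_entropy(grid):
    """Shannon entropy (bits) of one click point under the predicted distribution."""
    return -sum(p * math.log2(p) for p in normalize(grid) if p > 0)


def max_click_point_entropy(grid):
    """Entropy if every cell were equally likely: log2(number of cells)."""
    return math.log2(sum(len(row) for row in grid))


def image_suitability(grid):
    """Predicted entropy as a fraction of the uniform-choice maximum.
    1.0 means no hot spots; values well below 1.0 flag an image that
    concentrates user choice on a few regions."""
    return click_point_entropy(grid) / max_click_point_entropy(grid)


def password_entropy(grid, n_clicks=5):
    """Entropy of a whole password, assuming each click is an independent draw
    from the same per-cell distribution (simplifying assumption; real clicks
    are correlated, so this is an upper-bound style estimate)."""
    return n_clicks * click_point_entropy(grid)


def dictionary_coverage(grid, top_k):
    """Fraction of click probability captured by a dictionary made of the
    top_k most likely cells."""
    probs = sorted(normalize(grid), reverse=True)
    return sum(probs[:top_k])


def cells_for_coverage(grid, target):
    """Smallest number of most-likely cells whose combined probability
    reaches the target fraction (how short a hot-spot dictionary could be)."""
    probs = sorted(normalize(grid), reverse=True)
    running = 0.0
    for k, p in enumerate(probs, start=1):
        running += p
        if running >= target:
            return k
    return len(probs)


if __name__ == "__main__":
    print(f"click-point entropy : {click_point_entropy(RAW_SCORES):.3f} bits")
    print(f"uniform maximum     : {max_click_point_entropy(RAW_SCORES):.3f} bits")
    print(f"image suitability   : {image_suitability(RAW_SCORES):.3f}")
    print(f"5-click password    : {password_entropy(RAW_SCORES, 5):.3f} bits")
    print(f"top-2 cells cover   : {dictionary_coverage(RAW_SCORES, 2):.3f}")
    print(f"cells for 90% mass  : {cells_for_coverage(RAW_SCORES, 0.9)}")
```

On the constructed grid the predicted click-point entropy is about 1.98 bits against a uniform maximum of 3 bits, and the two most likely cells already hold three quarters of the probability mass; that is the kind of comparison that lets an image be rejected, or a dictionary-attack risk estimated, before any user study is run.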