
On predictive models and user-drawn graphical passwords

Published: 22 January 2008

Abstract

In commonplace text-based password schemes, users typically choose passwords that are easy to recall, exhibit patterns, and are thus vulnerable to brute-force dictionary attacks. This leads us to ask whether other types of passwords (e.g., graphical) are also vulnerable to dictionary attack because of users tending to choose memorable passwords. We suggest a method to predict and model a number of such classes for systems where passwords are created solely from a user's memory. We hypothesize that these classes define weak password subspaces suitable for an attack dictionary. For user-drawn graphical passwords, we apply this method with cognitive studies on visual recall. These cognitive studies motivate us to define a set of password complexity factors (e.g., reflective symmetry and stroke count), which define a set of classes. To better understand the size of these classes and, thus, how weak the password subspaces they define might be, we use the “Draw-A-Secret” (DAS) graphical password scheme of Jermyn et al. [1999] as an example. We analyze the size of these classes for DAS under convenient parameter choices and show that they can be combined to define apparently popular subspaces that have bit sizes ranging from 31 to 41—a surprisingly small proportion of the full password space (58 bits). Our results quantitatively support suggestions that user-drawn graphical password systems employ measures, such as graphical password rules or guidelines and proactive password checking.
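As an added illustration of the proactive checking the abstract recommends (example code written for this page, not from the paper), the toy checker below scores a DAS-style drawing on two of the named complexity factors, stroke count and reflective symmetry, and rejects drawings that fall into a weak class. The 5x5 grid, the cell-sequence encoding, the bounding-box symmetry test and the thresholds are all assumptions.

```python
from typing import List, Tuple

Cell = Tuple[int, int]
Stroke = List[Cell]
GRID = 5  # assumption: a 5x5 DAS grid, cells indexed (col, row) from 0

def is_valid(pw: List[Stroke]) -> bool:
    """Every cell lies on the grid and consecutive cells of a stroke are
    4-adjacent (a pen cannot jump cells); our reading of the DAS encoding."""
    if not pw or any(not s for s in pw):
        return False
    for stroke in pw:
        if any(not (0 <= x < GRID and 0 <= y < GRID) for x, y in stroke):
            return False
        for (x1, y1), (x2, y2) in zip(stroke, stroke[1:]):
            if abs(x1 - x2) + abs(y1 - y2) != 1:
                return False
    return True

def occupied(pw: List[Stroke]):
    return frozenset(c for s in pw for c in s)

def is_reflectively_symmetric(pw: List[Stroke]) -> bool:
    """True if the occupied cells map onto themselves under reflection across
    the vertical or horizontal centre line of their own bounding box
    (a simplified, assumed test, not the paper's definition)."""
    cells = occupied(pw)
    cx2 = min(x for x, _ in cells) + max(x for x, _ in cells)
    cy2 = min(y for _, y in cells) + max(y for _, y in cells)
    vertical = frozenset((cx2 - x, y) for x, y in cells)
    horizontal = frozenset((x, cy2 - y) for x, y in cells)
    return vertical == cells or horizontal == cells

def check(pw: List[Stroke], min_strokes: int = 4, min_length: int = 8) -> List[str]:
    """Reasons a drawing falls into a weak class; [] means accepted.
    Thresholds are illustrative, not taken from the paper."""
    if not is_valid(pw):
        return ["not a valid drawing for this grid"]
    reasons: List[str] = []
    if len(pw) < min_strokes:
        reasons.append(f"too few strokes ({len(pw)} < {min_strokes})")
    length = sum(len(s) for s in pw)
    if length < min_length:
        reasons.append(f"too short ({length} < {min_length})")
    if is_reflectively_symmetric(pw):
        reasons.append("reflectively symmetric")
    return reasons

# Constructed samples: a closed square drawn as one stroke, and an irregular four-stroke drawing.
SQUARE = [[(1, 1), (2, 1), (3, 1), (3, 2), (3, 3), (2, 3), (1, 3), (1, 2), (1, 1)]]
IRREGULAR = [[(0, 0), (1, 0), (2, 0)], [(0, 1), (0, 2)], [(4, 4), (3, 4)], [(2, 2), (2, 3), (1, 3)]]
```

`check(SQUARE)` flags the square as both symmetric and single-stroke, while `check(IRREGULAR)` accepts the four-stroke asymmetric drawing.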

References

[1] Attneave, F. 1955. Symmetry, information and memory for patterns. American Journal of Psychology 68, 209--222.
[2] Attneave, F. 1957. Physical determinants of the judged complexity of shapes. Journal of Experimental Psychology 53, 4, 221--227.
[3] Birget, J. C., Hong, D., and Memon, N. 2003. Graphical passwords based on robust discretization. IEEE Transactions on Information Forensics and Security 1, 3 (Sept.), 395--399. Cryptology ePrint Archive, Report 2003/168. http://eprint.iacr.org/, site accessed Jan. 12, 2004.
[4] Blonder, G. 1996. Graphical passwords. United States Patent 5559961.
[5] Bower, G. H., Karlin, M. B., and Dueck, A. 1975. Comprehension and memory for pictures. Memory and Cognition 3, 216--220.
[6] Calkins, M. 1898. Short studies in memory and association from the Wellesley College laboratory. Psychological Review 5, 451--462.
[7] Daemen, J., Govaerts, R., and Vandewalle, J. 1993. Weak keys for IDEA. In Proceedings of the 13th Annual International Cryptology Conference on Advances in Cryptology. Lecture Notes in Computer Science, Vol. 773, 224--231.
[8] Davis, D., Monrose, F., and Reiter, M. 2004. On user choice in graphical password schemes. In 13th USENIX Security Symposium.
[9] Dhamija, R. and Perrig, A. 2000. Déjà vu: A user study using images for authentication. In 9th USENIX Security Symposium.
[10] French, R.-S. 1954. Identification of dot patterns from memory as a function of complexity. Journal of Experimental Psychology 47, 22--26.
[11] Goldberg, J., Hagman, J., and Sazawal, V. 2002. Doodling our way to better authentication. In CHI '02 Extended Abstracts on Human Factors in Computing Systems (April 20--25). ACM Press, New York. 868--869.
[12] Halderman, J. A., Waters, B., and Felten, E. W. 2005. A convenient method for securely managing passwords. In Proceedings of the 14th International World Wide Web Conference. ACM Press, New York. 471--479.
[13] Ichikawa, S.-I. 1982. Measurement of visual memory span by means of the recall of dot-in-matrix patterns. Behavior Research Methods and Instrumentation 14, 3, 309--313.
[14] Jansen, W., Gavrilla, S., Korolev, V., Ayers, R., and R., S. 2003. Picture password: A visual login technique for mobile devices. NIST Report NISTIR 7030.
[15] Jermyn, I., Mayer, A., Monrose, F., Reiter, M., and Rubin, A. 1999. The design and analysis of graphical passwords. In 8th USENIX Security Symposium.
[16] Kirkpatrick, E. A. 1894. An experimental study of memory. Psychological Review 1, 602--609.
[17] Klein, D. 1990. Foiling the cracker: A survey of, and improvements to, password security. In 2nd USENIX Security Workshop. 5--14.
[18] Kuo, C., Romanosky, S., and Cranor, L. 2006. Human selection of mnemonic phrase-based passwords. In 2nd Symposium on Usable Privacy and Security (SOUPS). ACM Press, New York. 67--78.
[19] Madigan, S. 1983. Picture memory. In Imagery, Memory and Cognition, J. C. Yuille, Ed. Lawrence Erlbaum, Mahwah, NJ. 65--89.
[20] Madigan, S. and Lawrence, V. 1980. Factors affecting item recovery and hypermnesia in free recall. American Journal of Psychology 93, 489--504.
[21] Massey, J. 1994. Guessing and entropy. In Proceedings of the IEEE International Symposium on Information Theory (ISIT). 204.
[22] Menezes, A. J., van Oorschot, P. C., and Vanstone, S. A. 1996. Handbook of Applied Cryptography. CRC Press, Boca Raton, FL. 290--291, Note 8.8.
[23] Monrose, F. 1999. Towards Stronger User Authentication. Ph.D. thesis, New York University.
[24] Monrose, F. and Reiter, M. K. 2005. Graphical passwords. In Security and Usability, L. Cranor and S. Garfinkel, Eds. O'Reilly Media Inc., Sebastopol, CA, Chapter 9, 147--164.
[25] Muffett, A. 2004. Crack password cracker. http://ciac.llnl.gov/ciac/ToolsUnixAuth.html, site accessed Jan. 12, 2004.
[26] Nakajima, J. and Matsui, M. 2002. Performance analysis and parallel implementation of dedicated hash functions. In Advances in Cryptology -- Proceedings of EUROCRYPT 2002. 165--180.
[27] Nali, D. and Thorpe, J. 2004. Analyzing user choice in graphical passwords. Tech. Report TR-04-01, School of Computer Science, Carleton University, Canada. http://www.scs.carleton.ca/research/tech_reports/2004/TR-04-01.pdf.
[28] Openwall Project. 2004a. John the Ripper password cracker. http://www.openwall.com/john/, site accessed Jan. 7, 2004.
[29] Openwall Project. 2004b. Wordlists. http://www.openwall.com/passwords/wordlists/, site accessed Jan. 7, 2004.
[30] Perkins, F. 1932. Symmetry in visual recall. American Journal of Psychology 44, 473--490.
[31] Perrig, A. and Song, D. 1999. Hash visualization: A new technique to improve real-world security. In International Workshop on Cryptographic Techniques and E-Commerce. 131--138.
[32] Pinkas, B. and Sander, T. 2002. Securing passwords against dictionary attacks. In 9th ACM Conference on Computer and Communications Security. ACM Press, New York. 161--170.
[33] Provos, N. and Mazieres, D. 1999. A future-adaptable password scheme. In Proceedings of the USENIX Annual Technical Conference.
[34] Real User Corporation. 2004. About Passfaces. http://www.realuser.com/cgi-bin/ru.exe/_/homepages/technology/passface.htm, site accessed May 25, 2004.
[35] Shannon, C. 1948. A mathematical theory of communication. The Bell System Technical Journal 27, 379--423.
[36] Spafford, E. 1989. Crisis and aftermath (The Internet worm). Communications of the ACM 32, 6, 678--687.
[37] Spafford, E. H. 1992. OPUS: Preventing weak password choices. Computers & Security 11, 3, 273--278.
[38] Suo, X., Zhu, Y., and Owen, G. S. 2005. Graphical passwords: A survey. In 21st Annual Computer Security Applications Conference (ACSAC) (Dec. 5--9).
[39] Tao, H. 2006. Pass-Go, a New Graphical Password Scheme. M.S. thesis, School of Information Technology and Engineering, University of Ottawa, Canada.
[40] Thorpe, J. and van Oorschot, P. 2004a. Graphical dictionaries and the memorable space of graphical passwords. In 13th USENIX Security Symposium (Aug. 9--13).
[41] Thorpe, J. and van Oorschot, P. 2004b. Towards secure design choices for implementing graphical passwords. In 20th Annual Computer Security Applications Conference (ACSAC 2004) (Dec. 6--10). IEEE, Los Alamitos, CA.
[42] Thorpe, J. and van Oorschot, P. 2005. On the security of graphical password schemes (extended version). Tech. Report TR-05-11, School of Computer Science, Carleton University, Canada. http://www.scs.carleton.ca/research/tech_reports/2005/download/TR-05-11.pdf.
[43] Tyler, C. 1996. Human symmetry perception. In Human Symmetry Perception and Its Computational Analysis, C. Tyler, Ed. VSP, The Netherlands. 3--22.
[44] van Oorschot, P. C. and Stubblebine, S. 2006. On countering online dictionary attacks with login histories and humans-in-the-loop. ACM Transactions on Information and System Security 9, 3 (Aug.), 235--258.
[45] Vogel, E. K. and Machizawa, M. G. 2004. Neural activity predicts individual differences in visual working memory capacity. Nature (London) 428, 748--751.
[46] Wagemans, J. 1996. Detection of visual symmetries. In Human Symmetry Perception and Its Computational Analysis, C. Tyler, Ed. VSP, The Netherlands. 25--48.
[47] Wiedenbeck, S., Waters, J., Birget, J., Brodskiy, A., and Memon, N. 2005. PassPoints: Design and longitudinal evaluation of a graphical password system. International Journal of Human-Computer Studies (Special Issue on HCI Research in Privacy and Security) 63, 102--127.
[48] Yan, J. 2001. A note on proactive password checking. In ACM New Security Paradigms Workshop, New Mexico.

Published In

ACM Transactions on Information and System Security, Volume 10, Issue 4, January 2008, 192 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/1284680

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 22 January 2008
Accepted: 01 June 2007
Revised: 01 August 2006
Received: 01 December 2005
Published in TISSEC Volume 10, Issue 4


Author Tags

  1. Draw-a-Secret
  2. Graphical passwords
  3. dictionary attack
  4. graphical dictionary
  5. memorable passwords
  6. modeling user choice
  7. password complexity factors

Qualifiers

  • Research-article
  • Research
  • Refereed
