ABSTRACT
Graphical password systems have received significant attention as one potential solution to the need for more usable authentication, but nearly all prior work makes the unrealistic assumption of studying a single password. This paper presents the first study of multiple graphical passwords to systematically examine frequency of access to a graphical password, interference resulting from interleaving access to multiple graphical passwords, and patterns of access while training multiple graphical passwords. We find that all of these factors significantly impact the ease of authenticating using multiple facial graphical passwords. For example, participants who accessed four different graphical passwords per week were ten times more likely to completely fail to authenticate than participants who accessed a single password once per week. Our results underscore the need for more realistic evaluations of the use of multiple graphical passwords, have a number of implications for the adoption of graphical password systems, and provide a new basis for comparing proposed graphical password systems.