DOI: 10.1145/1133265.1133303

Design and evaluation of a shoulder-surfing resistant graphical password scheme

Published: 23 May 2006

Abstract

When users input their passwords in a public place, they may be at risk of attackers stealing their password. An attacker can capture a password by direct observation or by recording the individual's authentication session. This is referred to as shoulder-surfing and is a known risk, of special concern when authenticating in public places. Until recently, the only defense against shoulder-surfing has been vigilance on the part of the user. This paper reports on the design and evaluation of a game-like graphical method of authentication that is resistant to shoulder-surfing. The Convex Hull Click (CHC) scheme allows a user to prove knowledge of the graphical password safely in an insecure location because users never have to click directly on their password images. Usability testing of the CHC scheme showed that novice users were able to enter their graphical password accurately and to remember it over time. However, the protection against shoulder-surfing comes at the price of longer time to carry out the authentication.


Published In

AVI '06: Proceedings of the working conference on Advanced visual interfaces
May 2006
512 pages
ISBN:1595933530
DOI:10.1145/1133265
General Chair: Augusto Celentano
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. authentication
  2. convex hull click scheme
  3. graphical passwords
  4. password security
  5. shoulder-surfing
  6. usable security

Qualifiers

  • Article

Conference

AVI06

Acceptance Rates

Overall Acceptance Rate 128 of 490 submissions, 26%

Article Metrics

  • Downloads (last 12 months): 63
  • Downloads (last 6 weeks): 4
Reflects downloads up to 10 Feb 2025

Cited By
  • (2025) A Review on Secure Authentication Mechanisms for Mobile Security. Sensors 25:3 (700). DOI: 10.3390/s25030700. Online publication date: 24-Jan-2025
  • (2025) Deep Reinforcement Learning-Based Feature Extraction and Encoding for Finger-Vein Verification. IEEE Transactions on Emerging Topics in Computational Intelligence 9:1 (522-536). DOI: 10.1109/TETCI.2024.3398022. Online publication date: Feb-2025
  • (2024) Unsupervised Sensor-Based Continuous Authentication With Low-Rank Transformer Using Learning-to-Rank Algorithms. IEEE Transactions on Mobile Computing 23:9 (8839-8854). DOI: 10.1109/TMC.2024.3353209. Online publication date: Sep-2024
  • (2024) Memory-Augmented Autoencoder based Continuous Authentication on Smartphones with Conditional Transformer GANs. IEEE Transactions on Mobile Computing (1-16). DOI: 10.1109/TMC.2023.3290834. Online publication date: 2024
  • (2024) CT-Auth: Capacitive Touchscreen-Based Continuous Authentication on Smartphones. IEEE Transactions on Knowledge and Data Engineering 36:1 (90-106). DOI: 10.1109/TKDE.2023.3277879. Online publication date: Jan-2024
  • (2024) AG-NAS: An Attention GRU-Based Neural Architecture Search for Finger-Vein Recognition. IEEE Transactions on Information Forensics and Security 19 (1699-1713). DOI: 10.1109/TIFS.2023.3340915. Online publication date: 2024
  • (2024) DAPSys Software. 2024 Parul International Conference on Engineering and Technology (PICET) (1-5). DOI: 10.1109/PICET60765.2024.10716093. Online publication date: 3-May-2024
  • (2024) Touch Authentication for Sharing Context Using Within-Group Similarity Structure. IEEE Internet of Things Journal 11:17 (28281-28296). DOI: 10.1109/JIOT.2024.3402323. Online publication date: 1-Sep-2024
  • (2024) GUA: A Multi Point Cursor Approach. 2024 International Conference on Computing, Sciences and Communications (ICCSC) (1-6). DOI: 10.1109/ICCSC62048.2024.10830443. Online publication date: 24-Oct-2024
  • (2024) Multi-Motion Sensor Behavior based Continuous Authentication on Smartphones using Gated Two-Tower Transformer Fusion Networks. Computers & Security (103698). DOI: 10.1016/j.cose.2023.103698. Online publication date: Jan-2024