Proceedings Article

Towards Usable Solutions to Graphical Password Hotspot Problem

TL;DR: This paper proposes two novel graphical password methods based on recognition of icons to solve the hotspot problem without decreasing the password space.
Abstract: Click based graphical passwords that use background images suffer from hot-spot problem. Previous graphical password schemes based on recognition of images do not have a sufficiently large password space suited for most Internet applications. In this paper, we propose two novel graphical password methods based on recognition of icons to solve the hotspot problem without decreasing the password space. The experiment we have conducted that compares the security and usability of proposed methods with earlier work (i.e. Passpoints) shows that hotspot problem can be eliminated if a small increase in password entrance and confirmation times is tolerable.
Citations
Proceedings Article
20 May 2012
TL;DR: It is concluded that many academic proposals to replace text passwords for general-purpose user authentication on the web have failed to gain traction because researchers rarely consider a sufficiently wide range of real-world constraints.
Abstract: We evaluate two decades of proposals to replace text passwords for general-purpose user authentication on the web using a broad set of twenty-five usability, deployability and security benefits that an ideal scheme might provide. The scope of proposals we survey is also extensive, including password management software, federated login protocols, graphical password schemes, cognitive authentication schemes, one-time passwords, hardware tokens, phone-aided schemes and biometrics. Our comprehensive approach leads to key insights about the difficulty of replacing passwords. Not only does no known scheme come close to providing all desired benefits: none even retains the full set of benefits that legacy passwords already provide. In particular, there is a wide range from schemes offering minor security benefits beyond legacy passwords, to those offering significant security benefits in return for being more costly to deploy or more difficult to use. We conclude that many academic proposals have failed to gain traction because researchers rarely consider a sufficiently wide range of real-world constraints. Beyond our analysis of current schemes, our framework provides an evaluation methodology and benchmark for future web authentication proposals.

914 citations


Cites background from "Towards Usable Solutions to Graphic..."

  • ..., GPI/GPIS [48] (Graphical Password with Icons/with Icons suggested by System) has users select 6 ordered icons from a panel of 150 (for 2 possible passwords), while Déjà Vu [49] has users recognize 5 random art images from a panel of 25 (for 2 possible...

    [...]

Journal Article
TL;DR: This article first catalogues existing approaches, highlighting novel features of selected schemes and identifying key usability or security advantages, and reviews usability requirements for knowledge-based authentication as they apply to graphical passwords.
Abstract: Starting around 1999, a great many graphical password schemes have been proposed as alternatives to text-based password authentication. We provide a comprehensive overview of published research in the area, covering both usability and security aspects as well as system evaluation. The article first catalogues existing approaches, highlighting novel features of selected schemes and identifying key usability or security advantages. We then review usability requirements for knowledge-based authentication as they apply to graphical passwords, identify security threats that such systems must address and review known attacks, discuss methodological issues related to empirical evaluation, and identify areas for further research and improved methodology.

635 citations


Cites background from "Towards Usable Solutions to Graphic..."

  • ...…issues, include password rules or policies [Morris and Thompson 1979] disallowing weak passwords at creation, systems that encourage stronger password choices [Chiasson et al. 2008a; Bicakci et al. 2009a], and both reactive and proactive password checkers [Klein 1990; Bergadano et al. 1998]....

    [...]

  • ...Other defenses, especially important for graphical password schemes subject to user-choice issues, include password rules or policies [Morris and Thompson 1979] disallowing weak passwords at creation, systems that encourage stronger password choices [Chiasson et al. 2008a; Bicakci et al. 2009a], and both reactive and proactive password checkers [Klein 1990; Bergadano et al....

    [...]

Journal Article
TL;DR: TinyLock is a simple tweak of the user interface under the existing pattern lock paradigm but it can effectively resist the smudge attacks and can be more resilient to shoulder-surfing attacks than the contemporary pattern lock systems.

72 citations


Cites background from "Towards Usable Solutions to Graphic..."

  • ...User-chosen graphical passwords were predictable (van Oorschot and Thorpe, 2008) and/or tended to concentrate on several hotspots on the images (Dirik et al., 2007; Thorpe and van Oorschot, 2007; Bicakci et al., 2009)....

    [...]

Journal Article
TL;DR: This paper categorizes existing graphical password schemes into four kinds according to the authentication style and provides a comprehensive introduction and analysis for each scheme, highlighting security aspects.
Abstract: Beginning around 1996, numerous graphical password schemes have been proposed, motivated by improving password usability and security, two key factors in password scheme evaluation. In this paper, we focus on the security aspects of existing graphical password schemes, which not only gives a simple introduction of attack methods but also intends to provide an in-depth analysis with specific schemes. The paper first categorizes existing graphical password schemes into four kinds according to the authentication style and provides a comprehensive introduction and analysis for each scheme, highlighting security aspects. Then we review the known attack methods, categorize them into two kinds, and summarize the security reported in some user studies of those schemes. Finally, some suggestions are given for future research.

66 citations

Proceedings Article
14 Aug 2013
TL;DR: This paper presents an empirical analysis of picture gesture authentication on more than 10,000 picture passwords collected from over 800 subjects through online user studies and proposes a novel attack framework that could crack a considerable portion of collected picture passwords under different settings.
Abstract: Computing devices with touch-screens have experienced unprecedented growth in recent years. Such an evolutionary advance has been facilitated by various applications that are heavily relying on multi-touch gestures. In addition, picture gesture authentication has been recently introduced as an alternative login experience to text-based password on such devices. In particular, the new Microsoft Windows 8™ operating system adopts such an alternative authentication to complement traditional text-based authentication. In this paper, we present an empirical analysis of picture gesture authentication on more than 10,000 picture passwords collected from over 800 subjects through online user studies. Based on the findings of our user studies, we also propose a novel attack framework that is capable of cracking passwords on previously unseen pictures in a picture gesture authentication system. Our approach is based on the concept of selection function that models users' password selection processes. Our evaluation results show the proposed approach could crack a considerable portion of collected picture passwords under different settings.

63 citations


Cites result from "Towards Usable Solutions to Graphic..."

  • ...Our evaluation results show the proposed approach could crack a considerable portion of collected picture passwords under different settings....

    [...]

References
Book
07 May 1999
TL;DR: In this paper, the authors present a comprehensive overview of visual science, from early neural processing of image structure in the retina to high-level visual attention, memory, imagery, and awareness.
Abstract: This book revolutionizes how vision can be taught to undergraduate and graduate students in cognitive science, psychology, and optometry. It is the first comprehensive textbook on vision to reflect the integrated computational approach of modern research scientists. This new interdisciplinary approach, called "vision science," integrates psychological, computational, and neuroscientific perspectives. The book covers all major topics related to vision, from early neural processing of image structure in the retina to high-level visual attention, memory, imagery, and awareness. The presentation throughout is theoretically sophisticated yet requires minimal knowledge of mathematics. There is also an extensive glossary, as well as appendices on psychophysical methods, connectionist modeling, and color technology. The book will serve not only as a comprehensive textbook on vision, but also as a valuable reference for researchers in cognitive science, psychology, neuroscience, computer science, optometry, and philosophy.

1,774 citations

Proceedings Article
14 Aug 2000
TL;DR: Deja Vu is a recognition-based authentication system, which authenticates a user through her ability to recognize previously seen images, which is more reliable and easier to use than traditional recall-based schemes, which require the user to precisely recall passwords or PINs.
Abstract: Current secure systems suffer because they neglect the importance of human factors in security. We address a fundamental weakness of knowledge-based authentication schemes, which is the human limitation to remember secure passwords. Our approach to improve the security of these systems relies on recognition-based, rather than recall-based authentication. We examine the requirements of a recognition-based authentication system and propose Deja Vu, which authenticates a user through her ability to recognize previously seen images. Deja Vu is more reliable and easier to use than traditional recall-based schemes, which require the user to precisely recall passwords or PINs. Furthermore, it has the advantage that it prevents users from choosing weak passwords and makes it difficult to write down or share passwords with others. We develop a prototype of Deja Vu and conduct a user study that compares it to traditional password and PIN authentication. Our user study shows that 90% of all participants succeeded in the authentication tests using Deja Vu while only about 70% succeeded using passwords and PINS. Our findings indicate that Deja Vu has potential applications, especially where text input is hard (e.g., PDAs or ATMs), or in situations where passwords are infrequently used (e.g., web site passwords).

870 citations


"Towards Usable Solutions to Graphic..." refers background in this paper

  • ...RELATED WORK AND PROBLEM DEFINITION Previous work on click-based graphical password schemes can be studied in two groups....

    [...]

Journal Article
TL;DR: PassPoints is described, a new and more secure graphical password system, and an empirical study comparing the use of PassPoints to alphanumeric passwords is reported, which shows that the graphical password users created a valid password with fewer difficulties than the alphanumeric users.
Abstract: Computer security depends largely on passwords to authenticate human users. However, users have difficulty remembering passwords over time if they choose a secure password, i.e. a password that is long and random. Therefore, they tend to choose short and insecure passwords. Graphical passwords, which consist of clicking on images rather than typing alphanumeric strings, may help to overcome the problem of creating secure and memorable passwords. In this paper we describe PassPoints, a new and more secure graphical password system. We report an empirical study comparing the use of PassPoints to alphanumeric passwords. Participants created and practiced either an alphanumeric or graphical password. The participants subsequently carried out three longitudinal trials to input their password over the course of 6 weeks. The results show that the graphical password users created a valid password with fewer difficulties than the alphanumeric users. However, the graphical users took longer and made more invalid password inputs than the alphanumeric users while practicing their passwords. In the longitudinal trials the two groups performed similarly on memory of their password, but the graphical group took more time to input a password.

713 citations


"Towards Usable Solutions to Graphic..." refers background or methods in this paper

  • ...Figure 6....

    [...]

  • ...Number of attempts to remember the correct password is presented in Figure 4....

    [...]

  • ...Figure 6 presents the number of regions with respect to number of times clicked by users for the PassPoints interface....

    [...]

  • ...In Passpoints interface (Figure 2), the background image is 451x331 pixels in size and users are asked to select and mouse-click a sequence of five points as their passwords, and confirm it by clicking inside a tolerance circle of 19 pixels centered on the original click-points....

    [...]

  • ...Each participant either used GPI, GPIS (Figure 1) or PassPoints (Figure 2) interface....

    [...]

Journal Article
TL;DR: An expanded version of the Battig and Montague (1969) category norms are reported, based on responses from three different sites varying in geographical locations within the United States, to meet the need for updated norms.

542 citations


"Towards Usable Solutions to Graphic..." refers background in this paper

  • ...We also thank anonymous reviewers for their suggestions for improving the paper....

    [...]

Proceedings Article
13 Aug 2004
TL;DR: It is shown that permitting user selection of passwords in two graphical password schemes can yield passwords with entropy far below the theoretical optimum and, in some cases, that are highly correlated with the race or gender of the user.
Abstract: Graphical password schemes have been proposed as an alternative to text passwords in applications that support graphics and mouse or stylus entry. In this paper we detail what is, to our knowledge, the largest published empirical evaluation of the effects of user choice on the security of graphical password schemes. We show that permitting user selection of passwords in two graphical password schemes, one based directly on an existing commercial product, can yield passwords with entropy far below the theoretical optimum and, in some cases, that are highly correlated with the race or gender of the user. For one scheme, this effect is so dramatic so as to render the scheme insecure. A conclusion of our work is that graphical password schemes of the type we study may generally require a different posture toward password selection than text passwords, where selection by the user remains the norm today.

509 citations


"Towards Usable Solutions to Graphic..." refers background in this paper

  • ...RELATED WORK AND PROBLEM DEFINITION Previous work on click-based graphical password schemes can be studied in two groups....

    [...]
