Exploring usability effects of increasing security in click-based graphical passwords

Graphical passwords have been proposed to address known problems with traditional text passwords. For example, memorable user-chosen text passwords are predictable, but random system-assigned passwords are difficult to remember. We explore the usability effects of modifying system parameters to increase the security of a click-based graphical password system. Generally, usability tests for graphical passwords have used configurations resulting in password spaces smaller than that of common text passwords. Our two-part lab study compares the effects of varying the number of click-points and the image size, including when different configurations provide comparable password spaces. For comparable spaces, no usability advantage was evident for either more click-points or a larger image. This is contrary to our expectation that larger image size (with fewer click-points) might offer usability advantages over more click-points (with correspondingly smaller images). The results suggest promising opportunities for better matching graphical password system configurations to device constraints, or capabilities of individual users, without degrading usability. For example, more click-points could be used on smart-phone displays where larger image sizes are not possible.
