Influencing users towards better passwords: persuasive cued click-points

Usable security has its own usability challenges because the need for security often means that standard human-computer-interaction approaches cannot be applied directly. An important usability goal for authentication systems is to support users in selecting better passwords, which increases security by expanding the effective password space. In click-based graphical passwords, poorly chosen passwords lead to the emergence of hotspots: portions of the image where users are disproportionately likely to place click-points. Because hotspots are predictable, an attacker can build a dictionary from them and mount far more successful guessing attacks than the nominal password space would suggest. We use persuasion to influence user choice in click-based graphical passwords, encouraging users to select more random, and hence more secure, click-points. Our approach is to introduce persuasion into the Cued Click-Points graphical password scheme (Chiasson, van Oorschot, Biddle, 2007). The resulting scheme significantly reduces hotspots while still maintaining the usability of the original.
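The following simulation is an added example, not code from the paper or its authors. It shows the security argument in the abstract in numbers: a population whose click-points cluster on a few salient features has a small effective space and falls quickly to a human-seeded dictionary attack, while a population nudged toward random placement does not. The image size, tolerance-square size, hotspot locations and the user behaviour models are all constructed; in particular, modelling the persuaded user as someone who must click inside a randomly placed viewport is an assumption of this example and not a description of the paper's mechanism.

```python
"""Added example (not code from the paper): how click-point hotspots shrink the effective
password space, and how a human-seeded dictionary attack exploits them.

All data here is constructed. The "persuaded" model (a user who must click inside a
randomly placed viewport) is an assumption of this example, not the paper's mechanism.
"""
import math
import random
from collections import Counter

IMAGE_W, IMAGE_H = 451, 331   # constructed image size in pixels
TOLERANCE = 19                # tolerance square side: a login click in the same cell is accepted
GRID_W = math.ceil(IMAGE_W / TOLERANCE)   # 24 columns of cells
GRID_H = math.ceil(IMAGE_H / TOLERANCE)   # 18 rows of cells


def cell_of(x, y):
    """Tolerance cell of a pixel click: the unit an attacker actually has to guess."""
    return (x // TOLERANCE, y // TOLERANCE)


def clamp(v, lo, hi):
    return max(lo, min(hi, v))


def hotspot_click(rng, hotspots, spread=12.0):
    """Unassisted user (constructed behaviour): drawn to one of a few salient points."""
    hx, hy = rng.choice(hotspots)
    return (clamp(int(rng.gauss(hx, spread)), 0, IMAGE_W - 1),
            clamp(int(rng.gauss(hy, spread)), 0, IMAGE_H - 1))


def viewport_click(rng, hotspots, viewport=75, spread=12.0):
    """Persuaded user (assumed model): may only click inside a random viewport.
    A hotspot that happens to fall inside the viewport still attracts the click;
    otherwise the user picks a point in the window at random."""
    vx = rng.randrange(0, IMAGE_W - viewport)
    vy = rng.randrange(0, IMAGE_H - viewport)
    inside = [(hx, hy) for hx, hy in hotspots
              if vx <= hx < vx + viewport and vy <= hy < vy + viewport]
    if inside:
        hx, hy = rng.choice(inside)
        return (clamp(int(rng.gauss(hx, spread)), vx, vx + viewport - 1),
                clamp(int(rng.gauss(hy, spread)), vy, vy + viewport - 1))
    return (rng.randrange(vx, vx + viewport), rng.randrange(vy, vy + viewport))


def entropy_bits(points):
    """Shannon entropy of the cell distribution; the uniform maximum is log2(GRID_W*GRID_H)."""
    counts = Counter(cell_of(*p) for p in points)
    n = len(points)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dictionary_success(training, victims, budget):
    """Human-seeded attack: rank cells by how often a training population clicked them,
    then report the fraction of victims cracked within the first `budget` guesses."""
    ranked = [c for c, _ in Counter(cell_of(*p) for p in training).most_common()]
    seen = set(ranked)
    # cells nobody in the training set chose go last (exhaustive search fallback)
    ranked += [(i, j) for i in range(GRID_W) for j in range(GRID_H) if (i, j) not in seen]
    dictionary = set(ranked[:budget])
    return sum(1 for p in victims if cell_of(*p) in dictionary) / len(victims)


def simulate(n_users=2000, budget=20, seed=7):
    rng = random.Random(seed)
    hotspots = [(60, 40), (230, 170), (400, 290), (120, 300), (300, 60)]   # constructed
    plain = [hotspot_click(rng, hotspots) for _ in range(n_users)]
    persuaded = [viewport_click(rng, hotspots) for _ in range(n_users)]
    half = n_users // 2   # attacker learns from one half of the population, attacks the other
    return {
        "max_bits": math.log2(GRID_W * GRID_H),
        "hotspot_bits": entropy_bits(plain),
        "persuaded_bits": entropy_bits(persuaded),
        "hotspot_success": dictionary_success(plain[:half], plain[half:], budget),
        "persuaded_success": dictionary_success(persuaded[:half], persuaded[half:], budget),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:18s} {value:.3f}")
```

The per-image entropy is the quantity to watch: a cued click-point password is one click on each of several images, so if the images are chosen independently the attacker's work compounds per image, and a few bits lost to hotspots on every image multiply into a dictionary that is orders of magnitude smaller than the nominal space. Running the attack on a held-out half of the population, rather than the same users it was trained on, is what makes the number meaningful; the abstract's own evaluation uses spatial statistics on real user data rather than this constructed model.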
