Tell Me Who You Are and I Will Tell You Your Unlock Pattern

Graphical passwords, like the Android Pattern Lock, are a popular security mechanism for mobile devices. The mechanism was proposed as an alternative to text-based passwords, since psychology studies have recognized that the human brain has a superior memory for remembering and recalling visual information. This thesis aims to explore the hypothesis that human characteristics influence users’ choice of graphical passwords. A collection of 3393 user-created patterns was analysed in order to examine the correlation between people’s choice of pattern and their characteristics, such as hand size, age, gender and handedness. This thesis first gives a detailed summary of related research on graphical passwords. Then it shows how an online survey was used for collecting user-selected passwords and information about the respondents. Lastly, the thesis explains how the data was analysed in terms of length and visual complexity in order to gain further insight into users’ choice of passwords. Although the data could not provide significant evidence to accept the hypothesis, the results show that password strength varies significantly with gender, age and IT experience. Additionally, analysis of all the collected patterns shows a significant bias in the selection of pattern starting position.
