On quantifying the effective password space of grid-based unlock gestures

We present a similarity metric for Android unlock patterns that quantifies the effective password space of user-defined gestures. The metric is the first of its kind to reflect that users choose patterns intuitively and with an eye to the geometric properties of the resulting shapes. Applying it to a dataset of 506 user-defined patterns reveals many very similar shapes that differ only by simple geometric transformations such as rotation. This shrinks the effective password space by 66% and enables informed guessing attacks. Consequently, we present an approach that subtly nudges users toward more diverse patterns by showing background images and animations during pattern creation. Results from a user study (n = 496) show that such countermeasures can significantly increase pattern diversity. We conclude with implications for pattern choices and for the design of enrollment processes.
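The following is an added worked example, not code from the paper: it implements only the simplest part of the idea described above, collapsing patterns that differ by a rotation or reflection of the 3x3 grid, and measures how much that collapse shrinks a set of patterns. The paper's own similarity metric is richer than this pure symmetry check, and the sample pattern set below is constructed for illustration, not the authors' dataset. The enumeration of all valid Android patterns uses the lock screen's drawing rule (a stroke that passes straight over an unvisited point visits it first) and the 4-to-9-point length limit.

```python
"""Collapse Android unlock patterns that differ only by a rotation or
reflection of the 3x3 grid, and measure how much that shrinks a set of
patterns.  Added illustration; the paper's similarity metric is richer
than this plain symmetry check."""
from collections import Counter
from itertools import product

# Grid points numbered row-major, as on the Android lock screen:
#   0 1 2
#   3 4 5
#   6 7 8
def _coord(p):            # point index -> (row, col)
    return divmod(p, 3)

def _index(r, c):         # (row, col) -> point index
    return 3 * r + c

# The eight symmetries of a square (rotations by 0/90/180/270 degrees,
# each with and without a mirror) as permutations of the nine points.
def _symmetries():
    perms = []
    for k, mirror in product(range(4), (False, True)):
        perm = []
        for p in range(9):
            r, c = _coord(p)
            if mirror:
                c = 2 - c
            for _ in range(k):            # rotate 90 degrees clockwise
                r, c = c, 2 - r
            perm.append(_index(r, c))
        perms.append(tuple(perm))
    return perms

SYMMETRIES = _symmetries()

def canonical(pattern):
    """Smallest image of the pattern under the eight grid symmetries.
    Two patterns share a canonical form iff one is a rotated and/or
    mirrored copy of the other."""
    pattern = tuple(pattern)
    return min(tuple(perm[p] for p in pattern) for perm in SYMMETRIES)

# _MID[a][b] is the grid point lying exactly between a and b, or None.
_MID = [[None] * 9 for _ in range(9)]
for a in range(9):
    for b in range(9):
        (r1, c1), (r2, c2) = _coord(a), _coord(b)
        if a != b and (r1 + r2) % 2 == 0 and (c1 + c2) % 2 == 0:
            _MID[a][b] = _index((r1 + r2) // 2, (c1 + c2) // 2)

def is_valid(pattern):
    """Length 4..9, no repeated point, and the midpoint rule: a stroke
    may only pass over a point that has already been visited."""
    if not 4 <= len(pattern) <= 9 or len(set(pattern)) != len(pattern):
        return False
    seen = set()
    for prev, cur in zip(pattern, pattern[1:]):
        seen.add(prev)
        mid = _MID[prev][cur]
        if mid is not None and mid not in seen:
            return False
    return True

def enumerate_patterns():
    """Depth-first enumeration of every valid Android pattern."""
    out = []
    def walk(path, seen):
        if len(path) >= 4:
            out.append(tuple(path))
        for nxt in range(9):
            if nxt in seen:
                continue
            mid = _MID[path[-1]][nxt]
            if mid is not None and mid not in seen:
                continue
            path.append(nxt); seen.add(nxt)
            walk(path, seen)
            path.pop(); seen.discard(nxt)
    for start in range(9):
        walk([start], {start})
    return out

def effective_space(patterns):
    """Return (distinct patterns, distinct symmetry classes, fraction of
    the set removed by collapsing symmetric copies)."""
    raw = len(set(map(tuple, patterns)))
    classes = Counter(canonical(p) for p in patterns)
    shrink = 1 - len(classes) / raw if raw else 0.0
    return raw, len(classes), shrink

# Constructed sample of "user-chosen" patterns (not the paper's data):
# an L with three symmetric copies, a Z and its mirror image, and a
# spiral that has no symmetric twin in the set.
SAMPLE = [
    (0, 3, 6, 7, 8),                # L
    (2, 5, 8, 7, 6),                # L, mirrored left-right
    (6, 3, 0, 1, 2),                # L, mirrored top-bottom
    (0, 1, 2, 5, 8),                # L, transposed
    (0, 1, 2, 4, 6, 7, 8),          # Z
    (2, 1, 0, 4, 8, 7, 6),          # Z, mirrored
    (4, 1, 2, 5, 8, 7, 6, 3, 0),    # spiral
]

if __name__ == "__main__":
    raw, classes, shrink = effective_space(SAMPLE)
    print(f"{raw} patterns, {classes} shapes up to symmetry, "
          f"{shrink:.0%} of the set collapses")
    print(f"{len(enumerate_patterns())} valid patterns in total")
```

On the constructed sample, seven distinct patterns collapse to three shapes. Over the full space the arithmetic is exact: no pattern of four or more points is fixed by a non-trivial symmetry (rotations fix only the centre, reflections fix at most three points), so the 389,112 valid patterns fall into 389,112 / 8 = 48,639 symmetry classes. That ratio is a property of the grid, not of users; the 66% figure in the abstract measures how strongly real users cluster on the same shapes, which is what makes an informed guessing attack (try a popular shape in all its orientations) pay off.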
