A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords

Previous research has found graphical passwords to be more memorable than non-dictionary or "strong" alphanumeric passwords. Participants in a prior study expressed concerns that this increase in memorability could also lead to an increased susceptibility of graphical passwords to shoulder-surfing. This appears to be yet another example of the classic trade-off between usability and security for authentication systems. This paper explores whether graphical passwords' increased memorability necessarily leads to risks of shoulder-surfing. To date, there are no studies examining the vulnerability of graphical versus alphanumeric passwords to shoulder-surfing. This paper examines the real and perceived vulnerability to shoulder-surfing of two configurations of a graphical password, Passfaces™ [30], compared to non-dictionary and dictionary passwords. A laboratory experiment with 20 participants asked them to try to shoulder surf the two configurations of Passfaces™ (mouse versus keyboard data entry) and strong and weak passwords. Data gathered included the vulnerability of the four authentication system configurations to shoulder-surfing and study participants' perceptions concerning the same vulnerability. An analysis of these data compared the relative vulnerability of each of the four configurations to shoulder-surfing and also compared study participants' real and perceived success in shoulder-surfing each of the configurations. Further analysis examined the relationship between study participants' real and perceived success in shoulder-surfing and determined whether there were significant differences in the vulnerability of the four authentication configurations to shoulder-surfing. Findings indicate that configuring data entry for Passfaces™ through a keyboard is the most effective deterrent to shoulder-surfing in a laboratory setting, and the participants' perceptions were consistent with that result. While study participants believed that Passfaces™ with mouse data entry would be most vulnerable to shoulder-surfing attacks, the empirical results found that strong passwords were actually more vulnerable.

[1] M. Angela Sasse et al. Are Passfaces More Usable Than Passwords? A Field Trial Investigation, 2000, BCS HCI.

[2] J. Doug Tygar et al. Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0, 1999, USENIX Security Symposium.

[3] E. Smith et al. Jiminy: helping users to remember their passwords, 2001.

[4] Amela Karahasanovic et al. An Investigation into Keystroke Latency Metrics as an Indicator of Programming Performance, 2005, ACE.

[5] William L. Simon et al. The Art of Deception: Controlling the Human Element of Security, 2001.

[6] Janet J. Turnage et al. The challenge of new workplace technology for psychology, 1990.

[7] Michael K. Reiter et al. On User Choice in Graphical Password Schemes, 2004, USENIX Security Symposium.

[8] Antonella De Angeli et al. My password is here! An investigation into visuo-spatial authentication mechanisms, 2004, Interact. Comput..

[9] Martina Angela Sasse et al. Why users compromise computer security mechanisms and how to take remedial measures, 1999.

[10] Ross J. Anderson. Why cryptosystems fail, 1993, CCS '93.

[11] Karen Renaud et al. Using a combination of sound and images to authenticate web users, 2003.

[12] Volker Roth et al. A PIN-entry method resilient against shoulder surfing, 2004, CCS '04.

[13] Sarah Granger et al. Social Engineering Fundamentals, Part I: Hacker Tactics, 2003.

[14] Jason Nolan et al. Hacking human: data-archaeology and surveillance in social networks, 2005, SIGG.

[15] Adrian Perrig et al. Déjà Vu: A User Study Using Images for Authentication, 2000, USENIX Security Symposium.

[16] Dawei Hong et al. A Shoulder-Surfing Resistant Graphical Password Scheme - WIW, 2003, Security and Management.

[17] Gavriel Salvendy et al. Improving computer security for authentication of users: Influence of proactive password restrictions, 2002, Behavior Research Methods, Instruments, & Computers.

[18] P. Dowland et al. A long-term trial of alternative user authentication technologies, 2004, Inf. Manag. Comput. Secur..

[19] M. Angela Sasse et al. Users are not the enemy, 1999, CACM.

[20] Sacha Brostoff et al. Transforming the 'Weakest Link': a Human/Computer Interaction Approach to Usable and Effective Security, 2001.

[21] Rama Chellappa et al. Human and machine recognition of faces: a survey, 1995, Proc. IEEE.

[22] L. O'Gorman et al. Comparing passwords, tokens, and biometrics for user authentication, 2003, Proceedings of the IEEE.

[23] Rudolf Schmid et al. Organization for the advancement of structured information standards, 2002.

[24] Matthew Turk et al. A Random Walk through Eigenspace, 2001.

[25] Michael G. Bailey et al. The urgency for effective user privacy-education to counter social engineering attacks on secure computer systems, 2004, CITC5 '04.

[26] Fort George G. Meade et al. Department of Defense Password Management Guidelines, 1985.

[27] W. Summers et al. Password policy: the good, the bad, and the ugly, 2004.

[28] Andrew S. Patrick et al. HCI and security systems, 2003, CHI Extended Abstracts.

[29] Lorrie Faith Cranor et al. Guest Editors' Introduction: Secure or Usable?, 2004, IEEE Secur. Priv..

[30] Michael K. Reiter et al. The Design and Analysis of Graphical Passwords, 1999, USENIX Security Symposium.

[31] Daphna Weinshall et al. Passwords you'll never forget, but can't recall, 2004, CHI EA '04.

[32] Lorrie Faith et al. Secure or Usable, 2004.

[33] Nasir D. Memon et al. PassPoints: Design and longitudinal evaluation of a graphical password system, 2005, Int. J. Hum. Comput. Stud..

[34] Helmut Schneider et al. The domino effect of password reuse, 2004, CACM.

[35] Simson L. Garfinkel et al. Security and Usability, 2005.

[36] J. Yan et al. Password memorability and security: empirical results, 2004, IEEE Security & Privacy Magazine.

[37] G. A. Miller. The magical number seven, plus or minus two: some limits on our capacity for processing information, 1956, Psychological Review.

[38] Antonella De Angeli et al. VIP: a visual approach to user authentication, 2002, AVI '02.

[39] Lorrie Faith Cranor et al. Security and Usability: Designing Secure Systems that People Can Use, 2005.

[40] Ioana Vasiu et al. Dissecting computer fraud: from definitional issues to a taxonomy, 2004, 37th Annual Hawaii International Conference on System Sciences, 2004. Proceedings.

[41] Charles W. Beardsley. Is your computer insecure?, 1972, IEEE Spectrum.