Order and entropy in picture passwords

Previous efforts involving picture-based passwords have not focused on maintaining a measurably high level of entropy. Since password systems usually allow users to select their own passwords, the true entropy of those passwords remains unknown. A 23-participant study was performed in which picture-based and character-based passwords of equal strength were randomly assigned. Memorability was tested with up to one week between sessions. The study found that both character and picture passwords of very high entropy were easily forgotten. However, when password inputs were analyzed to determine the source of input errors, serial ordering was found to be the main cause of failure. This supports the hypothesis that picture-password systems which do not require ordered input may produce memorable, high-entropy passwords. Input analysis produced another interesting result: incorrect inputs by users are often duplicated. This reduces the number of distinct guesses users can make when authentication systems lock out users after a number of failed logins. A protocol for ignoring duplicate inputs is presented here. A shoulder-surfing resistant input method was also evaluated, with six out of 15 users performing an insecure behavior.
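The two security-relevant ideas in the abstract, the entropy cost of dropping input order and a lockout counter that does not charge an account for repeated identical wrong inputs, as an added Python example. This is not the paper's code: the duplicate-ignoring protocol below is my own construction, not the protocol the paper presents, and the 260-picture pool, the 40-bit target, the account name and the enrolled picture set are constructed assumptions.

```python
"""Ordered vs. unordered picture-password entropy, plus a lockout counter
that counts only distinct failed inputs (constructed example)."""
from __future__ import annotations

import hashlib
import hmac
from math import comb, perm, log2


def ordered_entropy_bits(n_pictures: int, k_chosen: int) -> float:
    """Bits of entropy for k distinct pictures out of n when the order of
    selection matters and the password is assigned uniformly at random."""
    return log2(perm(n_pictures, k_chosen))


def unordered_entropy_bits(n_pictures: int, k_chosen: int) -> float:
    """Bits of entropy for a *set* of k pictures out of n (order ignored)."""
    return log2(comb(n_pictures, k_chosen))


def pictures_needed(n_pictures: int, target_bits: float, ordered: bool) -> int:
    """Smallest k such that a random k-picture password reaches target_bits."""
    entropy = ordered_entropy_bits if ordered else unordered_entropy_bits
    for k in range(1, n_pictures + 1):
        if entropy(n_pictures, k) >= target_bits:
            return k
    raise ValueError("target entropy not reachable with this picture pool")


def canonical(selection, ordered: bool) -> tuple:
    """Normalise an input so equivalent submissions compare equal. In an
    unordered scheme every permutation of the same pictures is one input."""
    return tuple(selection) if ordered else tuple(sorted(selection))


class DistinctFailureLockout:
    """Lockout that counts only distinct wrong inputs per account.

    Assumed protocol (my construction, not the paper's): a failed input equal
    to an earlier failed input on the same account is ignored, so a user who
    repeats the same mistake is not locked out for it, while a guesser still
    gets at most `max_distinct` distinct attempts.
    """

    def __init__(self, max_distinct: int, server_key: bytes):
        self.max_distinct = max_distinct
        self._key = server_key
        self._failed: dict[str, set[bytes]] = {}

    def _fingerprint(self, user: str, attempt: tuple) -> bytes:
        # Keyed hash so the stored set does not reveal the wrong inputs
        # themselves (near-misses of the real password).
        msg = user.encode() + b"\x00" + repr(attempt).encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def distinct_failures(self, user: str) -> int:
        return len(self._failed.get(user, ()))

    def is_locked(self, user: str) -> bool:
        return self.distinct_failures(user) >= self.max_distinct

    def record_failure(self, user: str, attempt: tuple) -> bool:
        """Record a wrong input; True only if it was a new distinct input."""
        fp = self._fingerprint(user, attempt)
        seen = self._failed.setdefault(user, set())
        if fp in seen:
            return False
        seen.add(fp)
        return True

    def reset(self, user: str) -> None:
        self._failed.pop(user, None)


def authenticate(lockout, user: str, submitted, stored: tuple, ordered: bool) -> str:
    """Return 'ok', 'locked' or 'wrong'. `stored` is the canonical enrolled
    selection (constructed; a real system would store a salted hash)."""
    if lockout.is_locked(user):
        return "locked"
    attempt = canonical(submitted, ordered)
    if hmac.compare_digest(repr(attempt).encode(), repr(stored).encode()):
        lockout.reset(user)
        return "ok"
    lockout.record_failure(user, attempt)
    return "wrong"


def demo():
    """Constructed walk-through: 260-picture pool, one account, unordered scheme."""
    n = 260
    k_ordered = pictures_needed(n, 40, ordered=True)
    k_unordered = pictures_needed(n, 40, ordered=False)

    lock = DistinctFailureLockout(max_distinct=3, server_key=b"constructed-demo-key")
    stored = canonical([8, 17, 42, 3, 101, 200], ordered=False)
    wrong_inputs = [
        [1, 2, 3, 4, 5, 6],   # first wrong guess: counted
        [6, 5, 4, 3, 2, 1],   # same pictures, other order: not counted
        [1, 2, 3, 4, 5, 6],   # exact repeat: not counted
    ]
    outcomes = [authenticate(lock, "alice", w, stored, False) for w in wrong_inputs]
    failures_before_success = lock.distinct_failures("alice")
    outcomes.append(authenticate(lock, "alice", [200, 101, 3, 42, 17, 8], stored, False))
    return k_ordered, k_unordered, failures_before_success, outcomes
```

With a 260-picture pool, `demo()` shows the trade-off the abstract implies: an ordered password needs five pictures to pass 40 bits while an unordered one needs seven, because the permutations of one set collapse into a single password. The three wrong submissions in the demo consume only one of the three distinct-failure slots, so a user who re-enters the same mistaken set (in any order) is not locked out for it.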
