Memory retrieval and graphical passwords

Graphical passwords are an alternative form of authentication that uses images for login and leverages the picture superiority effect for good usability and memorability. Categories of graphical passwords have been distinguished on the basis of different kinds of memory retrieval (recall, cued-recall, and recognition). Psychological research suggests that leveraging recognition memory should be best, but this remains an open question in the password literature. This paper examines how different kinds of memory retrieval affect the memorability and usability of randomly assigned graphical passwords. A series of five studies of graphical and text passwords showed that participants were better able to remember recognition-based graphical passwords, but their usability was limited by slow login times. A graphical password scheme that leveraged recognition and recall memory was most successful at combining memorability and usability.
