On Predicting and Exploiting HotSpots in Click-Based Graphical Passwords

We provide an in-depth study of the security of click-based graphical password schemes like PassPoints (Weidenbeck et al., 2005), by exploring popular points (hot-spots), and examining strategies to predict and exploit them in guessing attacks. We report on both shortand long-term user studies: one labcontrolled, involving 43 users and 17 diverse images, the other a field test of 223 user accounts. We provide empirical evidence that hot-spots do exist for many images, some more so than others. We explore the use of “human-computation” (in this context, harvesting click-points from a small set of users) to predict these hot-spots. We generate two “human-seeded” attacks based on this method: one based on a first-order Markov model, another based on an independent probability model. Within 100 guesses, our first-order Markov model-based attack guesses 4% of passwords in one instance, and 10% of passwords in a second instance. Our independent model-based attack guesses 20% within 2 guesses in one instance and 36% within 2 guesses in a second instance. These are all for a system whose full password space has cardinality 2. We also evaluate our first-order Markov model-based attack with cross-validation of the field study data, finding that it guesses an average of 7-10% of user passwords within 3 guesses. Our results suggest that these graphical password schemes (as originally proposed) are vulnerable to offline and online attacks, even on systems that implement conservative lock-out policies.

[1]  Nasir D. Memon,et al.  Authentication using graphical passwords: effects of tolerance and image choice , 2005, SOUPS '05.

[2]  Christof Koch,et al.  A Model of Saliency-Based Visual Attention for Rapid Scene Analysis , 2009 .

[3]  Manuel Blum,et al.  Peekaboom: a game for locating objects in images , 2006, CHI.

[4]  Julie Thorpe,et al.  On Purely Automated Attacks and Click-Based Graphical Passwords , 2008, 2008 Annual Computer Security Applications Conference (ACSAC).

[5]  Ying Zhu,et al.  Graphical passwords: a survey , 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).

[6]  Ron Kohavi,et al.  A Study of Cross-Validation and Bootstrap for Accuracy Estimation and Model Selection , 1995, IJCAI.

[7]  Michael K. Reiter,et al.  The Design and Analysis of Graphical Passwords , 1999, USENIX Security Symposium.

[8]  Julie Thorpe,et al.  Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords , 2007, USENIX Security Symposium.

[9]  J. Kase Graphical Passwords , 2008 .

[10]  Julie Thorpe On the predictability and security of user choice in passwords , 2008 .

[11]  Nasir D. Memon,et al.  Robust discretization, with an application to graphical passwords , 2003, IACR Cryptol. ePrint Arch..

[12]  Christopher G. Harris,et al.  A Combined Corner and Edge Detector , 1988, Alvey Vision Conference.

[13]  Robert Biddle,et al.  A second look at the usability of click-based graphical passwords , 2007, SOUPS '07.

[14]  Richard P. Ayers,et al.  Picture Password: A Visual Login Technique for Mobile Devices , 2003 .

[15]  Robert Biddle,et al.  Centered Discretization with Application to Graphical Passwords , 2008, UPSEC.

[16]  J. Massey Guessing and entropy , 1994, Proceedings of 1994 IEEE International Symposium on Information Theory.

[17]  T. Wright,et al.  A Picture Memory. , 2003 .

[18]  Eric R. Ziegel,et al.  Probability and Statistics for Engineering and the Sciences , 2004, Technometrics.

[19]  Vitaly Shmatikov,et al.  Fast dictionary attacks on passwords using time-space tradeoff , 2005, CCS '05.

[20]  Julie Thorpe,et al.  On predictive models and user-drawn graphical passwords , 2008, TSEC.

[21]  Michael K. Reiter,et al.  On User Choice in Graphical Password Schemes , 2004, USENIX Security Symposium.

[22]  Edward K. Vogel,et al.  The capacity of visual working memory for features and conjunctions , 1997, Nature.

[23]  Nasir D. Memon,et al.  PassPoints: Design and longitudinal evaluation of a graphical password system , 2005, Int. J. Hum. Comput. Stud..

[24]  Nasir D. Memon,et al.  Modeling user choice in the PassPoints graphical password scheme , 2007, SOUPS '07.

[25]  Robert Biddle,et al.  Graphical Password Authentication Using Cued Click Points , 2007, ESORICS.

[26]  N. Cowan The magical number 4 in short-term memory: A reconsideration of mental storage capacity , 2001, Behavioral and Brain Sciences.

[27]  Susan Wiedenbeck,et al.  Authentication Using Graphical Passwords: Basic Results , 2005 .

[28]  M. Peters,et al.  A Redrawn Vandenberg and Kuse Mental Rotations Test - Different Versions and Factors That Affect Performance , 1995, Brain and Cognition.

[29]  Barbara S. Chaparro,et al.  Password Security: What Users Know and What They Actually Do , 2006 .

[30]  Alain Forget,et al.  Influencing users towards better passwords: persuasive cued click-points , 2008, BCS HCI.