Security Analyses of Click-based Graphical Passwords via Image Point Memorability

We propose a novel concept and model of image point memorability (IPM) for analyzing click-based graphical passwords, which have been studied extensively in both the security and HCI communities. In our model, each point in an image is associated with a numeric index that indicates the point's memorability level. This index can be approximated either by automatic computer vision algorithms or with human assistance. Using our model, we can rank-order image points by their relative memorability with decent accuracy. We show that the IPM model has both defensive and offensive applications. On the one hand, we apply the model to generate high-quality graphical honeywords. This is the first work on honeywords for graphical passwords; all previous methods generate only text honeywords and are therefore inapplicable. On the other hand, we use the IPM model to develop the first successful dictionary attacks on Persuasive Cued Click Points (PCCP), the state-of-the-art click-based graphical password scheme, which is robust to all prior dictionary attacks. We show that the probability distribution of PCCP passwords is seriously biased when it is examined through the lens of the IPM model. Although PCCP was designed to generate random passwords, its effective password space as we measured it can be as small as 30.58 bits, substantially weaker than its theoretical and commonly believed strength (43 bits). The IPM model is applicable to all click-based graphical password schemes, and our analyses can be extended to other graphical passwords as well.
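The defensive application above, graphical honeywords, can be illustrated as follows. This is an added example, not the paper's code: it assumes a per-point memorability index is already available as a 2-D array for one image, picks decoy click points whose memorability rank is close to the real point's rank (so a breached password file does not reveal which sweetword is real), keeps decoys outside the scheme's tolerance square, and includes a minimal honeychecker that raises an alarm when a decoy is submitted.

```python
import random
from typing import Dict, List, Tuple

Point = Tuple[int, int]

def rank_points(ipm: List[List[float]]) -> Dict[Point, int]:
    """Map each (x, y) point to its memorability rank (0 = most memorable)."""
    pts = [(x, y) for y, row in enumerate(ipm) for x in range(len(row))]
    pts.sort(key=lambda p: -ipm[p[1]][p[0]])
    return {p: r for r, p in enumerate(pts)}

def decoy_point(real: Point, ranks: Dict[Point, int], window: int,
                tol: int, rng: random.Random) -> Point:
    """Pick a point of similar memorability rank that lies outside the
    Chebyshev tolerance square of the real click point."""
    r = ranks[real]
    while True:
        cands = [p for p, pr in ranks.items()
                 if abs(pr - r) <= window
                 and max(abs(p[0] - real[0]), abs(p[1] - real[1])) > tol]
        if cands:
            return rng.choice(cands)
        window *= 2  # no decoy in range yet: widen the rank window

def make_sweetwords(real_pw: List[Point], ipm: List[List[float]], k: int,
                    window: int, tol: int, seed: int = 0):
    """Return (sweetwords, index_of_real): k-1 honeywords plus the real
    password, shuffled. Each honeyword differs from the real password at
    every click position (assumed design, for illustration)."""
    rng = random.Random(seed)
    ranks = rank_points(ipm)
    sweet = [[decoy_point(p, ranks, window, tol, rng) for p in real_pw]
             for _ in range(k - 1)]
    sweet.append(list(real_pw))
    rng.shuffle(sweet)
    return sweet, sweet.index(list(real_pw))

def honeychecker_verify(sweetwords, real_index: int, submitted) -> str:
    """'ok' for the real password, 'alarm' when a honeyword is submitted
    (a breach indicator), 'reject' for anything else."""
    if submitted not in sweetwords:
        return "reject"
    return "ok" if sweetwords.index(submitted) == real_index else "alarm"
```

The memorability grid and password below are constructed sample data; in a real deployment the index of the real sweetword would be stored only on the separate honeychecker.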
