The pattern-richness of Graphical passwords

Conventional (text-based) passwords exhibit well-known patterns, such as variations on the username or commonly used passwords such as “password”, “admin” or “12345”. Patterns can similarly be detected in the use of graphical passwords (GPs). The most significant such pattern, reported by many researchers, is hotspot clustering. This paper qualitatively analyses more than 200 graphical passwords for patterns other than the classically reported hotspots. The analysis finds that a significant percentage of passwords fall into a small set of patterns, and that these patterns can be used to form attack models against GPs. Conversely, the same patterns can be used to educate users so that future password selection is more secure. The hope is that the outcome of this research will lead to improved user behaviour and enhanced graphical password security.
