On purely automated attacks and click-based graphical passwords
In Annual Computer Security Applications Conf. (ACSAC), 2008
We present and evaluate various methods for purely automated attacks against click-based graphical passwords. Our purely automated methods combine click-order heuristics with focus-of-attention scan-paths generated from a computational model of visual attention. Our method results in a significantly better automated attack than previous work, guessing 8-15% of passwords for two representative images using dictionaries of less than 2^24.6 entries, and about 16% of passwords on each of these images using dictionaries of less than 2^31.4 entries (where the full password space is 2^43). Relaxing our click-order pattern substantially increased the efficacy of our attack albeit with larger dictionaries of 2^34.7 entries, allowing attacks that guessed 48-54% of passwords (compared to previous results of 0.9% and 9.1% on the same two images with 2^35 guesses). These latter automated attacks are independent of focus-of-attention models, and are based on image-independent guessing patterns. Our results show that automated attacks, which are easier to arrange than human-seeded attacks and are more scalable to systems that use multiple images, pose a significant threat.
User interface design affects security: Patterns in click-based graphical passwords
2009
Purely Automated Attacks on PassPoints-Style Graphical Passwords
2010
We introduce and evaluate various methods for purely automated attacks against PassPoints-style graphical passwords. For generating these attacks, we introduce a graph-based algorithm to efficiently create dictionaries based on heuristics such as click-order patterns (e.g., 5 points all along a line). Some of our methods combine click-order heuristics with focus-of-attention scan-paths generated from a computational model of visual attention, yielding significantly better automated attacks than previous work. One resulting automated attack finds 7-16% of passwords for two representative images using dictionaries of approximately 2^26 entries (where the full password space is 2^43). Relaxing click-order patterns substantially increased the attack efficacy albeit with larger dictionaries of approximately 2^35 entries, allowing attacks that guessed 48-54% of passwords (compared to previous results of 1% and 9% on the same dataset for two images with 2^35 guesses). These latter attacks are independent of focus-of-attention models, and are based on image-independent guessing patterns. Our results show that automated attacks, which are easier to arrange than human-seeded attacks and are more scalable to systems that use multiple images, pose a significant threat to basic PassPoints-style graphical passwords.
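The dictionary sizes quoted in these two abstracts (about 2^26 entries for a tight click-order pattern, about 2^35 once the pattern is relaxed, against a full space of 2^43) come from restricting guesses to a pattern. The Python below is an added illustration, not code or data from either paper: it materialises one such pattern dictionary ("five points along a line") as a generator, counts a relaxed pattern (each click near the previous one) by dynamic programming, and reports each size in bits next to the full space. The 24 x 18 cell grid, the 5-click password length, the exact definition of both patterns and the neighbourhood radius are assumptions; the papers' own pattern definitions and graph-based dictionary construction are not reproduced here.

```python
"""Click-order pattern dictionaries for PassPoints-style passwords.

Added example, not code from the papers above. Assumptions: the image is
discretised into a 24 x 18 grid of tolerance cells, a password is 5 clicks,
"along a line" means the five cells lie on one lattice line in one of 8
directions and are clicked in order along it, and the relaxed pattern only
requires each click to land within Chebyshev distance d of the previous one
(repeated cells allowed).
"""
from itertools import combinations
from math import comb, log2

CLICKS = 5
DIRECTIONS = [(1, 0), (-1, 0), (0, 1), (0, -1), (1, 1), (1, -1), (-1, 1), (-1, -1)]


def ray(x0, y0, dx, dy, cols, rows):
    """Cells reachable from (x0, y0) by repeatedly stepping (dx, dy), in order."""
    cells = []
    x, y = x0 + dx, y0 + dy
    while 0 <= x < cols and 0 <= y < rows:
        cells.append((x, y))
        x, y = x + dx, y + dy
    return cells


def line_dictionary(cols, rows, length=CLICKS):
    """Yield every sequence whose cells lie on one lattice line, clicked in order.
    The first click plus the unit direction fix the line, so nothing is yielded twice."""
    for x0 in range(cols):
        for y0 in range(rows):
            for dx, dy in DIRECTIONS:
                for rest in combinations(ray(x0, y0, dx, dy, cols, rows), length - 1):
                    yield ((x0, y0),) + rest


def line_dictionary_size(cols, rows, length=CLICKS):
    """Closed form for the generator above: over every start cell and direction,
    choose length-1 of the m cells left on that ray, i.e. C(m, length-1)."""
    return sum(
        comb(len(ray(x0, y0, dx, dy, cols, rows)), length - 1)
        for x0 in range(cols) for y0 in range(rows) for dx, dy in DIRECTIONS
    )


def neighbourhood_dictionary_size(cols, rows, d, length=CLICKS):
    """Number of sequences in which each click is within Chebyshev distance d of the
    previous one, counted by dynamic programming over the cell a prefix ends on."""
    cells = [(x, y) for x in range(cols) for y in range(rows)]
    near = {c: [o for o in cells if max(abs(o[0] - c[0]), abs(o[1] - c[1])) <= d]
            for c in cells}
    ending = {c: 1 for c in cells}          # one-click sequences ending on c
    for _ in range(length - 1):
        ending = {c: sum(ending[o] for o in near[c]) for c in cells}
    return sum(ending.values())


def dictionary_bits(cols=24, rows=18, d=3, length=CLICKS):
    """log2 of each dictionary size, the unit the abstracts use (full space ~ 2^43.8 here)."""
    return {
        "full": length * log2(cols * rows),
        "neighbourhood": log2(neighbourhood_dictionary_size(cols, rows, d, length)),
        "line": log2(line_dictionary_size(cols, rows, length)),
    }


if __name__ == "__main__":
    for name, bits in dictionary_bits().items():
        print(f"{name:14s} 2^{bits:.1f}")
    # The line dictionary is small enough to materialise and feed to a guesser as-is.
    print(next(line_dictionary(24, 18)))
```

The generator and the closed form agree by construction, which is the check to run before trusting any size you quote in bits; the relaxed "near the previous click" pattern is orders of magnitude larger than the line pattern but still far below the full space, which is the trade-off both abstracts describe between dictionary size and the share of passwords found.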
Panic Passwords: Authenticating under Duress
Panic passwords allow a user to signal duress during authentication. We show that the well-known model of giving a user two passwords, a ‘regular’ and a ‘panic’ password, is susceptible to iteration and forced-randomization attacks, and is secure only within a very narrow threat model. We expand this threat model significantly, making explicit assumptions and tracking four parameters. We also introduce several new panic password systems to address new categories of scenarios.
1. INTRODUCTORY REMARKS
As important services and sensitive data congregate online, attackers have an increasing incentive to obtain the passwords that protect these services and data. Panic passwords are a mechanism to allow a user to use a special type
Centered Discretization with Application to Graphical Passwords (full paper)
Discretization is used in click-based graphical passwords so that approximately correct entries can be accepted by the system. We show that the existing discretization scheme of Birget et al. (2006) allows for false accepts and false rejects because the tolerance region is not guaranteed to be centered on the original click-point, causing usability and security concerns. Using empirical data from a large user study, we show that this is a significant issue in practice. We then introduce Centered Discretization, a simpler discretization method that eliminates false accepts and false rejects. It also allows for smaller tolerance regions without impacting the usability of the system.
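The false accepts and false rejects described above are easy to reproduce in a small simulation. The Python below is an added example, not the paper's code: it compares a naive fixed, image-aligned grid, whose tolerance region is simply whichever cell the original click fell in, against a centered variant that records a per-click grid offset so the original click is the centre of its cell and then hashes only the cell indices. Assumptions: tolerance r = 9 px, cells of side 2r, SHA-256 as a stand-in for a password hash, and the click-points in the block; the naive grid is a baseline chosen to expose the effect, not Birget et al.'s construction.

```python
"""Discretizing click-points: fixed grid versus centered discretization.

Added example, not the paper's code. With a fixed, image-aligned grid the
tolerance region is whatever cell the original click happened to land in,
so re-entries within r can be rejected and re-entries farther than r can be
accepted. Centered discretization picks a per-click grid offset that puts
the original click at the centre of its cell; the offset is stored in the
clear (like a salt) and only the cell indices are hashed.
Assumptions: r = 9 px, cell side 2r, SHA-256 as a stand-in hash.
"""
import hashlib

R = 9                 # assumed tolerance radius in pixels
SIZE = 2 * R          # grid cell side


def within_tolerance(original, reentry, r=R):
    """Tolerance region used throughout: the half-open square [x-r, x+r) x [y-r, y+r)."""
    return all(-r <= b - a < r for a, b in zip(original, reentry))


def fixed_grid_cell(p, size=SIZE):
    """Image-aligned grid: the cell index of p, wherever p falls inside that cell."""
    return (p[0] // size, p[1] // size)


def centered_offset(p, r=R, size=SIZE):
    """Offset that places a grid line exactly r left of and r above p,
    so p becomes the centre of its cell."""
    return ((p[0] - r) % size, (p[1] - r) % size)


def centered_cell(p, offset, size=SIZE):
    """Cell index of p on the grid shifted by a stored offset."""
    return ((p[0] - offset[0]) // size, (p[1] - offset[1]) // size)


def digest(cells):
    """Stand-in for the password hash: SHA-256 over the cell indices only."""
    return hashlib.sha256(",".join(f"{cx}:{cy}" for cx, cy in cells).encode()).hexdigest()


def enroll(clicks):
    """Centered discretization enrolment: returns (public offsets, hash of cell indices)."""
    offsets = [centered_offset(p) for p in clicks]
    return offsets, digest([centered_cell(p, o) for p, o in zip(clicks, offsets)])


def verify(entry, offsets, expected):
    """Re-discretize the login attempt with the stored offsets and compare hashes."""
    return digest([centered_cell(p, o) for p, o in zip(entry, offsets)]) == expected


def compare_schemes(original, reentry):
    """Whether each scheme accepts `reentry` for a password click at `original`."""
    off = centered_offset(original)
    return {
        "in_tolerance": within_tolerance(original, reentry),
        "fixed_grid": fixed_grid_cell(reentry) == fixed_grid_cell(original),
        "centered": centered_cell(reentry, off) == centered_cell(original, off),
    }


def error_counts(original, r=R):
    """(false rejects, false accepts) per scheme, scanning every point within 2r
    of the original click."""
    x, y = original
    fr_fa = {"fixed_grid": [0, 0], "centered": [0, 0]}
    for px in range(x - 2 * r, x + 2 * r + 1):
        for py in range(y - 2 * r, y + 2 * r + 1):
            v = compare_schemes(original, (px, py))
            for scheme, c in fr_fa.items():
                if v["in_tolerance"] and not v[scheme]:
                    c[0] += 1                     # within r, yet rejected
                elif v[scheme] and not v["in_tolerance"]:
                    c[1] += 1                     # beyond r, yet accepted
    return {k: tuple(v) for k, v in fr_fa.items()}


if __name__ == "__main__":
    original = (17, 40)      # assumed click one pixel from a fixed-grid boundary at x = 18
    for reentry in [(24, 40), (1, 52)]:
        print(reentry, compare_schemes(original, reentry))
    print(error_counts(original))
    offsets, h = enroll([original, (100, 60)])
    print(verify([(24, 40), (95, 66)], offsets, h), verify([(1, 52), (95, 66)], offsets, h))
```

For the click at (17, 40) the fixed grid rejects (24, 40), which is 7 px away, and accepts (1, 52), which is 16 px away; scanning the neighbourhood gives equal numbers of false rejects and false accepts, because the cell and the tolerance square have the same area but are offset. With the centered offsets the accept region is exactly the tolerance square, so both counts are zero. The offsets reveal where the click sits relative to the grid but not which cell was chosen, which is why they can be stored in the clear alongside the hash.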
Exploiting Predictability in Click-based Graphical Passwords
2010
We provide an in-depth study of the security of click-based graphical password schemes like PassPoints (Wiedenbeck et al., 2005), by exploring popular points (hot-spots), and examining strategies to predict and exploit them in guessing attacks. We report on both short- and long-term user studies: one lab-controlled, involving 43 users and 17 diverse images, the other a field test of 223 user accounts. We provide empirical evidence that hot-spots do exist for many images, some more so than others. We explore the use of “human-computation” (in this context, harvesting click-points from a small set of users) to predict these hot-spots. We generate two “human-seeded” attacks based on this method: one based on a first-order Markov model, another based on an independent probability model. Within 100 guesses, our first-order Markov model-based attack finds 4% of passwords in one image’s data set, and 10% of passwords in a second image’s data set. Our independent model-based attack finds 20% within 2^33 guesses in one image’s data set and 36% within 2^31 guesses in a second image’s data set. These are all for a system whose full password space has cardinality 2^43. We also evaluate our first-order Markov model-based attack with cross-validation of the field study data, which finds an average of 7-10% of user passwords within 3 guesses. We also begin to explore some click-order pattern attacks, which we found improve on our independent model-based attacks. Our results suggest that these graphical password schemes (with parameters as originally proposed) are vulnerable to offline and online attacks, even on systems that implement conservative lock-out policies.
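To make the human-seeded attack concrete, the Python below is an added example, not the paper's code or study data: click sequences harvested from a small seed group train a first-order Markov model (start cell plus cell-to-cell transitions) and an independent-point model (pooled cell frequencies, order ignored); guesses are then enumerated best-first in decreasing model probability and a constructed target set is scored against a guess budget. The 6 x 4 grid, 5 clicks per password, the smoothing constant ALPHA, and every seed and target sequence are assumptions, built so that a few hot-spot cells recur.

```python
"""Human-seeded guessing attacks on click-based graphical passwords.

Added example, not the paper's code or data. Sequences harvested from a
seed group train (a) a first-order Markov model over grid cells and (b) an
independent-point model that ignores click order; candidate passwords are
enumerated best-first in decreasing model probability and checked against
a constructed target set. Assumptions: 6 x 4 grid, 5 clicks per password,
additive smoothing ALPHA, and all sequences below.
"""
import heapq
import math
from collections import Counter, defaultdict

COLS, ROWS = 6, 4
CELLS = [(c, r) for r in range(ROWS) for c in range(COLS)]
CLICKS = 5
ALPHA = 0.1   # additive smoothing: unseen cells and transitions keep a small probability

# Constructed "harvested" sequences: cells (0,0), (2,1), (5,3) recur, mostly left to right.
SEED = [
    [(0, 0), (2, 1), (3, 1), (5, 3), (1, 3)],
    [(0, 0), (2, 1), (3, 1), (5, 3), (1, 3)],
    [(0, 0), (2, 1), (4, 2), (5, 3), (1, 3)],
    [(0, 0), (1, 0), (2, 1), (5, 3), (4, 3)],
    [(2, 1), (3, 1), (4, 2), (5, 3), (1, 3)],
    [(0, 0), (2, 1), (3, 1), (5, 3), (4, 3)],
    [(1, 0), (2, 1), (4, 2), (5, 3), (1, 3)],
    [(0, 0), (2, 1), (3, 1), (4, 2), (5, 3)],
]

# Constructed target passwords: three re-use the hot-spots, one avoids them entirely.
TARGETS = [
    [(0, 0), (2, 1), (3, 1), (5, 3), (1, 3)],
    [(0, 0), (2, 1), (4, 2), (5, 3), (1, 3)],
    [(2, 1), (3, 1), (4, 2), (5, 3), (1, 3)],
    [(5, 0), (0, 3), (3, 2), (1, 1), (4, 0)],
]


def _log_dist(counter, total, cells, alpha):
    """Smoothed log-probabilities over `cells` from raw counts."""
    return {c: math.log((counter[c] + alpha) / (total + alpha * len(cells))) for c in cells}


def train_markov(seqs, cells=CELLS, alpha=ALPHA):
    """First-order Markov model. Returns step(prefix, cell) -> log P(cell | prefix)."""
    start = Counter(s[0] for s in seqs)
    trans = defaultdict(Counter)
    for s in seqs:
        for a, b in zip(s, s[1:]):
            trans[a][b] += 1
    log_start = _log_dist(start, len(seqs), cells, alpha)
    log_trans = {c: _log_dist(trans[c], sum(trans[c].values()), cells, alpha) for c in cells}
    return lambda prefix, cell: log_start[cell] if not prefix else log_trans[prefix[-1]][cell]


def train_independent(seqs, cells=CELLS, alpha=ALPHA):
    """Independent model: each click is drawn from the pooled cell frequencies, order ignored."""
    freq = Counter(c for s in seqs for c in s)
    log_p = _log_dist(freq, sum(freq.values()), cells, alpha)
    return lambda prefix, cell: log_p[cell]


def enumerate_guesses(step, limit, cells=CELLS, length=CLICKS):
    """Best-first enumeration of full sequences in non-increasing model probability.
    Every step has log-probability <= 0, so extending a prefix never raises its score;
    hence complete sequences leave the heap in order of decreasing probability."""
    heap = [(0.0, ())]
    out = []
    while heap and len(out) < limit:
        neg, prefix = heapq.heappop(heap)
        if len(prefix) == length:
            out.append((list(prefix), -neg))
            continue
        for c in cells:
            heapq.heappush(heap, (neg - step(prefix, c), prefix + (c,)))
    return out


def guess_rank(step, target, limit):
    """1-based position of `target` in the model's guess list, or None if beyond `limit`."""
    for i, (seq, _) in enumerate(enumerate_guesses(step, limit), start=1):
        if seq == list(target):
            return i
    return None


def attack(step, targets, budget):
    """Fraction of `targets` found within `budget` guesses (an offline-style evaluation)."""
    found = {tuple(seq) for seq, _ in enumerate_guesses(step, budget)}
    return sum(tuple(t) in found for t in targets) / len(targets)


if __name__ == "__main__":
    markov, indep = train_markov(SEED), train_independent(SEED)
    for seq, lp in enumerate_guesses(markov, 5):
        print(f"{math.exp(lp):.4f} {seq}")
    for name, model in [("markov", markov), ("independent", indep)]:
        print(f"{name}: found {attack(model, TARGETS, 10):.0%} of targets within 10 guesses")
```

With these seeds the Markov model's first guess is the modal seed sequence and it finds the three hot-spot targets within ten guesses, while the fourth target, which touches no harvested cell, sits far down the list. The independent model ranks the same sequence behind every permutation of its two most frequent cells, which is the price of discarding click order; the same enumerator serves both, so the only difference is the step function.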
Graphical Passwords: Learning from the First Twelve Years
Starting around 1999, a great many graphical password schemes have been proposed as alternatives to text-based password authentication. We provide a comprehensive overview of published research in the area, covering both usability and security aspects, as well as system evaluation. The paper first catalogues existing approaches, highlighting novel features of selected schemes and identifying key usability or security advantages. We then review usability requirements for knowledge-based authentication as they apply to graphical passwords, identify security threats that such systems must address and review known attacks, discuss methodological issues related to empirical evaluation, and identify areas for further research and improved methodology.
Graphical passwords as browser extension: Implementation and usability study
3rd IFIP WG 11.11 Int. Conf. on Trust Management, 2009
Today, most Internet applications still establish user authentication with traditional text-based passwords. Designing a secure as well as a user-friendly password-based method has been on the agenda of security researchers for a long time. On one hand, there are password manager programs which facilitate generating site-specific strong passwords from a single user password to eliminate the memory burden due to multiple passwords. On the other hand, there are studies exploring the viability of graphical passwords as a more secure and user-friendly alternative. In this paper, we present GPEX, a password manager program implemented as a web browser plug-in to enable using graphical passwords to secure Internet applications without any need to change their authentication interface. Experimental results show that GPEX has security and usability advantages over other password manager plug-ins. Specifically, we find that with the visual interface of GPEX, users have a more complete and accurate mental model of the system and incorrect login attempts causing security exposures can easily be avoided.
Persuasive cued click-points: Design, implementation, and evaluation of a knowledge-based authentication mechanism
2011
This paper presents an integrated evaluation of the Persuasive Cued Click-Points graphical password scheme, including usability and security evaluations, and implementation considerations. An important usability goal for knowledge-based authentication systems is to support users in selecting passwords of higher security, in the sense of being from an expanded effective security space. We use persuasion to influence user choice in click-based graphical passwords, encouraging users to select more random, and hence more difficult to guess, click-points.
Towards Understanding ATM Security – A Field Study of Real World ATM Use
With the increase of automated teller machine (ATM) frauds, new authentication mechanisms are developed to overcome security problems of personal identification numbers (PIN). Those mechanisms are usually judged on speed, security, and memorability in comparison with traditional PIN entry systems. It remains unclear, however, what appropriate values for PIN-based ATM authentication actually are. We conducted a field study and two smaller follow-up studies on real-world ATM use, in order to provide both a better understanding of PIN-based ATM authentication, and on how alternative authentication methods can be compared and evaluated. Our results show that there is a big influence of contextual factors on security and performance in PIN-based ATM use. Such factors include distractions, physical hindrance, trust relationships, and memorability. From these findings, we draw several implications for the design of alternative ATM authentication systems, such as resilience to distraction and social compatibility.

