Towards Practical Biometric Key Generation with Randomized Biometric Templates
Cited by 7 (0 self)
Although biometrics have garnered significant interest as a source of entropy for cryptographic key generation, recent studies indicate that many biometric modalities may not actually offer enough uncertainty for this purpose. In this paper, we exploit a novel source of entropy that can be used with any biometric modality but that has yet to be utilized for key generation, namely associating uncertainty with the way in which the biometric input is measured. Our construction poses only a modest requirement on a user: the ability to remember a low-entropy password. We identify the technical challenges of this approach, and develop novel techniques to overcome these difficulties. Our analysis of this approach indicates that it may offer the potential to generate stronger keys: In our experiments, 40% of the users are able to generate keys that are at least 2^30 times stronger than passwords alone. Categories and Subject Descriptors E.3 [Data Encryption]; H.1 [Models and Principles]: User/Machine
On purely automated attacks and click-based graphical passwords
In Annual Computer Security Applications Conf. (ACSAC), 2008
Cited by 7 (5 self)
We present and evaluate various methods for purely automated attacks against click-based graphical passwords. Our purely automated methods combine click-order heuristics with focus-of-attention scan-paths generated from a computational model of visual attention. Our method results in a significantly better automated attack than previous work, guessing 8-15% of passwords for two representative images using dictionaries of less than 2^24.6 entries, and about 16% of passwords on each of these images using dictionaries of less than 2^31.4 entries (where the full password space is 2^43). Relaxing our click-order pattern substantially increased the efficacy of our attack albeit with larger dictionaries of 2^34.7 entries, allowing attacks that guessed 48-54% of passwords (compared to previous results of 0.9% and 9.1% on the same two images with 2^35 guesses). These latter automated attacks are independent of focus-of-attention models, and are based on image-independent guessing patterns. Our results show that automated attacks, which are easier to arrange than human-seeded attacks and are more scalable to systems that use multiple images, pose a significant threat.
User interface design affects security: Patterns in click-based graphical passwords
2009
Purely Automated Attacks on PassPoints-Style Graphical Passwords
2010
Cited by 6 (5 self)
We introduce and evaluate various methods for purely automated attacks against PassPoints-style graphical passwords. For generating these attacks, we introduce a graph-based algorithm to efficiently create dictionaries based on heuristics such as click-order patterns (e.g., 5 points all along a line). Some of our methods combine click-order heuristics with focus-of-attention scan-paths generated from a computational model of visual attention, yielding significantly better automated attacks than previous work. One resulting automated attack finds 7-16% of passwords for two representative images using dictionaries of approximately 2^26 entries (where the full password space is 2^43). Relaxing click-order patterns substantially increased the attack efficacy albeit with larger dictionaries of approximately 2^35 entries, allowing attacks that guessed 48-54% of passwords (compared to previous results of 1% and 9% on the same dataset for two images with 2^35 guesses). These latter attacks are independent of focus-of-attention models, and are based on image-independent guessing patterns. Our results show that automated attacks, which are easier to arrange than human-seeded attacks and are more scalable to systems that use multiple images, pose a significant threat to basic PassPoints-style graphical passwords.
Passshapes - utilizing stroke based authentication to increase password memorability
In NordiCHI 2008: Proceedings of the 5th Nordic Conference on Human-Computer Interaction, 2008
Cited by 4 (1 self)
Authentication today mostly relies on passwords or personal identification numbers (PINs). Therefore the average user has to remember an increasing amount of PINs and passwords. Unfortunately, humans have limited capabilities for remembering abstract alphanumeric sequences. Thus, many people either forget them or use very simple ones, which implies several security risks. In this work, a novel authentication method called PassShapes is presented. In this system users authenticate themselves to a computing system by drawing simple geometric shapes constructed of an arbitrary combination of eight different strokes. We argue that using such shapes will allow more complex and thus more secure authentication tokens with a lower cognitive load and higher memorability. To prove these assumptions, two user studies have been conducted. The memorability evaluation showed that the PassShapes concept is able to increase the memorability when users can practice the PassShapes several times. This effect is even increasing over time. Additionally, a prototype was implemented to conduct a usability study. The results of both studies indicate that the PassShapes approach is able to provide a usable and memorable authentication method.
Exploiting Predictability in Click-based Graphical Passwords
2010
Cited by 4 (3 self)
We provide an in-depth study of the security of click-based graphical password schemes like PassPoints (Weidenbeck et al., 2005), by exploring popular points (hot-spots), and examining strategies to predict and exploit them in guessing attacks. We report on both short- and long-term user studies: one lab-controlled, involving 43 users and 17 diverse images, the other a field test of 223 user accounts. We provide empirical evidence that hot-spots do exist for many images, some more so than others. We explore the use of “human-computation” (in this context, harvesting click-points from a small set of users) to predict these hot-spots. We generate two “human-seeded” attacks based on this method: one based on a first-order Markov model, another based on an independent probability model. Within 100 guesses, our first-order Markov model-based attack finds 4% of passwords in one image’s data set, and 10% of passwords in a second image’s data set. Our independent model-based attack finds 20% within 2^33 guesses in one image’s data set and 36% within 2^31 guesses in a second image’s data set. These are all for a system whose full password space has cardinality 2^43. We also evaluate our first-order Markov model-based attack with cross-validation of the field study data, which finds an average of 7-10% of user passwords within 3 guesses. We also begin to explore some click-order pattern attacks, which we found improve on our independent model-based attacks. Our results suggest that these graphical password schemes (with parameters as originally proposed) are vulnerable to offline and online attacks, even on systems that implement conservative lock-out policies.
A birthday present every eleven wallets? The security of customer-chosen banking PINs
FC ’12: The 16th International Conference on Financial Cryptography and Data Security, 2012
Cited by 4 (2 self)
We provide the first published estimates of the difficulty of guessing a human-chosen 4-digit PIN. We begin with two large sets of 4-digit sequences chosen outside banking for online passwords and smartphone unlock-codes. We use a regression model to identify a small number of dominant factors influencing user choice. Using this model and a survey of over 1,100 banking customers, we estimate the distribution of banking PINs as well as the frequency of security-relevant behaviour such as sharing and reusing PINs. We find that guessing PINs based on the victims’ birthday, which nearly all users carry documentation of, will enable a competent thief to gain use of an ATM card once for every 11–18 stolen wallets, depending on whether banks prohibit weak PINs such as 1234. The lesson for cardholders is to never use one’s date of birth as a PIN. The lesson for card-issuing banks is to implement a denied PIN list, which several large banks still fail to do. However, blacklists cannot effectively mitigate guessing given a known birth date, suggesting banks should move away from customer-chosen banking PINs in the long term.
Graphical Passwords: Learning from the First Twelve Years
Cited by 3 (1 self)
Starting around 1999, a great many graphical password schemes have been proposed as alternatives to text-based password authentication. We provide a comprehensive overview of published research in the area, covering both usability and security aspects, as well as system evaluation. The paper first catalogues existing approaches, highlighting novel features of selected schemes and identifying key usability or security advantages. We then review usability requirements for knowledge-based authentication as they apply to graphical passwords, identify security threats that such systems must address and review known attacks, discuss methodological issues related to empirical evaluation, and identify areas for further research and improved methodology.
What’s in a name? Evaluating statistical attacks on personal knowledge questions
In Proc. Financial Crypto., 2010
Cited by 3 (0 self)
We study the efficiency of statistical attacks on human authentication systems relying on personal knowledge questions. We adapt techniques from guessing theory to measure security against a trawling attacker attempting to compromise a large number of strangers’ accounts. We then examine a diverse corpus of real-world statistical distributions for likely answer categories such as the names of people, pets, and places and find that personal knowledge questions are significantly less secure than graphical or textual passwords. We also demonstrate that statistics can be used to increase security by proactively shaping the answer distribution to lower the prevalence of common responses.
On Predicting and Exploiting HotSpots in Click-Based Graphical Passwords
School of Computer Science, Carleton University, 2010
Cited by 2 (2 self)
We provide an in-depth study of the security of click-based graphical password schemes like PassPoints (Weidenbeck et al., 2005), by exploring popular points (hot-spots), and examining strategies to predict and exploit them in guessing attacks. We report on both short- and long-term user studies: one lab-controlled, involving 43 users and 17 diverse images, the other a field test of 223 user accounts. We provide empirical evidence that hot-spots do exist for many images, some more so than others. We explore the use of “human-computation” (in this context, harvesting click-points from a small set of users) to predict these hot-spots. We generate two “human-seeded” attacks based on this method: one based on a first-order Markov model, another based on an independent probability model. Within 100 guesses, our first-order Markov model-based attack guesses 4% of passwords in one instance, and 10% of passwords in a second instance. Our independent model-based attack guesses 20% within 2^33 guesses in one instance and 36% within 2^31 guesses in a second instance. These are all for a system whose full password space has cardinality 2^43. We also evaluate our first-order Markov model-based attack with cross-validation of the field study data, finding that it guesses an average of 7-10% of user passwords within 3 guesses. Our results suggest that these graphical password schemes (as originally proposed) are vulnerable to offline and online attacks, even on systems that implement conservative lock-out policies.