Towards Secure Design Choices for Implementing Graphical Passwords
2004
Cited by 17 (4 self)
We study the impact of selected parameters on the size of the password space for "Draw-A-Secret" (DAS) graphical passwords. We examine the role of and relationships between the number of composite strokes, grid dimensions, and password length in the DAS password space. We show that a very significant proportion of the DAS password space depends on the assumption that users will choose long passwords with many composite strokes. If users choose passwords having 4 or fewer strokes, with passwords of length 12 or less on a 5×5 grid, instead of up to the maximum 12 possible strokes, the size of the DAS password space is reduced from 58 to 40 bits. Additionally, we found a similar reduction when users choose no strokes of length 1. To strengthen security, we propose a technique and describe a representative system that may gain up to 16 more bits of security with an expected negligible increase in input time. Our results can be directly applied to determine secure design choices, graphical password parameter guidelines, and in deciding which parameters deserve focus in graphical password user studies.
On Predictive Models and User-Drawn Graphical Passwords
ACM TISSEC, 2007
Cited by 16 (8 self)
In commonplace text-based password schemes, users typically choose passwords that are easy to recall, exhibit patterns, and are thus vulnerable to brute-force dictionary attacks. This leads us to ask whether other types of passwords (e.g., graphical) are also vulnerable to dictionary attack because of users tending to choose memorable passwords. We suggest a method to predict and model a number of such classes for systems where passwords are created solely from a user’s memory. We hypothesize that these classes define weak password subspaces suitable for an attack dictionary. For user-drawn graphical passwords, we apply this method with cognitive studies on visual recall. These cognitive studies motivate us to define a set of password complexity factors (e.g., reflective symmetry and stroke count), which define a set of classes. To better understand the size of these classes and, thus, how weak the password subspaces they define might be, we use the “Draw-A-Secret” (DAS) graphical password scheme of Jermyn et al. [1999] as an example. We analyze the size of these classes for DAS under convenient parameter choices and show that they can be combined to define apparently popular subspaces that have bit sizes ranging from 31 to 41, a surprisingly small proportion of the full password space (58 bits). Our results quantitatively support suggestions that user-drawn graphical password systems employ measures, such as graphical password rules or guidelines and proactive password checking.
Pass-thoughts: Authenticating with our minds
In Proceedings of New Security Paradigms Workshop, Lake Arrowhead, 2005
Cited by 7 (0 self)
We present a novel idea for user authentication that we call pass-thoughts. Recent advances in Brain-Computer Interface (BCI) technology indicate that there is potential for a new type of human-computer interaction: a user transmitting thoughts directly to a computer. The goal of a pass-thought system would be to extract as much entropy as possible from a user’s brain signals upon “transmitting” a thought. Provided that these brain signals can be recorded and processed in an accurate and repeatable way, a pass-thought system might provide a quasi two-factor, changeable, authentication method resistant to shoulder-surfing. The potential size of the space of a pass-thought system would seem to be unbounded in theory, although in practice it will be finite due to system constraints. In this paper, we discuss the motivation and potential of pass-thought authentication, the status quo of BCI technology, and outline the design of what we believe to be a currently feasible pass-thought system. We also briefly mention the need for general exploration and open debate regarding ethical considerations for such technologies.
Pass-Go: A Proposal to Improve the Usability of Graphical Passwords
2006
Cited by 7 (0 self)
Inspired by an old Chinese game, Go, we have designed a new graphical password scheme, Pass-Go, in which a user selects intersections on a grid as a way to input a password. While offering an extremely large full password space (256 bits for the most basic scheme), our scheme provides acceptable usability, as empirically demonstrated by, to the best of our knowledge, the largest user study (167 subjects involved) on graphical passwords, conducted in the fall semester of 2005 in two university classes. Our scheme supports most application environments and input devices, rather than being limited to small mobile devices (PDAs), and can be used to derive cryptographic keys. We study the memorable password space and show the potential power of this scheme by exploring further improvements and variation mechanisms.
Saddik. Novel shouldersurfing resistant haptic-based graphical password
In Proceedings of EuroHaptics’2006, 179-184, EuroHaptics Society, 2006
Cited by 6 (0 self)
Graphical password schemes are believed to be more secure and more resilient to dictionary attacks than textual passwords, but more vulnerable to shoulder surfing attacks. In this work, we design a new graphical password which is larger in the possible passwords’ space than in similar schemes and it is more resilient to shoulder-surfing attacks. Personal entropies are integrated into the system in the user-aware behavior that reduces the False Acceptance and False Rejection Rates. The user-aware personal entropy we employ is the binary pressure when drawing a secret on the screen; unlike conventional authentication schemes that use personal entropies, the binary pressure in our scheme is varied arbitrarily by the users and is not intuitive. This method yields the authentication scheme that acquires all the advantages of graphical passwords and behavioral authentication schemes all together; our scheme is resilient to both dictionary attacks and shoulder surfing attacks. We also suggest the main criteria in which the graphical passwords should be evaluated, and we test our scheme within the given framework.
On countering online dictionary attacks with login histories and humans-in-the-loop
ACM TISSEC 9
Cited by 6 (2 self)
Automated Turing Tests (ATTs), also known as human-in-the-loop techniques, were recently employed in a login protocol by Pinkas and Sander (2002) to protect against online password-guessing attacks. We present modifications providing a new history-based login protocol with ATTs, which uses failed-login counts. Analysis indicates that the new protocol offers opportunities for improved security and user friendliness (fewer ATTs to legitimate users) and greater flexibility (e.g., allowing protocol parameter customization for particular situations and users). We also note that the Pinkas–Sander and other protocols involving ATTs are susceptible to minor variations of well-known middle-person attacks. We discuss complementary techniques to address such attacks, and to augment the security of the original protocol.
Password Strength: An Empirical Analysis
Cited by 5 (0 self)
It is a well known fact that user-chosen passwords are somewhat predictable: by using tools such as dictionaries or probabilistic models, attackers and password recovery tools can drastically reduce the number of attempts needed to guess a password. Quite surprisingly, however, existing literature does not provide a satisfying answer to the following question: given a number of guesses, what is the probability that a state-of-the-art attacker will be able to break a password? To answer the former question, we compare and evaluate the effectiveness of currently known attacks using various datasets of known passwords. We find that a “diminishing returns” principle applies: in the absence of an enforced password strength policy, weak passwords are common; on the other hand, as the attack goes on, the probability that a guess will succeed decreases by orders of magnitude. Even extremely powerful attackers won’t be able to guess a substantial percentage of the passwords. The result of this work will help in evaluating the security of authentication means based on user-chosen passwords, and our methodology for estimating password strength can be used as a basis for creating more effective proactive password checkers for users and security auditing tools for administrators.
Improving interface designs to help users choose better passwords
In CHI ’06: CHI ’06 extended abstracts on Human factors in computing systems, 2006
Cited by 3 (1 self)
Conventional wisdom seems to have concluded that traditional passwords are inherently insecure. The argument is usually that users choose bad passwords and cannot be expected to remember strong passwords. We feel that these conclusions are premature and that this argument is flawed. At present most password selection mechanisms are not designed according to basic HCI principles and we believe that this is highly responsible for the above conclusions. Our current research is reexamining the problem of password selection and memorability through the exploration of password selection mechanisms with novel interface designs. The goal of this research is to develop both principles and designs that help users to choose passwords that are both memorable and secure.
Keywords: security, passwords, user-centered design, HCI, HCISEC, proactive password checking, interface design, usability
Digital Objects as Passwords
Cited by 2 (1 self)
Security proponents heavily emphasize the importance of choosing a strong password (one with high entropy). Unfortunately, by design, most humans are apparently incapable of generating such passwords, or memorizing a random-looking, machine-generated one for long-term use. Infrequently used passwords pose even bigger security and usability problems. We exploit the fact that many users now own or have access to a large quantity of digitized personal or personally meaningful content in designing an object-based password scheme called ObPwd. ObPwd enables users to select a password generating object from their local collection or from the web, and then converts the password object (e.g. an image, a particular piece of music, excerpt from a book) to a (potentially) high-entropy text password that can be used for regular or secondary web authentication, or in local applications (e.g. encryption). Instead of requiring users to memorize an exact password, ObPwd only requires one to remember a hint or pointer to the password object used. We believe that choosing digital objects as passwords is an interesting alternative to explore, and may enable users to create and maintain high quality passwords. We have implemented a prototype, and solicit feedback from the research community in regard to using digital objects as passwords.
How does your password measure up? The effect of strength meters on password creation
In Proc. USENIX Security, 2012
Cited by 1 (1 self)
To help users create stronger text-based passwords, many web sites have deployed password meters that provide visual feedback on password strength. Although these meters are in wide use, their effects on the security and usability of passwords have not been well studied. We present a 2,931-subject study of password creation in the presence of 14 password meters. We found that meters with a variety of visual appearances led users to create longer passwords. However, significant increases in resistance to a password-cracking algorithm were only achieved using meters that scored passwords stringently. These stringent meters also led participants to include more digits, symbols, and uppercase letters. Password meters also affected the act of password creation. Participants who saw stringent meters spent longer creating their password and were more likely to change their password while entering it, yet they were also more likely to find the password meter annoying. However, the most stringent meter and those without visual bars caused participants to place less importance on satisfying the meter. Participants who saw more lenient meters tried to fill the meter and were averse to choosing passwords a meter deemed “bad” or “poor.” Our findings can serve as guidelines for administrators seeking to nudge users towards stronger passwords.

