Persuasive cued click-points: Design, implementation, and evaluation of a knowledge-based authentication mechanism (2011)
Citations: | 30 - 2 self |
Citations
649 |
Persuasive technology: using computers to change what we think and do
- Fogg
Citation Context ...gh attackers must perform proportionally more work to exploit hotspots, results showed that hotspots remained a problem [2]. Persuasive Technology: Persuasive Technology was first articulated by Fogg [22] as using technology to motivate and influence people to behave in a desired manner. An authentication system which applies Persuasive Technology should guide and encourage users to select stronger pa... |
509 |
Statistical Analysis of Spatial Point Patterns (Academic,
- Diggle
- 1983
Citation Context ...est recall success rates. 6 ANALYSIS OF PASSWORD DISTRIBUTIONS 6.1 Click-point clustering To analyze the randomness and clustering of 2D spatial data across users, we turned to point pattern analysis [30] commonly used in biology and earth sciences. The analysis used spatstat [31], a spatial statistics package for the R programming language. The J-statistic [32] from spatial analysis was used to measu... |
355 |
Eye tracking methodology: theory and practice
- Duchowski
- 2007
Citation Context ...e human eye can observe only a small part of an image at a time. Selecting a click-point requires high acuity vision using the fovea, the area of the retina with a high density of photoreceptor cells [38]. The size of the fovea limits foveal vision to an angle of approximately 1° within the direct line to the target of interest. At a normal viewing distance for a computer screen, say 60cm, this result... |
206 | Spatstat: An R Package for Analyzing Spatial Point Patterns.
- Baddeley, Turner
- 2005
Citation Context ...t clustering To analyze the randomness and clustering of 2D spatial data across users, we turned to point pattern analysis [30] commonly used in biology and earth sciences. The analysis used spatstat [31], a spatial statistics package for the R programming language. The J-statistic [32] from spatial analysis was used to measure clustering of click-points within datasets (the formation of hotspots). Th... |
182 | Biometrics: A tool for information security
- Jain, Ross, et al.
- 2006
Citation Context .... 2 BACKGROUND Text passwords are the most popular user authentication method, but have security and usability problems. Alternatives such as biometric systems and tokens have their own drawbacks [8]–[10]. Graphical passwords offer another alternative, and are the focus of this paper. Click-based graphical passwords: Graphical password systems are a type of knowledge-based authentication that attempt ... |
162 | Availability versus accessibility of information in memory for words.
- Tulving, Pearlstone
- 1966
Citation Context ...call click-based graphical passwords (also known as locimetric [13]). In such systems, users identify and target previously selected locations within one or more images. The images act as memory cues [14] to aid recall. Example systems include PassPoints [15] and Cued Click-Points [7]. In PassPoints, passwords consist of a sequence of five click-points on a given image. Users may select any pixels in ... |
160 | PassPoints: Design and longitudinal evaluation of a graphical password system.
- Wiedenbeck, Waters, et al.
- 2005
Citation Context ...imetric [13]). In such systems, users identify and target previously selected locations within one or more images. The images act as memory cues [14] to aid recall. Example systems include PassPoints [15] and Cued Click-Points [7]. In PassPoints, passwords consist of a sequence of five click-points on a given image. Users may select any pixels in the image as click-points for their password. To log in... |
142 | On user choice in graphical passwords schemes.
- Davis, Monrose, et al.
- 2004
Citation Context ...ple are attracted to the same predictable areas on an image. This suggests that if users select their own click-based graphical passwords without guidance, hotspots will remain an issue. Davis et al. [24] suggest that user choice in all types of graphical passwords is inadvisable due to predictability. We investigated whether the system could influence users to select more random click-points while ma... |
114 | Securing passwords against dictionary attacks.
- Pinkas, Sander
- 2002
Citation Context ...er t failed login attempts, defences must throttle such online guessing attacks sufficiently to guard against system-wide attacks across W accounts since an attacker gets t ∗ W guesses per time window [37]. All client-server communication should be made securely (e.g., through SSL) to maintain the secrecy of user click-points and images. 7.3 Summary of Security Analysis Given that hotspots and click-po... |
94 | Comparing passwords, tokens and biometrics for user authentication - O’Gorman - 2003 |
88 |
Pictorial superiority effect.
- Nelson, Reed, et al.
- 1976
Citation Context ... are the focus of this paper. Click-based graphical passwords: Graphical password systems are a type of knowledge-based authentication that attempt to leverage the human memory for visual information [11]. A comprehensive review AUTHORS’ COPY: TO APPEAR IN IEEE TDSC 2 Fig. 1. A user navigates through images to form a CCP password. Each click determines the next image. of graphical passwords is availab... |
87 | Graphical password authentication using Cued Click Points.
- Chiasson, Oorschot, et al.
- 2007
Citation Context ...ated evaluation of PCCP covering both usability and security issues, to advance understanding as is prudent before practical deployment of new security mechanisms. Through eight user studies [1]–[4], [7], we compared PCCP to text passwords and two related graphical password systems. Results show that PCCP is effective at reducing hotspots (areas of the image where users are more likely to select clic... |
79 |
Testing metrics for password creation policies by attacking large sets of revealed passwords.
- Weir, Aggarwal, et al.
- 2010
Citation Context ... space for authentication schemes, Florencio and Herley [26] suggest that theoretical password spaces of 2^20 suffice to withstand online attacks. Whereas text passwords have very skewed distributions [27], resulting in an effective password space much smaller than the theoretical space, PCCP is specifically designed to significantly reduce such skews. Further design and implementation details of PCCP ... |
70 | Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords. USENIX Security Symp.
- Thorpe, Oorschot
- 2007
Citation Context ...users as password click-points. Attackers who gain knowledge of these hotspots through harvesting sample passwords can build attack dictionaries and more successfully guess PassPoints passwords [18], [19]. Users also tend to select their click-points in predictable patterns [5], [20] (e.g., straight lines), which can also be exploited by attackers even without knowledge of the background image; indeed... |
68 |
Graphical passwords: Learning from the first generation.
- Biddle, Chiasson, et al.
- 2009
Citation Context ...sive review of graphical passwords is available elsewhere [12]. Of interest herein are cued-recall click-based graphical passwords (also known as locimetric [13]). In such systems, users identify and target previously selected locations within one or more images... |
58 | A second look at the usability of click-based graphical passwords.
- Chiasson, Biddle, et al.
- 2007
Citation Context ...ed graphical password system, Persuasive Cued Click-Points (PCCP) [2], [3], and conducted user studies evaluating usability and security. This paper presents a consistent assimilation of earlier work [1]–[4] and two unpublished web studies, reinterprets and updates statistical analysis incorporating larger datasets, provides new evaluation of password distributions, extends security analysis includin... |
55 | Modeling user choice in the PassPoints graphical password scheme.
- Dirik, Menon, et al.
- 2007
Citation Context ...ed by users as password click-points. Attackers who gain knowledge of these hotspots through harvesting sample passwords can build attack dictionaries and more successfully guess PassPoints passwords [18], [19]. Users also tend to select their click-points in predictable patterns [5], [20] (e.g., straight lines), which can also be exploited by attackers even without knowledge of the background image; ... |
54 |
Influencing users towards better passwords: Persuasive Cued Click-Points.
- Chiasson, Forget, et al.
- 2008
Citation Context ... in success rates between high and low shufflers was not statistically significant for the two-week or web studies. Furthermore, users reported favourable opinions of PCCP in post-task questionnaires [2]. Secondly, we compared conditions in the PCCP 2wk study. A general trend indicates that larger images or more click-points negatively impacts the password entry time. No clear pattern emerges between... |
47 |
A nonparametric measure of spatial interaction in point patterns.
- Lieshout, Baddeley
- 1996
Citation Context ...rs, we turned to point pattern analysis [30] commonly used in biology and earth sciences. The analysis used spatstat [31], a spatial statistics package for the R programming language. The J-statistic [32] from spatial analysis was used to measure clustering of click-points within datasets (the formation of hotspots). The J-statistic combines nearest-neighbour calculations and empty-space measures for ... |
44 | Improving text passwords through persuasion.
- Forget, Chiasson, et al.
- 2008
Citation Context ...4 rather than vague instructions such as “pick a password that is hard for others to guess”. This persuasive strategy has also been used with some success to increase the randomness of text passwords [40]. Better user interface design can influence users to select stronger passwords. A key feature in PCCP is that creating a harder to guess password is the path-of-least-resistance, likely making it mor... |
43 | Is a Picture Really Worth a Thousand Words? Exploring the Feasibility of Graphical Authentication Systems
- Angeli, Coventry, et al.
- 2005
Citation Context ... a CCP password. Each click determines the next image. of graphical passwords is available elsewhere [12]. Of interest herein are cued-recall click-based graphical passwords (also known as locimetric [13]). In such systems, users identify and target previously selected locations within one or more images. The images act as memory cues [14] to aid recall. Example systems include PassPoints [15] and Cue... |
31 | Shoulder-Surfing Resistance with Eye-Gaze Entry in Cued-Recall Graphical Passwords.
- Forget, Chiasson, et al.
- 2010
Citation Context ...ge may offer some protection, but have not been tested. A considerably more complicated alternative is to make user input invisible to cameras, for example by using eye-tracking as an input mechanism [35]. Malware: Malware is a major concern for text and graphical passwords, since keylogger, mouse-logger, and screen scraper malware could send captured data remotely or otherwise make it available to an... |
28 | User interface design affects security: Patterns in click-based graphical passwords.
- Chiasson, Forget, et al.
- 2009
Citation Context ...ributions, extends security analysis including rel• All authors are from Carleton University, Ottawa, Canada. E-mail: chiasson@scs.carleton.ca Parts of this paper appeared earlier in publications [1]–[5]. Version: Tuesday 25th October, 2011. Copyright held by the IEEE. Authors’ version for personal use. Not to be offered for sale or otherwise re-printed, re-published or re-used without permission. A ... |
27 | Where do security policies come from?
- Florencio, Herley
- 2010
Citation Context ...nts in a password (c, usually set to 5 in our experiments). While it is beyond our present scope to establish an acceptable theoretical password space for authentication schemes, Florencio and Herley [26] suggest that theoretical password spaces of 2^20 suffice to withstand online attacks. Whereas text passwords have very skewed distributions [27], resulting in an effective password space much smaller ... |
24 | Purely Automated Attacks on PassPoints-Style Graphical Passwords
- Oorschot, Salehi-Abari, et al.
- 2010
Citation Context ...so be exploited by attackers even without knowledge of the background image; indeed, purely automated attacks against PassPoints based on image processing techniques and spatial patterns are a threat [21]. A precursor to PCCP, Cued Click-Points (CCP) [7] was designed to reduce patterns and to reduce the usefulness of hotspots for attackers. Rather than five click-points on one image, CCP uses one clic... |
23 | Exploiting Predictability in Click-based Graphical Passwords.
- Oorschot, Thorpe
- 2011
Citation Context ...al report [33]), such pattern-based attacks would be ineffective against PCCP passwords. Hotspot attack with all server-side information: PassPoints passwords from a small number of users can be used [34] to determine likely hotspots on an image, which can then be used to form an attack dictionary. Up to 36% of passwords on the Pool image were correctly guessed with a dictionary of 2^31 entries. The at... |
21 | On Purely Automated Attacks and Click-Based Graphical Passwords
- Salehi-Abari, Thorpe, et al.
- 2008
Citation Context ...stem-defined tolerance square of the original click-points. Although PassPoints is relatively usable [1], [15], [16], security weaknesses make passwords easier for attackers to predict. Hotspots [17]–[20] are areas of the image that have higher likelihood of being selected by users as password click-points. Attackers who gain knowledge of these hotspots through harvesting sample passwords can build at... |
20 | Securing Passfaces for Description
- Dunphy, Nicholson, et al.
- 2008
Citation Context ...ng: For social engineering attacks against cued-recall graphical passwords, a frame of reference must be established between parties to convey the password in sufficient detail. One preliminary study [36] suggests that password sharing through verbal description may be possible for PassPoints. For PCCP, more effort may be required to describe each image and the exact location of each click-point. Grap... |
19 | Towards understanding user perceptions of authentication technologies - Jones, I, et al. - 2007 |
19 |
Click Passwords Under Investigation.
- Golofit
- 2007
Citation Context ... a system-defined tolerance square of the original click-points. Although PassPoints is relatively usable [1], [15], [16], security weaknesses make passwords easier for attackers to predict. Hotspots [17]–[20] are areas of the image that have higher likelihood of being selected by users as password click-points. Attackers who gain knowledge of these hotspots through harvesting sample passwords can bui... |
17 | Multiple Password Interference in Text and Click-Based Graphical Passwords
- Chiasson, Forget, et al.
- 2009
Citation Context ...ions for a secure password — a feature lacking in most schemes. We applied this approach to create the first persuasive click-based graphical password system, Persuasive Cued Click-Points (PCCP) [2], [3], and conducted user studies evaluating usability and security. This paper presents a consistent assimilation of earlier work [1]–[4] and two unpublished web studies, reinterprets and updates statisti... |
17 | Centered discretization with application to graphical passwords.
- Chiasson, Srinivasan, et al.
- 2008
Citation Context ...s were set to 451×331 pixel images, 5 click-points per password, a tolerance region of 19×19 pixels, and a persuasive viewport of 100×100 pixels. Passwords were encoded using Centered Discretization [29]. Text Web: This study included 21 participants who completed 204 at-home recall trials. The system required text passwords of minimum length 6, including at least one digit and one letter, which give... |
15 |
A large-scale study of WWW password habits
- Florêncio, Herley
- 2007
Citation Context ...ds that are difficult to remember. Providing instructions on creating secure passwords, using password managers, or providing tools such as strength-meters for passwords have had only limited success [39]. The problem with such tools is that they require additional effort on the part of users creating passwords and often provide little useful feedback to guide users’ actions. In PCCP, creating a less ... |
8 | Exploring Usability Effects of Increasing Security in Click-Based Graphical Passwords
- Stobert, Forget, et al.
- 2010
Citation Context ...3 Varying system parameters: PCCP 2wk study We summarize the effects of modifying the number of click-points and the image size on user performance. Detailed results are available in an earlier paper [4]. Success rates: Success rates were very high for login; participants could successfully log in after a short time regardless of number of click-points or image size. Success rates after two weeks wer... |
8 | The Memorability and Security of Passwords, Security and Usability: Designing Secure Systems That People Can Use - Yan, Blackwell, et al. - 2005 |
3 |
Visual Attention, Seeing,
- Wolf
- 2000
Citation Context ...ck-based graphical passwords, as attackers can use skewed password distributions to predict and prioritize higher probability passwords for more successful guessing attacks. Visual attention research [23] shows that different people are attracted to the same predictable areas on an image. This suggests that if users select their own click-based graphical passwords without guidance, hotspots will remai... |
1 |
MVP: A web-based framework for user studies
- Chiasson, Deschamps, et al.
- 2010
Citation Context ...lding a theoretical space of 2^43 passwords, unless otherwise specified. No images were repeated between or within passwords for a given user. The web studies (Section 4.3) were conducted with the MVP [28] web-based authentication framework. PCCP was again configured to use 451 × 331 pixel images, 19 × 19 tolerance squares, and 5 click-points. Since participants could log in from anywhere, screen size a... |