, Volume 8, Issue 6, pp 387-398
Date: 08 May 2009

User interface design affects security: patterns in click-based graphical passwords

Rent the article at a discount

Rent now

* Final gross prices may vary according to local VAT.

Get Access

Abstract

Design of the user interface for authentication systems influences users and may encourage either secure or insecure behaviour. Using data from four different but closely related click-based graphical password studies, we show that user-selected passwords vary considerably in their predictability. Our post-hoc analysis looks at click-point patterns within passwords and shows that PassPoints passwords follow distinct patterns. Our analysis shows that many patterns appear across a range of images, thus motivating attacks which are independent of specific background images. Conversely, Cued Click-Points (CCP) and Persuasive Cued Click-Points (PCCP) passwords are nearly indistinguishable from those of a randomly generated simulated dataset. These results provide insight on modeling effective password spaces and on how user interface characteristics lead to more (or less) security resulting from user behaviour.

The results of this paper first appeared in preliminary form as Technical Report TR-08-14 (16 June 2008), School of Computer Science, Carleton University, and in S. Chiasson’s PhD thesis [3].