User interface design affects security: patterns in click-based graphical passwords

  • Sonia Chiasson
  • Alain Forget
  • Robert Biddle
  • P. C. van Oorschot
Regular Contribution


Design of the user interface for authentication systems influences users and may encourage either secure or insecure behaviour. Using data from four different but closely related click-based graphical password studies, we show that user-selected passwords vary considerably in their predictability. Our post-hoc analysis looks at click-point patterns within passwords and shows that PassPoints passwords follow distinct patterns. Our analysis shows that many patterns appear across a range of images, thus motivating attacks which are independent of specific background images. Conversely, Cued Click-Points (CCP) and Persuasive Cued Click-Points (PCCP) passwords are nearly indistinguishable from those of a randomly generated simulated dataset. These results provide insight into modeling effective password spaces and into how user interface characteristics lead to more (or less) security resulting from user behaviour.
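The abstract describes the comparison at a high level: a pattern measure applied to user-chosen click-point sequences and to a uniformly random simulated dataset, with the gap between the two rates indicating how much predictability user behaviour introduces. The following is an added illustration, not code from the paper or its authors. It assumes an image size, five click-points per password, a constructed "user" dataset, and a hypothetical directional pattern test (the click sequence never reverses along x or never reverses along y); the paper's own pattern definitions are not on this page. The same test doubles as a proactive enrollment check that a defender could use to push users toward less patterned choices.

```python
"""Added example: toy pattern analysis for click-based graphical passwords.

Assumptions (not from the paper): image size, clicks per password, the
constructed user dataset and the directional pattern test defined here.
"""
import random
from typing import List, Sequence, Tuple

Point = Tuple[int, int]

IMAGE_W, IMAGE_H = 640, 480      # assumed image size in pixels
CLICKS_PER_PASSWORD = 5          # assumed number of click-points per password


def random_password(rng: random.Random, clicks: int = CLICKS_PER_PASSWORD) -> List[Point]:
    """One password of the simulated dataset: each click-point is drawn
    uniformly over the image, independently of any background content."""
    return [(rng.randrange(IMAGE_W), rng.randrange(IMAGE_H)) for _ in range(clicks)]


def simulated_dataset(rng: random.Random, n: int) -> List[List[Point]]:
    """n uniformly random passwords, the baseline that user data is compared against."""
    return [random_password(rng) for _ in range(n)]


def _monotone(values: Sequence[int]) -> bool:
    """True if the sequence never decreases or never increases."""
    pairs = list(zip(values, values[1:]))
    return all(a <= b for a, b in pairs) or all(a >= b for a, b in pairs)


def is_directional_pattern(points: Sequence[Point]) -> bool:
    """Hypothetical pattern test: the click sequence sweeps in one direction
    along the x axis (e.g. left to right) or along the y axis (e.g. top to
    bottom), without ever turning back.  For 5 distinct random points the
    chance of this is roughly 2/5! per axis, about 3% overall."""
    xs = [x for x, _ in points]
    ys = [y for _, y in points]
    return _monotone(xs) or _monotone(ys)


def pattern_rate(passwords: Sequence[Sequence[Point]]) -> float:
    """Fraction of passwords in a dataset that match the pattern test."""
    if not passwords:
        return 0.0
    return sum(is_directional_pattern(p) for p in passwords) / len(passwords)


def enrollment_check(points: Sequence[Point]) -> bool:
    """Defensive use of the same measure at password creation: accept only
    passwords with the right number of in-image clicks and no directional
    pattern, so users are nudged towards less predictable choices."""
    if len(points) != CLICKS_PER_PASSWORD:
        return False
    if any(not (0 <= x < IMAGE_W and 0 <= y < IMAGE_H) for x, y in points):
        return False
    return not is_directional_pattern(points)


# Constructed "user-chosen" dataset: four patterned sweeps and one scattered password.
USER_PASSWORDS: List[List[Point]] = [
    [(40, 100), (160, 110), (280, 95), (400, 120), (520, 105)],   # left-to-right sweep
    [(300, 30), (310, 120), (290, 210), (305, 300), (295, 390)],  # top-to-bottom sweep
    [(50, 50), (200, 150), (350, 250), (500, 350), (600, 450)],   # diagonal
    [(600, 400), (450, 300), (300, 200), (150, 100), (50, 40)],   # reverse diagonal
    [(120, 300), (500, 60), (200, 420), (610, 250), (60, 90)],    # scattered, no pattern
]


def compare_datasets(seed: int = 1, n_random: int = 5000) -> Tuple[float, float]:
    """Return (user pattern rate, simulated pattern rate)."""
    rng = random.Random(seed)
    return pattern_rate(USER_PASSWORDS), pattern_rate(simulated_dataset(rng, n_random))


if __name__ == "__main__":
    user_rate, random_rate = compare_datasets()
    print(f"user-chosen pattern rate:      {user_rate:.3f}")
    print(f"random simulated pattern rate: {random_rate:.3f}")
    for pw in USER_PASSWORDS:
        print(pw, "accepted" if enrollment_check(pw) else "rejected")
```

The interesting quantity is the ratio between the two rates: a scheme whose user-chosen passwords score close to the random baseline (as the abstract reports for CCP and PCCP) gains little from an image-independent pattern attack, while a large gap (as for PassPoints) is exactly the signal an attacker would exploit and an enrollment check should close.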


Keywords: Usable security; Graphical passwords; Authentication



Copyright information

© Springer-Verlag 2009

Authors and Affiliations

  • Sonia Chiasson (1)
  • Alain Forget (1)
  • Robert Biddle (1)
  • P. C. van Oorschot (2)
  1. School of Computer Science and Human Oriented Technology Lab, Carleton University, Ottawa, Canada
  2. School of Computer Science, Carleton University, Ottawa, Canada
