Abstract
Design of the user interface for authentication systems influences users and may encourage either secure or insecure behaviour. Using data from four different but closely related click-based graphical password studies, we show that user-selected passwords vary considerably in their predictability. Our post-hoc analysis looks at click-point patterns within passwords and shows that PassPoints passwords follow distinct patterns. Our analysis shows that many patterns appear across a range of images, thus motivating attacks which are independent of specific background images. Conversely, Cued Click-Points (CCP) and Persuasive Cued Click-Points (PCCP) passwords are nearly indistinguishable from those of a randomly generated simulated dataset. These results provide insight on modeling effective password spaces and on how user interface characteristics lead to more (or less) security resulting from user behaviour.
References
Blonder, G.E.: Graphical Passwords. United States Patent 5,559,961 (1996)
Britton, I.: http://freefoto.com (2007). Last accessed April 2009
Chiasson, S.: Usable authentication and click-based graphical passwords. Ph.D. Thesis, School of Computer Science, Carleton University, Ottawa, Canada (2008)
Chiasson, S., Forget, A., Biddle, R., van Oorschot, P.C.: Influencing users towards better passwords: Persuasive Cued Click-Points. In: HCI 2008. British Computer Society (2008)
Chiasson, S., Biddle, R., van Oorschot, P.C.: A second look at the usability of click-based graphical passwords. In: ACM Symposium on Usable Privacy and Security (SOUPS) (2007)
Chiasson, S., van Oorschot, P.C., Biddle, R.: Graphical password authentication using Cued Click Points. In: European Symposium on Research in Computer Security (ESORICS). LNCS, vol. 4734, pp. 359–374 (2007)
Davis, D., Monrose, F., Reiter, M.K.: On user choice in graphical password schemes. In: 13th USENIX Security Symposium (2004)
Dirik, A.E., Memon, N., Birget, J.C.: Modeling user choice in the PassPoints graphical password scheme. In: ACM Symposium on Usable Privacy and Security (SOUPS) (2007)
Dunphy, P., Yan, J.: Do background images improve "Draw a Secret" graphical passwords? In: ACM Conference on Computer and Communications Security (CCS) (2007)
Florencio, D., Herley, C.: A large-scale study of web password habits. In: ACM International World Wide Web Conference (WWW), pp. 657–666 (2007)
FreeImages.com. http://www.freeimages.com (2008). Last accessed April 2009
Goldstein, E.B.: Cognitive Psychology. Wadsworth Publishing, Belmont, pp. 150–161 (2006)
Golofit, K.: Click passwords under investigation. In: European Symposium on Research in Computer Security (ESORICS). LNCS, vol. 4734, pp. 343–358 (2007)
Ihaka, R., Gentleman, R.: R: A language for data analysis and graphics. J. Comput. Graph. Stat. 5(3), 299–314 (1996)
Jermyn, I., Mayer, A., Monrose, F., Reiter, M.K., Rubin, A.D.: The design and analysis of graphical passwords. In: 8th USENIX Security Symposium (1999)
Kuo, C., Romanosky, S., Cranor, L.F.: Human selection of mnemonic phrase-based passwords. In: ACM Symposium on Usable Privacy and Security (SOUPS) (2006)
Passfaces. http://www.realuser.com (2006). Last accessed April 2009
Peters, M.: Revised Vandenberg and Kuse mental rotations tests: forms MRT-A to MRT-D. Technical Report, Department of Psychology, University of Guelph (1995)
PD Photo. http://pdphoto.org/ (2007). Last accessed April 2009
Salehi-Abari, A., Thorpe, J., van Oorschot, P.C.: On purely automated attacks and click-based graphical passwords. In: 24th Annual Computer Security Applications Conference (ACSAC) (2008)
St. Clair, L., Johansen, L., Enck, W., Pirretti, M., Traynor, P., McDaniel, P., Jaeger, T.: Password exhaustion: predicting the end of password usefulness. In: International Conference on Information Systems Security (ICISS). Springer, Heidelberg, pp. 37–55 (2006)
Tao, H.: Pass-Go, a new graphical password scheme. M.S. Thesis, School of Information Technology and Engineering, University of Ottawa, Canada (2006)
Thorpe, J., van Oorschot, P.C.: Human-seeded attacks and exploiting hot-spots in graphical passwords. In: 16th USENIX Security Symposium (2007)
van Oorschot, P.C., Thorpe, J.: On predictive models and user-drawn graphical passwords. ACM Trans. Inf. Syst. Secur. (TISSEC) 10(4), Article 17, 1–33 (2008)
van Oorschot, P.C., Thorpe, J.: On Predicting and Exploiting Hot-Spots in Click-Based Graphical Passwords. School of Computer Science, Carleton University Technical Report TR-08-21, November (2008)
Wiedenbeck, S., Birget, J.C., Brodskiy, A., Memon, N.: Authentication using graphical passwords: effects of tolerance and image choice. In: ACM Symposium on Usable Privacy and Security (SOUPS) (2005)
Wiedenbeck, S., Waters, J., Birget, J.C., Brodskiy, A., Memon, N.: PassPoints: design and longitudinal evaluation of a graphical password system. Int. J. Hum. Comput. Stud. 63, 102–127 (2005)
Additional information
The results of this paper first appeared in preliminary form as Technical Report TR-08-14 (16 June 2008), School of Computer Science, Carleton University, and in S. Chiasson’s PhD thesis [3].
Cite this article
Chiasson, S., Forget, A., Biddle, R. et al. User interface design affects security: patterns in click-based graphical passwords. Int. J. Inf. Secur. 8, 387–398 (2009). https://doi.org/10.1007/s10207-009-0080-7