
User interface design affects security: patterns in click-based graphical passwords

  • Regular Contribution
International Journal of Information Security

Abstract

Design of the user interface for authentication systems influences users and may encourage either secure or insecure behaviour. Using data from four different but closely related click-based graphical password studies, we show that user-selected passwords vary considerably in their predictability. Our post-hoc analysis looks at click-point patterns within passwords and shows that PassPoints passwords follow distinct patterns. Our analysis shows that many patterns appear across a range of images, thus motivating attacks which are independent of specific background images. Conversely, Cued Click-Points (CCP) and Persuasive Cued Click-Points (PCCP) passwords are nearly indistinguishable from those of a randomly generated simulated dataset. These results provide insight on modeling effective password spaces and on how user interface characteristics lead to more (or less) security resulting from user behaviour.

References

  1. Blonder, G.E.: Graphical Passwords. United States Patent 5,559,961 (1996)

  2. Britton, I.: http://freefoto.com (2007). Last accessed April 2009

  3. Chiasson, S.: Usable authentication and click-based graphical passwords. Ph.D. Thesis, School of Computer Science, Carleton University, Ottawa, Canada (2008)

  4. Chiasson, S., Forget, A., Biddle, R., van Oorschot, P.C.: Influencing Users Towards Better Passwords: Persuasive Cued Click-Points. HCI 2008. British Computer Society, September (2008)

  5. Chiasson, S., Biddle, R., van Oorschot, P.C.: A second look at the usability of click-based graphical passwords. In: ACM Symposium on Usable Privacy and Security (SOUPS) (2007)

  6. Chiasson, S., van Oorschot, P.C., Biddle, R.: Graphical password authentication using Cued Click Points. In: European Symposium on Research in Computer Security (ESORICS). LNCS, vol. 4734, pp. 359–374 (2007)

  7. Davis, D., Monrose, F., Reiter, M.K.: On user choice in graphical password schemes. In: 13th USENIX Security Symposium (2004)

  8. Dirik, A.E., Memon, N., Birget, J.C.: Modeling user choice in the PassPoints graphical password scheme. In: ACM Symposium on Usable Privacy and Security (SOUPS) (2007)

  9. Dunphy, P., Yan, J.: Do Background Images Improve “Draw a Secret” Graphical Passwords? ACM Computer and Communications Security (CCS) (2007)

  10. Florencio, D., Herley, C.: A large-scale study of web password habits. In: ACM International World Wide Web Conference (WWW), pp. 657–666 (2007)

  11. FreeImages.com. http://www.freeimages.com (2008). Last accessed April 2009

  12. Goldstein, E.B.: Cognitive Psychology. Wadsworth Publishing, Belmont, pp. 150–161 (2006)

  13. Golofit, K.: Click passwords under investigation. In: European Symposium on Research in Computer Security (ESORICS). LNCS, vol. 4734, pp. 343–358 (2007)

  14. Ihaka, R., Gentleman, R.: R: A language for data analysis and graphics. J. Comput. Graph. Stat. 5(3), 299–314 (1996)

  15. Jermyn, I., Mayer, A., Monrose, F., Reiter, M.K., Rubin, A.D.: The design and analysis of graphical passwords. In: 8th USENIX Security Symposium (1999)

  16. Kuo, C., Romanosky, S., Cranor, L.F.: Human selection of mnemonic phrase-based passwords. In: ACM Symposium on Usable Privacy and Security (SOUPS) (2006)

  17. Passfaces. http://www.realuser.com (2006). Last accessed April 2009

  18. Peters, M.: Revised Vandenberg and Kuse mental rotations tests: forms MRT-A to MRT-D. Technical Report, Department of Psychology, University of Guelph (1995)

  19. PD Photo. http://pdphoto.org/ (2007). Last accessed April 2009

  20. Salehi-Abari, A., Thorpe, J., van Oorschot, P.C.: On purely automated attacks and click-based graphical passwords. In: 24th Annual Computer Security Applications Conference (ACSAC) (2008)

  21. St. Clair, L., Johansen, L., Enck, W., Pirretti, M., Traynor, P., McDaniel, P., Jaeger, T.: Password exhaustion: predicting the end of password usefulness. In: International Conference on Information Systems Security (ICISS). Springer, Heidelberg, pp. 37–55 (2006)

  22. Tao, H.: Pass-Go, a new graphical password scheme. M.S. Thesis, School of Information Technology and Engineering, University of Ottawa, Canada (2006)

  23. Thorpe, J., van Oorschot, P.C.: Human-seeded attacks and exploiting hot-spots in graphical passwords. In: 16th USENIX Security Symposium (2007)

  24. van Oorschot, P.C., Thorpe, J.: On predictive models and user-drawn graphical passwords. ACM Trans. Inf. Syst. Secur. (TISSEC) 10(4), Article 17, 1–33 (2008)

  25. van Oorschot, P.C., Thorpe, J.: On Predicting and Exploiting Hot-Spots in Click-Based Graphical Passwords. School of Computer Science, Carleton University Technical Report TR-08-21, November (2008)

  26. Wiedenbeck, S., Birget, J.C., Brodskiy, A., Memon, N.: Authentication using graphical passwords: effects of tolerance and image choice. In: ACM Symposium on Usable Privacy and Security (SOUPS) (2005)

  27. Wiedenbeck, S., Waters, J., Birget, J.C., Brodskiy, A., Memon, N.: PassPoints: design and longitudinal evaluation of a graphical password system. Int. J. Hum. Comput. Stud. 63, 102–127 (2005)

Corresponding author

Correspondence to Sonia Chiasson.

Additional information

The results of this paper first appeared in preliminary form as Technical Report TR-08-14 (16 June 2008), School of Computer Science, Carleton University, and in S. Chiasson’s PhD thesis [3].

About this article

Cite this article

Chiasson, S., Forget, A., Biddle, R. et al. User interface design affects security: patterns in click-based graphical passwords. Int. J. Inf. Secur. 8, 387–398 (2009). https://doi.org/10.1007/s10207-009-0080-7

  • DOI: https://doi.org/10.1007/s10207-009-0080-7
