Authentication Schemes - Comparison and Effective Password Spaces

  • Peter Mayer
  • Melanie Volkamer
  • Michaela Kauer
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8880)


Text passwords are ubiquitous in authentication. Despite this ubiquity, they have been the target of much criticism. One alternative to the pure recall text passwords are graphical authentication schemes. The different proposed schemes harness the vast visual memory of the human brain and exploit cued-recall as well as recognition in addition to pure recall. While graphical authentication in general is promising, basic research is required to better understand which schemes are most appropriate for which scenario (incl. security model and frequency of usage). This paper presents a comparative study in which all schemes are configured to the same effective password space (as used by large Internet companies). The experiment includes both, cued-recall-based and recognition-based schemes. The results demonstrate that recognition-based schemes have the upper hand in terms of effectiveness and cued-recall-based schemes in terms of efficiency. Thus, depending on the scenario one or the other approach is more appropriate. Both types of schemes have lower reset rates than text passwords which might be of interest in scenarios with limited support capacities.


Usable Security Authentication Graphical Passwords 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Biddle, R., Chiasson, S., van Oorschot, P.C.: Graphical passwords: Learning from the first twelve years. CSUR 44(4) (August 2012)Google Scholar
  2. 2.
    Bonneau, J.: The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. In: Proc. IEEE S&P, pp. 538–552 (2012)Google Scholar
  3. 3.
    Bonneau, J., Preibusch, S.: The password thicket: technical and market failures in human authentication on the web. In: Proc. WEIS 2010 (June 2010)Google Scholar
  4. 4.
    Chiasson, S., Stobert, E., Forget, A., Biddle, R., van Oorschot, P.C.: Persuasive Cued Click-Points: Design, Implementation, and Evaluation of a Knowledge-Based Authentication Mechanism. IEEE Trans. on Dep. and Sec. Comp. 9(2), 222–235 (2012)CrossRefGoogle Scholar
  5. 5.
    Chiasson, S., Forget, A., Biddle, R., van Oorschot, P.C.: Influencing users towards better passwords: persuasive cued click-points. In: Proc. BCS-HCI 2008 (September 2008)Google Scholar
  6. 6.
    Chiasson, S., Forget, A., Stobert, E., van Oorschot, P.C., Biddle, R.: Multiple password interference in text passwords and click-based graphical passwords. In: Proc. CCS 2009, pp. 500–511. ACM (November 2009)Google Scholar
  7. 7.
    Davis, D., Monrose, F., Reiter, M.K.: On user choice in graphical password schemes. In: Proc. USENIX 2004, pp. 151–164 (2004)Google Scholar
  8. 8.
    Dhamija, R., Perrig, A.: Deja Vu: A user study using images for authentication. In: Proc. SSYM 2000, pp. 45–58 (2000)Google Scholar
  9. 9.
    Dirik, A.E., Memon, N., Birget, J.C.: Modeling user choice in the PassPoints graphical password scheme. In: Proc. SOUPS 2007, pp. 20–28 (2007)Google Scholar
  10. 10.
    Dunphy, P., Yan, J.: Is FacePIN secure and usable? In: Proc. SOUPS 2007 (July 2007)Google Scholar
  11. 11.
    Ellis, H.D.: Recognizing Faces. Brit. J. of Psychology 66(4), 409–426 (2011)CrossRefGoogle Scholar
  12. 12.
    Erceg-Hurn, D.M., Mirosevich, V.M.: Modern robust statistical methods: An easy way to maximize the accuracy and power of your research. American Psychologist 63(7), 591–601 (2008)CrossRefGoogle Scholar
  13. 13.
    Everitt, K.M., Bragin, T., Fogarty, J., Kohno, T.: A comprehensive study of frequency, interference, and training of multiple graphical passwords. In: Proc. CHI 2009, pp. 889–898 (2009)Google Scholar
  14. 14.
    Fahl, S., Harbach, M., Acar, Y., Smith, M.: On the ecological validity of a password study. In: Proc. SOUPS 2013, pp. 13:1–13:13 (2013)Google Scholar
  15. 15.
    Field, A., Miles, J., Field, Z.: Discovering Statistics Using R. SAGE Publications Limited (March 2012)Google Scholar
  16. 16.
    Florêncio, D., Herley, C.: A large-scale study of web password habits. In: Proc. WWW 2007, pp. 657–666 (2007)Google Scholar
  17. 17.
    Florêncio, D., Herley, C.: Where do security policies come from? In: Proc. SOUPS 2010 (2010)Google Scholar
  18. 18.
    Hlywa, M., Biddle, R., Patrick, A.S.: Facing the facts about image type in recognition-based graphical passwords. In: Proc. ACSAC 2011, pp. 149–158 (2011)Google Scholar
  19. 19.
    Ives, B., Walsh, K.R., Schneider, H.: The domino effect of password reuse. Comm. of the ACM 47(4), 75–78 (2004)CrossRefGoogle Scholar
  20. 20.
    Jermyn, I., Mayer, A., Monrose, F., Reiter, M.K., Rubin, A.D.: The design and analysis of graphical passwords. In: Proc. SSYM 1999 (1999)Google Scholar
  21. 21.
    Kelley, P.G., Komanduri, S., Mazurek, M.L., Shay, R., Vidas, T., Bauer, L., Christin, N., Cranor, L.F., Lopez, J.: Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms. In: Proc. IEEE S&P, pp. 523–537 (2012)Google Scholar
  22. 22.
    Komanduri, S., Shay, R., Kelley, P.G., Mazurek, M.L., Bauer, L., Christin, N., Cranor, L.F., Egelman, S.: Of Passwords and People: Measuring the Effect of Password-Composition Policies. In: Proc. CHI 2011, pp. 2595–2604 (2011)Google Scholar
  23. 23.
    Mulhall, E.F.: Experimental Studies in Recall and Recognition. Am. J. of Psych. 26(2), 217–228 (1915)CrossRefGoogle Scholar
  24. 24.
    Nali, D., Thorpe, J.: Analyzing user choice in graphical passwords. School of Comp. Sci. (2004)Google Scholar
  25. 25.
    Noguchi, K., Gel, Y.R., Brunner, E.: nparLD: An R Software Package for the Nonparametric Analysis of Longitudinal Data in Factorial Experiments. J. of Statistical Software 50(12) (September 2012)Google Scholar
  26. 26.
    Real User Corporation: The Science Behind Passfaces (July 2004)Google Scholar
  27. 27.
    Schaub, F., Walch, M., Könings, B., Weber, M.: Exploring The Design Space of Graphical Passwords on Smartphones. In: Proc. SOUPS 2013. ACM (July 2013)Google Scholar
  28. 28.
    Shay, R., Komanduri, S., Kelley, P.G., Leon, P.G., Mazurek, M.L., Bauer, L., Christin, N., Cranor, L.F.: Encountering Stronger Password Requirements: User Attitudes and Behaviors. In: Proc. SOUPS 2010 (July 2010)Google Scholar
  29. 29.
    Stobert, E., Biddle, R.: Memory retrieval and graphical passwords. In: Proc. SOUPS 2013. ACM Press, New York (2013)Google Scholar
  30. 30.
    Stobert, E., Forget, A., Chiasson, S., van Oorschot, P.C., Biddle, R.: Exploring Usability Effects of Increasing Security in Click-based Graphical Passwords. In: Proc. ACSAC 2010, pp. 79–88 (2010)Google Scholar
  31. 31.
    Suo, X., Zhu, Y., Owen, G.S.: Graphical Passwords: A Survey. In: Proc. ACSAC 2005 (2005)Google Scholar
  32. 32.
    Weinshall, D., Kirkpatrick, S.: Passwords you’ll never forget, but can’t recall. In: CHI EA 2004, pp. 1399–1402 (2004)Google Scholar
  33. 33.
    Weir, M., Aggarwal, S., Collins, M., Stern, H.: Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords. In: Proc. CCS 2010, pp. 162–175 (2010)Google Scholar
  34. 34.
    Wiedenbeck, S., Waters, J., Birget, J.C., Brodskiy, A., Memon, N.: Authentication Using Graphical Passwords: Effects of Tolerance and Image Choice. In: Proc. SOUPS 2005, pp. 1–12. ACM (2005)Google Scholar
  35. 35.
    Wiedenbeck, S., Waters, J., Birget, J.C., Brodskiy, A., Memon, N.: PassPoints: Design and longitudinal evaluation of a graphical password system. Int. J. of Hum.-Comp. Studies 63(1-2), 102–127 (2005)CrossRefGoogle Scholar
  36. 36.
    Wilcox, R.R.: Introduction to Robust Estimation & Hypothesis Testing, 3rd edn. Elsevier Academic Press (February 2012)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Peter Mayer
    • 1
  • Melanie Volkamer
    • 1
  • Michaela Kauer
    • 2
  1. 1.Center for Advanced Security Research DarmstadtTechnische Universität DarmstadtGermany
  2. 2.Institute of ErgonomicsTechnische Universität DarmstadtGermany

Personalised recommendations