Quantifying the Effect of Graphical Password Guidelines for Better Security

  • Mohd Jali
  • Steven Furnell
  • Paul Dowland
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 354)


Authentication using images, or graphical passwords, is one of the possible alternatives to traditional password-based authentication. This study investigates the practicality of giving guidelines or advice to users before they start choosing their image passwords, the effectiveness of using a smaller tolerance (clickable areas), and the optimum combination of click and image passwords. To achieve these aims, an alternative graphical prototype known as the Enhanced Graphical Authentication Scheme (EGAS) was developed, which implemented two different types of data collection (internal and external). The findings from both the internal and external groups indicated that the implementation of guidelines alone cannot guarantee the security of image passwords created by participants; in combination with other usability measurements, however, this study has shown positive outcomes.


Keywords: Graphical passwords, Authentication, Usability, Security, HCI



Copyright information

© IFIP International Federation for Information Processing 2011

Authors and Affiliations

  • Mohd Jali (1, 3)
  • Steven Furnell (1, 2)
  • Paul Dowland (1)
  1. Centre for Security, Communications and Network Research (CSCAN), University of Plymouth, Plymouth, UK
  2. School of Computer & Security Science, Edith Cowan University, Perth, Western Australia
  3. Faculty of Science & Technology, Universiti Sains Islam Malaysia, Nilai, Malaysia
