Predicting Graphical Passwords

  • Matthieu Devlin
  • Jason R. C. Nurse
  • Duncan Hodges
  • Michael Goldsmith
  • Sadie Creese
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9190)


Over the last decade, the popularity of graphical passwords has increased tremendously. They can now be found on various devices and systems, including platforms such as the Windows 8 and Android operating systems. In this paper, we focus on the PassPoints graphical-password scheme and investigate the extent to which these passwords might be predicted based on knowledge of the individual (e.g., their age, gender, education, learning style). We are particularly interested in understanding whether graphical passwords may suffer the same weaknesses as textual passwords, which are often strongly correlated with an individual using memorable information (such as the individuals' spouses, pets, preferred sports teams, children, and so on). This paper also introduces a novel metric for graphical-password strength to provide feedback to an individual without the requirement of knowing the image or having password statistics a priori.


  • Graphical passwords
  • PassPoints scheme
  • User characteristics
  • Usable security
  • Password-strength metric



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Matthieu Devlin (1)
  • Jason R. C. Nurse (1), email author
  • Duncan Hodges (2)
  • Michael Goldsmith (1)
  • Sadie Creese (1)

  1. Cyber Security Centre, Department of Computer Science, University of Oxford, Oxford, UK
  2. Centre for Cyber Security and Information Systems, Cranfield University, Cranfield, UK
