Protection Aspects of Iconic Passwords on Mobile Devices

  • Alexandre Braga
  • Rafael Cividanes
  • Ismael Ávila
  • Claudia Tambascia
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7672)


Graphical passwords can replace alphanumeric passwords when the data entry device is a touchscreen rather than a keyboard, as is the case for modern mobile devices (smartphones and tablets). However, misinterpretations of the security of graphical passwords compared to textual ones can lead to insecure systems. This paper outlines a set of security best practices concerning the design of icon-based authentication mechanisms. The best practices have been derived from a behavioral study on the usability of a prototype. The paper also proposes methods for quality control of icon-based passwords and for protecting them against brute-force attacks.


Keywords: Mobile security, Authentication mechanisms, Graphical passwords





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Alexandre Braga (1)
  • Rafael Cividanes (1)
  • Ismael Ávila (1)
  • Claudia Tambascia (1)

  1. CPqD – Centro de Pesquisa e Desenvolvimento em Telecomunicações, Campinas, Brazil
