Exploiting predictability in click-based graphical passwords.

Journal of Computer Security 01/2011; 19:669-702.
Source: DBLP

ABSTRACT: We provide an in-depth study of the security of click-based graphical password schemes like PassPoints (Wiedenbeck et al., 2005), by exploring popular points (hot-spots), and examining strategies to predict and exploit them in guessing attacks. We report on both short- and long-term user studies: one lab-controlled, involving 43 users and 17 diverse images, the other a field test of 223 user accounts. We provide empirical evidence that hot-spots do exist for many images, some more so than others. We explore the use of “human computation” (in this context, harvesting click-points from a small set of users) to predict these hot-spots. We generate two “human-seeded” attacks based on this method: one based on a first-order Markov model, another based on an independent probability model. Within 100 guesses, our first-order Markov model-based attack finds 4% of passwords in one image's data set, and 10% of passwords in a second image's data set. Our independent model-based attack finds 20% within 2^33 guesses in one image's data set and 36% within 2^31 guesses in a second image's data set. These are all for a system whose full password space has cardinality 2^43. We evaluate our first-order Markov model-based attack with cross-validation of the field study data, which finds an average of 7-10% of user passwords within 3 guesses. We also begin to explore some click-order pattern attacks, which we found improve on our independent model-based attacks. Our results suggest that these graphical password schemes (with parameters as originally proposed) are vulnerable to offline and online attacks, even on systems that implement conservative lock-out policies.

  • ABSTRACT: Computing devices with touch-screens have experienced unprecedented growth in recent years. Such an evolutionary advance has been facilitated by various applications that rely heavily on multi-touch gestures. In addition, picture gesture authentication has been recently introduced as an alternative login experience to text-based passwords on such devices. In particular, the new Microsoft Windows 8 operating system adopts such an alternative authentication to complement traditional text-based authentication. In this paper, we present an empirical analysis of picture gesture authentication on more than 10,000 picture passwords collected from over 800 subjects through online user studies. Based on the findings of our user studies, we also propose a novel attack framework that is capable of cracking passwords on previously unseen pictures in a picture gesture authentication system. Our approach is based on the concept of a selection function that models users' password selection processes. Our evaluation results show the proposed approach could crack a considerable portion of collected picture passwords under different settings.
    22nd USENIX Security Symposium; 08/2013
  • ABSTRACT: Graphical passwords were proposed as an alternative to overcome the inherent limitations of text-based passwords, inspired by research that shows that the graphical memory of humans is particularly well developed. A graphical password scheme that has been widely adopted is the Android Unlock Pattern, a special case of the Pass-Go scheme with grid size restricted to 3x3 points and restricted stroke count. In this paper, we study the security of Android unlock patterns. By performing a large-scale user study, we measure actual user choices of patterns instead of theoretical considerations on password spaces. From this data we construct a model based on Markov chains that enables us to quantify the strength of Android unlock patterns. We found empirically that there is a high bias in the pattern selection process, e.g., the upper left corner and three-point long straight lines are very typical selection strategies. Consequently, the entropy of patterns is rather low, and our results indicate that the security offered by the scheme is less than the security of only three-digit randomly-assigned PINs for guessing 20% of all passwords (i.e., we estimate a partial guessing entropy G_0.2 of 9.10 bit). Based on these insights, we systematically improve the scheme by finding a small, but still effective, change in the pattern layout that makes graphical user logins substantially more secure. By means of another user study, we show that some changes improve the security by more than doubling the space of actually used passwords (i.e., increasing the partial guessing entropy G_0.2 to 10.81 bit).
    Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security; 11/2013
  • ABSTRACT: Graphical passwords are an alternative form of authentication that use images for login, and leverage the picture superiority effect for good usability and memorability. Categories of graphical passwords have been distinguished on the basis of different kinds of memory retrieval (recall, cued-recall, and recognition). Psychological research suggests that leveraging recognition memory should be best, but this remains an open question in the password literature. This paper examines how different kinds of memory retrieval affect the memorability and usability of randomly assigned graphical passwords. A series of five studies of graphical and text passwords showed that participants were able to better remember recognition-based graphical passwords, but their usability was limited by slow login times. A graphical password scheme that leveraged recognition and recall memory was most successful at combining memorability and usability.
    Proceedings of the Ninth Symposium on Usable Privacy and Security; 07/2013