Conference Paper

On Purely Automated Attacks and Click-Based Graphical Passwords.

DOI: 10.1109/ACSAC.2008.18 Conference: Twenty-Fourth Annual Computer Security Applications Conference, ACSAC 2008, Anaheim, California, USA, 8-12 December 2008
Source: DBLP

ABSTRACT: We present and evaluate various methods for purely automated attacks against click-based graphical passwords. Our purely automated methods combine click-order heuristics with focus-of-attention scan-paths generated from a computational model of visual attention. Our method results in a significantly better automated attack than previous work, guessing 8-15% of passwords for two representative images using dictionaries of less than 2^24.6 entries, and about 16% of passwords on each of these images using dictionaries of less than 2^31.4 entries (where the full password space is 2^43). Relaxing our click-order pattern substantially increased the efficacy of our attack albeit with larger dictionaries of 2^34.7 entries, allowing attacks that guessed 48-54% of passwords (compared to previous results of 0.9% and 9.1% on the same two images with 2^35 guesses). These latter automated attacks are independent of focus-of-attention models, and are based on image-independent guessing patterns. Our results show that automated attacks, which are easier to arrange than human-seeded attacks and are more scalable to systems that use multiple images, pose a significant threat.

  • Source
    ABSTRACT: Shoulder-surfing is a known risk where an attacker can capture a password by direct observation or by recording the authentication session. Due to the visual interface, this problem has become exacerbated in graphical passwords. There have been some graphical schemes resistant or immune to shoulder-surfing, but they have significant usability drawbacks, usually in the time and effort to log in. In this paper, we propose and evaluate a new shoulder-surfing resistant scheme which has a desirable usability for PDAs. Our inspiration comes from the drawing input method in DAS and the association mnemonics in Story for sequence retrieval. The new scheme requires users to draw a curve across their password images in order rather than click directly on them. The drawing input trick, along with the complementary measures such as erasing the drawing trace, displaying degraded images, and starting and ending with randomly designated images, provides good resistance to shoulder-surfing. A preliminary user study showed that users were able to enter their passwords accurately and to remember them over time.
  • Source
    ABSTRACT: Computing devices with touch-screens have experienced unprecedented growth in recent years. Such an evolutionary advance has been facilitated by various applications that rely heavily on multi-touch gestures. In addition, picture gesture authentication has been recently introduced as an alternative login experience to text-based passwords on such devices. In particular, the new Microsoft Windows 8 operating system adopts such an alternative authentication to complement traditional text-based authentication. In this paper, we present an empirical analysis of picture gesture authentication on more than 10,000 picture passwords collected from over 800 subjects through online user studies. Based on the findings of our user studies, we also propose a novel attack framework that is capable of cracking passwords on previously unseen pictures in a picture gesture authentication system. Our approach is based on the concept of a selection function that models users' password selection processes. Our evaluation results show the proposed approach could crack a considerable portion of collected picture passwords under different settings.
    22nd USENIX Security Symposium; 08/2013
  • Source
    ABSTRACT: Discretization is a standard technique used in click-based graphical passwords for tolerating input variance so that approximately correct passwords are accepted by the system. In this paper, we show for the first time that two representative discretization schemes leak a significant amount of password information, undermining the security of such graphical passwords. We exploit such information leakage for successful dictionary attacks on Persuasive Cued Click Points (PCCP), which is to date the most secure click-based graphical password scheme and was considered to be resistant to such attacks. In our experiments, our purely automated attack successfully guessed 69.2% of the passwords when Centered Discretization was used to implement PCCP, and 39.4% of the passwords when Robust Discretization was used. Each attack dictionary we used was of approximately 2^35 entries, whereas the full password space was of 2^43 entries. For Centered Discretization, our attack still successfully guessed 50% of the passwords when the dictionary size was reduced to approximately 2^30 entries. Our attack is also applicable to common implementations of other click-based graphical password systems such as PassPoints and Cued Click Points -- both have been extensively studied in the research communities.
    Proceedings of the 22nd international conference on World Wide Web; 05/2013