Conference Paper

On Purely Automated Attacks and Click-Based Graphical Passwords.

DOI: 10.1109/ACSAC.2008.18 Conference: Twenty-Fourth Annual Computer Security Applications Conference, ACSAC 2008, Anaheim, California, USA, 8-12 December 2008
Source: DBLP

ABSTRACT We present and evaluate various methods for purely automated attacks against click-based graphical passwords. Our purely automated methods combine click-order heuristics with focus-of-attention scan-paths generated from a computational model of visual attention. Our method results in a significantly better automated attack than previous work, guessing 8-15% of passwords for two representative images using dictionaries of less than 2^24.6 entries, and about 16% of passwords on each of these images using dictionaries of less than 2^31.4 entries (where the full password space is 2^43). Relaxing our click-order pattern substantially increased the efficacy of our attack, albeit with larger dictionaries of 2^34.7 entries, allowing attacks that guessed 48-54% of passwords (compared to previous results of 0.9% and 9.1% on the same two images with 2^35 guesses). These latter automated attacks are independent of focus-of-attention models, and are based on image-independent guessing patterns. Our results show that automated attacks, which are easier to arrange than human-seeded attacks and are more scalable to systems that use multiple images, pose a significant threat.

  • ABSTRACT: Discretization is a standard technique used in click-based graphical passwords for tolerating input variance so that approximately correct passwords are accepted by the system. In this paper, we show for the first time that two representative discretization schemes leak a significant amount of password information, undermining the security of such graphical passwords. We exploit such information leakage for successful dictionary attacks on Persuasive Cued Click Points (PCCP), which is to date the most secure click-based graphical password scheme and was considered to be resistant to such attacks. In our experiments, our purely automated attack successfully guessed 69.2% of the passwords when Centered Discretization was used to implement PCCP, and 39.4% of the passwords when Robust Discretization was used. Each attack dictionary we used was of approximately 2^35 entries, whereas the full password space was of 2^43 entries. For Centered Discretization, our attack still successfully guessed 50% of the passwords when the dictionary size was reduced to approximately 2^30 entries. Our attack is also applicable to common implementations of other click-based graphical password systems such as PassPoints and Cued Click Points -- both have been extensively studied in the research communities.
    Proceedings of the 22nd international conference on World Wide Web; 05/2013
  • ABSTRACT: We propose a Completely Automated Public Turing Test to Tell Computers and Humans Apart scheme based on a human's understanding of real world objects and their relative distances. Solving this CAPTCHA involves answering about the relative distances of objects present in an image. What is subtle to humans may not be so to computing machines. As an object moves farther away from the point of perception, its size decreases. But equipped with only the information on size, a decision cannot be made on its position from the point of perception. The real world knowledge on the object dimensions is essential since both a big and small object near the perception point will appear big and cannot be differentiated. This ability of humans, aided with experience, is a unique feature and would thus serve to distinguish them from computers. The queries on the CAPTCHA may include: "who stands behind whom", "which is nearer" or "which is larger in real life".
    Intelligent Human Computer Interaction (IHCI), 2012 4th International Conference on; 01/2012
  • ABSTRACT: The fact that users struggle to keep up with all their (textual) passwords is no secret. Thus, one could argue that the textual password needs to be replaced. One alternative is graphical authentication. A wide range of graphical mechanisms have been proposed in the research literature. Yet, the industry has not embraced these alternatives. Nowadays we use (textual) passwords several times a day to mediate access to protected resources and to ensure that accountability is facilitated. Consequently, the main aspect of interest to decision-makers is the strength of an authentication mechanism to resist intrusion attempts. Yet, researchers proposing alternative mechanisms have primarily focused on the users' need for superior usability, while the strength of the mechanisms often remains unknown to the decision-makers. In this paper we describe a range of graphical authentication mechanisms and consider how much strength they exhibit in comparison to the textual password. As basic criteria for this comparison, we use the standard guessability, observability and recordability metrics proposed by De Angeli et al. in 2005. The intention of this paper is to provide a better understanding of the potential for graphical mechanisms to be equal to, or superior to, the password in terms of meeting its most basic requirement, namely resisting intrusion attempts.
    Computer Science and Information Systems (FedCSIS), 2013 Federated Conference on; 01/2013
