Article

Exploiting Predictability in Click-based Graphical Passwords

Journal of Computer Security 02/2011; 19(4):669-702. DOI: 10.3233/JCS-2010-0411
Source: DBLP

ABSTRACT

We provide an in-depth study of the security of click-based graphical password schemes like PassPoints (Wiedenbeck et al., 2005), by exploring popular points (hot-spots), and examining strategies to predict and exploit them in guessing attacks. We report on both short- and long-term user studies: one lab-controlled, involving 43 users and 17 diverse images, the other a field test of 223 user accounts. We provide empirical evidence that hot-spots do exist for many images, some more so than others. We explore the use of "human-computation" (in this context, harvesting click-points from a small set of users) to predict these hot-spots. We generate two "human-seeded" attacks based on this method: one based on a first-order Markov model, another based on an independent probability model. Within 100 guesses, our first-order Markov model-based attack finds 4% of passwords in one image's data set, and 10% of passwords in a second image's data set. Our independent model-based attack finds 20% within 2^33 guesses in one image's data set and 36% within 2^31 guesses in a second image's data set. These are all for a system whose full password space has cardinality 2^43. We evaluate our first-order Markov model-based attack with cross-validation of the field study data, which finds an average of 7-10% of user passwords within 3 guesses. We also begin to explore some click-order pattern attacks, which we found improve on our independent model-based attacks. Our results suggest that these graphical password schemes (with parameters as originally proposed) are vulnerable to offline and online attacks, even on systems that implement conservative lock-out policies.
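The abstract describes the two human-seeded attacks only in outline. The following is an added example (not code from the paper or from the PassPoints authors) of how such a guessing dictionary is built: click-points harvested from a small seed population are quantized to tolerance-grid cells, an independent model scores a candidate password by the product of per-cell popularity, and a first-order Markov model scores it by the first cell's popularity times the click-to-click transition probabilities, so that click order matters. The image size (451x331 px), 19x19 px tolerance square and 5-click password are assumptions chosen to give the 2^43 space the abstract quotes; all seed and target click data is constructed, not measured.

```python
"""Human-seeded hot-spot guessing against a PassPoints-style scheme.

Added example, not code from the paper. Assumed (not from the source):
451x331 px image, 19x19 px tolerance squares, 5 clicks per password.
Every click-point below is constructed for illustration only.
"""
from collections import Counter, defaultdict
from fractions import Fraction
from itertools import permutations

IMG_W, IMG_H, TOL, CLICKS = 451, 331, 19, 5
N_CELLS = (IMG_W // TOL + 1) * (IMG_H // TOL + 1)  # 432 tolerance-grid cells


def to_cell(point):
    """Quantize a pixel click to its tolerance-grid cell (col, row)."""
    x, y = point
    return (x // TOL, y // TOL)


def cell_password(points):
    return tuple(to_cell(p) for p in points)


# Constructed "harvested" passwords from a small seed population: the
# human-computation step. Real data would come from a lab study.
SEED = [
    [(40, 50), (200, 120), (300, 300), (120, 220), (420, 30)],
    [(42, 55), (205, 118), (302, 298), (118, 225), (418, 33)],
    [(38, 52), (198, 125), (120, 222), (300, 301), (425, 28)],
    [(205, 115), (40, 48), (300, 295), (121, 219), (60, 300)],
    [(45, 50), (202, 122), (298, 300), (120, 215), (422, 35)],
    [(39, 54), (199, 121), (303, 299), (119, 225), (300, 150)],
]
SEED_CELLS = [cell_password(p) for p in SEED]


def click_counts(seed_cells):
    return Counter(c for pw in seed_cells for c in pw)


def hot_cells(seed_cells, k):
    """The k most-clicked cells: the candidate pool for both attacks."""
    return [c for c, _ in click_counts(seed_cells).most_common(k)]


def independent_score(seed_cells):
    """P(password) = product of per-cell P(cell), add-one smoothed over the
    grid. Exact Fractions keep ranking free of floating-point tie noise."""
    counts = click_counts(seed_cells)
    total = sum(counts.values()) + N_CELLS

    def score(pw):
        s = Fraction(1)
        for c in pw:
            s *= Fraction(counts[c] + 1, total)
        return s
    return score


def markov_score(seed_cells):
    """P(password) = P(first cell) * prod P(next cell | previous cell)."""
    first = Counter(pw[0] for pw in seed_cells)
    trans = defaultdict(Counter)
    for pw in seed_cells:
        for a, b in zip(pw, pw[1:]):
            trans[a][b] += 1

    def score(pw):
        s = Fraction(first[pw[0]] + 1, len(seed_cells) + N_CELLS)
        for a, b in zip(pw, pw[1:]):
            s *= Fraction(trans[a][b] + 1, sum(trans[a].values()) + N_CELLS)
        return s
    return score


def ranked_guesses(seed_cells, score_fn, top_cells=6):
    """Enumerate passwords over the hot-cell pool (distinct cells; users
    rarely click the same spot twice) ordered most-probable first."""
    pool = hot_cells(seed_cells, top_cells)
    return sorted(permutations(pool, CLICKS), key=score_fn, reverse=True)


def found_within(guesses, targets, budget):
    """Number of target passwords hit by the first `budget` guesses."""
    dictionary = set(guesses[:budget])
    return sum(1 for t in targets if t in dictionary)


# Constructed "field" passwords to attack: three follow the seed hot-spots
# (two in the popular order, one in a different order), one avoids them.
TARGETS = [
    cell_password([(41, 51), (201, 119), (301, 299), (119, 221), (421, 31)]),
    cell_password([(41, 51), (201, 119), (301, 299), (119, 221), (61, 299)]),
    cell_password([(41, 51), (201, 119), (119, 221), (301, 299), (421, 31)]),
    cell_password([(380, 200), (90, 90), (250, 40), (30, 310), (440, 160)]),
]

if __name__ == "__main__":
    for name, fn in (("independent", independent_score), ("markov", markov_score)):
        guesses = ranked_guesses(SEED_CELLS, fn(SEED_CELLS))
        print(name, [found_within(guesses, TARGETS, b) for b in (1, 10, 121)])
```

On this constructed data the independent model ranks every ordering of the five hottest cells equally, so a password that uses them in an unusual order is found early but one that swaps in the sixth-hottest cell is pushed past 120 guesses; the Markov model keys on the common click order and finds both within its first two guesses. Nothing finds the password that avoids the hot-spots, which is the defender's side of the same observation. The paper's dictionaries run to 2^31 and beyond, so a real attack replaces the exhaustive permutation over six cells with a best-first enumeration over the whole grid.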

  • Source
• "Images contain hotspots [7], [8], i.e., spots likely selected in creating passwords. Hotspots were exploited to mount successful guessing attacks on PassPoints [8]–[11]: a significant portion of passwords were broken with dictionaries of 2^26 to 2^35 entries, as compared to the full space of 2^43 passwords."
    Dataset: published

    Full-text · Dataset · Jul 2014