Conference Paper

On Purely Automated Attacks and Click-Based Graphical Passwords

DOI: 10.1109/ACSAC.2008.18 Conference: Twenty-Fourth Annual Computer Security Applications Conference, ACSAC 2008, Anaheim, California, USA, 8-12 December 2008
Source: DBLP


We present and evaluate various methods for purely automated attacks against click-based graphical passwords. Our purely automated methods combine click-order heuristics with focus-of-attention scan-paths generated from a computational model of visual attention. Our method results in a significantly better automated attack than previous work, guessing 8-15% of passwords for two representative images using dictionaries of less than 2^24.6 entries, and about 16% of passwords on each of these images using dictionaries of less than 2^31.4 entries (where the full password space is 2^43). Relaxing our click-order pattern substantially increased the efficacy of our attack albeit with larger dictionaries of 2^34.7 entries, allowing attacks that guessed 48-54% of passwords (compared to previous results of 0.9% and 9.1% on the same two images with 2^35 guesses). These latter automated attacks are independent of focus-of-attention models, and are based on image-independent guessing patterns. Our results show that automated attacks, which are easier to arrange than human-seeded attacks and are more scalable to systems that use multiple images, pose a significant threat.

  • "When explored further, memory interference was shown to be less problematic for PassPoints passwords than text passwords [Chiasson et al. 2009]. Later security analyses found it to be vulnerable to hotspots and simple geometric patterns within images [Golofit 2007; Dirik et al. 2007; Thorpe and van Oorschot 2007; Salehi-Abari et al. 2008; van Oorschot and Thorpe 2010; Chiasson et al. 2009], as elaborated in Section 9. Bicakci et al. [2009] conducted a lab study where PassPoints was used as the master password for a web-based password manager and concluded that it was more usable than an alphanumeric master password. Their implementation used a visible grid dividing the image into discrete sections rather than any of the aforementioned discretization methods."
    ABSTRACT: Starting around 1999, a great many graphical password schemes have been proposed as alternatives to text-based password authentication. We provide a comprehensive overview of published research in the area, covering both usability and security aspects, as well as system evaluation. The paper first catalogues existing approaches, highlighting novel features of selected schemes and identifying key usability or security advantages. We then review usability requirements for knowledge-based authentication as they apply to graphical passwords, identify security threats that such systems must address and review known attacks, discuss methodological issues related to empirical evaluation, and identify areas for further research and improved methodology.
    Article · Jan 2012 · ACM Computing Surveys
  • "In Iterative normalization, the neural network will find the next most salient area that has not been inhibited. We use LocalMax herein (Iterative was found to have inferior performance [28])."
    ABSTRACT: We introduce and evaluate various methods for purely automated attacks against PassPoints-style graphical passwords. For generating these attacks, we introduce a graph-based algorithm to efficiently create dictionaries based on heuristics such as click-order patterns (e.g., five points all along a line). Some of our methods combine click-order heuristics with focus-of-attention scan-paths generated from a computational model of visual attention, yielding significantly better automated attacks than previous work. One resulting automated attack finds 7%-16% of passwords for two representative images using dictionaries of approximately 2^26 entries (where the full password space is 2^43). Relaxing click-order patterns substantially increased the attack efficacy albeit with larger dictionaries of approximately 2^35 entries, allowing attacks that guessed 48%-54% of passwords (compared to previous results of 1% and 9% on the same dataset for two images with 2^35 guesses). These latter attacks are independent of focus-of-attention models, and are based on image-independent guessing patterns. Our results show that automated attacks, which are easier to arrange than human-seeded attacks and are more scalable to systems that use multiple images, require serious consideration when deploying basic PassPoints-style graphical passwords.
    Article · Oct 2010 · IEEE Transactions on Information Forensics and Security
  • "For instance in [3], it is conjectured that "the drawback of all such passwords based on image recognition is that only a small number of images can be displayed, e.g., nine images, one of which is a chosen image". Since then, several successful attacks on cued recall based schemes exploiting popular click locations called hotspots have been shown [22] [19] [7] that call into question the security of these schemes. Therefore we think it is time to question the above conjecture and revisit recognition based schemes and explore the possibility to increase their password spaces."
    ABSTRACT: Click-based graphical passwords that use background images suffer from the hot-spot problem. Previous graphical password schemes based on recognition of images do not have a sufficiently large password space suited for most Internet applications. In this paper, we propose two novel graphical password methods based on recognition of icons to solve the hotspot problem without decreasing the password space. The experiment we have conducted that compares the security and usability of the proposed methods with earlier work (i.e. PassPoints) shows that the hotspot problem can be eliminated if a small increase in password entrance and confirmation times is tolerable.
    Conference Paper · Jan 2009