DOI: 10.1145/2660267.2660364
Research article, ACM CCS conference proceedings

Security Analyses of Click-based Graphical Passwords via Image Point Memorability

Published: 03 November 2014

ABSTRACT

We propose a novel concept and a model of image point memorability (IPM) for analyzing click-based graphical passwords that have been studied extensively in both the security and HCI communities. In our model, each point in an image is associated with a numeric index that indicates the point's memorability level. This index can be approximated either by automatic computer vision algorithms or via human assistance. Using our model, we can rank-order image points by their relative memorability with a decent accuracy. We show that the IPM model has both defensive and offensive applications. On the one hand, we apply the model to generate high-quality graphical honeywords. This is the first work on honeywords for graphical passwords, whereas all previous methods are only for generating text honeywords and thus inapplicable. On the other hand, we use the IPM model to develop the first successful dictionary attacks on Persuasive Cued Click Points (PCCP), which is the state-of-the-art click-based graphical password scheme and robust to all prior dictionary attacks. We show that the probability distribution of PCCP passwords is seriously biased when it is examined with the lens of the IPM model. Although PCCP was designed to generate random passwords, its effective password space as we measured can be as small as 30.58 bits, which is substantially weaker than its theoretical and commonly believed strength (43 bits). The IPM model is applicable to all click-based graphical password schemes, and our analyses can be extended to other graphical passwords as well.
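An added illustration of the two uses of the IPM model described in the abstract, not code from the paper: points of a small constructed image grid are rank-ordered by a memorability index, the Shannon entropy of a memorability-weighted click distribution is compared against the uniform (theoretical) password space, and decoy click-point passwords (graphical honeywords) are drawn from that same distribution. The grid size, the index values and the proportional-choice user model are assumptions; the paper's own measurement of effective password space is not reproduced.

```python
import math
import random

# Constructed example: an image discretized into 6x4 = 24 tolerance cells
# (real PCCP images have far more cells; these values are made up).
CLICKS = 5  # a PCCP password is a sequence of five click-points

# Constructed memorability index per cell (row-major), scaled to [0, 1];
# in the paper this index comes from vision algorithms or human assistance.
IPM = [
    0.02, 0.05, 0.90, 0.85, 0.04, 0.01,
    0.03, 0.60, 0.95, 0.70, 0.05, 0.02,
    0.01, 0.10, 0.30, 0.20, 0.03, 0.01,
    0.01, 0.02, 0.05, 0.04, 0.02, 0.01,
]

def rank_points(ipm):
    """Cell indices ordered from most to least memorable."""
    return sorted(range(len(ipm)), key=lambda i: ipm[i], reverse=True)

def click_distribution(ipm):
    """Assumed user model: a cell is clicked with probability proportional to its IPM."""
    total = sum(ipm)
    return [v / total for v in ipm]

def theoretical_bits(cells, clicks):
    """Password space when every cell is equally likely for every click."""
    return clicks * math.log2(cells)

def effective_bits(ipm, clicks):
    """Shannon entropy of the memorability-biased per-click distribution, times the
    number of clicks (an illustrative proxy for the paper's effective-space measure)."""
    p = click_distribution(ipm)
    per_click = -sum(x * math.log2(x) for x in p if x > 0)
    return clicks * per_click

def graphical_honeywords(ipm, real, n, rng):
    """Decoy click-point passwords drawn from the same memorability-weighted
    distribution as genuine passwords, so memorability alone does not expose the
    real one among the decoys."""
    weights = click_distribution(ipm)
    decoys = set()
    while len(decoys) < n:
        cand = tuple(rng.choices(range(len(ipm)), weights=weights, k=len(real)))
        if cand != real:
            decoys.add(cand)
    return sorted(decoys)
```

Comparing effective_bits(IPM, CLICKS) with theoretical_bits(len(IPM), CLICKS) on a candidate image is one way a deployment could screen out images whose memorable points concentrate user choice too strongly.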

