Abstract
Picture gesture authentication has recently been introduced as an alternative login experience to text-based passwords on touch-screen devices. In particular, the newly released Microsoft Windows 8™ operating system adopts this alternative authentication to complement its traditional text-based authentication. We present an empirical analysis of picture gesture authentication on more than 10,000 picture passwords collected from more than 800 subjects through online user studies. Based on the findings of our user studies, we propose a novel attack framework that is capable of cracking passwords on previously unseen pictures in a picture gesture authentication system. Our approach is based on the concept of a selection function, which models users' thought processes in selecting picture passwords. Our evaluation results show that the proposed approach can crack a considerable portion of picture passwords under different settings. Based on the empirical analysis and attack results, we comparatively evaluate picture gesture authentication using a set of criteria for a better understanding of its advantages and limitations.
Picture Gesture Authentication: Empirical Analysis, Automated Attacks, and Scheme Evaluation