Abstract: We introduce and evaluate various methods for purely automated attacks against PassPoints-style graphical passwords. To generate these attacks, we introduce a graph-based algorithm that efficiently creates dictionaries based on heuristics such as click-order patterns (e.g., five points all along a line). Some of our methods combine click-order heuristics with focus-of-attention scan-paths generated by a computational model of visual attention, yielding significantly better automated attacks than previous work. One resulting automated attack finds 7-16% of passwords for two representative images using dictionaries of approximately 2^26 entries (where the full password space is 2^43). Relaxing the click-order patterns substantially increases attack efficacy, albeit with larger dictionaries of approximately 2^35 entries, allowing attacks that guess 48-54% of passwords (compared to previous results of 1% and 9% on the same dataset for the two images with 2^35 guesses). These latter attacks are independent of focus-of-attention models and are based on image-independent guessing patterns. Our results show that automated attacks, which are easier to arrange than human-seeded attacks and scale better to systems that use multiple images, pose a significant threat to basic PassPoints-style graphical passwords.
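The following is an added illustration of the dictionary-construction idea in the abstract, written for this page; it is not the authors' code and does not reproduce their dictionaries or numbers. It assumes a PassPoints-style scheme in which the image is discretised into a W x H grid of tolerance cells and a password is an ordered sequence of K cells (the 24 x 18 grid and K = 5 used in the `__main__` block are my own illustrative parameters). Cells are the nodes of a graph, a successor function is the edge relation for one click-order pattern, and the dictionary is the set of length-K paths found by depth-first search. Only one pattern, LINE (collinear clicks visited in one direction, with any spacing), is implemented; other patterns would be other successor functions.

```python
"""Added example: a click-order-pattern dictionary as paths in a cell graph.

Assumptions (mine, not the paper's): W x H grid of tolerance cells, K ordered
clicks per password, and a single LINE pattern: all clicks collinear and
visited in a consistent direction, with arbitrary spacing along the line.
"""
from math import gcd, log2


def full_space(w, h, k):
    """Size of the unconstrained password space: any of W*H cells per click."""
    return (w * h) ** k


def line_successors(prefix, w, h):
    """Edge relation of the LINE pattern graph.

    An empty prefix may start at any cell; the second click may be any other
    cell; from the third click on, the next cell must lie further along the
    ray through the first two clicks (collinear, same direction).
    """
    cells = [(x, y) for y in range(h) for x in range(w)]
    if not prefix:
        return cells
    if len(prefix) == 1:
        return [c for c in cells if c != prefix[0]]
    (x0, y0), (x1, y1) = prefix[0], prefix[1]
    dx, dy = x1 - x0, y1 - y0
    g = gcd(dx, dy)                 # smallest grid step along the line
    dx, dy = dx // g, dy // g
    x, y = prefix[-1]
    out = []
    x, y = x + dx, y + dy
    while 0 <= x < w and 0 <= y < h:
        out.append((x, y))
        x, y = x + dx, y + dy
    return out


def line_pattern_holds(seq):
    """Validator for a candidate: every step is a positive multiple of the
    first step (cross product zero, dot product positive)."""
    if len(seq) < 3:
        return len(seq) == len(set(seq))
    (x0, y0), (x1, y1) = seq[0], seq[1]
    dx, dy = x1 - x0, y1 - y0
    for (ax, ay), (bx, by) in zip(seq[1:], seq[2:]):
        sx, sy = bx - ax, by - ay
        if dx * sy - dy * sx != 0 or dx * sx + dy * sy <= 0:
            return False
    return True


def pattern_dictionary(w, h, k, successors=line_successors):
    """Depth-first enumeration of every length-K path in the pattern graph."""
    prefix = []

    def extend():
        if len(prefix) == k:
            yield tuple(prefix)
            return
        for cell in successors(prefix, w, h):
            prefix.append(cell)
            yield from extend()
            prefix.pop()

    yield from extend()


def dictionary_size(w, h, k, successors=line_successors):
    """Number of guesses in the pattern dictionary (counted, not stored)."""
    return sum(1 for _ in pattern_dictionary(w, h, k, successors))


def attack_summary(w, h, k):
    """Guessing effort in bits: pattern dictionary versus the full space."""
    d = dictionary_size(w, h, k)
    full = full_space(w, h, k)
    return {"dictionary": d, "dictionary_bits": log2(d),
            "full_space": full, "full_space_bits": log2(full)}


if __name__ == "__main__":
    # Constructed parameters: a 24 x 18 cell grid and 5 clicks. These are an
    # assumption for illustration, not the image or tolerance the paper used.
    print(attack_summary(24, 18, 5))
```

On the 24 x 18 grid the LINE dictionary is a few million entries against a full space of 432^5 (about 2^43.8), so even a single rigid pattern strips more than twenty bits from the search; the paper's larger 2^26 and 2^35 dictionaries come from combining and relaxing several such patterns, which this single-pattern example does not attempt.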
We provide a simple yet powerful demonstration of how an unobtrusive change to a graphical password interface can modify the distribution of user-chosen passwords, and thus possibly the security it provides. The only change to the interface is how the background image is presented to the user in the password creation phase; we call the effect of this change the "presentation effect". We demonstrate the presentation effect with a comparative user study of two groups using the same background image, where the image is presented in two different ways prior to password creation. Our results show a statistically different distribution of users' graphical passwords, with no observed usability consequences.