On Purely Automated Attacks and Click-Based Graphical Passwords

Salehi‐Abari, Amirali; Thorpe, Julie; Oorschot, Paul C. van

doi:10.1109/acsac.2008.18

Cited by 40 publications

(32 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We further demonstrate how they can be used as an optimization for human-seeded dictionaries. As discussed under Related Work, additional results on patterns can be found in other papers [42,37,6,30].…”

Section: Discussionmentioning

confidence: 88%

“…Chiasson et al [6] further compared the popularity of a set of click-order patterns across three different schemes: PassPoints, CCP, and PCCP. Salehi-Abari et al [37] defined additional patterns and demonstrated their exploitability with both strict and relaxed pattern definitions; an extension of that paper [30] indicates that some click-order patterns result in a better offline attack than S hs−ind herein, but the accuracy of S hs−dep herein remains superior. As such, human-seeded and click-order pattern based attacks are complimentary approaches: human seeded attacks offer better guessing accuracy such that they are the primary threat in online environments, whereas click-order pattern attacks find a higher percentage of passwords in an offline attack.…”

Section: Related Workmentioning

confidence: 99%

“…Our predictive dictionaries in the present paper are both more effective (guessing a higher percentage of passwords), and more efficient (smaller in size, requiring fewer guesses). Most recently, Salehi-Abari et al [37] combine attacks employing focus-of-attention automated image processing tools and click-order patterns (compare to Section 4.2), as well as relaxing constraints on click-order patterns independent of focus-of-attention models, for improved automated attacks.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Exploiting predictability in click-based graphical passwords*

Oorschot

Thorpe

2011

JCS

Self Cite

View full text Add to dashboard Cite

We provide an in-depth study of the security of click-based graphical password schemes like PassPoints (Weidenbeck et al., 2005), by exploring popular points (hot-spots), and examining strategies to predict and exploit them in guessing attacks. We report on both short-and long-term user studies: one labcontrolled, involving 43 users and 17 diverse images, the other a field test of 223 user accounts. We provide empirical evidence that hot-spots do exist for many images, some more so than others. We explore the use of "human-computation" (in this context, harvesting click-points from a small set of users) to predict these hot-spots. We generate two "human-seeded" attacks based on this method: one based on a first-order Markov model, another based on an independent probability model. Within 100 guesses, our first-order Markov model-based attack finds 4% of passwords in one image's data set, and 10% of passwords in a second image's data set. Our independent model-based attack finds 20% within 2 33 guesses in one image's data set and 36% within 2 31 guesses in a second image's data set. These are all for a system whose full password space has cardinality 2 43 . We also evaluate our first-order Markov model-based attack with cross-validation of the field study data, which finds an average of 7-10% of user passwords within 3 guesses. We also begin to explore some click-order pattern attacks, which we found improve on our independent model-based attacks. Our results suggest that these graphical password schemes (with parameters as originally proposed) are vulnerable to offline and online attacks, even on systems that implement conservative lock-out policies.

show abstract

Section: Discussionmentioning

confidence: 88%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Exploiting predictability in click-based graphical passwords*

Oorschot

Thorpe

2011

JCS

Self Cite

View full text Add to dashboard Cite

show abstract

“…A good overview of popular graphical password schemes has been reported in [2]. Different usability studies have outlined the advantages of graphical passwords, such as their reasonable login and creation times, acceptable error rates, good general perception and reduced interference compared to text passwords, but also their vulnerabilities [27] [30]. As mentioned earlier, lock patterns are one type of recall-based graphical password [2].…”

Section: Related Workmentioning

confidence: 99%

Exploring Touch-Screen Biometrics for User Identification on Smart Phones

Angulo

Wästlund

2012

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

Abstract. The use of mobile smart devices for storing sensitive information and accessing online services is increasing. At the same time, methods for authenticating users into their devices and online services that are not only secure, but also privacy and user-friendly are needed. In this paper, we present our initial explorations of the use of lock pattern dynamics as a secure and user-friendly two-factor authentication method. We developed an application for the Android mobile platform to collect data on the way individuals draw lock patterns on a touchscreen. Using a Random Forest machine learning classifier this method achieves an average Equal Error Rate (EER) of approximately 10.39%, meaning that lock patterns biometrics can be used for identifying users towards their device, but could also pose a threat to privacy if the users' biometric information is handled outside their control.

show abstract

“…In this scheme, users should choose several points on an image and click orderly on them within a tolerance for authentication. Security analyses find it vulnerable to hotspots and simple patterns within images [13,17,18]. A commercial version of PassPoints for the PocketPC is available from visKey for screen-unlock [16].…”

Section: Related Workmentioning

confidence: 99%

A New Graphical Password Scheme Resistant to Shoulder-Surfing

et al. 2010

View full text Add to dashboard Cite

Abstract-Shoulder-surfing is a known risk where an attacker can capture a password by direct observation or by recording the authentication session. Due to the visual interface, this problem has become exacerbated in graphical passwords. There have been some graphical schemes resistant or immune to shoulder-surfing, but they have significant usability drawbacks, usually in the time and effort to log in. In this paper, we propose and evaluate a new shoulder-surfing resistant scheme which has a desirable usability for PDAs. Our inspiration comes from the drawing input method in DAS and the association mnemonics in Story for sequence retrieval. The new scheme requires users to draw a curve across their password images orderly rather than click directly on them. The drawing input trick along with the complementary measures, such as erasing the drawing trace, displaying degraded images, and starting and ending with randomly designated images provide a good resistance to shouldersurfing. A preliminary user study showed that users were able to enter their passwords accurately and to remember them over time.

show abstract

On Purely Automated Attacks and Click-Based Graphical Passwords

Abstract: Abstract

Cited by 40 publications

References 17 publications

Exploiting predictability in click-based graphical passwords*

Exploiting predictability in click-based graphical passwords*

Exploring Touch-Screen Biometrics for User Identification on Smart Phones

A New Graphical Password Scheme Resistant to Shoulder-Surfing

Contact Info

Product

Resources

About