Purely Automated Attacks on PassPoints-Style Graphical Passwords

Oorschot, Paul C. van; Salehi‐Abari, Amirali; Thorpe, Julie

doi:10.1109/tifs.2010.2053706

Cited by 75 publications

(52 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…For example, the HOR and V ER dictionaries both contain DIAG as a subset. Further work on click-order patterns is beyond the scope of this paper, and is provided in another paper [30].…”

Section: Click-order Pattern Attack Resultsmentioning

confidence: 99%

“…Chiasson et al [6] further compared the popularity of a set of click-order patterns across three different schemes: PassPoints, CCP, and PCCP. Salehi-Abari et al [37] defined additional patterns and demonstrated their exploitability with both strict and relaxed pattern definitions; an extension of that paper [30] indicates that some click-order patterns result in a better offline attack than S hs−ind herein, but the accuracy of S hs−dep herein remains superior. As such, human-seeded and click-order pattern based attacks are complimentary approaches: human seeded attacks offer better guessing accuracy such that they are the primary threat in online environments, whereas click-order pattern attacks find a higher percentage of passwords in an offline attack.…”

Section: Related Workmentioning

confidence: 98%

See 1 more Smart Citation

Exploiting predictability in click-based graphical passwords*

Oorschot

Thorpe

2011

JCS

Self Cite

View full text Add to dashboard Cite

We provide an in-depth study of the security of click-based graphical password schemes like PassPoints (Weidenbeck et al., 2005), by exploring popular points (hot-spots), and examining strategies to predict and exploit them in guessing attacks. We report on both short-and long-term user studies: one labcontrolled, involving 43 users and 17 diverse images, the other a field test of 223 user accounts. We provide empirical evidence that hot-spots do exist for many images, some more so than others. We explore the use of "human-computation" (in this context, harvesting click-points from a small set of users) to predict these hot-spots. We generate two "human-seeded" attacks based on this method: one based on a first-order Markov model, another based on an independent probability model. Within 100 guesses, our first-order Markov model-based attack finds 4% of passwords in one image's data set, and 10% of passwords in a second image's data set. Our independent model-based attack finds 20% within 2 33 guesses in one image's data set and 36% within 2 31 guesses in a second image's data set. These are all for a system whose full password space has cardinality 2 43 . We also evaluate our first-order Markov model-based attack with cross-validation of the field study data, which finds an average of 7-10% of user passwords within 3 guesses. We also begin to explore some click-order pattern attacks, which we found improve on our independent model-based attacks. Our results suggest that these graphical password schemes (with parameters as originally proposed) are vulnerable to offline and online attacks, even on systems that implement conservative lock-out policies.

show abstract

“…For example, the HOR and V ER dictionaries both contain DIAG as a subset. Further work on click-order patterns is beyond the scope of this paper, and is provided in another paper [30].…”

Section: Click-order Pattern Attack Resultsmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 98%

Exploiting predictability in click-based graphical passwords*

Oorschot

Thorpe

2011

JCS

Self Cite

View full text Add to dashboard Cite

show abstract

“…A good overview of popular graphical password schemes has been reported in [2]. Different usability studies have outlined the advantages of graphical passwords, such as their reasonable login and creation times, acceptable error rates, good general perception and reduced interference compared to text passwords, but also their vulnerabilities [27] [30]. As mentioned earlier, lock patterns are one type of recall-based graphical password [2].…”

Section: Related Workmentioning

confidence: 99%

Exploring Touch-Screen Biometrics for User Identification on Smart Phones

Angulo

Wästlund

2012

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

Abstract. The use of mobile smart devices for storing sensitive information and accessing online services is increasing. At the same time, methods for authenticating users into their devices and online services that are not only secure, but also privacy and user-friendly are needed. In this paper, we present our initial explorations of the use of lock pattern dynamics as a secure and user-friendly two-factor authentication method. We developed an application for the Android mobile platform to collect data on the way individuals draw lock patterns on a touchscreen. Using a Random Forest machine learning classifier this method achieves an average Equal Error Rate (EER) of approximately 10.39%, meaning that lock patterns biometrics can be used for identifying users towards their device, but could also pose a threat to privacy if the users' biometric information is handled outside their control.

show abstract

“…Researchers have explored three broad types of graphical passwords: recall-based draw metric schemes based on sketching shapes on screen, recognition-based cognometric schemes based on selecting known items from large sets of options, and cued-recall loci-metric schemes based on selecting regions of pre-chosen images. Loci-metric schemes are discussed as is multifactor authentication [10], as it relates to Graphical Cryptographic Verification System and its combination of a token, or something you have, on which a password, or something you know, is entered.…”

Section: Related Workmentioning

confidence: 99%

Graphical Cryptographic Verification System

Chelliah¹,

Shobana²

2017

IJMSR

View full text Add to dashboard Cite

-A Graphical Cryptographic Verification System that restores the static digital pictures naturally used in graphical password systems with personalized physical tokens, here in the form of digital pictures showed on a physical user-owned device such as a mobile phone. Users present these pictures to a scheme camera and then enter their password as a sequence of selections on live video of the token. Extremely distinctive optical characteristics are extracted from these selections and utilized as the password. We present three probability studies of examining its consistency, usability, and safety against surveillance. The consistency study Graphical Cryptographic Verification System demonstrates that imagefeature based passwords are viable and suggests appropriate system thresholds password items should include a minimum of seven features, 40% of which must geometrically equal unique stored on an authentication server in order to be moderator equivalent. The usability study calculates task completion times and error rates, revealing these to be 7.5 s and 9%, broadly comparable with preceding graphical password systems that use static digital images. In the end, the safety study highlights Graphical Cryptographic Verification System conflict to observation attack three attackers are able to compromise a password using shoulder surfing, camera based observation, or malware. These results indicate that Graphical Cryptographic Verification System shows promise for safety while maintaining the usability of current graphical password schemes.

show abstract

Purely Automated Attacks on PassPoints-Style Graphical Passwords

Cited by 75 publications

References 24 publications

Exploiting predictability in click-based graphical passwords*

Exploiting predictability in click-based graphical passwords*

Exploring Touch-Screen Biometrics for User Identification on Smart Phones

Graphical Cryptographic Verification System

Contact Info

Product

Resources

About