DOI: 10.1145/1408664.1408668
research-article

Securing passfaces for description

Published: 23 July 2008

ABSTRACT

One common practice in relation to alphanumeric passwords is to write them down or share them with a trusted friend or colleague. Graphical password schemes often claim the advantage that they are significantly more secure with respect to both verbal disclosure and writing down. We investigated the reality of this claim in relation to the Passfaces graphical password scheme. By collecting a corpus of naturalistic descriptions of a set of 45 faces, we explored participants' ability to associate descriptions with faces across three conditions in which the decoy faces were selected: (1) at random; (2) on the basis of their visual similarity to the target face; and (3) on the basis of the similarity of the verbal descriptions of the decoy faces to the target face. Participants were found to perform significantly worse when presented with visually and verbally grouped decoys, suggesting that Passfaces can be further secured for description. Subtle differences in both the nature of male and female descriptions, and male and female performance were also observed.


Published in

SOUPS '08: Proceedings of the 4th symposium on Usable privacy and security
July 2008
145 pages
ISBN: 9781605582764
DOI: 10.1145/1408664

Copyright © 2008 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States


Overall acceptance rate: 15 of 49 submissions, 31%
