Research article. DOI: 10.1145/1653662.1653722

Multiple password interference in text passwords and click-based graphical passwords

Published: 09 November 2009

ABSTRACT

The underlying issues relating to the usability and security of multiple passwords are largely unexplored. However, we know that people generally have difficulty remembering multiple passwords. This reduces security since users reuse the same password for different systems or reveal other passwords as they try to log in. We report on a laboratory study comparing recall of multiple text passwords with recall of multiple click-based graphical passwords. In a one-hour session (short-term), we found that participants in the graphical password condition coped significantly better than those in the text password condition. In particular, they made fewer errors when recalling their passwords, did not resort to creating passwords directly related to account names, and did not use similar passwords across multiple accounts. After two weeks, participants in the two conditions had recall success rates that were not statistically different from each other, but those with text passwords made more recall errors than participants with graphical passwords. In our study, click-based graphical passwords were significantly less susceptible to multiple password interference in the short-term, while having comparable usability to text passwords in most other respects.


Published in

CCS '09: Proceedings of the 16th ACM conference on Computer and communications security
November 2009
664 pages
ISBN: 9781605588940
DOI: 10.1145/1653662

Copyright © 2009 ACM

Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance Rates

Overall acceptance rate: 1,261 of 6,999 submissions, 18%
