Abstract
Picture gesture authentication has recently been introduced as an alternative login experience to text-based passwords on touch-screen devices. In particular, the newly released Microsoft Windows 8™ operating system adopts this alternative authentication to complement its traditional text-based authentication. We present an empirical analysis of picture gesture authentication based on more than 10,000 picture passwords collected from more than 800 subjects through online user studies. Based on the findings of our user studies, we propose a novel attack framework that is capable of cracking passwords on previously unseen pictures in a picture gesture authentication system. Our approach is based on the concept of a selection function, which models users' thought processes when selecting picture passwords. Our evaluation results show that the proposed approach can crack a considerable portion of picture passwords under different settings. Based on the empirical analysis and attack results, we comparatively evaluate picture gesture authentication against a set of criteria to better understand its advantages and limitations.