Searching for just a few words should be enough to get started. If you need to make more complex queries, use the tips below to guide you.
Article type: Research Article
Authors: van Oorschot, P.C.a | Thorpe, Julieb; **
Affiliations: [a] School of Computer Science, Carleton University, Ottawa, ON, Canada. E-mail: [email protected] | [b] Faculty of Business and Information Technology, University of Ontario Institute of Technology, Oshawa, ON, Canada. E-mail: [email protected]
Correspondence: [**] Corresponding author. Authors ordered alphabetically.
Note: [*] Manuscript received November 7, 2008; revised July 28, 2010; accepted August 4, 2010. Parts of this work appeared previously in [41] and in the PhD thesis [40] of the second author.
Abstract: We provide an in-depth study of the security of click-based graphical password schemes like PassPoints (Weidenbeck et al., 2005), by exploring popular points (hot-spots), and examining strategies to predict and exploit them in guessing attacks. We report on both short- and long-term user studies: one lab-controlled, involving 43 users and 17 diverse images, the other a field test of 223 user accounts. We provide empirical evidence that hot-spots do exist for many images, some more so than others. We explore the use of “human-computation” (in this context, harvesting click-points from a small set of users) to predict these hot-spots. We generate two “human-seeded” attacks based on this method: one based on a first-order Markov model, another based on an independent probability model. Within 100 guesses, our first-order Markov model-based attack finds 4% of passwords in one image's data set, and 10% of passwords in a second image's data set. Our independent model-based attack finds 20% within 233 guesses in one image's data set and 36% within 231 guesses in a second image's data set. These are all for a system whose full password space has cardinality 243. We evaluate our first-order Markov model-based attack with cross-validation of the field study data, which finds an average of 7–10% of user passwords within 3 guesses. We also begin to explore some click-order pattern attacks, which we found improve on our independent model-based attacks. Our results suggest that these graphical password schemes (with parameters as originally proposed) are vulnerable to offline and online attacks, even on systems that implement conservative lock-out policies.
Keywords: Graphical passwords, PassPoints, passwords, hot spots, human-seeded attacks, human computation, click-order patterns, password guessing, dictionary attack, empirical studies, user choice
DOI: 10.3233/JCS-2010-0411
Journal: Journal of Computer Security, vol. 19, no. 4, pp. 669-702, 2011
IOS Press, Inc.
6751 Tepper Drive
Clifton, VA 20124
USA
Tel: +1 703 830 6300
Fax: +1 703 830 2300
[email protected]
For editorial issues, like the status of your submitted paper or proposals, write to [email protected]
IOS Press
Nieuwe Hemweg 6B
1013 BG Amsterdam
The Netherlands
Tel: +31 20 688 3355
Fax: +31 20 687 0091
[email protected]
For editorial issues, permissions, book requests, submissions and proceedings, contact the Amsterdam office [email protected]
Inspirees International (China Office)
Ciyunsi Beili 207(CapitaLand), Bld 1, 7-901
100025, Beijing
China
Free service line: 400 661 8717
Fax: +86 10 8446 7947
[email protected]
For editorial issues, like the status of your submitted paper or proposals, write to [email protected]
如果您在出版方面需要帮助或有任何建, 件至: [email protected]