DOI: 10.5555/1251421.1251422
Article

The design and analysis of graphical passwords

Published: 23 August 1999

Abstract

In this paper we propose and evaluate new graphical password schemes that exploit features of graphical input displays to achieve better security than text-based passwords. Graphical input devices enable the user to decouple the position of inputs from the temporal order in which those inputs occur, and we show that this decoupling can be used to generate password schemes with substantially larger (memorable) password spaces. In order to evaluate the security of one of our schemes, we devise a novel way to capture a subset of the "memorable" passwords that, we believe, is itself a contribution. In this work we are primarily motivated by devices such as personal digital assistants (PDAs) that offer graphical input capabilities via a stylus, and we describe our prototype implementation of one of our password schemes on such a PDA, namely the Palm Pilot™.

Published In

SSYM'99: Proceedings of the 8th conference on USENIX Security Symposium - Volume 8
August 1999
248 pages

Publisher

USENIX Association

United States

Cited By

  • (2021) Pure Recall-Based Graphical User Authentication Schemes: Perspectives from a Closer Look. Proceedings of the 3rd African Human-Computer Interaction Conference: Inclusiveness and Empowerment. 10.1145/3448696.3448721 (141-145). Online publication date: 8-Mar-2021
  • (2021) Eye-GUAna: Higher Gaze-Based Entropy and Increased Password Space in Graphical User Authentication Through Gamification. ACM Symposium on Eye Tracking Research and Applications. 10.1145/3448018.3458615 (1-7). Online publication date: 25-May-2021
  • (2021) Secure Gestures—Case Study 4. Intelligent Computing for Interactive System Design. 10.1145/3447404.3447422 (323-338). Online publication date: 23-Feb-2021
  • (2021) Better, Funner, Stronger: A Gameful Approach to Nudge People into Making Less Predictable Graphical Password Choices. Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems. 10.1145/3411764.3445658 (1-17). Online publication date: 6-May-2021
  • (2021) Does the layout of the Android unlock pattern affect the security and usability of the password? Journal of Information Security and Applications. 10.1016/j.jisa.2021.103011, 62:C. Online publication date: 1-Nov-2021
  • (2021) Achieving flatness. Computers and Security. 10.1016/j.cose.2021.102212, 104:C. Online publication date: 1-May-2021
  • (2020) Are Thermal Attacks Ubiquitous? Proceedings of the 2020 International Conference on Advanced Visual Interfaces. 10.1145/3399715.3399819 (1-5). Online publication date: 28-Sep-2020
  • (2019) Heuristics and Models for Evaluating the Usability of Security Measures. Proceedings of Mensch und Computer 2019. 10.1145/3340764.3340789 (275-285). Online publication date: 8-Sep-2019
  • (2019) Multi factor user authentication mechanism using internet of things. Proceedings of the Third International Conference on Advanced Informatics for Computing Research. 10.1145/3339311.3339335 (1-5). Online publication date: 15-Jun-2019
  • (2019) Authentication using alignment of the graphical password. Proceedings of the Third International Conference on Advanced Informatics for Computing Research. 10.1145/3339311.3339332 (1-5). Online publication date: 15-Jun-2019
