DOI: 10.1145/1920261.1920273
research-article

Exploring usability effects of increasing security in click-based graphical passwords

Published: 06 December 2010

Abstract

Graphical passwords have been proposed to address known problems with traditional text passwords. For example, memorable user-chosen text passwords are predictable, but random system-assigned passwords are difficult to remember. We explore the usability effects of modifying system parameters to increase the security of a click-based graphical password system. Generally, usability tests for graphical passwords have used configurations resulting in password spaces smaller than that of common text passwords. Our two-part lab study compares the effects of varying the number of click-points and the image size, including when different configurations provide comparable password spaces. For comparable spaces, no usability advantage was evident between more click-points, or a larger image. This is contrary to our expectation that larger image size (with fewer click-points) might offer usability advantages over more click-points (with correspondingly smaller images). The results suggest promising opportunities for better matching graphical password system configurations to device constraints, or capabilities of individual users, without degrading usability. For example, more click-points could be used on smart-phone displays where larger image sizes are not possible.



Published In

ACSAC '10: Proceedings of the 26th Annual Computer Security Applications Conference
December 2010
419 pages
ISBN: 9781450301336
DOI: 10.1145/1920261

Sponsors

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States


Qualifiers

  • Research-article

Conference

ACSAC '10
Sponsor:
  • ACSA

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%
