DOI: 10.1145/2523649.2523672

Revisiting graphical passwords for augmenting, not replacing, text passwords

Published: 09 December 2013

Abstract

Users generally choose weak passwords that can be easily guessed. On the other hand, adoption of alternatives to text passwords has been slow due to cost and usability factors. We acknowledge that incumbent passwords remain difficult to beat and introduce in this study Type&Click (T&C), a hybrid scheme that supports text passwords with graphical passwords. In T&C, users first type a text as usual and then make a single click on an image to complete the password entry. While largely preserving the login experience of text passwords, the new scheme draws on accumulated scientific knowledge from graphical password research (implicit feedback, persuasion during password creation, leveraging cued-recall memory). The results of our user study suggest that T&C is promising for augmenting text passwords to improve security without degrading usability.

Cited By

  • (2021) HyPA: A Hybrid Password-Based Authentication Mechanism. Advances in Information and Communication, pages 651-665. DOI: 10.1007/978-3-030-73100-7_47. Online publication date: 13-Apr-2021
  • (2018) User Define Time Based Change Pattern Dynamic Password Authentication Scheme. 2018 14th International Conference on Electronics Computer and Computation (ICECCO), pages 206-212. DOI: 10.1109/ICECCO.2018.8634675. Online publication date: Nov-2018

Published In

ACSAC '13: Proceedings of the 29th Annual Computer Security Applications Conference
December 2013
374 pages
ISBN:9781450320153
DOI:10.1145/2523649

Sponsors

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. authentication
  2. graphical passwords
  3. passwords
  4. usable security

Qualifiers

  • Research-article

Conference

ACSAC '13
Sponsor:
  • ACSA
ACSAC '13: Annual Computer Security Applications Conference
December 9 - 13, 2013
Louisiana, New Orleans, USA

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%
