Home > Research > Publications & Outputs > Security analyses of click-based graphical pass...

Links

Text available via DOI:

View graph of relations

Security analyses of click-based graphical passwords via image point memorability

Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSNConference contribution/Paperpeer-review

Published
  • Bin B. Zhu
  • Jeff Yan
  • Maowei Yang
  • Dongchen Wei
Close
Publication date3/11/2014
Host publicationCCS '14 Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security
Place of PublicationNew York
PublisherACM
Pages1217-1231
Number of pages15
ISBN (print)9781450329576
<mark>Original language</mark>English
Event21st ACM Conference on Computer and Communications Security, CCS 2014 - Scottsdale, United States
Duration: 3/11/20147/11/2014

Conference

Conference21st ACM Conference on Computer and Communications Security, CCS 2014
Country/TerritoryUnited States
CityScottsdale
Period3/11/147/11/14

Conference

Conference21st ACM Conference on Computer and Communications Security, CCS 2014
Country/TerritoryUnited States
CityScottsdale
Period3/11/147/11/14

Abstract

We propose a novel concept and a model of image point memorability (IPM) for analyzing click-based graphical passwords that have been studied extensively in both the security and HCI communities. In our model, each point in an image is associated with a numeric index that indicates the point's memorability level. This index can be approximated either by automatic computer vision algorithms or via human assistance. Using our model, we can rank-order image points by their relative memorability with a decent accuracy. We show that the IPM model has both defensive and offensive applications. On the one hand, we apply the model to generate high-quality graphical honeywords. This is the first work on honeywords for graphical passwords, whereas all previous methods are only for generating text honeywords and thus inapplicable. On the other hand, we use the IPM model to develop the first successful dictionary attacks on Persuasive Cued Click Points (PCCP), which is the state-of-the-art click-based graphical password scheme and robust to all prior dictionary attacks. We show that the probability distribution of PCCP passwords is seriously biased when it is examined with the lens of the IPM model. Although PCCP was designed to generate random passwords, its effective password space as we measured can be as small as 30.58 bits, which is substantially weaker than its theoretical and commonly believed strength (43 bits). The IPM model is applicable to all click-based graphical password schemes, and our analyses can be extended to other graphical passwords as well.