Final published version
Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSN › Conference contribution/Paper › peer-review
Publication date | 3/11/2014 |
---|---|
Host publication | CCS '14 Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security |
Place of Publication | New York |
Publisher | ACM |
Pages | 1217-1231 |
Number of pages | 15 |
ISBN (print) | 9781450329576 |
<mark>Original language</mark> | English |
Event | 21st ACM Conference on Computer and Communications Security, CCS 2014 - Scottsdale, United States Duration: 3/11/2014 → 7/11/2014 |
Conference | 21st ACM Conference on Computer and Communications Security, CCS 2014 |
---|---|
Country/Territory | United States |
City | Scottsdale |
Period | 3/11/14 → 7/11/14 |
Conference | 21st ACM Conference on Computer and Communications Security, CCS 2014 |
---|---|
Country/Territory | United States |
City | Scottsdale |
Period | 3/11/14 → 7/11/14 |
We propose a novel concept and a model of image point memorability (IPM) for analyzing click-based graphical passwords that have been studied extensively in both the security and HCI communities. In our model, each point in an image is associated with a numeric index that indicates the point's memorability level. This index can be approximated either by automatic computer vision algorithms or via human assistance. Using our model, we can rank-order image points by their relative memorability with a decent accuracy. We show that the IPM model has both defensive and offensive applications. On the one hand, we apply the model to generate high-quality graphical honeywords. This is the first work on honeywords for graphical passwords, whereas all previous methods are only for generating text honeywords and thus inapplicable. On the other hand, we use the IPM model to develop the first successful dictionary attacks on Persuasive Cued Click Points (PCCP), which is the state-of-the-art click-based graphical password scheme and robust to all prior dictionary attacks. We show that the probability distribution of PCCP passwords is seriously biased when it is examined with the lens of the IPM model. Although PCCP was designed to generate random passwords, its effective password space as we measured can be as small as 30.58 bits, which is substantially weaker than its theoretical and commonly believed strength (43 bits). The IPM model is applicable to all click-based graphical password schemes, and our analyses can be extended to other graphical passwords as well.