Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSN › Conference contribution/Paper › peer-review
Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSN › Conference contribution/Paper › peer-review
}
TY - GEN
T1 - Security implications of password discretization for click-based graphical passwords
AU - Zhu, Bin B.
AU - Wei, Dongchen
AU - Yang, Maowei
AU - Yan, Jeff
PY - 2013/5
Y1 - 2013/5
N2 - Discretization is a standard technique used in click-based graphical passwords for tolerating input variance so that approximately correct passwords are accepted by the system. In this paper, we show for the first time that two representative discretization schemes leak a significant amount of password information, undermining the security of such graphical passwords. We exploit such information leakage for successful dictionary attacks on Persuasive Cued Click Points (PCCP), which is to date the most secure click-based graphical password scheme and was considered to be resistant to such attacks. In our experiments, our purely automated attack successfully guessed 69.2% of the passwords when Centered Discretization was used to implement PCCP, and 39.4% of the passwords when Robust Discretization was used. Each attack dictionary we used was of approximately 235 entries, whereas the full password space was of 243 entries. For Centered Discretization, our attack still successfully guessed 50% of the passwords when the dictionary size was reduced to approximately 230 entries. Our attack is also applicable to common implementations of other click-based graphical password systems such as PassPoints and Cued Click Points - both have been extensively studied in the research communities. Copyright is held by the International World Wide Web Conference Committee (IW3C2).
AB - Discretization is a standard technique used in click-based graphical passwords for tolerating input variance so that approximately correct passwords are accepted by the system. In this paper, we show for the first time that two representative discretization schemes leak a significant amount of password information, undermining the security of such graphical passwords. We exploit such information leakage for successful dictionary attacks on Persuasive Cued Click Points (PCCP), which is to date the most secure click-based graphical password scheme and was considered to be resistant to such attacks. In our experiments, our purely automated attack successfully guessed 69.2% of the passwords when Centered Discretization was used to implement PCCP, and 39.4% of the passwords when Robust Discretization was used. Each attack dictionary we used was of approximately 235 entries, whereas the full password space was of 243 entries. For Centered Discretization, our attack still successfully guessed 50% of the passwords when the dictionary size was reduced to approximately 230 entries. Our attack is also applicable to common implementations of other click-based graphical password systems such as PassPoints and Cued Click Points - both have been extensively studied in the research communities. Copyright is held by the International World Wide Web Conference Committee (IW3C2).
KW - Authentication
KW - Dictionary attack
KW - Discretization
KW - Graphical passwords
M3 - Conference contribution/Paper
AN - SCOPUS:84893091793
SN - 9781450320351
SP - 1581
EP - 1591
BT - WWW 2013 - Proceedings of the 22nd International Conference on World Wide Web
PB - ACM
CY - New York
T2 - 22nd International Conference on World Wide Web, WWW 2013
Y2 - 13 May 2013 through 17 May 2013
ER -