10-12-2012, 12:08 PM
Authentication Using Graphical Passwords: Basic Results
Abstract
Access to computer systems is most often based on the use of alphanumeric passwords. However, users have difficulty remembering a password that is long and random-appearing. Instead, they create short, simple, and insecure passwords. Graphical passwords have been designed to try to make passwords more memorable and easier for people to use and, therefore, more secure. Using a graphical password, users click on images rather than type alphanumeric characters. We have designed a new and more secure graphical password system, called PassPoints. In this paper we describe the PassPoints system, its security characteristics, and the empirical study we carried out comparing PassPoints to alphanumeric passwords. In the empirical study participants learned either an alphanumeric or graphical password and subsequently carried out three longitudinal trials to input their passwords over a period of five weeks. The results show that the graphical group took longer and made more errors in learning the password, but that the difference was largely a consequence of just a few graphical participants who had difficulty learning to use graphical passwords. In the longitudinal trials the two groups performed similarly on memory of their password, but the graphical group took more time to input a password.
Introduction
Until recently computer and network security has been formulated as a technical problem. However, it is now widely recognized that most security mechanisms cannot succeed without taking into account the user (Patrick, Long, & Flinn, 2003). A key area in security research is authentication, the determination of whether a user should be allowed access to a given system or resource. Traditionally, alphanumeric passwords have been used for authentication, but they are known to have security and usability problems. Today other methods, including graphical passwords, are possible alternatives. This paper reports on research aimed to design a new kind of graphical password system, empirically test its usability, and compare it to alphanumeric passwords. The significance of this research is the provision of a flexible graphical password system with extensive human factors data to support it.
We refer to the security and usability problems associated with alphanumeric passwords as “the password problem” (Wiedenbeck, Waters, Birget, Broditskiy & Memon, 2005).
Background on Passwords
Problems with Alphanumeric Passwords
The password problem arises largely from limitations of humans’ long-term memory (LTM). Once a password has been chosen and learned the user must be able to recall it to log in. But, people regularly forget their passwords. Decay and interference explain why people forget their passwords. Items in memory may compete with a password and prevent its accurate recall (Wixted, 2004). If a password is not used frequently it will be even more susceptible to forgetting. A further complication is that users have many passwords for computers, networks, and web sites. The large number of passwords increases interference and is likely to lead to forgetting or confusing passwords.
Users typically cope with the password problem by decreasing their memory load at the expense of security. First, they write down their passwords (Adams & Sasse, 1999). Second, when they have multiple passwords, they use one password for all systems or trivial variations of a single password. In terms of security, a password should consist of a string of 8 or more random characters, including upper and lower case alphabetic characters, digits, and special characters. A random password does not have meaningful content and must be memorized by rote, but rote learning is a weak way of remembering (Rundus, 1971). As a result, users are known to ignore the recommendations on password choice. Two recent surveys have shown that users choose short, simple passwords that are easily guessable, for example, “password,” personal names of family members, names of pets, and dictionary words (Sasse et al., 2001; Brown, Bracken, Zoccoli, & Douglas, 2004). To users the most important issue is having a password that can be remembered reliably and input quickly. They are unlikely to give priority to security over their immediate need to get on with their real work.
Why Graphical Passwords?
Graphical passwords were originally described by Blonder (1996). In his description of the concept an image would appear on the screen, and the user would click on a few chosen regions of it. If the correct regions were clicked in, the user would be authenticated.
Memory of passwords and efficiency of their input are two key human factors criteria. Memorability has two aspects: (1) how the user chooses and encodes the password and (2) what task the user does when later retrieving the password. In a graphical password system, a user needs to choose memorable locations in an image. Choosing memorable locations depends on the nature of the image itself and the specific sequence of click locations. To support memorability, images should have semantically meaningful content because meaning for arbitrary things is poor (Norman, 1988). This suggests that jumbled or abstract images will be less memorable than concrete, real-world scenes. LTM does not store a replica of the image itself, but rather a meaningful interpretation (Mandler & Ritchey, 1977). To retrieve the locations a user will be dependent on the encoding used while learning. A poor encoding will hurt retrieval by failing to distinguish similar objects.
Design of PassPoints
Background on Graphical Password Systems
Here we discuss some graphical password systems based on recognition or cued recall of images. Most existing systems are based on recognition. The best known of these systems are Passfaces (Brostoff & Sasse, 2000; Real User Corporation, 2001) and Déjà Vu (Dhamija & Perrig, 2000). Brostoff and Sasse (2000) carried out an empirical study of Passfaces, which illustrates well how a graphical password recognition system typically operates. To create a password, the user chose four images of human faces from a portfolio of faces. To log in the user saw a grid of nine faces, which included one face previously chosen by the user and eight decoy faces. The user had to click anywhere on the known face. This procedure was repeated with different target and decoy faces, for a total of four rounds. If the user chose all four correct faces, he or she successfully logged in. Data from this study suggest that Passfaces are more memorable than alphanumeric passwords. A small study of the use of Déjà Vu came to the same conclusion. On the other hand, passwords based on image recognition have a serious disadvantage. Only a small number of faces can be displayed on each screen, e.g., in Passfaces nine faces. An attacker has a 1-in-9 chance of guessing this passface. Consequently, the login process requires repetitive rounds of face recognition. If four rounds are used the chance of guessing the password is (1/9)^4 ≈ 1.5 × 10^-4. With a few thousand random guesses an attacker would be likely to find the password. To increase security to a level similar to that of an 8-character alphanumeric password, 15 or 16 rounds would be required. This could be slow and annoying to the user.
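The arithmetic behind the recognition-round argument above, and the password-space comparison the paper relies on when it chooses five click points, can be carried through in a few lines. The following is an added example, not code from the paper or from any of the systems it cites. The 9 faces per round, 4 rounds and 8-character alphanumeric length come from the text; the 62-symbol alphanumeric alphabet, the image size, the tolerance size and the modelling of the tolerance as a square cell that tiles the image are assumptions made here for illustration.

```python
import math

# Values stated in the paper.
FACES_PER_ROUND = 9
PASSFACES_ROUNDS = 4
ALPHANUMERIC_LENGTH = 8
# Assumption: upper + lower case letters and digits (26 + 26 + 10).
ALPHANUMERIC_ALPHABET = 62


def guess_probability(choices_per_round, rounds):
    """Probability that a single random guess passes every recognition round."""
    return (1.0 / choices_per_round) ** rounds


def recognition_space(choices_per_round, rounds):
    """Number of distinct sequences an attacker must cover: one per combination of picks."""
    return choices_per_round ** rounds


def alphanumeric_space(alphabet_size, length):
    """Number of distinct passwords of a fixed length over a fixed alphabet."""
    return alphabet_size ** length


def rounds_to_match(choices_per_round, target_space):
    """Smallest number of recognition rounds whose space is at least target_space."""
    return math.ceil(math.log(target_space) / math.log(choices_per_round))


def click_point_space(width, height, tolerance, points):
    """Assumption: the tolerance is a square cell of side `tolerance` pixels and cells
    tile the image, so each click resolves to one cell; order matters, repeats allowed."""
    cells = (width // tolerance) * (height // tolerance)
    return cells ** points


def compare(width=640, height=480, tolerance=20, points=5):
    """Summarise the three schemes side by side (image geometry is an assumed example)."""
    alnum = alphanumeric_space(ALPHANUMERIC_ALPHABET, ALPHANUMERIC_LENGTH)
    return {
        "passfaces_4_round_guess_probability": guess_probability(FACES_PER_ROUND, PASSFACES_ROUNDS),
        "passfaces_4_round_space": recognition_space(FACES_PER_ROUND, PASSFACES_ROUNDS),
        "alphanumeric_8_char_space": alnum,
        "rounds_needed_to_match_alphanumeric": rounds_to_match(FACES_PER_ROUND, alnum),
        "click_point_space": click_point_space(width, height, tolerance, points),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:40s} {value:.3e}" if isinstance(value, float) else f"{name:40s} {value}")
```

With these assumptions the four-round Passfaces space is 6561 sequences, so "a few thousand random guesses" is the whole space; sixteen rounds are needed before the space reaches that of 62^8 alphanumeric passwords, which is the paper's 15-or-16 figure. Note that the click-point space is an upper bound on attacker effort: it assumes every cell is equally likely, which is exactly the assumption the Conclusion says the study's data did not contradict but also did not prove.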
Procedure
A single PC with a high resolution 19 inch monitor was used in the experiment. Testing was done individually. Participants were randomly assigned to the graphical or alphanumeric condition. Each individual participated in three sessions. The first session lasted about 35 minutes. First, the procedures of the experiment were explained to the participants. Then they chose a password, following instructions given on the screen. Graphical password users had to select and enter five distinct points on the picture, with no point within the tolerance around any other chosen point. They were told that they would have to remember the points and the order in which they were input. Alphanumeric users had to enter eight characters including at least one upper case letter and one digit. They were also told not to choose a password they had already used. The system required the participants to re-enter the password until they chose a valid one. A graphical password of 5 points was used based on our analysis (Wiedenbeck et al., 2005), which shows that in terms of security 5 click points provide a password space as large as or larger than an alphanumeric password of 8 characters. When the participant had created a valid password, the password was displayed as feedback to the participant before going on to the next phase.
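The enrollment rules described in this procedure (five distinct points, none within the tolerance of another, order significant; eight alphanumeric characters with an upper case letter and a digit, not previously used) are easy to state but worth seeing as a concrete check. The following is an added example written for this page; it is not the PassPoints implementation. The tolerance is modelled as a square of half-side `TOLERANCE` pixels around each click, the image dimensions and the 20-pixel value are assumed, and "eight characters" is read here as a minimum length; none of these details are given in the text. For clarity the example compares stored click coordinates directly; how a deployed system stores a click-point secret without keeping raw coordinates is a separate design question the paper does not cover.

```python
REQUIRED_POINTS = 5      # from the paper
TOLERANCE = 20           # assumed half-side of the tolerance square, in pixels
MIN_ALNUM_LENGTH = 8     # paper says "eight characters"; treated here as a minimum


def within_tolerance(p, q, tolerance=TOLERANCE):
    """True when q lies inside the square tolerance region centred on p (assumed shape)."""
    return abs(p[0] - q[0]) <= tolerance and abs(p[1] - q[1]) <= tolerance


def validate_graphical_enrollment(points, width, height, tolerance=TOLERANCE):
    """Return a list of rule violations for a proposed click-point password.
    An empty list means the password is acceptable and may be stored."""
    problems = []
    if len(points) != REQUIRED_POINTS:
        problems.append(f"expected {REQUIRED_POINTS} points, got {len(points)}")
    for i, p in enumerate(points):
        if not (0 <= p[0] < width and 0 <= p[1] < height):
            problems.append(f"point {i} {p} lies outside the image")
        # Every pair must be separated by more than the tolerance, otherwise two
        # clicks would be indistinguishable at login time.
        for j in range(i + 1, len(points)):
            if within_tolerance(p, points[j], tolerance):
                problems.append(f"points {i} and {j} are within the tolerance of each other")
    return problems


def graphical_login(enrolled, attempt, tolerance=TOLERANCE):
    """Order matters: the k-th click of the attempt must fall inside the
    tolerance region of the k-th enrolled click."""
    if len(attempt) != len(enrolled):
        return False
    return all(within_tolerance(e, a, tolerance) for e, a in zip(enrolled, attempt))


def validate_alphanumeric(password, previously_used=()):
    """Return a list of rule violations for a proposed alphanumeric password."""
    problems = []
    if len(password) < MIN_ALNUM_LENGTH:
        problems.append(f"shorter than {MIN_ALNUM_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if password in previously_used:
        problems.append("password was used before")
    return problems


# Constructed sample data: an assumed 640 x 480 image and five well-separated clicks.
IMAGE_WIDTH, IMAGE_HEIGHT = 640, 480
SAMPLE_POINTS = [(30, 40), (100, 200), (300, 120), (410, 50), (250, 300)]
# A second attempt in which the user clicks slightly off each enrolled point.
SAMPLE_ATTEMPT = [(35, 44), (96, 190), (310, 125), (400, 60), (258, 295)]

if __name__ == "__main__":
    print("enrollment problems:", validate_graphical_enrollment(SAMPLE_POINTS, IMAGE_WIDTH, IMAGE_HEIGHT))
    print("login with nearby clicks:", graphical_login(SAMPLE_POINTS, SAMPLE_ATTEMPT))
    print("login with points in wrong order:", graphical_login(SAMPLE_POINTS, SAMPLE_ATTEMPT[::-1]))
    print("alphanumeric problems:", validate_alphanumeric("password"))
```

The pairwise separation check is what makes the tolerance safe to use at login: if two enrolled points could share a tolerance region, a login click landing between them would match either, and the effective password space would be smaller than the five-cell calculation suggests.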
Conclusion
The empirical testing of PassPoints indicates strengths and weaknesses, but is overall encouraging. Graphical users' retention of their password over five weeks was similar to that of alphanumeric users, perhaps even a bit better. This result is notable because it was achieved in very intermittent use and with very little experience with graphical passwords. In practice users of graphical passwords may outperform alphanumeric password users, given more experience with graphical passwords and the opportunity to use their graphical passwords regularly for some period of time. While graphical users always took more time to input their passwords than alphanumeric users, there was evidence that with continuous use graphical passwords can be entered quite quickly.
This work focused on the usability of PassPoints, but its security is also an important issue. PassPoints seems to hold out the prospect of a much more secure system. It is easy to obtain large password spaces. Furthermore, in our experiment it appears that users rarely chose points that were within the tolerance around the click point of another participant. That is, people were not strongly drawn to a few salient areas that an attacker might guess. Finally, there is currently no efficient way of creating dictionary attacks against the system. These observations point to further study of the security and usability of PassPoints.