27-10-2016, 09:23 AM
1461506052-zhaosec13slides.pdf (Size: 1.9 MB)
Picture Gesture Authentication (PGA)
• A built-in feature of Microsoft Windows 8
• 60 million Windows 8 licenses have been sold
• 400 million computers and tablets will run Windows 8 within one year
Research Questions
1. How to understand user-choice patterns in PGA?
• Background pictures
• Gesture location
• Gesture type
• Gesture order
2. How to use these patterns to guess PGA passwords?
Outline
Part 1: Analysis of more than 10,000 PGA passwords collected from user studies
Part 2: A fully automated attack framework on PGA
Part 3: Attack results on the collected passwords
Part 1: User Studies
1. Web-based PGA system
• Similarity to Windows PGA
• Workflow
• Appearance
2. Data collection
3. Analysis: survey and results
Part 1: User Studies
Dataset-1
• ASU undergraduate computer security class (Fall 2012)
• 56 participants
• 58 unique pictures
• 86 passwords
• 2,536 login attempts
Dataset-2
• Scenario: the password is used to protect your bank account
• Amazon MTurk
• 15 pictures selected in advance
• 762 participants
• 10,039 passwords
Survey questions
• General information about the subject
• General feelings toward PGA
• How he/she selects a background picture
• How he/she selects a password
Part 1: User-choice Patterns
Why or why not a picture of people
Advocates:
i) it is more friendly
‘The image was special to me so I enjoy seeing it when I log in’
ii) it is easier for remembering passwords
‘Marking points on a person is easier to remember’
iii) it makes the password more secure
‘The picture is personal so it should be much harder for someone to guess the password’
Others:
i) it leaks his or her identity or privacy
‘revealing myself or my family to anyone who picks up the device’
Part 2: Attack Framework
Goal: generate dictionaries that contain likely passwords
• Picture-specific dictionary
• Rank passwords by likelihood
• Work on previously unseen pictures
• Our approach
• Automatically learns user-choice patterns from the training pictures and their corresponding passwords
• Then applies these patterns to the target picture to generate a dictionary
Selection Function
Selection function
• Models the password-creation process that users go through
• Takes two types of parameters
• Gesture type, such as tap, circle, line
• PoI (point of interest) attribute, such as face, eye, …
• Generates a group of gestures
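The dictionary-generation step of Part 2 and the selection function above, carried through as an added worked example. This is not the authors' code or the framework from the slides: it assumes a hypothetical PoI representation of a picture as (attribute, x, y) tuples, constructed training pairs and a made-up target picture, and a simple likelihood model that mixes whole-sequence frequency with per-position frequency. The real framework's PoI extraction and ranking details are not on this page.

```python
from collections import Counter
from itertools import product

# Constructed sample data (not the paper's datasets). A PoI is a tuple
# (attribute, x, y); a concrete gesture is (gesture_type, [poi, ...]):
# tap and circle take one PoI, line takes a start PoI and an end PoI.
PIC_A = [("face", 100, 80), ("face", 300, 90), ("eye", 90, 70), ("eye", 110, 70)]
PIC_B = [("face", 200, 150), ("eye", 190, 140), ("eye", 210, 140), ("nose", 200, 170)]
TRAINING = [  # (picture, password) pairs, as a user study would collect them
    (PIC_A, [("tap", [PIC_A[0]]), ("tap", [PIC_A[1]]), ("circle", [PIC_A[2]])]),
    (PIC_B, [("tap", [PIC_B[0]]), ("tap", [PIC_B[0]]), ("circle", [PIC_B[1]])]),
    (PIC_A, [("tap", [PIC_A[0]]), ("line", [PIC_A[2], PIC_A[3]]), ("tap", [PIC_A[1]])]),
    (PIC_B, [("circle", [PIC_B[0]]), ("tap", [PIC_B[1]]), ("tap", [PIC_B[3]])]),
]
# A previously unseen target picture: two faces, two eyes, one hand, no nose.
TARGET = [("face", 50, 60), ("face", 220, 70), ("eye", 45, 50),
          ("eye", 60, 50), ("hand", 150, 200)]


def selection_function(gesture):
    """Abstract a concrete gesture into a selection function:
    (gesture_type, tuple of PoI attributes it was drawn on)."""
    gtype, pois = gesture
    return (gtype, tuple(p[0] for p in pois))


def learn_patterns(training):
    """Learn user-choice patterns from training pictures and passwords:
    which selection function users pick at each of the three positions,
    and which whole three-gesture sequences (gesture order) they pick."""
    per_position = [Counter(), Counter(), Counter()]
    sequences = Counter()
    for _picture, password in training:
        seq = tuple(selection_function(g) for g in password)
        sequences[seq] += 1
        for i, sf in enumerate(seq):
            per_position[i][sf] += 1
    return per_position, sequences, len(training)


def sequence_likelihood(seq, per_position, sequences, n, mix=0.5):
    """Likelihood of a selection-function sequence: a mix of the observed
    whole-sequence frequency and the product of per-position frequencies,
    so an unseen combination of seen selection functions is still scored."""
    whole = sequences[seq] / n
    independent = 1.0
    for i, sf in enumerate(seq):
        independent *= per_position[i][sf] / n
    return mix * whole + (1 - mix) * independent


def instantiate(sf, target):
    """Apply one selection function to the target picture's PoIs, yielding
    every concrete gesture it can produce there (nothing if an attribute
    the function needs is absent from the picture)."""
    gtype, attrs = sf
    slots = [[p for p in target if p[0] == a] for a in attrs]
    for pois in product(*slots):
        if gtype == "line" and pois[0] == pois[1]:
            continue  # a line needs two distinct endpoints
        yield (gtype, list(pois))


def generate_dictionary(training, target, max_size=50):
    """Rank candidate PGA passwords for a previously unseen target picture.
    A pattern's likelihood is split evenly over the concrete passwords it
    instantiates to, so a pattern with fewer PoI choices is guessed first."""
    per_position, sequences, n = learn_patterns(training)
    ranked = []
    for seq in product(*[list(c) for c in per_position]):
        options = [list(instantiate(sf, target)) for sf in seq]
        if not all(options):
            continue  # the target lacks a PoI attribute this pattern needs
        score = sequence_likelihood(seq, per_position, sequences, n)
        concrete = list(product(*options))
        ranked.extend((score / len(concrete), list(pw)) for pw in concrete)
    ranked.sort(key=lambda entry: -entry[0])
    return ranked[:max_size]


if __name__ == "__main__":
    for score, password in generate_dictionary(TRAINING, TARGET, max_size=5):
        print(f"{score:.4f}", [(g, [(p[1], p[2]) for p in pois]) for g, pois in password])
```

With the constructed data the most common training pattern (tap a face, tap a face, circle an eye) is instantiated first on the target picture; the pattern that taps a nose is dropped because the target has no nose PoI, and the per-position product keeps unseen orderings of seen selection functions in the dictionary at a lower rank.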