Previous research has found graphical passwords to be more memorable than non-dictionary or "strong" alphanumeric passwords. Participants in a prior study expressed concerns that this increase in memorability could also lead to an increased susceptibility of graphical passwords to shoulder-surfing. This appears to be yet another example of the classic trade-off between usability and security for authentication systems. This paper explores whether graphical passwords' increased memorability necessarily leads to risks of shoulder-surfing. To date, there are no studies examining the vulnerability of graphical versus alphanumeric passwords to shoulder-surfing.This paper examines the real and perceived vulnerability to shoulder-surfing of two configurations of a graphical password, Passfaces™[30], compared to non-dictionary and dictionary passwords. A laboratory experiment with 20 participants asked them to try to shoulder surf the two configurations of Passfaces™ (mouse versus keyboard data entry) and strong and weak passwords. Data gathered included the vulnerability of the four authentication system configurations to shoulder-surfing and study participants' perceptions concerning the same vulnerability. An analysis of these data compared the relative vulnerability of each of the four configurations to shoulder-surfing and also compared study participants' real and perceived success in shoulder-surfing each of the configurations. Further analysis examined the relationship between study participants' real and perceived success in shoulder-surfing and determined whether there were significant differences in the vulnerability of the four authentication configurations to shoulder-surfing.Findings indicate that configuring data entry for Passfaces™ through a keyboard is the most effective deterrent to shoulder-surfing in a laboratory setting and the participants' perceptions were consistent with that result. While study participants believed that Passfaces™ with mouse data entry would be most vulnerable to shoulder-surfing attacks, the empirical results found that strong passwords were actually more vulnerable.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Anne Adams , Martina Angela Sasse, Users are not the enemy, Communications of the ACM, v.42 n.12, p.40-46, Dec. 1999  [doi>10.1145/322796.322806]
	2	Ross J. Anderson, Why cryptosystems fail, Communications of the ACM, v.37 n.11, p.32-40, Nov. 1994  [doi>10.1145/188280.188291]
	3	C. T. Beardsley, "Is Your Computer Insecure?," IEEE Spectrum, vol. 9, pp. 67--78, 1972.
	4	V. A. Brennen, "Cryptography Dictionary," vol. 2005. 1.0.0 ed. 2004.
	5	S. Brostoff and A. Sasse, "Are Passfaces More Usable Than Passwords? A Field Trial Investigation," presented at People and Computers XIV - Usability or Else! Proceedings of HCI 2000, Sunderland University, 2000.
	6	R. Chellappa. C. L. Wilson, and S. Sirohey, "Human and Machine Recognition of Faces: A Survey," Proceedings of the IEEE, vol. 83, pp. 705--741, 1995.
	7	Lorrie Faith Cranor , Simson Garfinkel, Guest Editors' Introduction: Secure or Usable?, IEEE Security and Privacy, v.2 n.5, p.16-18, September 2004  [doi>10.1109/MSP.2004.69]
	8	Lorrie Cranor , Simson Garfinkel, Security and Usability, O'Reilly Media, Inc., 2005
	9	D. Davis, F. Monrose, and M. Reiter, "On User Choice in Graphical Password Schemes," presented at 13th Usenix Security Symposium, San Diego, CA, 2004.
	10	A. De Angeli, M. Coutts, L. Coventry, D. Cameron, G. I. Johnson, and M. Fischer, "VIP: A Visual Approach to User Authentication," presented at Working Conference on Advanced Visual Interfaces: AVI2002, Trento, Italy, 2002.
	11	Department of Defense Computer Security Center, "Department of Defense Password Management Guideline," Department of Defense, Washington, DC CSC-STD-002-85, April 12 1985.
	12	R. Dhamija and A. Perrig, "Deja Vu: A User Study. Using Images for Authentication," presented at 9th USENIX Security Symposium, 2000.
	13	P. Doyle and S. Hanna, "Analysis of June 2003 Survey on Obstacles to PKI Deployment and Usage," Organization for the Advancement of Structured Information Standards, Billerica, MA August 8 2003.
	14	S. M. Furnell, I. Papadopoulos, and P. S. Dowland, "A long-term trial of alternative user authentication technologies," Information Management and Computer Security, vol. 12, pp. 178--190, 2004.
	15	S. Granger, "Social Engineering Fundamentals, Part I: Hacker Tactics," vol. 2006: SecurityFocus, 2001.
	16	Blake Ives , Kenneth R. Walsh , Helmut Schneider, The domino effect of password reuse, Communications of the ACM, v.47 n.4, p.75-78, April 2004  [doi>10.1145/975817.975820]
	17	I. Jermyn, A. Mayer, F. Monrose, M. Reiter, and A. Rubin, "The Design and Analysis of Graphical Passwords," presented at 8th USENIX Security Symposium, Washington, DC, 1999.
	18	J. Liddell, K. Renaud, and A. De Angeli, "Using a Combination of Sound and Images to Authenticate Web Users," presented at 17th Annual Human Computer Interaction Conference: Designing for Society, Bath England, 2003.
	19	S. Man, D. Hong, B. Hayes, and M. Matthews, "A password scheme strongly resistant to spyware," presented at Int. Conf. on Security and Management, Las Vegas, NV, 2004.
	20	S. Man, D. Hong, M. Matthews, and J. C. Birget, "A shoulder-surfing resistant graphical password scheme," 2006.
	21	G. A. Miller, "The Magical Number Seven, Plus or Minus Two: Some Limits on Our Capacity for Processing Information," The Psychological Review, vol. 63, pp. 81--97, 1956.
	22	Kevin D. Mitnick , William L. Simon , William Simon, The Art of Deception: Controlling the Human Element of Security, John Wiley & Sons, Inc., New York, NY, 2002
	23	National Research Council, Who Goes There? Authentication Through the Lens of Privacy. Washington, DC: National Academy Press, 2003.
	24	Jason Nolan , Michelle Levesque, Hacking human: data-archaeology and surveillance in social networks, ACM SIGGROUP Bulletin, v.25 n.2, p.33-37, February 2005  [doi>10.1145/1067721.1067728]
	25	L. O'Gorman, "Comparing Passwords, Tokens, and Biometrics for User Authentication," Proceedings of the IEEE, vol. 91, pp. 2021--2039, 2003.
	26	Gregory L. Orgill , Gordon W. Romney , Michael G. Bailey , Paul M. Orgill, The urgency for effective user privacy-education to counter social engineering attacks on secure computer systems, Proceedings of the 5th conference on Information technology education, October 28-30, 2004, Salt Lake City, UT, USA  [doi>10.1145/1029533.1029577]
	27	A. A. Ozok and S. H. Holden. "Alphanumeric and Graphical Authentication Solutions: A Comparative Evaluation," presented at HCI International 2005, Las Vegas, NV, 2005.
	28	Andrew S. Patrick , A. Chris Long , Scott Flinn, HCI and security systems, CHI '03 extended abstracts on Human factors in computing systems, April 05-10, 2003, Ft. Lauderdale, Florida, USA  [doi>10.1145/765891.766146]
	29	R. W. Proctor, M.-C. Lien, K.-P. L. Vu, and G. Salvendy, "Improving Computer Security for Authentication of Users: Influence of Proactive Password Restrictions," Behavior Reearch Methods, Instruments & Computers, vol. 34, pp. 163--169, 2002.
	30	Real User Corporation, "How the Passface#8482; System Works," vol. 2005, 2005.
	31	K. Renaud and E. Smith, "Helping Users to Remember Their Passwords," presented at Annual Conference of the South African Institute of Computer Scientists and Information Technologists, Pretoria, South Africa, 2001.
	32	K. Renaud and A. D. Angeli, "My Password is here! An investigation into visio-spatial authentication mechanisms," Interacting with Computers, vol. 16, pp. 1017--1041, 2004.
	33	Volker Roth , Kai Richter , Rene Freidinger, A PIN-entry method resilient against shoulder surfing, Proceedings of the 11th ACM conference on Computer and communications security, October 25-29, 2004, Washington DC, USA  [doi>10.1145/1030083.1030116]
	34	M. A. Sasse , S. Brostoff , D. Weirich, Transforming the 'Weakest Link' — a Human/Computer Interaction Approach to Usable and Effective Security, BT Technology Journal, v.19 n.3, p.122-131, July 2001  [doi>10.1023/A:1011902718709]
	35	L. Sobrado and J. C. Birget, "Shoulder-surfing resistant graphical passwords," Draft.
	36	Wayne C. Summers , Edward Bosworth, Password policy: the good, the bad, and the ugly, Proceedings of the winter international synposium on Information and communication technologies, January 05-08, 2004, Cancun, Mexico
	37	Richard C. Thomas , Amela Karahasanovic , Gregor E. Kennedy, An investigation into keystroke latency metrics as an indicator of programming performance, Proceedings of the 7th Australasian conference on Computing education, p.127-134, January 01, 2005, Newcastle, New South Wales, Australia
	38	M. Turk, "A Random Walk Through Eigenspace," IEICE Transactions of Information and Systems, vol. E84-D, pp. 1586--1595, 2001.
	39	J. J. Turnage, "The Challenge of New Workplace Technology for Psychology," American Psychologist, vol. 45, pp. 171--178, 1990.
	40	Lucian Vasiu , Ioana Vasiu, Dissecting Computer Fraud: From Definitional Issues to a Taxonomy, Proceedings of the Proceedings of the 37th Annual Hawaii International Conference on System Sciences (HICSS'04) - Track 7, p.70170.3, January 05-08, 2004
	41	Daphna Weinshall , Scott Kirkpatrick, Passwords you'll never forget, but can't recall, CHI '04 extended abstracts on Human factors in computing systems, April 24-29, 2004, Vienna, Austria  [doi>10.1145/985921.986074]
	42	A. Whitten and J. D. Tygar, "Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0," presented at 8th Usenix Security Symposium, Washington, DC, 1999.
	43	Susan Wiedenbeck , Jim Waters , Jean-Camille Birget , Alex Brodskiy , Nasir Memon, PassPoints: design and longitudinal evaluation of a graphical password system, International Journal of Human-Computer Studies, v.63 n.1-2, p.102-127, July 2005  [doi>10.1016/j.ijhcs.2005.04.010]
	44	R. J. Witty and K. Brittain, "Automated Password Reset Can Cut IT Service Desk Costs," Gartner, Inc., Stamford, CT G00123531, December 13 2004.
	45	R. J. Witty, "Bank of America Implements Simplified Single Sign-On," Gartner, Inc., Stamford, CT G00123465, January 25 2005.
	46	Jeff Yan , Alan , Ross , Alasdair, Password Memorability and Security: Empirical Results, IEEE Security and Privacy, v.2 n.5, p.25-31, September 2004  [doi>10.1109/MSP.2004.81]