Draw a secret (DAS) is a representative graphical password scheme. Rigorous theoretical analysis suggests that DAS supports an overall password space larger than that of the ubiquitous textual password scheme. However, recent research suggests that DAS users tend to choose weak passwords, and their choices would render this theoretically sound scheme less secure in real life.

In this paper we investigate the novel idea of introducing background images to the DAS scheme, where users were initially supposed to draw passwords on a blank canvas overlaid with a grid. Encouraging results from our two user studies have shown that people aided with background images tended to set significantly more complicated passwords than their counterparts using the original scheme. The background images also reduced other predictable characteristics in DAS passwords such as symmetry and centering within the drawing grid, further improving the strength of the passwords. We estimate that the average strength of successfully recalled passwords in the enhanced scheme was increased over those created using the original scheme by more than 10 bits. Moreover, a positive effect was observed with respect to the memorability of the more complex passwords encouraged by the background images.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	G. Blonder. Graphical passwords. US Patent 5559961, 1996.
	2	S. Brostoff and M. A. Sasse. Are Passfaces™ more usable than passwords? A field trial investigation. Proc. of HCI, 2000, pp 405--424
	3	Sonia Chiasson , Robert Biddle , P. C. van Oorschot, A second look at the usability of click-based graphical passwords, Proceedings of the 3rd symposium on Usable privacy and security, July 18-20, 2007, Pittsburgh, Pennsylvania  [doi>10.1145/1280680.1280682]
	4	Darren Davis , Fabian Monrose , Michael K. Reiter, On user choice in graphical password schemes, Proceedings of the 13th conference on USENIX Security Symposium, p.11-11, August 09-13, 2004, San Diego, CA
	5	Ahmet Emir Dirik , Nasir Memon , Jean-Camille Birget, Modeling user choice in the PassPoints graphical password scheme, Proceedings of the 3rd symposium on Usable privacy and security, July 18-20, 2007, Pittsburgh, Pennsylvania  [doi>10.1145/1280680.1280684]
	6	Joseph Goldberg , Jennifer Hagman , Vibha Sazawal, Doodling our way to better authentication, CHI '02 extended abstracts on Human factors in computing systems, April 20-25, 2002, Minneapolis, Minnesota, USA  [doi>10.1145/506443.506639]
	7	Ian Jermyn , Alain Mayer , Fabian Monrose , Michael K. Reiter , Aviel D. Rubin, The design and analysis of graphical passwords, Proceedings of the 8th conference on USENIX Security Symposium, p.1-1, August 23-26, 1999, Washington, D.C.
	8	D. Nali and J. Thorpe. Analyzing User Choice in Graphical Passwords, Technical Report TR-04-01, School of Computer Science, Carleton University, 2004.
	9	Donald A. Norman, Things that make us smart: defending human attributes in the age of the machine, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 1993
	10	Real User Corporation. The Science Behind Passfaces. Revision 2, Sept. 2001. Available at http://www.realuser.com/published/ScienceBehindPassfaces.pdf.
	11	Xiaoyuan Suo , Ying Zhu , G. Scott. Owen, Graphical Passwords: A Survey, Proceedings of the 21st Annual Computer Security Applications Conference, p.463-472, December 05-09, 2005  [doi>10.1109/CSAC.2005.27]
	12	Julie Thorpe , P. C. van Oorschot, Graphical dictionaries and the memorable space of graphical passwords, Proceedings of the 13th conference on USENIX Security Symposium, p.10-10, August 09-13, 2004, San Diego, CA
	13	Julie Thorpe , P. C. van Oorschot, Towards Secure Design Choices for Implementing Graphical Passwords, Proceedings of the 20th Annual Computer Security Applications Conference, p.50-60, December 06-10, 2004  [doi>10.1109/CSAC.2004.44]
	14	Julie Thorpe , P. C. van Oorschot, Human-seeded attacks and exploiting hot-spots in graphical passwords, Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, p.1-16, August 06-10, 2007, Boston, MA
	15	Susan Wiedenbeck , Jim Waters , Jean-Camille Birget , Alex Brodskiy , Nasir Memon, PassPoints: design and longitudinal evaluation of a graphical password system, International Journal of Human-Computer Studies, v.63 n.1-2, p.102-127, July 2005  [doi>10.1016/j.ijhcs.2005.04.010]
	16	Susan Wiedenbeck , Jim Waters , Jean-Camille Birget , Alex Brodskiy , Nasir Memon, Authentication using graphical passwords: effects of tolerance and image choice, Proceedings of the 2005 symposium on Usable privacy and security, p.1-12, July 06-08, 2005, Pittsburgh, Pennsylvania  [doi>10.1145/1073001.1073002]
	17	Jeff Yan , Alan Blackwell , Ross Anderson , Alasdair Grant, Password Memorability and Security: Empirical Results, IEEE Security and Privacy, v.2 n.5, p.25-31, September 2004  [doi>10.1109/MSP.2004.81]
	18	Jianxin Jeff Yan, A note on proactive password checking, Proceedings of the 2001 workshop on New security paradigms, September 10-13, 2001, Cloudcroft, New Mexico  [doi>10.1145/508171.508194]
	19	VisKey, http://www.sfr-software.de/cms/EN/pocketpc/viskey/index.html, last accessed in Feb, 2007.
	20	V-GO, http://www.passlogix.com/, last accessed in Feb, 2007