Order and entropy in picture passwords
Source
GI; Vol. 322
Proceedings of Graphics Interface 2008
Windsor, Ontario, Canada
Session: Evaluation
Pages 115-122
Year of Publication: 2008
ISSN: 0713-5424, ISBN: 978-1-56881-423-0
Authors
Saranga Komanduri, Bowling Green State University
Dugald R. Hutchings, Bowling Green State University
Sponsor
The Canadian Human-Computer Communications Society / Société Canadienne du Dialogue Humaine Machine (CHCCS/SCDHM)
Publisher
Canadian Information Processing Society, Toronto, Ont., Canada
Bibliometrics
Downloads (6 Weeks): 13,   Downloads (12 Months): 153,   Citation Count: 0

ABSTRACT

Previous efforts involving picture-based passwords have not focused on maintaining a measurably high level of entropy. Since password systems usually allow user selection of passwords, their true entropy remains unknown. A 23-participant study was performed in which picture and character-based passwords of equal strength were randomly assigned. Memorability was tested with up to one week between sessions. The study found that both character and picture passwords of very high entropy were easily forgotten. However, when password inputs were analyzed to determine the source of input errors, serial ordering was found to be the main cause of failure. This supports a hypothesis stating that picture-password systems which do not require ordered input may produce memorable, high-entropy passwords. Input analysis produced another interesting result, that incorrect inputs by users are often duplicated. This reduces the number of distinct guesses users can make when authentication systems lock out users after a number of failed logins. A protocol for ignoring duplicate inputs is presented here. A shoulder-surfing resistant input method was also evaluated, with six out of 15 users performing an insecure behavior.


