1. Measuring the revised guessability of graphical passwords
- Author
- Ron Poet and Rosanne English
- Subjects
- QA75, Password, Scheme (programming language), Theoretical computer science, Computer science, business.industry, Construct (python library), Machine learning, computer.software_genre, Term (time), Computer graphics, Set (abstract data type), Artificial intelligence, Predictability, business, computer, Selection algorithm, computer.programming_language
- Abstract
- There is no widely accepted way of measuring the level of security of a recognition-based graphical password against guessing attacks. We aim to address this by examining the influence of predictability of user choice on the guessability and proposing a new measure of guessability. Davis et al. showed that these biases exist for schemes using faces and stories; we support this result and show these biases exist in other recognition-based schemes. In addition, we construct an attack exploiting predictability, which we term “Semantic Ordered Guessing Attack” (SOGA). We then apply this attack to two schemes (the Doodles scheme and a standard recognition-based scheme using photographic images) and report the results. The results show that predictability when users select graphical passwords influences the level of security to a varying degree (dependent on the distractor selection algorithm). The standard passimages scheme shows an increase in guessability of up to 18 times more likely than the usual reported guessability; with a similar set up of nine images per screen and four screens, the doodles scheme shows a successful guessing attack is 3.3 times more likely than a random guess. Finally, we present a method of calculating a more accurate guessability value, which we call the revised guessability of a recognition-based scheme. Our conclusion is that to maximise the security of a recognition-based graphical password scheme, we recommend disallowing user choice of images.
- Published
- 2011