Towards secure design choices for implementing graphical passwords

Proceedings - Annual Computer Security Applications Conference, ACSAC

Volumn , Issue , 2004, Pages 50-60

  Thorpe, Julie ^a   Van Oorschot, P C ^a  

^a CARLETON UNIVERSITY   (Canada)

Author keywords

[No Author keywords available]

Indexed keywords

AUTHENTICATION; BRUTE-FORCE GUESSING ATTACKS; DRAW-A-SECRET (DAS); PASSWORDS;

COMPUTATIONAL COMPLEXITY; ERROR ANALYSIS; GRAPHIC METHODS; PROBABILITY; UNIX; VISUALIZATION;

SECURITY OF DATA;

EID: 21644474142     PISSN: 10639527     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/CSAC.2004.44     Document Type: Conference Paper

References (29)

1. F. Attneave. Complexity of Patterns. American Journal of Psychology, 68:209-222, 1955.
2. J.-C. Birget, D. Hong, and N. Memon. Robust Discretization, With an Application to Graphical Passwords. Cryptology ePrint Archive, Report 2003/168, 2003. http://eprint.iacr.org/, site accessed Jan. 12, 2004.
3. D. Davis, F. Monrose, and M. Reiter. On User Choice in Graphical Password Schemes. In 13th USENIX Security Symposium, 2004.
4. R. Dhamija and A. Perrig. Déjà Vu: A User Study Using Images for Authentication. In 9th USENIX Security Symposium, 2000.
5. R.-S. French. Identification of Dot Patterns From Memory as a Function of Complexity. Journal of Experimental Psychology, 47:22-26, 1954.
6. J. Goldberg, J. Hagman, and V. Sazawal. Doodling Our Way to Better Authentication, 2002. CHI '02 extended abstracts on Human Factors in Computer Systems.
7. S.-I. Ichikawa. Measurement of Visual Memory Span by Means of the Recall of Dot-in-Matrix Patterns. Behavior Research Methods and Instrumentation, 14(3):309-313, 1982.
8. J. Nakajima and M. Matsui. Performance Analysis and Parallel Implementation of Dedicated Hash Functions. In Advances in Cryptology - Proceedings of EUROCRYPT 2002, pages 165-180, 2002.
9. I. Jermyn, A. Mayer, F. Monrose, M. Reiter, and A. Rubin. The Design and Analysis of Graphical Passwords. 8th USENIX Security Symposium, 1999.
10. D. Klein. Foiling the Cracker: A Survey of, and Improvements to, Password Security. In The 2nd USENIX Security Workshop, pages 5-14, 1990.
11. S. Madigan. Picture Memory. In J. C. Yuille, editor, Imagery, Memory and Cognition, pages 65-89. Lawrence Erlbaum Associates Inc., N.J., U.S.A., 1983.
12. J. Massey. Guessing and Entropy. In ISIT: Proceedings IEEE International Symposium on Information Theory, page 204, 1994.
13. R. McEliece. The Theory of Information and Coding, volume 3 of Encyclopedia of Mathematics and its Applications, chapter Entropy and Mutual Information, pages 15-46. Addison-Wesley Publishing Company, 1977.
14. Microsoft. Microsoft XP Tablet PC Edition. http://www. microsoft.com/windowsxp/tabletpc, site accessed May 14, 2004.
15. F. Monrose. Towards Stronger User Authentication. PhD thesis, NY University, 1999.
16. A. Muffett. Crack password cracker, http://ciac.llnl.gov/ciac/ToolsUnixAuth.html, site accessed Jan. 12, 2004.
17. D. Nali and J. Thorpe. Analyzing User Choice in Graphical Passwords. Tech. Report TR-04-01, School of Computer Science, Carleton University, Canada, 2004.
18. Openwall Project. John the Ripper password cracker, http://www.openwall.com/john/, site accessed Jan.7, 2004.
19. Openwall Project. Wordlists. http://www.openwall.com/passwords/wordlists/, site accessed Jan.7 2004.
20. A. Perrig and D. Song. Hash Visualization: a New Technique to Improve Real-World Security. In International Workshop on Cryptographic Techniques and E-Commerce, pages 131-138, 1999.
21. B. Pinkas and T. Sander. Securing Passwords Against Dictionary Attacks. In 9th ACM Conference on Computer and Communications Security, pages 161-170. ACM Press, 2002.
22. Real User Corporation. About Passfaces. http://www.realuser.com, site accessed May 24, 2004.
23. C. Shannon. A Mathematical Theory of Communication. The Bell System Technical Journal, 27:379-423, 1948.
24. E. Spafford. Crisis and Aftermath (The Internet Worm). Comm. of the ACM, 32(6):678-687, 1989.
25. S. Stubblebine and P. van Oorschot. Addressing Online Dictionary Attacks with Login Histories and Humans-in-the-Loop. In Financial Cryptography'04. Springer-Verlag LNCS (to appear), 2004.
26. J. Thorpe and P. van Oorschot. Graphical Dictionaries and the Memorable Space of Graphical Passwords. In 13th USENIX Security Symposium, 2004.
27. J. Thorpe and P. van Oorschot. Towards Secure Design Choices for Implementing Graphical Passwords (Extended Version), http://www.scs.carleton.ca/~jthorpe, 2004.
28. J. Yan. A Note on Proactive Password Checking. ACM New Security Paradigms Workshop, New Mexico, USA, 2001. http://citeseer.nj.nec.com/yan01note.html, site accessed Jan. 12, 2004.
29. J. Yan, A. Blackwell, R. Anderson, and A. Grant. The Memorability and Security of Passwords - Some Empirical Results. Technical Report No. 500,Computer Laboratory,University of Cambridge, 2000. http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/tr500.pdf, site accessed September 6, 2004.