A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords

ACM International Conference Proceeding Series

Volumn 149, Issue , 2006, Pages 56-66

  Tari, Furkan ^a   Ozok, A Ant ^a   Holden, Stephen H ^a  

^a UNIVERSITY OF MARYLAND BALTIMORE COUNTY   (United States)

Author keywords

Authentication; Graphical passwords; Human factors; Password security; Shoulder surfing; Social engineering; Usable security

Indexed keywords

GRAPHICAL PASSWORDS; HUMAN FACTORS; PASSWORD SECURITY; SHOULDER SURFING; SOCIAL ENGINEERING; USABLE SECURITY;

COMPUTER GRAPHICS; DATA ACQUISITION; DIGITAL LIBRARIES; RISK ANALYSIS; SENSORY PERCEPTION; STORAGE ALLOCATION (COMPUTER); USER INTERFACES;

SECURITY OF DATA;

EID: 34250782167     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1143120.1143128     Document Type: Conference Paper

References (27)

1. A. Adams and M. A. Sasse, "Users are not the Enemy: Why Users Compromise Computer Security Mechanisms and how to Take Remedial Measures," Communications of the ACM, vol. 42, pp. 41-46, 1999.
2. R. J. Anderson, "Why Cryptosystems Fail," Communications of the ACM, vol. 37, pp. 32-40, 1994.
3. C. T. Beardsley, "Is Your Computer Insecure?," IEEE Spectrum, vol. 9, pp. 67-78, 1972.
4. V. A. Brennen, "Cryptography Dictionary," vol. 2005, 1.0.0 ed, 2004.
5. S. Brostoff and A. Sasse, "Are Passfaces More Usable Than Passwords? A Field Trial Investigation," presented at People and Computers XIV - Usability or Else! Proceedings of HCI 2000, Sunderland University, 2000.
6. R. Chellappa, C. L. Wilson, and S. Sirohey, "Human and Machine Recognition of Faces: A Survey," Proceedings of the IEEE, vol. 83, pp. 705-741, 1995.
7. L. F. Cranor and S. Garfinkel, "Secure or Usable?," IEEE Privacy & Security, vol. 2, pp. 16-18, 2004.
8. L. F. Cranor and S. Garfinkel, "Security and Usability: Designing Secure Systems that People Can Use." Sebastopol, CA: O' Reilly Media, Inc.. 2005.
9. D. Davis, F. Monrose, and M. Reiter, "On User Choice in Graphical Password Schemes," presented at 13th Usenix Security Symposium, San Diego, CA, 2004.
10. A. De Angeli, M. Coutts, L. Coventry, D. Cameron, G. I. Johnson, and M. Fischer, "VIP: A Visual Approach to User Authentication," presented at Working Conference on Advanced Visual Interfaces: AVI2002, Trento, Italy, 2002.
11. Department of Defense Computer Security Center, "Department of Defense Password Management Guideline," Department of Defense, Washington, DC CSC-STD-002-85, April 12 1985.
12. R. Dhamija and A. Perrig, "Deja Vu: A User Study. Using Images for Authentication," presented at 9th USENDC Security Symposium, 2000.
13. P. Doyle and S. Hanna, "Analysis of June 2003 Survey on Obstacles to PKI Deployment and Usage," Organization for the Advancement of Structured Information Standards, Billerica, MA August 8 2003.
14. S. M. Furnell, I. Papadopoulos, and P. S. Dowland, "A long-term trial of alternative user authentication technologies," Information Management and Computer Security, vol. 12, pp. 178-190, 2004.
15. S. Granger, "Social Engineering Fundamentals, Part I: Hacker Tactics," vol. 2006: SecurityFocus, 2001.
16. B. Ives, K. R. Walsh, and H. Schneider, "The Domino Effect of Password Reuse," Communications of the ACM, vol. 47, pp. 75-78, 2004.
17. I. Jermyn, A. Mayer, F. Monrose, M. Reiter, and A. Rubin, "The Design and Analysis of Graphical Passwords," presented at 8th USENDC Security Symposium, Washington, DC, 1999.
18. J. Liddell, K. Renaud, and A. De Angeli, "Using a Combination of Sound and Images to Authenticate Web Users," presented at 17th Annual Human Computer Interaction Conference: Designing for Society, Bath England, 2003.
19. S. Man, D. Hong, B. Hayes, and M. Matthews, "A password scheme strongly resistant to spyware," presented at Int. Conf. on Security and Management, Las Vegas, NV, 2004.
20. S. Man, D. Hong, M. Matthews, and J. C. Birget, "A shoulder-surfing resistant graphical password scheme," 2006.
21. G. A. Miller, "The Magical Number Seven, Plus or Minus Two: Some Limits on Our Capacity for Processing Information," The Psychological Review, vol. 63, pp. 81-97, 1956.
22. K. D. Mitnick and W. L. Simon, The Art of Deception: Controlling the Human Element of Security. New York: John Wiley & Sons, 2002.
23. National Research Council, Who Goes There? Authentication Through the Lens of Privacy. Washington, DC: National Academy Press, 2003.
24. J. Nolan and M. Levesque, "Hacking human: data-archaeology and surveillance in social networks," ACM SIGGROUP Bulliten, vol. 25, pp. 33-37.
25. L. O'Gorman, "Comparing Passwords, Tokens, and Biometrics for User Authentication," Proceedings of the IEEE, vol. 91, pp. 2021-2039, 2003.
26. G. Orgill, G. W. Romney, and P. M. Orgill, "The Urgency for Effective User Privacy Education to Counter Social Engineering Attacks on Secure Computer Systems," presented at 5th Coneference on Information Technology Education (SIGITE '04), Salt Lake City, Utah, 2004.
27. A. A. Ozok and S. H. Holden, "Alphanumeric and Graphical Authentication Solutions: A Comparative