Purely automated attacks on PassPoints-style graphical passwords

IEEE Transactions on Information Forensics and Security

Volumn 5, Issue 3, 2010, Pages 393-405

  Van Oorschot, Paul C ^a   Salehi Abari, Amirali ^a   Thorpe, Julie ^b  

^a CARLETON UNIVERSITY   (Canada)

^b UNIVERSITY OF ONTARIO INSTITUTE OF TECHNOLOGY   (Canada)

Author keywords

Algorithms; computer security; graphical user interfaces; human factors; image processing; machine vision

Indexed keywords

AUTOMATED ATTACKS; COMPUTATIONAL MODEL; COMPUTER SECURITY; DATA SETS; FOCUS OF ATTENTION; GRAPH-BASED ALGORITHMS; GRAPHICAL PASSWORD; HUMAN FACTORS; MACHINE VISION; MULTIPLE IMAGE; PASS POINT; VISUAL ATTENTION;

ALGORITHMS; AUTOMATION; COMPUTER VISION; GRAPHICAL USER INTERFACES; HUMAN ENGINEERING; IMAGING SYSTEMS; INTERFACES (COMPUTER); SECURITY SYSTEMS;

SECURITY OF DATA;

EID: 77955677817     PISSN: 15566013     EISSN: None     Source Type: Journal    
DOI: 10.1109/TIFS.2010.2053706     Document Type: Article

References (38)

1. G. Blonder, "Graphical Passwords," U.S. Patent 5559961, 1996.
2. S. Chiasson, A. Forget, R. Biddle, and P. C. van Oorschot, "Influencing users towards better passwords: Persuasive cued click-points," in Proc. HCI, British Computer Society, Liverpool, U.K., 2008.
3. S. Chiasson, A. Forget, R. Biddle, and P. C. van Oorschot, "User interface design affects security: Patterns in click-based graphical passwords," Int. J. Inf. Security, vol.8, no.6, pp. 387-398, 2009.
4. S. Chiasson, A. Forget, E. Stobert, P. C. van Oorschot, and R. Biddle, "Multiple password interference in text passwords and click-based graphical passwords," in 16th ACM Conf. Computer and Communications Security (CCS), Chicago, IL, 2009.
5. S. Chiasson, P. C. van Oorschot, and R. Biddle, "A second look at the usability of click-based graphical passwords," in Proc. 3rd Symp. Usable Privacy and Security (SOUPS), Pittsburgh, PA, 2007.
6. S. Chiasson, P. C. van Oorschot, and R. Biddle, "Graphical password authentication using cued click points," in Proc. Eur. Symp. Research in Computer Security (ESORICS), Dresden, Germany, 2007.
7. D. Comaniciu and P. Meer, "Mean shift: A robust approach toward feature space analysis," IEEE Trans. Patten Analy. Mach. Intell., vol.24, no.5, pp. 603-619, May 2002.
8. N. Cowan, "The magical number 4 in short-term memory: A reconsideration of mental storage capacity," Behavioral Brain Sci., vol.24, pp. 87-185, 2000.
9. D. Davis, F. Monrose, and M. K. Reiter, "On user choice in graphical password schemes," in Proc. 13th USENIX Security Symp., San Diego, CA, 2004.
10. A. Dirik, N. Memon, and J.-C. Birget, "Modeling user choice in the PassPoints graphical password scheme," in 3rd Symp. Usable Privacy and Security (SOUPS), Pittsburgh, PA, 2007.
11. K. M. Everitt, T. Bragin, J. Fogarty, and T. Kohno, "A comprehensive study of frequency, interference, and training of multiple graphical passwords," in Proc. 27th Int. Conf. Human Factors in Computing Systems (CHI'09), Boston, MA, 2009.
12. R. C. Gonzalez and R. E. Woods, Digital Image Processing, 3rd ed. Upper Saddle River, NJ: Prentice-Hall, 2006.
13. C. G. Harris and M. J. Stephens, "A combined corner and edge detector," in Proc. Fourth Alvey Vision Conf., 1988, pp. 147-151.
14. Ian Britton (Reproduced by Permission of). Image Ref: 21-35-43 [Online]. Available: http://www.freefoto.com
15. L. Itti and C. Koch, "Computational modeling of visual attention," Nature Rev. Neurosci., vol.2, no.3, pp. 194-203, Mar. 2001.
16. L. Itti, C.Koch, and E. Niebur, "A model of saliency-based visual attention for rapid scene analysis," IEEE Trans. Pattern Anal. Mach. Intell., vol.20, no.11, pp. 1254-1259, Nov. 1998.
17. W. Jansen, S. Gavrilla, V. Korolev, R. Ayers, and R. Swanstrom, Picture Password: A Visual Login Technique for Mobile Devices NIST Report-NISTIR7030, 2003.
18. P. D. Kovesi, MATLAB and octave functions for computer vision and image processing School of Computer Science & Software Engineering, The University of Western Australia [Online]. Available: http://www.csse.uwa.edu.au/~pk/ research/matlabfns/
19. S. Madigan, "Picture Memory," in Imagery, Memory and Cognition, J. C. Yuille, Ed. NJ: Lawrence Erlbaum Assoc., 1983, pp. 65-89.
20. W. Moncur and G. Leplâtre, "Pictures at the ATM: Exploring the usability of multiple graphical passwords," in Proc. SIGCHI Conf. Human Factors in Computing Systems (CHI'07), New York, 2007, pp. 887-894, ACM Press.
21. F. Monrose and M. K. Reiter, "Graphical Passwords," in Security and Usability, L. Cranor and S. Garfinkel, Eds. Cambridge, MA: O'Reilly, 2005, ch. 9, pp. 147-164.
22. V. Navalpakkam and L. Itti, "Modeling the influence of task on attention," Vison Res., vol.45, pp. 205-231, 2005.
23. A. Oliva, A. Torralba, M. Castelhano, and J. Henderson, "Top down control of visual attention in object detection," J. Vision, vol.3, no.9, pp. 253-256, 2003.
24. N. Ouerhani, R. von Wartburg, H. Hugli, and R. Muri, "Empirical validation of the saliency-based model of visual attention," Electron. Lett. Comput. Vision Image Anal., vol.3, no.1, pp. 13-24, 2004.
25. Passlogix Feb. 2, 2007 [Online]. Available: http://www.passlogix.com
26. K. Renaud, "Guidelines for designing graphical authentication mechanism interfaces.," Int. J. Inf. Comput. Security, vol.3, no.1, pp. 60-85, 2009.
27. K. H. Rosen, Discrete Mathematics and Its Applications. New York: McGraw-Hill, 2002.
28. A. Salehi-Abari, J. Thorpe, and P. C. van Oorschot, "On purely automated attacks and click-based graphical passwords," in Proc. 24th Annu. Computer Security Applications Conf. (ACSAC), Anaheim, CA, 2008.
29. X. Suo, Y. Zhu, and G. S. Owen, "Graphical passwords: A survey," in Proc. 21st Annu. Computer Security Applications Conf. (ACSAC), Tucson, AZ, 2005.
30. J. Thorpe, "On the Predictability and Security of User Choice in Passwords," Ph.D. thesis, Carleton Univ., Ottawa, Canada, 2008.
31. J. Thorpe and P. C. van Oorschot, "Human-seeded attacks and exploiting hot spots in graphical passwords," in Proc. 16th USENIX Security Symp., Boston, MA, 2007.
32. P. C. van Oorschot and J. Thorpe, On predicting and exploiting hotspots in click-based graphical passwords School of Computer Science, Carleton Univ., Tech. Rep. TR-08-21, 2008.
33. P. C. van Oorschot and J. Thorpe, "On predictive models and userdrawn graphical passwords," ACM Trans. Inf. Syst. Security, vol.10, no.4, pp. 1-33, Jan. 2008.
34. D. Walther and C. Koch, 2006 Special Issue on Modeling Attention to Salient Proto-Objects, Neural Netw., vol.19, no.9, pp. 1395-1407, 2006.
35. S. Wiedenbeck, J. Waters, J. C. Birget, A. Brodskiy, and N. Memon, "Authentication using graphical passwords: Basic results," in Proc. Human-Computer Interaction Int. (HCII), Las Vegas, NV, 2005.
36. S. Wiedenbeck, J. Waters, J. C. Birget, A. Brodskiy, and N. Memon, "Authentication using graphical passwords: Effects of tolerance and image choice," in Proc. 1st Symp. Usable Privacy and Security (SOUPS), Pittsburgh, PA, 2005.
37. S. Wiedenbeck, J. Waters, J. C. Birget, A. Brodskiy, and N. Memon, "PassPoints: Design and longitudinal evaluation of a graphical password system," Special Issue on HCI Research in Privacy and Security, Int. J. Human-Comput. Studies, vol.63, pp. 102-127, 2005.
38. J. M. Wolfe, "Guided search 2.0: A revised model of visual search," Psychonomic Bull. Rev., vol.1, no.2, pp. 202-238, 1994.