Human-seeded attacks and exploiting hot-spots in graphical passwords

16th USENIX Security Symposium

Volumn , Issue , 2007, Pages 103-118

  Thorpe, Julie ^a   van Oorschot, P C ^a  

^a CARLETON UNIVERSITY   (Canada)

Author keywords

[No Author keywords available]

Indexed keywords

AUTHENTICATION; BEHAVIORAL RESEARCH;

AUTOMATED ATTACKS; BACKGROUND IMAGE; BOTTOM UP MODELS; GRAPHICAL PASSWORD; IMAGE PROCESSING TECHNIQUE; LONG-TERM USER STUDIES; USABILITY AND SECURITY; VISUAL ATTENTION;

IMAGE PROCESSING;

EID: 85049042638     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (48)

1. L. Ballard, F. Monrose, and D. Lopresti. Biometric Authentication Revisited: Understanding the Impact of Wolves in Sheep’s Clothing. In 15th Annual USENIX Security Symposium, pages 29–41, 2006.
2. F. Bergadano, B. Crispo, and G. Ruffo. High Dictionary Compression for Proactive Password Checking. ACM Trans. Inf. Syst. Secur., 1(1):3–25, 1998.
3. J.C. Birget, D. Hong, and N. Memon. Robust Discretization, with an Application to Graphical Passwords. IEEE Transactions on Information Forensics and Security, 1:395–399, 2006.
4. G. Blonder. Graphical Passwords. United States Patent 5,559,961, 1996.
5. Ian Britton. http://www.freefoto.com, accessed Feb. 2, 2007.
6. S. Chiasson, R. Biddle, and P.C. van Oorschot. A Second Look at the Usability of Click-based Graphical Passwords. In Symposium on Usable Privacy and Security (SOUPS), 2007.
7. C. Davies and R. Ganesan. BApasswd: A New Proactive Password Checker. In 16th National Computer Security Conference, pages 1–15, 1993.
8. D. Davis, F. Monrose, and M.K. Reiter. On User Choice in Graphical Password Schemes. In 13th USENIX Security Symposium, 2004.
9. J.L. Devore. Probability and Statistics for Engineering and the Sciences. Brooks/Cole Publishing, Pacific Grove, CA, USA, 4th edition, 1995.
10. R. Dhamija and A. Perrig. Déjà Vu: A User Study Using Images for Authentication. In 9th USENIX Security Symposium, 2000.
11. P.F. Felzenszwalb and D.P. Huttenlocher. Efficient Graph-Based Image Segmentation. Int. J. Computer Vision, 59(2), 2004. Code available from: http://people.cs.uchicago.edu/~pff/segment/.
12. FreeImages.com. http://www.freeimages. com, accessed Feb. 2, 2007.
13. Freeimages.co.uk. http://www.freeimages.co.uk, accessed Feb. 2, 2007.
14. P. Golle and D. Wagner. Cryptanalysis of a Cognitive Authentication Scheme. Cryptology ePrint Archive, Report 2006/258, 2006. http://eprint.iacr.org/.
15. J. A. Halderman, B. Waters, and E. W. Felten. A Convenient Method for Securely Managing Passwords. In Proceedings of the 14th International World Wide Web Conference, pages 471–479. ACM Press, 2005.
16. C.G. Harris and M.J. Stephens. A Combined Corner and Edge Detector. In Proceedings Fourth Alvey Vision Conference, pages 147–151, 1988.
17. L. Itti, C. Koch, and E. Niebur. A Model of Saliency-Based Visual Attention for Rapid Scene Analysis. IEEE Trans. on Pattern Analysis and Machine Intelligence, 20(11):1254–1259, 1998.
18. W. Jansen, S. Gavrilla, V. Korolev, R. Ayers, and Swanstrom R. Picture Password: A Visual Login Technique for Mobile Devices. NIST Report: NIS-TIR 7030, 2003.
19. I. Jermyn, A. Mayer, F. Monrose, M. Reiter, and A. Rubin. The Design and Analysis of Graphical Passwords. In 8th USENIX Security Symposium, 1999.
20. S. Jeyaraman and U. Topkara. Have the Cake and Eat it too - Infusing Usability into Text-Password Based Authentication Systems. In 21st ACSAC, pages 473–482, 2005.
21. D. Klein. Foiling the Cracker: A Survey of, and Improvements to, Password Security. In The 2nd USENIX Security Workshop, pages 5–14, 1990.
22. P. D. Kovesi. MATLAB and Octave Functions for Computer Vision and Image Processing. Univ. Western Australia. Available from: http://www.csse.uwa.edu.au/~pk/research/matlabfns/.
23. C. Kuo, S. Romanosky, and L.F. Cranor. Human Selection of Mnemonic Phrase-based Passwords. In 2nd Symp. Usable Privacy and Security (SOUPS), pages 67–78, New York, NY, 2006. ACM Press.
24. Daniel P. Lopresti and Jarret D. Raim. The Effectiveness of Generative Attacks on an Online Handwriting Biometric. In AVBPA, pages 1090–1099, 2005.
25. S. Madigan. Picture Memory. In John C. Yuille, editor, Imagery, Memory and Cognition, pages 65–89. Lawrence Erlbaum Associates, N.J., U.S.A., 1983.
26. J.L. Massey. Guessing and Entropy. In ISIT: Proceedings IEEE International Symposium on Information Theory, page 204, 1994.
27. F. Monrose and M. K. Reiter. Graphical Passwords. In L. Cranor and S. Garfinkel, editors, Security and Usability, ch. 9, pages 147–164. O’Reilly, 2005.
28. A. Muffett. Crack password cracker, 2006. http://www.crypticide.com/users/alecm/security/c50-faq.html, accessed Nov. 9, 2006.
29. Arvind Narayanan and Vitaly Shmatikov. Fast Dictionary Attacks on Passwords Using Time-space Tradeoff. In CCS’05: Proceedings of the 12th ACM Conference on Computer and Communications Security, pages 364–372, 2005.
30. Openwall Project. John the Ripper password cracker, 2006. http://www.openwall.com/john/, accessed Nov. 9, 2006.
31. Passlogix. http://www.passlogix.com, accessed Feb. 2, 2007.
32. A. Perrig and D. Song. Hash Visualization: A New Technique to Improve Real-World Security. In International Workshop on Cryptographic Techniques and E-Commerce, pages 131–138, 1999.
33. M. Peters, B. Laeng, K. Latham, M. Jackson, R. Zaiyouna, and C. Richardson. A Redrawn Vandenberg and Kuse Mental Rotations Test: Different Versions and Factors That Affect Performance. Brain and Cognition, 28:39–58, 1995.
34. N. Provos and D. Mazieres. A Future-Adaptable Password Scheme. In Proceedings of the USENIX Annual Technical Conference, 1999.
35. Real User Corporation. About Passfaces, 2006. http://www.realuser.com/about/aboutpassfaces.htm, accessed Nov. 9, 2006.
36. Shannon Riley. What Users Know and What They Actually Do. Usability News, 8(1), February 2006. http://psychology.wichita.edu/surl/usabilitynews/81/Passwords. htm, accessed March 10, 2007.
37. SFR IT-Engineering. The Grafical Login Solution For your Pocket PC - visKey. http://www.sfr-software.de/cms/EN/pocketpc/viskey/index.html, accessed March 18, 2007.
38. E.H. Spafford. OPUS: Preventing Weak Password Choices. Comput. Secur., 11(3):273–278, 1992.
39. X. Suo, Y. Zhu, and G.S. Owen. Graphical Passwords: A Survey. In 21st Annual Computer Security Applications Conference (ACSAC), 2005.
40. H. Tao. Pass-Go, a New Graphical Password Scheme. Master’s thesis, University of Ottawa, 2006.
41. J. Thorpe and P.C. van Oorschot. Graphical Dictionaries and the Memorable Space of Graphical Passwords. In 13th USENIX Security Symposium, 2004.
42. J. Thorpe and P.C. van Oorschot. Towards Secure Design Choices for Implementing Graphical Passwords. In 20th Annual Computer Security Applications Conference (ACSAC 2004). IEEE, 2004.
43. J. Thorpe and P.C. van Oorschot. Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords. Technical Report TR-05-07, School of Computer Science, Carleton University, Feb. 20, 2007.
44. D. Weinshall. Cognitive Authentication Schemes Safe Against Spyware (short paper). In IEEE Symp. on Security and Privacy, pages 295–300, 2006.
45. S. Wiedenbeck, J. Waters, J.C. Birget, A. Brodskiy, and N. Memon. Authentication using graphical passwords: Basic results. In Human-Computer Interaction International (HCII 2005), 2005.
46. S. Wiedenbeck, J. Waters, J.C. Birget, A. Brodskiy, and N. Memon. Authentication Using Graphical Passwords: Effects of Tolerance and Image Choice. In Symp. Usable Priv. & Security (SOUPS), 2005.
47. S. Wiedenbeck, J. Waters, J.C. Birget, A. Brodskiy, and N. Memon. PassPoints: Design and Longitudinal Evaluation of a Graphical Password System. International J. of Human-Computer Studies (Special Issue on HCI Research in Privacy and Security), 63:102–127, 2005.
48. J. Yan, A. Blackwell, R. Anderson, and A. Grant. Password Memorability and Security: Empirical Results. IEEE Security and Privacy, 2(5):25–31, 2004.