Graphical Dictionaries and the Memorable Space of Graphical Passwords
Author(s): Julie Thorpe, P.C. van Oorschot

Date: August 11 2004
Publication: Proceedings of the 13th USENIX Security Symposium, Security '04
Page(s): 135 - 150
Publisher: USENIX
Source 1: https://www.usenix.org/legacy/events/sec04/tech/full_papers/thorpe/thorpe.pdf
Source 2: http://thorpe.hrl.uoit.ca/documents/DAS_Graphical_usenix04.pdf
Source 3: http://thorpe.hrl.uoit.ca/documents/extendedStrokes.pdf

Abstract or Summary:
In commonplace textual password schemes, users choose passwords that are easy to recall. Since memorable passwords typically exhibit patterns, they are exploitable by brute-force password crackers using attack dictionaries. This leads us to ask what classes of graphical passwords users find memorable. We postulate one such class supported by a collection of cognitive studies on visual recall, which can be characterized as mirror symmetric (reflective) passwords. We assume that an attacker would put this class in an attack dictionary for graphical passwords and propose how an attacker might order such a dictionary. We extend the existing analysis of graphical passwords by analyzing the size of the mirror symmetric password space relative to the full password space of the graphical password scheme of Jermyn et al. (1999), and show it to be exponentially smaller (assuming appropriate axes of reflection). This reduction in size can be compensated for by longer passwords: the size of the space of mirror symmetric passwords of length about L+5 exceeds that of the full password space for corresponding length L = 14 on a 5 × 5 grid. This work could be used to help in formulating password rules for graphical password users and in creating proactive graphical password checkers.


