Exploiting Predictability in Click-Based Graphical Passwords
Authors: P.C. van Oorschot, Julie Thorpe

Date: December 2011
Publication: Journal of Computer Security, Volume 19, Number 4
Page(s): 669 - 702
Source 1: http://thorpe.hrl.uoit.ca/documents/JCS_Exploiting_Click_Based_Graphical_Passwords.pdf
Source 2: http://dx.doi.org/10.3233/JCS-2010-0411 - Subscription or payment required

Abstract or Summary:
We provide an in-depth study of the security of click-based graphical password schemes like PassPoints
(Weidenbeck et al., 2005), by exploring popular points (hot-spots), and examining strategies to predict
and exploit them in guessing attacks. We report on both short- and long-term user studies: one labcontrolled,
involving 43 users and 17 diverse images, the other a field test of 223 user accounts. We
provide empirical evidence that hot-spots do exist for many images, some more so than others. We
explore the use of “human-computation” (in this context, harvesting click-points from a small set of
users) to predict these hot-spots. We generate two “human-seeded” attacks based on this method: one
based on a first-order Markov model, another based on an independent probability model. Within 100
guesses, our first-order Markov model-based attack finds 4% of passwords in one image’s data set, and
10% of passwords in a second image’s data set. Our independent model-based attack finds 20% within
233 guesses in one image’s data set and 36% within 2^31 guesses in a second image’s data set. These are
all for a system whose full password space has cardinality 2^43. We also evaluate our first-order Markov
model-based attack with cross-validation of the field study data, which finds an average of 7-10% of user
passwords within 3 guesses. We also begin to explore some click-order pattern attacks, which we found
improve on our independent model-based attacks. Our results suggest that these graphical password
schemes (with parameters as originally proposed) are vulnerable to offline and online attacks, even on
systems that implement conservative lock-out policies.

PasswordResearch.com Note: Part of this research previously appeared in the paper Human-Seeded Attacks and Exploiting Hot Spots in Graphical Passwords, 2007

Do you have additional information to contribute regarding this research paper? If so, please email siteupdates@passwordresearch.com with the details.

<-- Back to Authentication Research Paper Index

[Home] [About Us] [News] [Research]

Copyright © 2019 PasswordResearch.com