Purely Automated Attacks on PassPoints-Style Graphical Passwords
Authors: P.C. van Oorschot, Amirali Salehi-Abari, Julie Thorpe

Date: September 2010
Publication: IEEE Transactions on Information Forensics and Security, Volume 5, Number 3
Page(s): 393 - 405
Publisher: IEEE
Source 1: http://thorpe.hrl.uoit.ca/documents/IEEE_Attacks_PassPoints_Graphical_Passwords.pdf
Source 2: http://people.scs.carleton.ca/~paulv/papers/tifs-purely-automated.pdf?q=~paulv/papers/tifs-purely-automated.pdf
Source 3: http://dx.doi.org/10.1109/TIFS.2010.2053706 - Subscription or payment required

Abstract or Summary:
We introduce and evaluate various methods for purely automated attacks against PassPoints-style graphical passwords. For generating these attacks, we introduce a graph-based algorithm to efficiently create dictionaries based on heuristics such as click-order patterns (e.g., five points all along a line). Some of our methods combine click-order heuristics with focus-of-attention scan-paths generated from a computational model of visual attention, yielding significantly better automated attacks than previous work. One resulting automated attack finds 7%-16% of passwords for two representative images using dictionaries of approximately 226 entries (where the full password space is 243). Relaxing click-order patterns substantially increased the attack efficacy albeit with larger dictionaries of approximately 235 entries, allowing attacks that guessed 48%-54% of passwords (compared to previous results of 1% and 9% on the same dataset for two images with 235 guesses). These latter attacks are independent of focus-of-attention models, and are based on image-independent guessing patterns. Our results show that automated attacks, which are easier to arrange than human-seeded attacks and are more scalable to systems that use multiple images, require serious consideration when deploying basic PassPoints-style graphical passwords.

PasswordResearch.com Note: Extends on paper On Purely Automated Attacks for Click-Based Graphical Passwords, 2008

Do you have additional information to contribute regarding this research paper? If so, please email siteupdates@passwordresearch.com with the details.

<-- Back to Authentication Research Paper Index

[Home] [About Us] [News] [Research]

Copyright © 2019 PasswordResearch.com