Abstract or Summary:
In this paper we explore heuristic attacks against graphical password generators. A new trend is emerging to use user clickable pictures to generate passwords. This technique of authentication can be successfully used for - for example - operating system authentication.

We report on the development of a generic tool for password generation using such a graphical click-driven interface. This stand-alone tool can be used for generating passwords on the fly. We describe the approach and the usability of such a project. The project is available as an open-source project.

Next we investigate heuristic attacks against such generated passwords. By using a classifier methodology it is possible to develop specific attack-scenarios based on the category. Specific heuristic attacks are used to reduce the key-space such that brute-force cracking approaches become feasible. We report on these heuristic attacks and their success.

Lastly we give criteria for images that should be used in such password generation applications to avoid these types of heuristic attacks.