Abstract
There is no widely accepted way of measuring the level of security of a recognition-based graphical password against guessing attacks. We aim to address this by examining the influence of the predictability of user choice on guessability and by proposing a new measure of guessability. Davis et al. showed that these biases exist for schemes using faces and stories; we support this result and show that these biases exist in other recognition-based schemes as well. In addition, we construct an attack that exploits predictability, which we term the "Semantic Ordered Guessing Attack" (SOGA). We then apply this attack to two schemes (the Doodles scheme and a standard recognition-based scheme using photographic images) and report the results. The results show that predictability in how users select graphical passwords influences the level of security to a varying degree, dependent on the distractor selection algorithm. The standard passimages scheme shows an increase in guessability of up to 18 times the usually reported guessability; with a similar set-up of nine images per screen and four screens, the Doodles scheme shows that a successful guessing attack is 3.3 times more likely than a random guess. Finally, we present a method of calculating a more accurate guessability value, which we call the revised guessability of a recognition-based scheme. Our conclusion is that, to maximise the security of a recognition-based graphical password scheme, user choice of images should be disallowed.
Field | Value
---|---
Original language | English
Title of host publication | 2011 5th International Conference on Network and System Security
Editors | Pierangela Samarati, Sara Foresti, Jiankun Hu, Giovanni Livraga
Place of publication | Piscataway
Publisher | IEEE
Pages | 364-368
Number of pages | 5
ISBN (Print) | 9781457704598
Publication status | Published - 27 Oct 2011
Externally published | Yes
Event | 2011 5th International Conference on Network and System Security, NSS 2011 - Milan, Italy. Duration: 6 Sept 2011 → 8 Sept 2011
Conference

Field | Value
---|---
Conference | 2011 5th International Conference on Network and System Security, NSS 2011
Country/Territory | Italy
City | Milan
Period | 6/09/11 → 8/09/11
Keywords
- predictability of user choice
- recognition-based graphical password
- security
- semantic ordered guessing attack
- guessing attack