Measuring the revised guessability of graphical passwords

Rosanne English, Ron Poet

Research output: Chapter in Book/Report/Conference proceedingConference contribution book

12 Citations (Scopus)


There is no widely accepted way of measuring the level of security of a recognition-based graphical password against guessing attacks. We aim to address this by examining the influence of predictability of user choice on the guessability and proposing a new measure of guessability. Davis et al. showed that these biases exist for schemes using faces and stories, we support this result and show these biases exist in other recognition-based schemes. In addition, we construct an attack exploiting predictability, which we term "Semantic Ordered Guessing Attack" (SOGA). We then apply this attack to two schemes (the Doodles scheme and a standard recognition-based scheme using photographic images) and report the results. The results show that predictability when users select graphical passwords influence the level of security to a varying degree (dependent on the distractor selection algorithm). The standard passimages scheme show an increase on guessability of up to 18 times more likely than the usual reported guessability, with a similar set up of nine images per screen and four screens, the doodles scheme shows a successful guessing attack is 3.3 times more likely than a random guess. Finally, we present a method of calculating a more accurate guessability value, which we call the revised guessability of a recognition-based scheme. Our conclusion is that to maximise the security of a recognition-based graphical password scheme, we recommend disallowing user choice of images.

Original languageEnglish
Title of host publication2011 5th International Conference on Network and System Security
EditorsPierangela Samarati, Sara Foresti, Jiankun Hu, Giovanni Livraga
Place of PublicationPiscataway
Number of pages5
ISBN (Print)9781457704598
Publication statusPublished - 27 Oct 2011
Externally publishedYes
Event2011 5th International Conference on Network and System Security, NSS 2011 - Milan, Italy
Duration: 6 Sept 20118 Sept 2011


Conference2011 5th International Conference on Network and System Security, NSS 2011


  • predictability of user choice
  • recognition-based graphical password
  • security
  • semantic ordered guessing attack
  • guessing attack


Dive into the research topics of 'Measuring the revised guessability of graphical passwords'. Together they form a unique fingerprint.

Cite this