Security implications of password discretization for click-based graphical passwords

Bin B. Zhu; Dongchen Wei; Maowei Yang; Jeff Yan

doi:10.1145/2488388.2488526

Security implications of password discretization for click-based graphical passwords

Bin B. Zhu, Dongchen Wei, Maowei Yang, Jeff Yan

Computer And Information Sciences

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution book

6 Citations (Scopus)

Abstract

Discretization is a standard technique used in click-based graphical passwords for tolerating input variance so that approximately correct passwords are accepted by the system. In this paper, we show for the first time that two representative discretization schemes leak a significant amount of password information, undermining the security of such graphical passwords. We exploit such information leakage for successful dictionary attacks on Persuasive Cued Click Points (PCCP), which is to date the most secure click-based graphical password scheme and was considered to be resistant to such attacks. In our experiments, our purely automated attack successfully guessed 69.2% of the passwords when Centered Discretization was used to implement PCCP, and 39.4% of the passwords when Robust Discretization was used. Each attack dictionary we used was of approximately 2³⁵ entries, whereas the full password space was of 2⁴³ entries. For Centered Discretization, our attack still successfully guessed 50% of the passwords when the dictionary size was reduced to approximately 2³⁰ entries. Our attack is also applicable to common implementations of other click-based graphical password systems such as PassPoints and Cued Click Points - both have been extensively studied in the research communities. Copyright is held by the International World Wide Web Conference Committee (IW3C2).

Original language	English
Title of host publication	WWW 2013 - Proceedings of the 22nd International Conference on World Wide Web
Publisher	Association for Computing Machinery
Pages	1581-1591
Number of pages	11
ISBN (Print)	9781450320351
DOIs	https://doi.org/10.1145/2488388.2488526
Publication status	Published - 13 May 2013
Event	22nd International Conference on World Wide Web, WWW 2013 - Rio de Janeiro, Brazil Duration: 13 May 2013 → 17 May 2013

Publication series

Name	WWW 2013 - Proceedings of the 22nd International Conference on World Wide Web

Conference

Conference	22nd International Conference on World Wide Web, WWW 2013
Country/Territory	Brazil
City	Rio de Janeiro
Period	13/05/13 → 17/05/13

Keywords

authentication
dictionary attack
discretization
graphical passwords
click-based graphical passwords

Access to Document

10.1145/2488388.2488526

Cite this

Zhu, B. B., Wei, D., Yang, M., & Yan, J. (2013). Security implications of password discretization for click-based graphical passwords. In WWW 2013 - Proceedings of the 22nd International Conference on World Wide Web (pp. 1581-1591). (WWW 2013 - Proceedings of the 22nd International Conference on World Wide Web). Association for Computing Machinery. https://doi.org/10.1145/2488388.2488526

@inproceedings{757991ed706b435085e76441b315b4ac,

title = "Security implications of password discretization for click-based graphical passwords",

abstract = "Discretization is a standard technique used in click-based graphical passwords for tolerating input variance so that approximately correct passwords are accepted by the system. In this paper, we show for the first time that two representative discretization schemes leak a significant amount of password information, undermining the security of such graphical passwords. We exploit such information leakage for successful dictionary attacks on Persuasive Cued Click Points (PCCP), which is to date the most secure click-based graphical password scheme and was considered to be resistant to such attacks. In our experiments, our purely automated attack successfully guessed 69.2\% of the passwords when Centered Discretization was used to implement PCCP, and 39.4\% of the passwords when Robust Discretization was used. Each attack dictionary we used was of approximately 235 entries, whereas the full password space was of 243 entries. For Centered Discretization, our attack still successfully guessed 50\% of the passwords when the dictionary size was reduced to approximately 230 entries. Our attack is also applicable to common implementations of other click-based graphical password systems such as PassPoints and Cued Click Points - both have been extensively studied in the research communities. Copyright is held by the International World Wide Web Conference Committee (IW3C2).",

keywords = "authentication, dictionary attack, discretization, graphical passwords, click-based graphical passwords",

author = "Zhu, \{Bin B.\} and Dongchen Wei and Maowei Yang and Jeff Yan",

year = "2013",

month = may,

day = "13",

doi = "10.1145/2488388.2488526",

language = "English",

isbn = "9781450320351",

series = "WWW 2013 - Proceedings of the 22nd International Conference on World Wide Web",

publisher = "Association for Computing Machinery",

pages = "1581--1591",

booktitle = "WWW 2013 - Proceedings of the 22nd International Conference on World Wide Web",

address = "United States",

note = "22nd International Conference on World Wide Web, WWW 2013 ; Conference date: 13-05-2013 Through 17-05-2013",

}

Zhu, BB, Wei, D, Yang, M & Yan, J 2013, Security implications of password discretization for click-based graphical passwords. in WWW 2013 - Proceedings of the 22nd International Conference on World Wide Web. WWW 2013 - Proceedings of the 22nd International Conference on World Wide Web, Association for Computing Machinery, pp. 1581-1591, 22nd International Conference on World Wide Web, WWW 2013, Rio de Janeiro, Brazil, 13/05/13. https://doi.org/10.1145/2488388.2488526

Security implications of password discretization for click-based graphical passwords. / Zhu, Bin B.; Wei, Dongchen; Yang, Maowei et al.
WWW 2013 - Proceedings of the 22nd International Conference on World Wide Web. Association for Computing Machinery, 2013. p. 1581-1591 (WWW 2013 - Proceedings of the 22nd International Conference on World Wide Web).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution book

TY - GEN

T1 - Security implications of password discretization for click-based graphical passwords

AU - Zhu, Bin B.

AU - Wei, Dongchen

AU - Yang, Maowei

AU - Yan, Jeff

PY - 2013/5/13

Y1 - 2013/5/13

N2 - Discretization is a standard technique used in click-based graphical passwords for tolerating input variance so that approximately correct passwords are accepted by the system. In this paper, we show for the first time that two representative discretization schemes leak a significant amount of password information, undermining the security of such graphical passwords. We exploit such information leakage for successful dictionary attacks on Persuasive Cued Click Points (PCCP), which is to date the most secure click-based graphical password scheme and was considered to be resistant to such attacks. In our experiments, our purely automated attack successfully guessed 69.2% of the passwords when Centered Discretization was used to implement PCCP, and 39.4% of the passwords when Robust Discretization was used. Each attack dictionary we used was of approximately 235 entries, whereas the full password space was of 243 entries. For Centered Discretization, our attack still successfully guessed 50% of the passwords when the dictionary size was reduced to approximately 230 entries. Our attack is also applicable to common implementations of other click-based graphical password systems such as PassPoints and Cued Click Points - both have been extensively studied in the research communities. Copyright is held by the International World Wide Web Conference Committee (IW3C2).

AB - Discretization is a standard technique used in click-based graphical passwords for tolerating input variance so that approximately correct passwords are accepted by the system. In this paper, we show for the first time that two representative discretization schemes leak a significant amount of password information, undermining the security of such graphical passwords. We exploit such information leakage for successful dictionary attacks on Persuasive Cued Click Points (PCCP), which is to date the most secure click-based graphical password scheme and was considered to be resistant to such attacks. In our experiments, our purely automated attack successfully guessed 69.2% of the passwords when Centered Discretization was used to implement PCCP, and 39.4% of the passwords when Robust Discretization was used. Each attack dictionary we used was of approximately 235 entries, whereas the full password space was of 243 entries. For Centered Discretization, our attack still successfully guessed 50% of the passwords when the dictionary size was reduced to approximately 230 entries. Our attack is also applicable to common implementations of other click-based graphical password systems such as PassPoints and Cued Click Points - both have been extensively studied in the research communities. Copyright is held by the International World Wide Web Conference Committee (IW3C2).

KW - authentication

KW - dictionary attack

KW - discretization

KW - graphical passwords

KW - click-based graphical passwords

UR - https://www.scopus.com/pages/publications/84893091793

U2 - 10.1145/2488388.2488526

DO - 10.1145/2488388.2488526

M3 - Conference contribution book

AN - SCOPUS:84893091793

SN - 9781450320351

T3 - WWW 2013 - Proceedings of the 22nd International Conference on World Wide Web

SP - 1581

EP - 1591

BT - WWW 2013 - Proceedings of the 22nd International Conference on World Wide Web

PB - Association for Computing Machinery

T2 - 22nd International Conference on World Wide Web, WWW 2013

Y2 - 13 May 2013 through 17 May 2013

ER -

Security implications of password discretization for click-based graphical passwords

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this