research-article

Visual passwords: cure-all or snake-oil?

Published: 01 December 2009

Abstract

Introduction

Users of computer systems are accustomed to being asked for passwords -- it is as universal as it is frustrating. In the past there was little tolerance for the problems experienced remembering passwords, and many users still remember, with embarrassment, having to go hat-in-hand to request a password change and being treated with disdain by a lofty administrator. Latterly there is more understanding of the problems experienced by users, especially since the "password conundrum" has reached epidemic proportions for Web users, who are asked for passwords with unrelenting predictability.

The problems with passwords are clear -- users cannot remember numbers of meaningless alphanumeric strings with ease. Hence, they react by choosing simple and predictable words or numbers related to their everyday life, and engaging in insecure practices, such as writing passwords down or sharing them. These practices cause a breach affecting even the most secure and protected network system. Hence the user is often called the weakest link of the security chain, with system administrators despairing of trying to maintain security with the weak link so often reaching breaking point. Users forgetting passwords has serious economic consequences for organizations.

Both academia and industry have been investigating alternatives to passwords, with varying degrees of success. One of the most well-known solutions is the biometric -- measurement of either behavioral or physiological characteristics of the end-user. This is obviously superior to the password because it removes the burden on the user's memory. So why don't we just switch to biometrics and give the poor user a break? There are some valid and hard-to-overcome reasons for the slow uptake of biometrics, but before we can discuss them we need to consider the mechanics of authentication.

Published in: Communications of the ACM, Volume 52, Issue 12 (Finding the Fun in Computer Science Education), December 2009, 127 pages
ISSN: 0001-0782
EISSN: 1557-7317
DOI: 10.1145/1610252

Copyright © 2009 ACM


Publisher: Association for Computing Machinery, New York, NY, United States
