
Graphical passwords: Learning from the first twelve years

Published: 07 September 2012

Abstract

Starting around 1999, a great many graphical password schemes have been proposed as alternatives to text-based password authentication. We provide a comprehensive overview of published research in the area, covering both usability and security aspects as well as system evaluation. The article first catalogues existing approaches, highlighting novel features of selected schemes and identifying key usability or security advantages. We then review usability requirements for knowledge-based authentication as they apply to graphical passwords, identify security threats that such systems must address and review known attacks, discuss methodological issues related to empirical evaluation, and identify areas for further research and improved methodology.


Published in

ACM Computing Surveys, Volume 44, Issue 4
August 2012
318 pages
ISSN: 0360-0300
EISSN: 1557-7341
DOI: 10.1145/2333112

Copyright © 2012 ACM


          Publisher

          Association for Computing Machinery

          New York, NY, United States

          Publication History

          • Published: 7 September 2012
          • Accepted: 1 March 2011
          • Revised: 1 September 2010
          • Received: 1 April 2010


          Qualifiers

          • research-article
          • Research
          • Refereed
