Abstract
Starting around 1999, a great many graphical password schemes have been proposed as alternatives to text-based password authentication. We provide a comprehensive overview of published research in the area, covering both usability and security aspects as well as system evaluation. The article first catalogues existing approaches, highlighting novel features of selected schemes and identifying key usability or security advantages. We then review usability requirements for knowledge-based authentication as they apply to graphical passwords, identify security threats that such systems must address and review known attacks, discuss methodological issues related to empirical evaluation, and identify areas for further research and improved methodology.
Index Terms
- Graphical passwords: Learning from the first twelve years