research-article

Graphical passwords: Learning from the first twelve years

Authors:

Sonia Chiasson,

P.C. Van OorschotAuthors Info & Claims

ACM Computing Surveys (CSUR), Volume 44, Issue 4

Article No.: 19, Pages 1 - 41

https://doi.org/10.1145/2333112.2333114

Published: 07 September 2012 Publication History

Abstract

Starting around 1999, a great many graphical password schemes have been proposed as alternatives to text-based password authentication. We provide a comprehensive overview of published research in the area, covering both usability and security aspects as well as system evaluation. The article first catalogues existing approaches, highlighting novel features of selected schemes and identifying key usability or security advantages. We then review usability requirements for knowledge-based authentication as they apply to graphical passwords, identify security threats that such systems must address and review known attacks, discuss methodological issues related to empirical evaluation, and identify areas for further research and improved methodology.

References

[1]

Adams, A., Sasse, M. A., and Lunt, P. 1997. Making passwords secure and usable. In Proceedings of the HCI on People and Computers. 1--9.

Digital Library

[2]

Alsulaiman, F. and El Saddik, A. 2006. A novel 3D graphical password schema. In Proceedings of the IEEE International Conference on Virtual Environments, Human-Computer Interfaces and Measurement Systems.

[3]

Amazon. 2010. Amazon mechanical turk. http://www.mturk.com/.

[4]

Anderson, J. and Bower, G. 1972. Recognition and retrieval processes in free recall. Psychol. Rev. 79, 2, 97--123.

[5]

Anderson, M. and Neely, J. 1996. Memory. Handbook of Perception and Cognition 2nd Ed. Academic Press, New York, NY. Chapter 8, 237--313.

[6]

Andrews, D., Nonnecke, B., and Preece, J. 2003. Electronic survey methodology: A case study in reaching hard-to-involve Internet users. Int. J. Human-Comput. Interac. 16, 2, 185--210.

[7]

Aviv, A. J., Gibson, K., Mossop, E., Blaze, M., and Smith, J. M. 2010. Smudge attacks on smartphone touch screens. In Proceedings of the USENIX 4th Workshop on Offensive Technologies.

Digital Library

[8]

Backes, M., Durmuth, M., and Unruh, D. 2008. Compromising reflections—or—how to read LCD monitors around the corner. In Proceedings of the IEEE Symposium on Security and Privacy.

Digital Library

[9]

Bellovin, S. M. and Merritt, M. 1992. Encrypted key exchange: Password based protocols secure against dictionary attacks. In Proceedings of the IEEE Symposium on Security and Privacy.

Digital Library

[10]

Bentley, J. and Mallows, C. 2005. How much assurance does a PIN provide&quest; In Human Interactive Proofs (HIP), H. S. Baird and D. P. Lopresti, Eds., Lecture Notes in Computer Science, vol. 3517, Springer-Verlag, Berlin, 111--126.

Digital Library

[11]

Bergadano, F., Crispo, B., and Ruffo, G. 1998. High dictionary compression for proactive password checking. ACM Trans. Inf. Syst. Secur. 1, 1, 3--25.

Digital Library

[12]

Berger, Y., Wool, A., and Yeredor, A. 2006. Dictionary attacks using key acoustic emanations. In Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS).

Digital Library

[13]

Bicakci, K. 2008. Optimal discretization for high-entropy graphical passwords. In Proceedings of the 23rd International Symposium on Computer and Information Sciences (ISCIS'08).

[14]

Bicakci, K., Atalay, N. B., Yuceel, M., Gurbaslar, H., and Erdeniz, B. 2009a. Towards usable solutions to graphical password hotspot problem. In Proceedings of the 33rd Annual IEEE International Computer Software and Applications Conference.

Digital Library

[15]

Bicakci, K., Yuceel, M., Erdeniz, B., Gurbaslar, H., and Atalay, N. B. 2009b. Graphical passwords as browser extension: Implementation and usability study. In Proceedings of the 3rd IFIP WG 11.11 International Conference on Trust Management.

[16]

Biddle, R., Mannan, M., van Oorschot, P. C., and Whalen, T. 2011. User study, analysis, and usable security of passwords based on digital objects. IEEE Trans. Info. Forensics and Secur. 6, 3, 970--979.

Digital Library

[17]

Birget, J., Hong, D., and Memon, N. 2006. Graphical passwords based on robust discretization. IEEE Trans. Inf. Forensics Secur. 1, 3, 395--399.

Digital Library

[18]

Blonder, G. 1996. Graphical password. U.S. patent 5,559,961, field August 30, 1995, and issued September 24, 1996.

[19]

Bond, M. 2008. Comments on grIDsure authentication. http://www.cl.cam.ac.uk/~mkb23/research/GridsureComments.pdf.

[20]

Brostoff, S., Inglesant, P., and Sasse, M. A. 2010. Evaluating the usability and security of a graphical one-time PIN system. In Proceedings of the BCS Conference on Human Computer Interaction (HCI).

Digital Library

[21]

Brostoff, S. and Sasse, M. 2000. Are Passfaces more usable than passwords&quest; A field trial investigation. In Proceedings of the BCS Conference on Human Computer Interaction (HCI).

[22]

Chiasson, S. 2008. Usable authentication and click-based graphical passwords. Ph.D. dissertation, School of Computer Science, Carleton University, Ottawa.

Digital Library

[23]

Chiasson, S., Biddle, R., and van Oorschot, P. C. 2007a. A second look at the usability of click-based graphical passwords. In Proceedings of the ACM Symposium on Usable Privacy and Security (SOUPS).

Digital Library

[24]

Chiasson, S., Forget, A., Biddle, R., and van Oorschot, P. C. 2008a. Influencing users towards better passwords: Persuasive Cued Click-Points. In Proceedings of the BCS Conference on Human Computer Interaction (HCI).

Digital Library

[25]

Chiasson, S., Forget, A., Biddle, R., and van Oorschot, P. C. 2009a. User interface design affects security: Patterns in click-based graphical passwords. Int. J. Inf. Secur. 8, 6, 387--398.

Digital Library

[26]

Chiasson, S., Forget, A., Stobert, E., van Oorschot, P. C., and Biddle, R. 2009b. Multiple password interference in text and click-based graphical passwords. In Proceedings of the ACM Conference on Computer and Communications Security (CCS).

Digital Library

[27]

Chiasson, S., Srinivasan, J., Biddle, R., and van Oorschot, P. C. 2008b. Centered discretization with application to graphical passwords. In Proceedings of the USENIX Usability, Psychology, and Security Workshop (UPSEC).

Digital Library

[28]

Chiasson, S., van Oorschot, P. C., and Biddle, R. 2006. A usability study and critique of two password managers. In Proceedings of the 15th USENIX Security Symposium.

Digital Library

[29]

Chiasson, S., van Oorschot, P. C., and Biddle, R. 2007b. Graphical password authentication using Cued Click Points. In Proceedings of the European Symposium on Research in Computer Security (ESORICS). Lecture Notes in Computer Science, vol. 4734, Springer, Berlin, 359--374.

Digital Library

[30]

Coskun, B. and Herley, C. 2008. Can “something you know” be saved&quest; In Proceedings of the Information Security Conference (ISC). Lecture Notes in Computer Science, vol. 5222. Springer-Verlag, Berlin, 421--440.

Digital Library

[31]

Craik, F. and McDowd, J. 1987. Age differences in recall and recognition. J. Exp. Psychol. Learn. Memory Cogn. 13, 3, 474--479.

[32]

Davis, D., Monrose, F., and Reiter, M. 2004. On user choice in graphical password schemes. In Proceedings of the 13th USENIX Security Symposium.

Digital Library

[33]

De Angeli, A., Coventry, L., Johnson, G., and Renaud, K. 2005. Is a picture really worth a thousand words&quest; Exploring the feasibility of graphical authentication systems. Int. J. Human Comput. Stud. 63, 1-2, 128--152.

Digital Library

[34]

Dhamija, R. and Perrig, A. 2000. Déjà Vu: A user study using images for authentication. In Proceedings of the 9th USENIX Security Symposium.

Digital Library

[35]

Dhamija, R., Tygar, J., and Hearst, M. 2006. Why phishing works. In Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI).

Digital Library

[36]

Diggle, P. 1983. Statistical Analysis of Spatial Point Patterns. Academic Press, New York, NY.

[37]

Dirik, A., Menon, N., and Birget, J. 2007. Modeling user choice in the Passpoints graphical password scheme. In Proceedings of the 3rd ACM Symposium on Usable Privacy and Security (SOUPS).

Digital Library

[38]

Dunphy, P., Fitch, A., and Olivier, P. 2008a. Gaze-contingent passwords at the ATM. In Proceedings of the 4th Conference on Communication by Gaze Interaction (COGAIN).

[39]

Dunphy, P., Heiner, A. P., and Asokan, N. 2010. A closer look at recognition-based graphical passwords on mobile devices. In Proceedings of the ACM Symposium on Usable Privacy and Security (SOUPS).

Digital Library

[40]

Dunphy, P., Nicholson, J., and Olivier, P. 2008b. Securing Passfaces for description. In Proceedings of the 4th ACM Symposium on Usable Privacy and Security (SOUPS).

Digital Library

[41]

Dunphy, P. and Yan, J. 2007. Do background images improve “Draw a Secret” graphical passwords&quest; In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS).

Digital Library

[42]

Everitt, K., Bragin, T., Fogarty, J., and Kohno, T. 2009. A comprehensive study of frequency, interference, and training of multiple graphical passwords. In Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI).

Digital Library

[43]

Faulkner, L. 2003. Beyond the five-user assumption: Benefits of increased sample sizes in usability testing. Behav. Res. Methods Instrum. Comput. 35, 3, 379--383.

[44]

Feldmeier, D. and Karn, P. 1989. UNIX password security—Ten years later. In Proceedings of the International Cryptology Conference (CRYPTO'89).

Digital Library

[45]

Florencio, D. and Herley, C. 2007. A large-scale study of WWW password habits. In Proceedings of the 16th ACM International World Wide Web Conference (WWW).

Digital Library

[46]

Florencio, D. and Herley, C. 2010. Where do security policies come from&quest; In Proceedings of the Symposium on Usable Privacy and Security (SOUPS).

Digital Library

[47]

Gao, H., Guo, X., Chen, X., Wang, L., and Liu, X. 2008. Yagp: Yet another graphical password strategy. In Proceedings of the Annual Computer Security Applications Conference (ACSAC).

Digital Library

[48]

Goldberg, J., Hagman, J., and Sazawal, V. 2002. Doodling our way to better authentication (student poster). In Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI).

Digital Library

[49]

Golle, P. and Wagner, D. 2007. Cryptanalysis of a cognitive authentication scheme (extended abstract). In Proceedings of the IEEE Symposium on Security and Privacy.

Digital Library

[50]

Golofit, K. 2007. Click passwords under investigation. In Proceedings of the 12th European Symposium on Research in Computer Security (ESORICS). Lecture Notes in Computer Science, vol. 4734, Springer-Verlag, Berlin.

Digital Library

[51]

Gong, L., Lomas, M., Needham, R., and Saltzer, J. 1993. Protecting poorly chosen secrets from guessing attacks. IEEE J. Select. Areas Commun. 11, 5, 648--656.

Digital Library

[52]

Govindarajulu, N. and Madhvanath, S. 2007. Password management using doodles. In Proceedings of the 9th International Conference on Multimodal Interfaces (ICMI).

Digital Library

[53]

GrIDsure. 2009. GrIDsure corporate website. http://www.gridsure.com.

[54]

Hafiz, M. D., Abdullah, A. H., Ithnin, N., and Mammi, H. K. 2008. Towards identifying usability and security features of graphical password in knowledge based authentication technique. In Proceedings of the 2nd IEEE Asia International Conference on Modelling & Simulation. 396--403.

Digital Library

[55]

Hayashi, E., Christin, N., Dhamija, R., and Perrig, A. 2008. Use Your Illusion: Secure authentication usable anywhere. In Proceedings of the 4th ACM Symposium on Usable Privacy and Security (SOUPS).

Digital Library

[56]

Herley, C., van Oorschot, P., and Patrick, A. 2009. Passwords: If we're so smart, why are we still using them&quest; In Financial Cryptography and Data Security. Lecture Notes in Computer Science, vol. 5628, Springer-Verlag, Berlin.

Digital Library

[57]

Hollingworth, A. and Henderson, J. 2002. Accurate visual memory for previously attended objects in natural scenes. J. Exp. Psychol. Human Percept. Perform. 28, 1, 113--136.

[58]

ICANN Security and Stability Advisory Committee. 2005. Domain name hijacking: Incidents, threats, risks, and remedial actions. http://www.icann.org/en/announcements/hijacking-report-12jul05.pdf.

[59]

Jermyn, I., Mayer, A., Monrose, F., Reiter, M., and Rubin, A. 1999. The design and analysis of graphical passwords. In Proceedings of the 8th USENIX Security Symposium.

Digital Library

[60]

Kelley, P., Cesca, L., Bresee, J., and Cranor., L. 2010. Standardizing privacy notices: An online study of the nutrition label approach. In Proceedings of the 28th International Conference on Human Factors in Computing Systems (CHI'10). 1573--1582.

Digital Library

[61]

Kim, D., Dunphy, P., Briggs, P., Hook, J., Nicholson, J., Nicholson, J., and Olivier, P. 2010. Multi-touch authentication on tabletops. In Proceedings of the 28th ACM Conference on Human Factors in Computing Systems (CHI). 1093--1102.

Digital Library

[62]

Kintsch, W. 1970. Models for free recall and recognition. In Models of Human Memory, D. Norman, Ed. Academic Press, New York, NY.

[63]

Kirkpatrick, B. 1894. An experimental study of memory. Psychol. Rev. 1, 602--609.

[64]

Kirovski, D., Jojie, N., and Roberts, P. 2006. Click passwords. In Proceedings of the IFIP TC-11 21st International Information Security Conference on Security and Privacy in Dynamic Environments (SEC 2006). Vol. 201, 351--363.

[65]

Kittur, A., Chi, E., and Suh, B. 2008. Crowdsourcing user studies with mechanical turk. In Proceedings of the 26th Annual SIGCHI Conference on Human Factors in Computing Systems (CHI'08).

Digital Library

[66]

Klein, D. 1990. Foiling the cracker: A survey of, and improvements to, password security. In Proceedings of the 2nd USENIX Security Workshop.

[67]

Komanduri, S. and Hutchings, D. 2008. Order and entropy in Picture Passwords. In Proceedings of the Graphics Interface Conference (GI).

Digital Library

[68]

Laxton, B., Wang, K., and Savage, S. 2008. Reconsidering physical key secrecy: Teleduplication via optical decoding. In Proceedings of the ACM Conference on Computer and Communications Security (CCS).

Digital Library

[69]

Madigan, S. 1983. Picture memory. In Imagery, Memory, and Cognition: Essays in Honor of Allan Paivio, J. Yuille, Ed. Lawrence Erlbaum Associates, Mahwah, NJ, Chapter 3, 65--89.

[70]

Mitnick, K. and Simon, W. 2002. The Art of Deception: Controlling the Human Element of Security. John Wiley & Sons, New York, NY.

Digital Library

[71]

Moncur, W. and Leplatre, G. 2007. Pictures at the ATM: Exploring the usability of multiple graphical passwords. In Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI).

Digital Library

[72]

Monrose, F. and Reiter, M. 2005. Graphical passwords. In Security and Usability: Designing Secure Systems That People Can Use, L. Cranor and S. Garfinkel, Eds. O'Reilly Media, Stebastopol, CA, Chapter 9, 157--174.

[73]

Morris, R. and Thompson, K. 1979. Password security: A case history. Commun. ACM 22, 11, 594--597.

Digital Library

[74]

Muffett, A. 2004. Crack password cracker. http://ciac.llnl.gov/ciac/ToolsUnixAuth.html.

[75]

Nali, D. and Thorpe, J. 2004. Analyzing user choice in graphical passwords. Tech. rep. TR-04-01, School of Computer Science, Carleton University. Ottawa.

[76]

Narayanan, A. and Shmatikov, V. 2005. Fast dictionary attacks on passwords using time-space tradeoff. In Proceedings of the ACM Conference on Computer and Communications Security (CCS).

Digital Library

[77]

Nelson, D., Reed, V., and Walling, J. 1976. Pictorial superiority effect. J. Exp. Psychol. Human Learn. Memory 2, 5, 523--528.

[78]

Nielsen, J. 1993. Usability Engineering. AP Professional, Boston, MA.

Digital Library

[79]

Nielsen, J. and Mack, R. 1994. Usability Inspection Methods. John Wiley & Sons, New York, NY.

Digital Library

[80]

Oechslin, P. 2003. Making a faster cryptanalytic time-memory trade-off. In Proceedings of the International Cryptology Conference (CRYPTO'03).

[81]

Orozco, M., Malek, B., Eid, M., and El Saddik, A. 2006. Haptic-based sensible graphical password. In Proceedings of the Virtual Concept Conference.

[82]

Paivio, A. 2006. Mind and Its Evolution: A Dual Coding Theoretical Approach. Lawrence Erlbaum, Mahwah, NJ.

[83]

Paivio, A., Rogers, T., and Smythe, P. C. 1968. Why are pictures easier to recall than words&quest; Psychonomic Sci. 11, 4, 137--138.

[84]

Passfaces Corporation. 2009. The science behind Passfaces. White paper. http://www.passfaces.com/enterprise/resources/white_papers.htm.

[85]

Perfetti, C. and Landesman, L. 2001. Eight is not enough. User Interface Engineering. http.//www.ulle.com/articles/eight_is_not_enough.

[86]

Pering, T., Sundar, M., Light, J., and Want, R. 2003. Photographic authentication through untrusted terminals. Pervasive Comput. 30--36.

Digital Library

[87]

Pinkas, B. and Sander, T. 2002. Securing passwords against dictionary attacks. In Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS).

Digital Library

[88]

Por, L. Y., Lim, X. T., Su, M. T., and Kianoush, F. 2008. The design and implementation of background Pass-Go scheme towards security threats. WSEAS Trans. Inf. Sci. Appl. 5, 6, 943--952.

Digital Library

[89]

Provos, N., Mavrommatis, P., Abu Rajab, M., and Monrose, F. 2008. All your iFrames point to us. In Proceedings of the 17th USENIX Security Symposium.

Digital Library

[90]

Raaijmakers, J. G. W. and Shiffrin, R. M. 1992. Models for recall and recognition. Ann. Rev. Psych. 43, 205--234.

[91]

Ramsbrock, D., Berthier, R., and Cukier, M. 2007. Profiling attacker behavior following SSH compromises. In Proceedings of the 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

Digital Library

[92]

Renaud, K. 2005a. Evaluating authentication mechanisms. In Security and Usability: Designing Secure Systems That People Can Use, L. Cranor and S. Garfinkel, Eds. O'Reilly Media, Stebastopol, C.A, Chapter 6, 103--128.

[93]

Renaud, K. 2005b. A visuo-biometric authentication mechanism for older users. In Proceedings of the BCS Conference on Human Computer Interaction (HCI). 167--182.

[94]

Renaud, K. 2009a. Guidelines for designing graphical authentication mechanism interfaces. Int. J. Inf. Comput. Secur. 3, 1, 60--85.

Digital Library

[95]

Renaud, K. 2009b. On user involvement in production of images used in visual authentication. J. Visual Lang. Comput. 20, 1, 1--15.

Digital Library

[96]

Renaud, K. and Angeli, A. D. 2004. My password is here! An investigation into visio-spatial authentication mechanisms. Interact. Comput. 16, 4, 1017--1041.

[97]

Renaud, K. and Smith, E. 2001. Jiminy: Helping user to remember their passwords. Tech. Rep., School of Computing, University of South Africa.

[98]

Ross, B., Jackson, C., Miyake, N., Boneh, D., and Mitchell, J. 2005. Stronger password authentication using browser extensions. In Proceedings of the 14th USENIX Security Symposium.

Digital Library

[99]

Roth, V., Richter, K., and Freidinger, R. 2004. A PIN-entry method resiliant against shoulder surfing. In Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS).

Digital Library

[100]

Salehi-Abari, A., Thorpe, J., and van Oorschot, P. 2008. On purely automated attacks and click-based graphical passwords. In Proceedings of the Annual Computer Security Applications Conference (ACSAC).

Digital Library

[101]

Sasse, M. A., Brostoff, S., and Weirich, D. 2001. Transforming the ‘weakest link’—a human/computer interaction approach to usable and effective security. BT Tech. J. 19, 3, 122--131.

Digital Library

[102]

Schechter, S. and Brush, A. B. 2009. It's no secret: Measuring the security and reliability of authentication via ‘secret’ questions. In Proceedings of the IEEE Symposium on Security and Privacy.

Digital Library

[103]

Seifert, C. 2006. Analyzing malicious SSH login attempts. http://www.securityfocus.com/infocus/1876.

[104]

Sheng, S., Holbrook, M., Kumaraguru, P., Cranor, L., and Downs, J. 2010. Who falls for phish&quest; A demographic analysis of phishing susceptibility and effectiveness of interventions. In Proceedings of the 28th International Conference on Human Factors in Computing Systems (CHI'10). 373--382.

Digital Library

[105]

Shepard, R. 1967. Recognition memory for words, sentences, and pictures. J. Verbal Learn. Verbal Behav. 6, 156--163.

[106]

Shuanglei, Z. 2005. Project RainbowCrack. http://www.antsight.com/zsl/rainbowcrack.

[107]

Spool, J. and Schroeder, W. 2001. Testing websites: Five users is nowhere near enough. In Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI).

Digital Library

[108]

Standing, L., Conezio, J., and Haber, R. 1970. Perception and memory for pictures: Single-trial learning of 2500 visual stimuli. Psychonomic Sci. 19, 2.

[109]

Stobert, E., Forget, A., Chiasson, S., van Oorschot, P., and Biddle, R. 2010. Exploring usability effects of increasing security in click-based graphical passwords. In Proceedings of the Annual Computer Security Applications Conference (ACSAC).

Digital Library

[110]

Stubblefield, A. and Simon, D. 2004. Inkblot authentication, Tech. rep., MSR-TR-2004-85. Microsoft Research.

[111]

Suo, X. 2006. A design and analysis of graphical password. M.S. thesis, College of Arts and Science, Georgia State University.

[112]

Suo, X., Zhu, Y., and Owen, G. 2005. Graphical passwords: A survey. In Proceedings of the Annual Computer Security Applications Conference (ACSAC).

Digital Library

[113]

Tafasa. 2010. Patternlock. http://www.tafasa.com/patternlock.html.

[114]

Tao, H. 2006. Pass-Go, a new graphical password scheme. M.S. thesis, School of Information Technology and Engineering, University of Ottawa.

[115]

Tao, H. and Adams, C. 2008. Pass-Go: A proposal to improve the usability of graphical passwords. Int. J. Net. Secur. 7, 2, 273--292.

[116]

Tari, F., Ozok, A., and Holden, S. 2006. A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords. In Proceedings of the 2nd ACM Symposium on Usable Privacy and Security (SOUPS).

Digital Library

[117]

Thames, J., Abler, R., and Keeling, D. 2008. A distributed active response architecture for preventing SSH dictionary attacks. In Proceedings of the IEEE SoutheastCon.

Digital Library

[118]

Thorpe, J. 2008. On the predictability and security of user choice in passwords. Ph.D. dissertation, School of Computer Science, Carleton University, Ottawa.

Digital Library

[119]

Thorpe, J. and van Oorschot, P. C. 2004. Graphical dictionaries and the memorable space of graphical passwords. In Proceedings of the 13th USENIX Security Symposium.

Digital Library

[120]

Thorpe, J. and van Oorschot, P. C. 2007. Human-seeded attacks and exploiting hot-spots in graphical passwords. In Proceedings of the 16th USENIX Security Symposium.

Digital Library

[121]

Tulving, E. and Pearlstone, Z. 1966. Availability versus accessibility of information in memory for words. J. Verbal Lean. Verbal Behav. 5, 381--391.

[122]

Tulving, E. and Watkins, M. 1973. Continuity between recall and recognition. Am. J. Psych. 86, 4, 739--748.

[123]

Valentine, T. 1999. An evaluation of the Passface personal authentication system. Tech. rep., Goldsmiths College University of London.

[124]

van Oorschot, P. C., Salehi-Abari, A., and Thorpe, J. 2010. Purely automated attacks on PassPoints-style graphical passwords. IEEE Trans. Inf. Forensics Secur. 5, 3, 393--405.

Digital Library

[125]

van Oorschot, P. C. and Thorpe, J. 2008. On predictive models and user-drawn graphical passwords. ACM Trans. Inf. Syst. Secur. 10, 4, 1--33.

Digital Library

[126]

van Oorschot, P. C. and Thorpe, J. 2011. Exploiting predictability in click-based graphical passwords. J. Comput. Secur. 19, 4, 669--702.

Digital Library

[127]

van Oorschot, P. C. and Wan, T. 2009. TwoStep: An authentication method combining text and graphical passwords. In Proceedings of the 4th International MCETECH Conference on eTechnologies.

[128]

Varenhorst, C. 2004. Passdoodles: A lightweight authentication method. MIT Research Science Institute.

[129]

Virzi, R. 1992. Refining the test phase of usability evaluation: How many subjects is enough&quest; Human Factors 34, 457--468.

Digital Library

[130]

Vu, K.-P. L., Proctor, R., Bhargav-Spantzel, A., Tai, B.-L., Cook, J., and Schultz, E. 2007. Improving password security and memorability to protect personal and organizational information. Int. J. Human Comput. Stud. 65, 744--757.

Digital Library

[131]

Weber, R. 2006. The statistical security of GrIDsure. Tech. rep., University of Cambridge.

[132]

Weinshall, D. 2006. Cognitive authentication schemes safe against spyware (short paper). In Proceedings of the IEEE Symposium on Security and Privacy.

Digital Library

[133]

Weiss, R. and De Luca, A. 2008. PassShapes—utilizing stroke based authentication to increase password memorability. In Proceedings of the Nordic Conference on Human-Computer Interactions (NordiCHI). 383--392.

Digital Library

[134]

Wharton, C., Bradford, J., Jeffries, R., and Franzke, M. 1992. Applying cognitive walkthroughs to more complex user interfaces: Experiences, issues, and recommendations. In Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI).

Digital Library

[135]

Whitten, A. and Tygar, J. 1999. Why Johnny can't encrypt: A usability evaluation of PGP 5.0. In Proceedings of the 8th USENIX Security Symposium.

Digital Library

[136]

Wiedenbeck, S., Waters, J., Birget, J., Brodskiy, A., and Memon, N. 2005a. Authentication using graphical passwords: Basic results. In Proceedings of the 11th International Conference on Human-Computer Interaction (HC11).

[137]

Wiedenbeck, S., Waters, J., Birget, J., Brodskiy, A., and Memon, N. 2005b. Authentication using graphical passwords: Effects of tolerance and image choice. In Proceedings of the 1st Symposium on Usable Privacy and Security (SOUPS).

Digital Library

[138]

Wiedenbeck, S., Waters, J., Birget, J., Brodskiy, A., and Memon, N. 2005c. PassPoints: Design and longitudinal evaluation of a graphical password system. Int. J. Human Comput. Stud. 63, 1-2, 102--127.

Digital Library

[139]

Wiedenbeck, S., Waters, J., Sobrado, L., and Birget, J. 2006. Design and evaluation of a shoulder-surfing resistant graphical password scheme. In Proceedings of the International Working Conference on Advanced Visual Interfaces (AVI).

Digital Library

[140]

Workman, M. 2007. Gaining access with social engineering: An empirical study of the threat. Inf. Syst. Secur. 16, 6, 315--331.

Digital Library

[141]

Wu, T. 1998. The secure remote password protocol. In Proceedings of the Network and Distributed System Security Symposium (NDSS).

[142]

Wu, T. 1999. A real-world analysis of Kerberos password security. In Proceedings of the Network and Distributed System Security Symposium (NDSS).

[143]

Yan, J., Blackwell, A., Anderson, R., and Grant, A. 2004. Password memorability and security: Empirical results. IEEE Secur. Privacy Mag. 2, 5, 25--31.

Digital Library

[144]

Yan, J., Blackwell, A., Anderson, R., and Grant, A. 2005. The memorability and security of passwords. In Security and Usability: Designing Secure Systems That People Can Use, L. Cranor and S. Garfinkel, Eds. O'Reilly Media, Stebastopol, CA, Chapter 7, 129--142.

Cited By

Hasan SGhani ADaud AAkbar HKhan M(2025)A Review on Secure Authentication Mechanisms for Mobile SecuritySensors10.3390/s2503070025:3(700)Online publication date: 24-Jan-2025
https://doi.org/10.3390/s25030700
Simon JWatson Svan Sintemaartensdijk I(2025)Response-efficacy messages produce stronger passwords than self-efficacy messages … for now: A longitudinal experimental study of the efficacy of coping message types on password creation behaviourComputers in Human Behavior Reports10.1016/j.chbr.2025.10061517(100615)Online publication date: Mar-2025
https://doi.org/10.1016/j.chbr.2025.100615
Meng W(2025)Graphical AuthenticationEncyclopedia of Cryptography, Security and Privacy10.1007/978-3-030-71522-9_1581(1028-1031)Online publication date: 8-Jan-2025
https://doi.org/10.1007/978-3-030-71522-9_1581
Show More Cited By

Index Terms

Graphical passwords: Learning from the first twelve years

Recommendations

Multiple password interference in text passwords and click-based graphical passwords
CCS '09: Proceedings of the 16th ACM conference on Computer and communications security

The underlying issues relating to the usability and security of multiple passwords are largely unexplored. However, we know that people generally have difficulty remembering multiple passwords. This reduces security since users reuse the same password ...
Authentication using graphical passwords: effects of tolerance and image choice
SOUPS '05: Proceedings of the 2005 symposium on Usable privacy and security

Graphical passwords are an alternative to alphanumeric passwords in which users click on images to authenticate themselves rather than type alphanumeric strings. We have developed one such system, called PassPoints, and evaluated it with human users. ...
A second look at the usability of click-based graphical passwords
SOUPS '07: Proceedings of the 3rd symposium on Usable privacy and security

Click-based graphical passwords, which involve clicking a set of user-selected points, have been proposed as a usable alternative to text passwords. We conducted two user studies: an initial lab study to revisit these usability claims, explore for the ...

Comments

Information & Contributors

Information

Published In

cover image ACM Computing Surveys

ACM Computing Surveys Volume 44, Issue 4

August 2012

318 pages

ISSN:0360-0300

EISSN:1557-7341

DOI:10.1145/2333112

Issue’s Table of Contents

Copyright © 2012 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 07 September 2012

Accepted: 01 March 2011

Revised: 01 September 2010

Received: 01 April 2010

Published in CSUR Volume 44, Issue 4

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

351
Total Citations
View Citations
5,377
Total Downloads

Downloads (Last 12 months)133
Downloads (Last 6 weeks)16

Reflects downloads up to 25 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Hasan SGhani ADaud AAkbar HKhan M(2025)A Review on Secure Authentication Mechanisms for Mobile SecuritySensors10.3390/s2503070025:3(700)Online publication date: 24-Jan-2025
https://doi.org/10.3390/s25030700
Simon JWatson Svan Sintemaartensdijk I(2025)Response-efficacy messages produce stronger passwords than self-efficacy messages … for now: A longitudinal experimental study of the efficacy of coping message types on password creation behaviourComputers in Human Behavior Reports10.1016/j.chbr.2025.10061517(100615)Online publication date: Mar-2025
https://doi.org/10.1016/j.chbr.2025.100615
Meng W(2025)Graphical AuthenticationEncyclopedia of Cryptography, Security and Privacy10.1007/978-3-030-71522-9_1581(1028-1031)Online publication date: 8-Jan-2025
https://doi.org/10.1007/978-3-030-71522-9_1581
Deshmukh RRajesh Petewar PM. Rathod SDineshrao Bijwe SDilip Pawar VSuresh Bondre T(2024)Review on Proposal of a Password Manager, satisfying security and Usability through “Key-Master”International Journal of Innovative Science and Research Technology (IJISRT)10.38124/ijisrt/IJISRT24NOV975(585-590)Online publication date: 23-Nov-2024
https://doi.org/10.38124/ijisrt/IJISRT24NOV975
Priyanka Shingate Shruti Taware Pratik Deshpande Tanaya Deshmukh Anshu Thakur (2024)A Research on Graphical Password Strategy AuthenticationInternational Journal of Scientific Research in Science, Engineering and Technology10.32628/IJSRSET2411312011:3(237-248)Online publication date: 28-May-2024
https://doi.org/10.32628/IJSRSET24113120
Corbett MDavid-John BShang JJi B(2024)ShouldAR: Detecting Shoulder Surfing Attacks Using Multimodal Eye Tracking and Augmented RealityProceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies10.1145/36785738:3(1-23)Online publication date: 9-Sep-2024
https://dl.acm.org/doi/10.1145/3678573
Lewis BKirupaharan PRanalli TVenkatasubramanian K(2024)A3C: An Image-Association-Based Computing Device Authentication Framework for People with Upper Extremity ImpairmentsACM Transactions on Accessible Computing10.1145/365252217:2(1-37)Online publication date: 28-May-2024
https://dl.acm.org/doi/10.1145/3652522
S ASingh K J(2024)Enhancing User Authentication with a Secure Human-Computable Password Scheme2024 Second International Conference on Emerging Trends in Information Technology and Engineering (ICETITE)10.1109/ic-ETITE58242.2024.10493581(1-6)Online publication date: 22-Feb-2024
https://doi.org/10.1109/ic-ETITE58242.2024.10493581
Han JWong DFu ZKang B(2024)AuthZit: Personalized Visual-Spatial and Loci-Tagging Fallback Authentication2024 IEEE 29th Pacific Rim International Symposium on Dependable Computing (PRDC)10.1109/PRDC63035.2024.00025(120-130)Online publication date: 13-Nov-2024
https://doi.org/10.1109/PRDC63035.2024.00025
V JN S RV S R(2024)AI-Powered Dynamic Images: A New Frontier in Graphical Password Authentication2024 International Conference on Emerging Research in Computational Science (ICERCS)10.1109/ICERCS63125.2024.10894909(1-8)Online publication date: 12-Dec-2024
https://doi.org/10.1109/ICERCS63125.2024.10894909
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Issue’s Table of Contents