ABSTRACT
The problems with passwords are well-known: secure passwords are difficult to remember, users have too many passwords, and users have difficulty matching their passwords to accounts. Password managers and cued graphical passwords are two password solutions that address the issues of memorability and keeping track of passwords. We have developed Versipass, a password manager that incorporates key elements of password managers and cued graphical passwords to avoid existing problems of password memorability and associating passwords with accounts. Instead of remembering passwords, Versipass remembers image cues for graphical passwords. These cues help users to better remember their passwords and to more easily link passwords with accounts. Versipass also facilitates safe password reuse by allowing users to use the same image cue for multiple accounts.
Index Terms
- A Password Manager that Doesn't Remember Passwords