21 research outputs found
Measuring the revised guessability of graphical passwords
There is no widely accepted way of measuring the level of security of a recognition-based graphical password against guessing attacks. We aim to address this by examining the influence of the predictability of user choice on guessability and by proposing a new measure of guessability. Davis et al. showed that these biases exist for schemes using faces and stories; we support this result and show that these biases also exist in other recognition-based schemes. In addition, we construct an attack that exploits predictability, which we term the "Semantic Ordered Guessing Attack" (SOGA). We then apply this attack to two schemes (the Doodles scheme and a standard recognition-based scheme using photographic images) and report the results. The results show that predictability in how users select graphical passwords influences the level of security to a varying degree, dependent on the distractor selection algorithm. The standard passimages scheme shows an increase in guessability of up to 18 times the usually reported guessability; with a similar set-up of nine images per screen and four screens, the Doodles scheme shows that a successful guessing attack is 3.3 times more likely than a random guess. Finally, we present a method of calculating a more accurate guessability value, which we call the revised guessability of a recognition-based scheme. Our conclusion is that, to maximise the security of a recognition-based graphical password scheme, user choice of images should be disallowed
Usable Security: Usability, Safety and Security of Passwords
Although usability and security are both relevant requirements for application systems, they are in tension with each other. Security can be understood as protection against attacks from outside (security), but also as the safe functioning (safety) of these application systems. As classic safety domains such as disaster management become ever more networked, security aspects are gaining importance there as well. The transfer of critical and confidential information to mobile devices must be password-protected and at the same time quickly available; time-consuming authentication mechanisms can be a hindrance here. In this study, the use of passwords is explored against the background of the trade-off between security and usability, and hypotheses on how passwords are handled are formulated; these are gaining enormous importance in the context of digitalisation in civil security as well as mobile and ubiquitous devices in disaster management
ClickPattern: A Pattern Lock System Resilient to Smudge and Side-channel Attacks
Pattern lock is a very popular mechanism for securing authenticated access to mobile terminals; this is mainly due to its ease of use and the fact that muscle memory endows it with extreme memorability. Nonetheless, pattern lock is also very vulnerable to smudge and side-channel attacks, so its actual level of security has often been considered insufficient. In this paper we describe a mechanism that enhances pattern lock security with resilience to smudge and side-channel attacks, maintains a comparable level of memorability, and provides ease of use that is still comparable with pattern lock while outperforming other schemes proposed in the literature. To support our claim, we performed a usability test with 51 volunteers and compared our results with those of the other schemes
Identification and Authentication: Technology and Implementation Issues
Computer-based information systems in general, and Internet e-commerce and e-business systems in particular, employ many types of resources that need to be protected against access by unauthorized users. Three main components of access control are used in most information systems: identification, authentication, and authorization. In this paper we focus on authentication, which is the most problematic component. The three main approaches to user authentication are: knowledge-based, possession-based, and biometric-based. We review and compare the various authentication mechanisms of these approaches and the technology and implementation issues they involve. Our conclusion is that there is no silver bullet solution to user authentication problems. Authentication practices need improvement. Further research should lead to a better understanding of user behavior and the applied psychology aspects of computer security
Quantifying the Security of Recognition Passwords: Gestures and Signatures
Gesture and signature passwords are two-dimensional figures created by drawing on the surface of a touchscreen with one or more fingers. Prior results about their security have used resilience to either shoulder surfing, a human observation attack, or dictionary attacks. These evaluations restrict generalizability since the results are: non-comparable to other password systems (e.g. PINs), harder to reproduce, and attacker-dependent. Strong statements about the security of a password system use an analysis of the statistical distribution of the password space, which models a best-case attacker who guesses passwords in order of most likely to least likely. Estimating the distribution of recognition passwords is challenging because many different trials need to map to one password. In this paper, we solve this difficult problem by: (1) representing a recognition password of continuous data as a discrete alphabet set, and (2) estimating the password distribution through modeling the unseen passwords. We use Symbolic Aggregate approXimation (SAX) to represent time series data as symbols and develop Markov chains to model recognition passwords. We use a partial guessing metric, which demonstrates how many guesses an attacker needs to crack a percentage of the entire space, to compare the security of the distributions for gestures, signatures, and Android unlock patterns. We found the lower bounds of the partial guessing metric of gestures and signatures are much higher than the upper bound of the partial guessing metric of Android unlock patterns
A Design and Analysis of Graphical Password
The most common computer authentication method is to use alphanumeric usernames and passwords. This method has been shown to have significant drawbacks. For example, users tend to pick passwords that can be easily guessed. On the other hand, if a password is hard to guess, then it is often hard to remember. To address this problem, some researchers have developed authentication methods that use pictures as passwords. In this paper, I conduct a comprehensive survey of the existing graphical password techniques. I classify these techniques into two categories: recognition-based and recall-based approaches. I discuss the strengths and limitations of each method and point out future research directions in this area. I have also developed three new techniques to address the common problems that exist in present graphical password techniques. In this thesis, the scheme of each new technique will be proposed, the advantages of each technique will be discussed, and the future work will be outlined