Purely Automated Attacks on PassPoints-Style Graphical Passwords

We introduce and evaluate various methods for purely automated attacks against PassPoints-style graphical passwords. For generating these attacks, we introduce a graph-based algorithm to efficiently create dictionaries based on heuristics such as click-order patterns (e.g., five points all along a l...

Full description

Saved in:
Bibliographic Details
Published in:IEEE transactions on information forensics and security 2010-09, Vol.5 (3), p.393-405
Main Authors: van Oorschot, P C, Salehi-Abari, A, Thorpe, J
Format: Article
Language:English
Subjects:
Algorithms
Automated
Automation
Computational modeling
Computer information security
Computer security
Dictionaries
Focusing
Graphical user interfaces
Heuristic
Human factors
Image processing
Machine vision
Mathematical models
Passwords
Permission
Proposals
Visual
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:We introduce and evaluate various methods for purely automated attacks against PassPoints-style graphical passwords. For generating these attacks, we introduce a graph-based algorithm to efficiently create dictionaries based on heuristics such as click-order patterns (e.g., five points all along a line). Some of our methods combine click-order heuristics with focus-of-attention scan-paths generated from a computational model of visual attention, yielding significantly better automated attacks than previous work. One resulting automated attack finds 7%-16% of passwords for two representative images using dictionaries of approximately 2 26 entries (where the full password space is 2 43 ). Relaxing click-order patterns substantially increased the attack efficacy albeit with larger dictionaries of approximately 2 35 entries, allowing attacks that guessed 48%-54% of passwords (compared to previous results of 1% and 9% on the same dataset for two images with 2 35 guesses). These latter attacks are independent of focus-of-attention models, and are based on image-independent guessing patterns. Our results show that automated attacks, which are easier to arrange than human-seeded attacks and are more scalable to systems that use multiple images, require serious consideration when deploying basic PassPoints-style graphical passwords.
ISSN:1556-6013
1556-6021
1558-6021
DOI:10.1109/TIFS.2010.2053706