
Bu-Dash: A Universal and Dynamic Graphical Password Scheme

  • Conference paper
HCI for Cybersecurity, Privacy and Trust (HCII 2022)

Abstract

Biometric authentication is gradually replacing knowledge-based methods on mobile devices. However, Personal Identification Numbers (PINs), passcodes, and graphical password schemes such as the Android Pattern Unlock (APU) are often still the primary means of authentication, or they serve as an auxiliary (backup) method for when biometrics fail. Passcodes need to be memorable to be usable, so users tend to choose easy-to-guess secrets, compromising security. The APU is a prominent example of a popular and usable graphical password scheme that can easily be compromised by exploiting common and predictable human behavioural traits. Despite these weaknesses, the scheme's popularity has led researchers to propose adjustments and variations that enhance security while retaining its familiar user interface. Nevertheless, prior work has shown that improving security while preserving usability frequently remains a hard task. In this paper we propose a novel graphical password scheme built on the foundations of the well-accepted APU method that is usable, inclusive, universal, and robust against shoulder-surfing and smudge attacks. Our scheme, named Bu-Dash, features a dynamic user interface that mutates every time the user swipes the screen. Our pilot studies show that Bu-Dash attracts positive user acceptance rates and maintains acceptable usability levels.
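The abstract's central security argument is that a layout which changes on every swipe breaks the link between the residue left on the glass and the secret. The simulation below is an added illustration of that general principle and is not code from the Bu-Dash paper; it does not reproduce the scheme's actual rules. Everything in it is a hypothetical model: a 3x3 grid of nine cells, a secret that is a sequence of symbols drawn from the alphabet `SYMBOLS`, a "static" entry model in which each symbol always sits on the same cell (as in the Android pattern lock), and a "dynamic" model in which the symbols are shuffled across the cells before every step. The function names (`enter`, `decode`, `smudge_candidates`, `replay_success_rate`) are mine.

```python
"""Why a layout that changes after every swipe defeats smudge replay.

Added illustration, not code from the Bu-Dash paper, and not the
scheme's real rules. Hypothetical model:
  * a 3x3 grid of nine cells, secret = sequence of symbols from SYMBOLS
  * static : symbol SYMBOLS[c] always sits on cell c (Android-pattern style)
  * dynamic: before each step the symbols are shuffled across the cells
A smudge attacker recovers the sequence of touched cells from the glass
but never sees the layouts that were on screen when they were touched.
"""
import random

SYMBOLS = "ABCDEFGHI"          # nine hypothetical building blocks
GRID = len(SYMBOLS)


def static_layouts(length):
    """One fixed layout for every step: cell c shows SYMBOLS[c]."""
    return [list(SYMBOLS) for _ in range(length)]


def dynamic_layouts(length, rng):
    """A fresh random permutation of the symbols for every step."""
    layouts = []
    for _ in range(length):
        cells = list(SYMBOLS)
        rng.shuffle(cells)
        layouts.append(cells)
    return layouts


def enter(secret, layouts):
    """Cells the user touches to enter `secret` under the layouts shown."""
    return [layouts[i].index(sym) for i, sym in enumerate(secret)]


def decode(trace, layouts):
    """What the device reads from a cell trace under the layouts on screen."""
    return "".join(layouts[i][c] for i, c in enumerate(trace))


def smudge_candidates(trace, layouts_known):
    """Number of secrets consistent with a recovered cell trace.

    If the attacker knows the layouts (the static case), the trace fixes
    the secret. If every step used a permutation the attacker never saw,
    any symbol may have been on any touched cell, so only the length leaks.
    """
    return 1 if layouts_known else GRID ** len(trace)


def static_replay_works(secret):
    """Under a fixed layout the captured trace *is* the secret: replay succeeds."""
    layouts = static_layouts(len(secret))
    return decode(enter(secret, layouts), layouts) == secret


def dynamic_roundtrip(secret, seed):
    """Sanity check: the legitimate user, who sees the layouts, still logs in."""
    layouts = dynamic_layouts(len(secret), random.Random(seed))
    return decode(enter(secret, layouts), layouts) == secret


def replay_success_rate(secret, trials, seed):
    """Fraction of later logins that a trace captured from one session unlocks
    under the dynamic model. Per step the right symbol lands on the captured
    cell with probability 1/GRID, so the rate is about GRID ** -len(secret)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        captured = enter(secret, dynamic_layouts(len(secret), rng))
        later = dynamic_layouts(len(secret), rng)
        hits += decode(captured, later) == secret
    return hits / trials


if __name__ == "__main__":
    secret = "CAFE"                      # constructed sample secret
    print("static replay unlocks     :", static_replay_works(secret))
    print("dynamic replay rate       :", replay_success_rate(secret, 1000, 2022))
    print("smudge candidates, static :", smudge_candidates([2, 0, 5, 4], True))
    print("smudge candidates, dynamic:", smudge_candidates([2, 0, 5, 4], False))
```

Two caveats a practitioner should keep in mind. First, the model only covers the smudge attacker: in it, an observer who watched the screen and saw each layout (a shoulder surfer) can still call `decode` on the captured trace with the layouts they saw and recover the secret, so re-randomising the layout on its own does not buy shoulder-surfing resistance; the abstract claims that property for Bu-Dash, but the mechanism behind it is not described on this page. Second, the candidate count assumes the per-step permutations are independent and uniformly random; a layout generator with a weak or predictable source of randomness would collapse the candidate space back towards the static case.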


Notes

  1. https://www.playstation.com/en-gb/legal/copyright-and-trademark-notice/.

  2. We utilized Google's "Material Icons" as the password building blocks in this research work: https://fonts.google.com/icons.

  3. We refer to viewers of the popular series "Squid Game".


Acknowledgement

Dr Panagiotis Andriotis was an International Research Fellow of the Japan Society for the Promotion of Science (Postdoctoral Fellowship for Research in Japan (Standard)) when this paper was published.

Author information

Corresponding author: Panagiotis Andriotis.


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Andriotis, P., Kirby, M., Takasu, A. (2022). Bu-Dash: A Universal and Dynamic Graphical Password Scheme. In: Moallem, A. (eds) HCI for Cybersecurity, Privacy and Trust. HCII 2022. Lecture Notes in Computer Science, vol 13333. Springer, Cham. https://doi.org/10.1007/978-3-031-05563-8_14

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-05563-8_14


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-05562-1

  • Online ISBN: 978-3-031-05563-8

  • eBook Packages: Computer Science (R0)
