DOI: 10.1145/2785830.2785882
research-article

Graphical Passwords in the Wild: Understanding How Users Choose Pictures and Passwords in Image-based Authentication Schemes

Published: 24 August 2015

Abstract

Common user authentication methods on smartphones, such as lock patterns, PINs, or passwords, impose a trade-off between security and password memorability. Image-based passwords were proposed as a secure and usable alternative. As of today, however, it remains unclear how such schemes are used in the wild. We present the first study to investigate how image-based passwords are used over long periods of time in the real world. Our analyses are based on data from 2318 unique devices collected over more than one year using a custom application released in the Android Play store. We present an in-depth analysis of what kind of images users select, how they define their passwords, and how secure these passwords are. Our findings provide valuable insights into real-world use of image-based passwords and inform the design of future graphical authentication schemes.

      Published In

      MobileHCI '15: Proceedings of the 17th International Conference on Human-Computer Interaction with Mobile Devices and Services
      August 2015
      611 pages
      ISBN: 9781450336529
      DOI: 10.1145/2785830
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. Graphical passwords
      2. images
      3. security

      Qualifiers

      • Research-article
      • Research
      • Refereed limited

      Conference

      MobileHCI '15

      Acceptance Rates

      Overall Acceptance Rate 202 of 906 submissions, 22%

      Article Metrics

      • Downloads (Last 12 months): 23
      • Downloads (Last 6 weeks): 1
      Reflects downloads up to 16 Nov 2024

      Cited By

      • (2023) Security and Usability of a Personalized User Authentication Paradigm: Insights from a Longitudinal Study with Three Healthcare Organizations. ACM Transactions on Computing for Healthcare. DOI: 10.1145/3564610. 4:1 (1-40). Online publication date: 27-Feb-2023
      • (2022) A Novel Dictionary Generation Methodology for Contextual-Based Password Cracking. IEEE Access. DOI: 10.1109/ACCESS.2022.3179701. 10 (59178-59188). Online publication date: 2022
      • (2021) Adversary Models for Mobile Device Authentication. ACM Computing Surveys. DOI: 10.1145/3477601. 54:9 (1-35). Online publication date: 8-Oct-2021
      • (2021) Remote VR Studies: A Framework for Running Virtual Reality Studies Remotely Via Participant-Owned HMDs. ACM Transactions on Computer-Human Interaction. DOI: 10.1145/3472617. 28:6 (1-36). Online publication date: 15-Nov-2021
      • (2021) A Visual Exploration of Cybersecurity Concepts. Proceedings of the 13th Conference on Creativity and Cognition. DOI: 10.1145/3450741.3465252. (1-10). Online publication date: 22-Jun-2021
      • (2021) A Comparative Study among Different Computer Vision Algorithms for Assisting Users in Picture Password Composition. Adjunct Proceedings of the 29th ACM Conference on User Modeling, Adaptation and Personalization. DOI: 10.1145/3450614.3464474. (357-362). Online publication date: 21-Jun-2021
      • (2021) Eye-GUAna: Higher Gaze-Based Entropy and Increased Password Space in Graphical User Authentication Through Gamification. ACM Symposium on Eye Tracking Research and Applications. DOI: 10.1145/3448018.3458615. (1-7). Online publication date: 25-May-2021
      • (2021) A Taxonomy of Multimedia-based Graphical User Authentication for Green Internet of Things. ACM Transactions on Internet Technology. DOI: 10.1145/3433544. 22:2 (1-28). Online publication date: 22-Oct-2021
      • (2021) Better, Funner, Stronger: A Gameful Approach to Nudge People into Making Less Predictable Graphical Password Choices. Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems. DOI: 10.1145/3411764.3445658. (1-17). Online publication date: 6-May-2021
      • (2021) Understanding Insider Attacks in Personalized Picture Password Schemes. Human-Computer Interaction – INTERACT 2021. DOI: 10.1007/978-3-030-85610-6_42. (722-731). Online publication date: 26-Aug-2021
