
A Pilot Study of Multiple Password Interference Between Text and Map-Based Passwords

  • Weizhi Meng
  • Wenjuan Li
  • Wang Hao Lee
  • Lijun Jiang
  • Jianying Zhou
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10355)

Abstract

Today’s computer users have to remember several passwords for each of their accounts. People often have difficulty remembering multiple passwords, which results in weak password selection. Previous studies have shown that recall success rates are not statistically dissimilar between textual passwords and graphical passwords. With the advent of map-based graphical passwords, this paper focuses on multiple password interference and presents a pilot study of 60 participants that examines the recall of multiple passwords for text passwords and map-based passwords under various account scenarios. Each participant has to create six distinct passwords for different account scenarios. It is found that participants using the map-based graphical password scheme could perform better than those using the textual password scheme in both short-term (one-hour session) and long-term (after two weeks) password memorability tests (i.e., they achieved higher success rates). Our effort attempts to complement existing studies and stimulate more research on this issue.

Keywords

  • User authentication
  • Graphical passwords
  • Usable security
  • Multiple password interference
  • HCI

Notes

Acknowledgments

We would like to thank all participants for their hard work and collaboration in the user studies (e.g., data collection), and thank all anonymous reviewers for their helpful comments. This work was partially supported by SUTD start-up research grant SRG-ISTD-2017-124.

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Weizhi Meng (1)
  • Wenjuan Li (2)
  • Wang Hao Lee (3)
  • Lijun Jiang (2)
  • Jianying Zhou (4)

  1. Department of Applied Mathematics and Computer Science, Technical University of Denmark, Kongens Lyngby, Denmark
  2. Department of Computer Science, City University of Hong Kong, Kowloon Tong, Hong Kong
  3. Infocomm Security Department, Institute for Infocomm Research, Singapore, Singapore
  4. Singapore University of Technology and Design, Singapore, Singapore
