
Authentication Schemes - Comparison and Effective Password Spaces

  • Conference paper, in: Information Systems Security (ICISS 2014)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 8880)

Abstract

Text passwords are ubiquitous in authentication. Despite this ubiquity, they have been the target of much criticism. One alternative to pure-recall text passwords is graphical authentication schemes. The different proposed schemes harness the vast visual memory of the human brain and exploit cued recall as well as recognition in addition to pure recall. While graphical authentication in general is promising, basic research is required to better understand which schemes are most appropriate for which scenario (including security model and frequency of usage). This paper presents a comparative study in which all schemes are configured to the same effective password space (as used by large Internet companies). The experiment includes both cued-recall-based and recognition-based schemes. The results demonstrate that recognition-based schemes have the upper hand in terms of effectiveness and cued-recall-based schemes in terms of efficiency. Thus, depending on the scenario, one or the other approach is more appropriate. Both types of schemes have lower reset rates than text passwords, which might be of interest in scenarios with limited support capacities.




Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Mayer, P., Volkamer, M., Kauer, M. (2014). Authentication Schemes - Comparison and Effective Password Spaces. In: Prakash, A., Shyamasundar, R. (eds) Information Systems Security. ICISS 2014. Lecture Notes in Computer Science, vol 8880. Springer, Cham. https://doi.org/10.1007/978-3-319-13841-1_12


  • DOI: https://doi.org/10.1007/978-3-319-13841-1_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-13840-4

  • Online ISBN: 978-3-319-13841-1

  • eBook Packages: Computer Science, Computer Science (R0)
