Visual Passwords
January 28, 2019
Graphical passwords (here also called visual passwords, or VPs) are an authentication mechanism for computer systems. The difference between a VP and the currently dominant alphanumeric password is that with a VP, a user's password is represented by where that user clicks on an image. Thus, an application using graphical passwords for authentication would show a picture to the user. The user would then click in a number of places on the picture, and the coordinates of the clicks would be stored by the application. During authentication, the user has to click on the established points. (The system, of course, allows for a configurable error tolerance, since it is not realistic to expect a person to click on exactly the same pixel each time.)
Graphical passwords attempt to deal with the same problem as the usual alphanumeric passwords. However, graphical passwords also try to address some drawbacks that are inherent in alphanumeric passwords, hopefully without introducing any drawbacks of their own.
There are some basic requirements built into authentication systems based on "what you know." The password should be easy for the legitimate user to remember, but hard for everybody else to guess. Unfortunately, those requirements are in conflict. If the password is easy for a user to remember, very likely it is made up of some word and/or some number that is significant to that user. The word is often the name of a person or place, which can be found in a dictionary or derived from basic knowledge about the user, and the same can be said about dates. To summarize, alphanumeric passwords are generally easy to guess. Also, harder passwords, or the passwords for many different systems, are usually written down on sticky notes, which makes them less secure.
A graphical password offers a much larger key space than an alphanumeric one, which is limited to roughly 64 ASCII characters. For example, a 600-by-800 image with an error tolerance of 10 pixels would result in 4,800 distinguishable click positions. Also, a graphical password is much harder to write down or even to tell to some other person. Last but not least, another benefit of graphical passwords is cued recall: the displayed picture helps users remember the password, rather than relying on memory alone.
From a usability point of view, we conduct experiments to see whether graphical passwords are at least as easy for people to use as alphanumeric passwords. We address both technical security, which involves transmitting and storing the password in a secure manner, and user security, which involves an analysis of whether people use the system in a secure or insecure way. The latter is an analysis of how people choose their graphical passwords, and whether those choices are vulnerable to guessing or dictionary attacks.
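The following is an added example, not code from this project, that works through the three mechanisms described above with constructed click points: enrolling and verifying click points under a pixel tolerance, computing the key space for a 600-by-800 image at 10-pixel tolerance, and the storage problem that arises when click coordinates are hashed rather than kept in the clear. The function names (`key_space`, `verify_plaintext`, `enroll_hashed`, `grid_boundary_failure`) and the fixed-grid snapping are hypothetical choices made for this example; the grid is a naive stand-in that exposes the boundary problem (a click within tolerance of the stored point but in a neighbouring cell fails) which the robust-discretization papers in the resources list are designed to address.

```python
import hashlib
import secrets
from typing import List, Optional, Tuple

Point = Tuple[int, int]


def key_space(width: int, height: int, tolerance: int, n_clicks: int = 1) -> int:
    """Number of distinguishable click targets per click, raised to the number
    of clicks. Each target is a tolerance x tolerance square of the image."""
    per_click = (width // tolerance) * (height // tolerance)
    return per_click ** n_clicks


def within_tolerance(stored: Point, clicked: Point, tolerance: int) -> bool:
    """Accept a click that is off by at most `tolerance` pixels on each axis."""
    return (abs(stored[0] - clicked[0]) <= tolerance
            and abs(stored[1] - clicked[1]) <= tolerance)


def verify_plaintext(stored: List[Point], attempt: List[Point], tolerance: int) -> bool:
    """Verify an attempt against click points stored in the clear, in order.
    Simple, but the stored coordinates are the password itself."""
    if len(stored) != len(attempt):
        return False
    return all(within_tolerance(s, a, tolerance) for s, a in zip(stored, attempt))


def to_cells(points: List[Point], cell: int) -> List[Point]:
    """Naive discretization: snap each click to the fixed grid cell containing it.
    A hash of raw pixels would change with any one-pixel wobble, so hashed
    storage needs some such quantization step before hashing."""
    return [(x // cell, y // cell) for x, y in points]


def enroll_hashed(points: List[Point], cell: int,
                  salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Store a salted, iterated hash of the grid cells instead of the coordinates."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    encoded = ",".join(f"{cx}:{cy}" for cx, cy in to_cells(points, cell)).encode()
    digest = hashlib.pbkdf2_hmac("sha256", encoded, salt, 50_000).hex()
    return salt, digest


def verify_hashed(salt: bytes, digest: str, attempt: List[Point], cell: int) -> bool:
    """Recompute the hash of the attempt's cells and compare in constant time."""
    _, candidate = enroll_hashed(attempt, cell, salt)
    return secrets.compare_digest(candidate, digest)


def grid_boundary_failure(stored: List[Point], attempt: List[Point],
                          cell: int, tolerance: int) -> bool:
    """True when an attempt is within tolerance of every stored point but would
    still be rejected by the fixed grid, because some click crossed a cell edge."""
    return (verify_plaintext(stored, attempt, tolerance)
            and to_cells(stored, cell) != to_cells(attempt, cell))


# Constructed sample data (not taken from any study): three enrolled clicks on
# a 800-wide, 600-high image, a legitimate re-entry, and a wrong third click.
STORED = [(120, 340), (455, 60), (700, 510)]
GOOD_ATTEMPT = [(125, 336), (450, 64), (705, 515)]
BAD_ATTEMPT = [(125, 336), (450, 64), (730, 515)]
# First click is 2 and 4 pixels off (well within tolerance 10) but (118, 336)
# lies in grid cell (11, 33) while (120, 340) lies in cell (12, 34).
NEAR_EDGE_ATTEMPT = [(118, 336), (455, 60), (700, 510)]

if __name__ == "__main__":
    print("per-click key space, 600x800 at 10px:", key_space(800, 600, 10))
    print("plaintext verify, good:", verify_plaintext(STORED, GOOD_ATTEMPT, 10))
    print("plaintext verify, bad:", verify_plaintext(STORED, BAD_ATTEMPT, 10))
    salt, digest = enroll_hashed(STORED, 10)
    print("hashed verify, exact:", verify_hashed(salt, digest, STORED, 10))
    print("hashed verify, near edge:", verify_hashed(salt, digest, NEAR_EDGE_ATTEMPT, 10))
    print("boundary failure:", grid_boundary_failure(STORED, NEAR_EDGE_ATTEMPT, 10, 10))
```

The per-click figure reproduces the 4,800 stated in the text (80 x 60 cells), and raising it to the number of clicks gives the full key space for a multi-click password. The last two printed lines are the practical caveat: hashing the password at rest is the right goal, but a fixed grid rejects a legitimate user whose click lands a few pixels across a cell edge, which is exactly the tension between tolerance and secure storage that a robust discretization scheme resolves.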
Participants: Nasir Memon, Aleksandr Brodskiy
Resources: Graphical Password Homepage
- A. E. Dirik, N. Memon, and J.C. Birget, Modeling user choice in the PassPoints graphical password scheme, Symposium On Usable Privacy and Security (SOUPS), 2007.
- J.C. Birget, Dawei Hong, Nasir Memon, Graphical passwords based on robust discretization, IEEE Transactions on Information Forensics and Security, 1(3) (Sept. 2006) 395-399.
- S. Wiedenbeck, J. Waters, J.C. Birget, A. Brodskiy, N. Memon, PassPoints: Design and longitudinal evaluation of a graphical password system, International J. of Human-Computer Studies (Special Issue on HCI Research in Privacy and Security), 63 (2005) 102-127.
- S. Wiedenbeck, J. Waters, J.C. Birget, A. Brodskiy, N. Memon, Authentication using graphical passwords: Effects of tolerance and image choice, Symposium on Usable Privacy and Security (SOUPS), 6-8 July 2005, at Carnegie-Mellon Univ., Pittsburgh.
- S. Wiedenbeck, J. Waters, J.C. Birget, A. Brodskiy, N. Memon, Authentication using graphical passwords: Basic results, Human-Computer Interaction International (HCII 2005), Las Vegas, July 25-27, 2005.
- J.C. Birget, Dawei Hong, Nasir Memon, Robust discretization, with an application to graphical passwords, Aug. 2003. (Cryptology ePrint archive, http://eprint.iacr.org/2003/168)