Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017...

80
Security and Usability of Graphical Passwords Kyle J. Hakala UMN Morris 2017 April 15 Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20

Transcript of Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017...

Page 1: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Security and Usability of Graphical Passwords

Kyle J. Hakala

UMN Morris

2017 April 15

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20

Page 2: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20

Think for a moment...

How many different systems and servicesdo you need to log into every day?

Page 3: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 2 / 20

Think for a moment...

How many different systems and servicesdo you need to log into every day?

week?

Page 4: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 2 / 20

Think for a moment...

How many different systems and servicesdo you need to log into every day?

week?month?

Page 5: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 2 / 20

Think for a moment...

How many different systems and servicesdo you need to log into every day?

week?month?year?

Page 6: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

...A lot.

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 3 / 20

Page 7: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

...A lot.

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 3 / 20

Page 8: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

...A lot.

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 3 / 20

Page 9: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

...A lot.

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 3 / 20

Page 10: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

...A lot.

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 3 / 20

Page 11: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

...A lot.

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 3 / 20

Page 12: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

...A lot.

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 3 / 20

Page 13: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

...A lot.

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 3 / 20

Page 14: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

...A lot.

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 3 / 20

Page 15: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

...A lot.

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 3 / 20

Page 16: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

...A lot.

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 3 / 20

Page 17: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

...A lot.

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 3 / 20

Page 18: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

Do you have fewer unique passwords thanservices?

This may look familiar:

fluffy2!

fluffy2!!

fluffy2!!!

fluffy2!!!!

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 4 / 20

Page 19: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

Do you have fewer unique passwords thanservices?

This may look familiar:

fluffy2!

fluffy2!!

fluffy2!!!

fluffy2!!!!

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 4 / 20

Page 20: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

Do you have fewer unique passwords thanservices?

This may look familiar:

fluffy2!

fluffy2!!

fluffy2!!!

fluffy2!!!!

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 4 / 20

Page 21: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

Do you have fewer unique passwords thanservices?

This may look familiar:

fluffy2!

fluffy2!!

fluffy2!!!

fluffy2!!!!

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 4 / 20

Page 22: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

Do you have fewer unique passwords thanservices?

This may look familiar:

fluffy2!

fluffy2!!

fluffy2!!!

fluffy2!!!!

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 4 / 20

Page 23: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

Do you have fewer unique passwords thanservices?

This may look familiar:

fluffy2!

fluffy2!!

fluffy2!!!

fluffy2!!!!

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 4 / 20

Page 24: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

You aren’t alone!

We want a means of authenticating that is:

secure

memorable

practical

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 5 / 20

Page 25: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

You aren’t alone!We want a means of authenticating that is:

secure

memorable

practical

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 5 / 20

Page 26: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

You aren’t alone!We want a means of authenticating that is:

secure

memorable

practical

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 5 / 20

Page 27: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

You aren’t alone!We want a means of authenticating that is:

secure

memorable

practical

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 5 / 20

Page 28: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

You aren’t alone!We want a means of authenticating that is:

secure

memorable

practical

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 5 / 20

Page 29: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

How about graphical passwords?

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 6 / 20

Page 30: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

What are graphical passwords?

Graphical passwords are an alternative method of authentication totraditional text-based passwords.

They...

...provide a more memorable approach to authentication

...can be used as a component of two-factor auth systems

...can be implemented in many varying styles

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 7 / 20

Page 31: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

What are graphical passwords?

Graphical passwords are an alternative method of authentication totraditional text-based passwords.

They...

...provide a more memorable approach to authentication

...can be used as a component of two-factor auth systems

...can be implemented in many varying styles

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 7 / 20

Page 32: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

What are graphical passwords?

Graphical passwords are an alternative method of authentication totraditional text-based passwords.

They...

...provide a more memorable approach to authentication

...can be used as a component of two-factor auth systems

...can be implemented in many varying styles

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 7 / 20

Page 33: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

What are graphical passwords?

Graphical passwords are an alternative method of authentication totraditional text-based passwords.

They...

...provide a more memorable approach to authentication

...can be used as a component of two-factor auth systems

...can be implemented in many varying styles

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 7 / 20

Page 34: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

What are graphical passwords?

Graphical passwords are an alternative method of authentication totraditional text-based passwords.

They...

...provide a more memorable approach to authentication

...can be used as a component of two-factor auth systems

...can be implemented in many varying styles

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 7 / 20

Page 35: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

What are graphical passwords?

Graphical passwords are an alternative method of authentication totraditional text-based passwords.

They...

...provide a more memorable approach to authentication

...can be used as a component of two-factor auth systems

...can be implemented in many varying styles

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 7 / 20

Page 36: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

Popular Implementations

Windows 8 and 10; users draw shapes over an image

Figure 1: Windows Picture Password

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 8 / 20

Page 37: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

Popular Implementations

Windows 8 and 10; users draw shapes over an image

Android phones; users draw a pattern by connecting a series of points.

Figure 2: Windows Picture Password

Figure 3: Android Pattern-Lock

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 8 / 20

Page 38: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Introduction

Popular Implementations

Windows 8 and 10; users draw shapes over an image

Android phones; users draw a pattern by connecting a series of points.

Figure 2: Windows Picture Password Figure 3: Android Pattern-Lock

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 8 / 20

Page 39: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Introduction

Outline

1 BackgroundComponents

2 AnalysisSecurityUsability

3 Conclusion

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 9 / 20

Page 40: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Background Components

Components

A graphical password consists of two main components:

interaction from a user

a point, series of points, or set of pointsa shape, series of shapes, or set of shapes

Figure 4: Set of points, selected in anyorder

Figure 5: Single shape drawn over image

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 10 / 20

Page 41: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Background Components

Components

A graphical password consists of two main components:

interaction from a user

a point, series of points, or set of pointsa shape, series of shapes, or set of shapes

Figure 4: Set of points, selected in anyorder

Figure 5: Single shape drawn over image

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 10 / 20

Page 42: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Background Components

Components

A graphical password consists of two main components:

interaction from a user

a point, series of points, or set of points

a shape, series of shapes, or set of shapes

Figure 4: Set of points, selected in anyorder

Figure 5: Single shape drawn over image

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 10 / 20

Page 43: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Background Components

Components

A graphical password consists of two main components:

interaction from a user

a point, series of points, or set of pointsa shape, series of shapes, or set of shapes

Figure 4: Set of points, selected in anyorder

Figure 5: Single shape drawn over image

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 10 / 20

Page 44: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Background Components

Components

A graphical password consists of two main components:

interaction from a user

a point, series of points, or set of pointsa shape, series of shapes, or set of shapes

Figure 4: Set of points, selected in anyorder

Figure 5: Single shape drawn over image

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 10 / 20

Page 45: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Background Components

Components

an image upon which a user interacts

can be either user-provided, or system-provideda single image, series of images, or set of images

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 11 / 20

Page 46: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Background Components

Components

an image upon which a user interacts

can be either user-provided, or system-provided

a single image, series of images, or set of images

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 11 / 20

Page 47: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Background Components

Components

an image upon which a user interacts

can be either user-provided, or system-provideda single image, series of images, or set of images

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 11 / 20

Page 48: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Background Components

Components

an image upon which a user interacts

can be either user-provided, or system-provideda single image, series of images, or set of images

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 11 / 20

Page 49: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Background Components

Components

an image upon which a user interacts

can be either user-provided, or system-provideda single image, series of images, or set of images

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 11 / 20

Page 50: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Security

Security

Shoulder Surfing

the practice of spying on the user ofan ATM, computer, or otherelectronic device in order to obtaintheir personal access information

GPs are more visual than text

They are not obscured like text

Must be large enough forinteraction

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 12 / 20

Page 51: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Security

Security

Shoulder Surfing

the practice of spying on the user ofan ATM, computer, or otherelectronic device in order to obtaintheir personal access information

GPs are more visual than text

They are not obscured like text

Must be large enough forinteraction

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 12 / 20

Page 52: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Security

Security

Shoulder Surfing

the practice of spying on the user ofan ATM, computer, or otherelectronic device in order to obtaintheir personal access information

GPs are more visual than text

They are not obscured like text

Must be large enough forinteraction

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 12 / 20

Page 53: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Security

Security

Shoulder Surfing

the practice of spying on the user ofan ATM, computer, or otherelectronic device in order to obtaintheir personal access information

GPs are more visual than text

They are not obscured like text

Must be large enough forinteraction

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 12 / 20

Page 54: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Security

Security

Smudging

residual marks left behind in theshape of a graphical passwordindicating what was entered

Prominence depends uponlength of usage session

Can indicate direction andlocation

Varies between devices

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 13 / 20

Page 55: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Security

Security

Smudging

residual marks left behind in theshape of a graphical passwordindicating what was entered

Prominence depends uponlength of usage session

Can indicate direction andlocation

Varies between devices

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 13 / 20

Page 56: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Security

Security

Smudging

residual marks left behind in theshape of a graphical passwordindicating what was entered

Prominence depends uponlength of usage session

Can indicate direction andlocation

Varies between devices

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 13 / 20

Page 57: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Security

Security

Smudging

residual marks left behind in theshape of a graphical passwordindicating what was entered

Prominence depends uponlength of usage session

Can indicate direction andlocation

Varies between devices

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 13 / 20

Page 58: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Security

Security

Hotspots

a hotspot is a feature of an image that a user is more likely to base a GPcomponent on

Cued Click Points (CCP)

User is presented 5 images inseriesOne point is chosen per imagewith no guidance

Persuasive CCP (PCCP)

User is provided 5 images insuccessionOne point is chosen per imagefrom within viewportViewport is randomly placed,but can be shuffled

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 14 / 20

Page 59: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Security

Security

Hotspots

a hotspot is a feature of an image that a user is more likely to base a GPcomponent on

Cued Click Points (CCP)

User is presented 5 images inseriesOne point is chosen per imagewith no guidance

Persuasive CCP (PCCP)

User is provided 5 images insuccessionOne point is chosen per imagefrom within viewportViewport is randomly placed,but can be shuffled

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 14 / 20

Page 60: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Security

Security

Hotspots

a hotspot is a feature of an image that a user is more likely to base a GPcomponent on

Cued Click Points (CCP)

User is presented 5 images inseriesOne point is chosen per imagewith no guidance

Persuasive CCP (PCCP)

User is provided 5 images insuccessionOne point is chosen per imagefrom within viewportViewport is randomly placed,but can be shuffled

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 14 / 20

Page 61: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Security

Security

Hotspots

a hotspot is a feature of an image that a user is more likely to base a GPcomponent on

Cued Click Points (CCP)

User is presented 5 images inseriesOne point is chosen per imagewith no guidance

Persuasive CCP (PCCP)

User is provided 5 images insuccessionOne point is chosen per imagefrom within viewportViewport is randomly placed,but can be shuffled

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 14 / 20

Page 62: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Security

Security

Let’s use brute force!

S. Widenbeck et al. note in research on PassPoints:

it is easy to obtain larger password spaces with GPs

even considering “cool spots,” GP system key-spaces can compete

Image size Alphabet size* Length Key-space

Alphanum. N/A 64 8 2.8x1014

Alphanum. N/A 72 8 7.2x1014

Graphical 1024x752 3928 5 9.3x1017

Graphical† 1024x752 1964 5 2.9x1016

* Alphabet size for the GP is determined by taking the area of the image(in px) and dividing by the area of (in px) tolerance square; for a textbased password, it is the set of all characters permitted.† GP where half of screen is considered usable space

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 15 / 20

Page 63: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Security

Security

Let’s use brute force!S. Widenbeck et al. note in research on PassPoints:

it is easy to obtain larger password spaces with GPs

even considering “cool spots,” GP system key-spaces can compete

Image size Alphabet size* Length Key-space

Alphanum. N/A 64 8 2.8x1014

Alphanum. N/A 72 8 7.2x1014

Graphical 1024x752 3928 5 9.3x1017

Graphical† 1024x752 1964 5 2.9x1016

* Alphabet size for the GP is determined by taking the area of the image(in px) and dividing by the area of (in px) tolerance square; for a textbased password, it is the set of all characters permitted.† GP where half of screen is considered usable space

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 15 / 20

Page 64: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Security

Security

Let’s use brute force!S. Widenbeck et al. note in research on PassPoints:

it is easy to obtain larger password spaces with GPs

even considering “cool spots,” GP system key-spaces can compete

Image size Alphabet size* Length Key-space

Alphanum. N/A 64 8 2.8x1014

Alphanum. N/A 72 8 7.2x1014

Graphical 1024x752 3928 5 9.3x1017

Graphical† 1024x752 1964 5 2.9x1016

* Alphabet size for the GP is determined by taking the area of the image(in px) and dividing by the area of (in px) tolerance square; for a textbased password, it is the set of all characters permitted.† GP where half of screen is considered usable space

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 15 / 20

Page 65: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Security

Security

Let’s use brute force!S. Widenbeck et al. note in research on PassPoints:

it is easy to obtain larger password spaces with GPs

even considering “cool spots,” GP system key-spaces can compete

Image size Alphabet size* Length Key-space

Alphanum. N/A 64 8 2.8x1014

Alphanum. N/A 72 8 7.2x1014

Graphical 1024x752 3928 5 9.3x1017

Graphical† 1024x752 1964 5 2.9x1016

* Alphabet size for the GP is determined by taking the area of the image(in px) and dividing by the area of (in px) tolerance square; for a textbased password, it is the set of all characters permitted.† GP where half of screen is considered usable space

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 15 / 20

Page 66: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Security

Security

Let’s use brute force!S. Widenbeck et al. note in research on PassPoints:

it is easy to obtain larger password spaces with GPs

even considering “cool spots,” GP system key-spaces can compete

Image size Alphabet size* Length Key-space

Alphanum. N/A 64 8 2.8x1014

Alphanum. N/A 72 8 7.2x1014

Graphical 1024x752 3928 5 9.3x1017

Graphical† 1024x752 1964 5 2.9x1016

* Alphabet size for the GP is determined by taking the area of the image(in px) and dividing by the area of (in px) tolerance square; for a textbased password, it is the set of all characters permitted.† GP where half of screen is considered usable space

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 15 / 20

Page 67: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Security

Security

Let’s use brute force!S. Widenbeck et al. note in research on PassPoints:

it is easy to obtain larger password spaces with GPs

even considering “cool spots,” GP system key-spaces can compete

Image size Alphabet size* Length Key-space

Alphanum. N/A 64 8 2.8x1014

Alphanum. N/A 72 8 7.2x1014

Graphical 1024x752 3928 5 9.3x1017

Graphical† 1024x752 1964 5 2.9x1016

* Alphabet size for the GP is determined by taking the area of the image(in px) and dividing by the area of (in px) tolerance square; for a textbased password, it is the set of all characters permitted.† GP where half of screen is considered usable space

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 15 / 20

Page 68: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Usability

Usability

Memorability

Easier to recall

Great for children

Difficult to recall when many GPs exist

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 16 / 20

Page 69: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Usability

Usability

MemorabilityEasier to recall

Great for children

Difficult to recall when many GPs exist

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 16 / 20

Page 70: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Usability

Usability

MemorabilityEasier to recall

Great for children

Difficult to recall when many GPs exist

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 16 / 20

Page 71: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Usability

Usability

MemorabilityEasier to recall

Great for children

Difficult to recall when many GPs exist

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 16 / 20

Page 72: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Usability

Usability

Tolerance for Error

Can become unusable if too strict

Decreases security when too forgiving

Tolerance Image size Alphabet size* Key-space

14x14 1024x752 3928 9.3x1017

20x20 1024x752 1925 2.6x1016

26x26 1024x752 1139 1.9x1015

*Alphabet size is Image Size ÷ Tolerance size

** Assumes 5 click points are chosen

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 17 / 20

Page 73: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Usability

Usability

Tolerance for ErrorCan become unusable if too strict

Decreases security when too forgiving

Tolerance Image size Alphabet size* Key-space

14x14 1024x752 3928 9.3x1017

20x20 1024x752 1925 2.6x1016

26x26 1024x752 1139 1.9x1015

*Alphabet size is Image Size ÷ Tolerance size

** Assumes 5 click points are chosen

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 17 / 20

Page 74: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Usability

Usability

Tolerance for ErrorCan become unusable if too strict

Decreases security when too forgiving

Tolerance Image size Alphabet size* Key-space

14x14 1024x752 3928 9.3x1017

20x20 1024x752 1925 2.6x1016

26x26 1024x752 1139 1.9x1015

*Alphabet size is Image Size ÷ Tolerance size

** Assumes 5 click points are chosen

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 17 / 20

Page 75: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Usability

Usability

Tolerance for ErrorCan become unusable if too strict

Decreases security when too forgiving

Tolerance Image size Alphabet size* Key-space

14x14 1024x752 3928 9.3x1017

20x20 1024x752 1925 2.6x1016

26x26 1024x752 1139 1.9x1015

*Alphabet size is Image Size ÷ Tolerance size

** Assumes 5 click points are chosen

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 17 / 20

Page 76: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Usability

Usability Overview

But... it’s not text...S. Widenbeck et al. note in their research that PassPoints users:

easily created a password

reasonably recall and input their GPs even after weeks without use

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 18 / 20

Page 77: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Usability

Usability Overview

But... it’s not text...S. Widenbeck et al. note in their research that PassPoints users:

easily created a password

reasonably recall and input their GPs even after weeks without use

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 18 / 20

Page 78: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Analysis Usability

Usability Overview

But... it’s not text...S. Widenbeck et al. note in their research that PassPoints users:

easily created a password

reasonably recall and input their GPs even after weeks without use

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 18 / 20

Page 79: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Conclusion

Conclusion

Graphical passwords present a welcomealternative to text based authentication.

Pros of GPs

Larger password-size space

More memorable

Cons of GPs

More susceptible to softer attacks

No standard form

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 19 / 20

Page 80: Kyle J. Hakala · Introduction Introduction Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 1 / 20 Think for a moment... How many di erent systems and services

Acknowledgments

Acknowledgments

Thank you to KK, Elena, and JustinMullin (alumni reviewer) for all of thegreat feedback!

Questions?

Kyle J. Hakala (UMN Morris) Graphical Passwords 2017 April 15 20 / 20