DOI: 10.1145/2508859.2516700 (research article, CCS conference proceedings)

Quantifying the security of graphical passwords: the case of android unlock patterns

Published: 04 November 2013

Abstract

Graphical passwords were proposed as an alternative to overcome the inherent limitations of text-based passwords, inspired by research that shows that the graphical memory of humans is particularly well developed. A graphical password scheme that has been widely adopted is the Android Unlock Pattern, a special case of the Pass-Go scheme with grid size restricted to 3x3 points and restricted stroke count.
In this paper, we study the security of Android unlock patterns. Through a large-scale user study, we measure the patterns users actually choose rather than relying on theoretical considerations about the size of the password space. From this data we construct a Markov-chain model that lets us quantify the strength of Android unlock patterns. We found empirically that the pattern selection process is strongly biased: e.g., the upper left corner and three-point-long straight lines are very typical choices. Consequently, the entropy of patterns is rather low, and our results indicate that, for guessing 20% of all passwords, the scheme offers less security than randomly assigned three-digit PINs (i.e., we estimate a partial guessing entropy G_0.2 of 9.10 bits).
Based on these insights, we systematically improve the scheme by finding a small but still effective change to the pattern layout that makes graphical user logins substantially more secure. By means of another user study, we show that some changes improve the security by more than doubling the space of actually used passwords (i.e., increasing the partial guessing entropy G_0.2 to 10.81 bits).
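As an added worked example (not code from the paper), the pipeline the abstract describes: enumerate the patterns the 3x3 Android rules accept, fit a first-order Markov chain to a constructed sample of user choices, and compute Bonneau's partial guessing entropy G_alpha in bits over the resulting distribution. The model order, the smoothing constant k and the SAMPLES list are assumptions of this example, not the paper's data or model.

```python
import math
from collections import Counter

# MIDDLE[(a, b)]: the node a move a->b jumps over on the 3x3 grid (nodes 0..8, row-major);
# Android accepts such a jump only if that middle node was already visited.
MIDDLE = {(a, b): (a + b) // 2 for a in range(9) for b in range(9) if a != b
          and (a // 3 + b // 3) % 2 == 0 and (a % 3 + b % 3) % 2 == 0}
END = 9  # terminator symbol, so the chain also models where a pattern stops

def valid_patterns(min_len=4):
    """Enumerate every pattern the Android rules accept (no revisits, >= 4 nodes)."""
    out = []
    def extend(path, used):
        if len(path) >= min_len:
            out.append(tuple(path))
        for n in range(9):
            mid = MIDDLE.get((path[-1], n))
            if not used >> n & 1 and (mid is None or used >> mid & 1):
                extend(path + [n], used | 1 << n)
    for s in range(9):
        extend([s], 1 << s)
    return out

def train_markov(samples, k=0.5):
    """Smoothed first-order chain: P(start), P(next | current), P(END | last)."""
    start = Counter(p[0] for p in samples)
    trans = Counter((a, b) for p in samples for a, b in zip(p, p[1:] + (END,)))
    row = Counter(a for a, _ in trans.elements())
    def score(pattern):  # probability the chain assigns to one whole pattern
        seq = pattern + (END,)
        pr = (start[seq[0]] + k) / (len(samples) + 9 * k)
        for a, b in zip(seq, seq[1:]):
            pr *= (trans[(a, b)] + k) / (row[a] + 10 * k)  # 9 nodes + END
        return pr
    return score

def partial_guessing_entropy_bits(probs, alpha):
    """Bonneau's G~_alpha: effective bits of work to guess a fraction alpha."""
    lam = g = mu = 0
    for i, p in enumerate(sorted(probs, reverse=True), 1):
        lam, g, mu = lam + p, g + i * p, i
        if lam >= alpha:
            break
    g += (1 - lam) * mu  # an optimal guesser gives up after mu guesses
    return math.log2(2 * g / lam - 1) - math.log2(2 - lam)

# Constructed sample of user choices (not the paper's data): corner starts, straight lines.
SAMPLES = [(0, 1, 2, 5), (0, 1, 2, 5, 8), (0, 3, 6, 7, 8), (0, 4, 8, 5), (1, 4, 7, 8),
           (0, 3, 6, 4, 2), (2, 1, 0, 3), (0, 1, 2, 4, 6), (3, 4, 5, 8), (0, 4, 8, 7)]

def strength_report(samples, alpha=0.2):  # -> (#valid patterns, chain bits, uniform bits)
    pats, score = valid_patterns(), train_markov(samples)
    w = [score(p) for p in pats]
    total = sum(w)  # renormalise: the chain also leaks mass to invalid patterns
    bits = partial_guessing_entropy_bits([x / total for x in w], alpha)
    return len(pats), bits, math.log2(len(pats))
```

With this toy sample the fitted chain scores well below the log2(389112) ≈ 18.6 bits that uniform choice would give; the abstract's 9.10 bits comes from the paper's own user-study data, not from this sample.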


Published In: CCS '13: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, November 2013, 1530 pages, ISBN 9781450324779, DOI 10.1145/2508859

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags: android, mobile security, passwords


Acceptance Rates: CCS '13 paper acceptance rate 105 of 530 submissions (20%); overall acceptance rate 1,261 of 6,999 submissions (18%)
