DOI: 10.1145/2702123.2702365
research-article

On the Effectiveness of Pattern Lock Strength Meters: Measuring the Strength of Real World Pattern Locks

Published: 18 April 2015

Abstract

We propose an effective pattern lock strength meter to help users choose stronger pattern locks on Android devices. To evaluate the effectiveness of the proposed meter with a real world dataset (i.e., with complete ecological validity), we created an Android application called EnCloud that allows users to encrypt their Dropbox files. 101 pattern locks generated by real EnCloud users were collected and analyzed, where some portion of the users were provided with the meter support. Our statistical analysis indicates that about 10% of the pattern locks that were generated without the meter support could be compromised through just 16 guessing attempts. As for the pattern locks that were generated with the meter support, that number goes up to 48 guessing attempts, showing significant improvement in security. Our recommendation is to implement a strength meter in the next version of Android.

Supplementary Material

suppl.mov (pn1221.mp4)
Supplemental video


    Published In

    CHI '15: Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems
    April 2015
    4290 pages
    ISBN:9781450331456
    DOI:10.1145/2702123

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. password
    2. password strength meter
    3. pattern lock
    4. security

    Conference

    CHI '15
    CHI '15: CHI Conference on Human Factors in Computing Systems
    April 18 - 23, 2015
    Seoul, Republic of Korea

    Acceptance Rates

    CHI '15 Paper Acceptance Rate 486 of 2,120 submissions, 23%;
    Overall Acceptance Rate 6,199 of 26,314 submissions, 24%
