DOI: 10.1145/3012709.3012730
research-article

Memorability of cued-recall graphical passwords with saliency masks

Published: 12 December 2016

Abstract

Cued-recall graphical passwords have a lot of potential for secure user authentication, particularly if combined with saliency masks to prevent users from selecting weak passwords. Saliency masks were shown to significantly improve password security by excluding those areas of the image that are most likely to lead to hotspots. In this paper, we investigate the impact of such saliency masks on the memorability of cued-recall graphical passwords. We first conduct two pre-studies (N=52) to obtain a set of images with three different image complexities as well as real passwords. A month-long user study (N=26) revealed that there is a strong learning effect for graphical passwords, in particular if defined on images with a saliency mask. While the learning curve for complex images is steeper than for less complex ones, complex images best supported memorability in the long term, most likely because they provided users with more alternatives to select memorable password points. These results complement prior work on the security of such passwords and underline the potential of saliency masks as both a secure and usable improvement to cued-recall gaze-based graphical passwords.


Published In

MUM '16: Proceedings of the 15th International Conference on Mobile and Ubiquitous Multimedia
December 2016
366 pages
ISBN:9781450348607
DOI:10.1145/3012709

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. cued-recall graphical passwords
  2. memorability
  3. saliency masks
  4. user authentication
  5. user study

Qualifiers

  • Research-article

Conference

MUM '16

Acceptance Rates

MUM '16 Paper Acceptance Rate: 35 of 77 submissions, 45%
Overall Acceptance Rate: 190 of 465 submissions, 41%
