DOI: 10.1145/3012709.3012729

Research article

On quantifying the effective password space of grid-based unlock gestures

Published: 12 December 2016

Abstract

We present a similarity metric for Android unlock patterns to quantify the effective password space of user-defined gestures. Our metric is the first of its kind to reflect that users choose patterns based on human intuition and interest in geometric properties of the resulting shapes. Applying our metric to a dataset of 506 user-defined patterns reveals very similar shapes that only differ by simple geometric transformations such as rotation. This shrinks the effective password space by 66% and allows informed guessing attacks. Consequently, we present an approach to subtly nudge users to create more diverse patterns by showing background images and animations during pattern creation. Results from a user study (n = 496) show that applying such countermeasures can significantly increase pattern diversity. We conclude with implications for pattern choices and the design of enrollment processes.


Published In

MUM '16: Proceedings of the 15th International Conference on Mobile and Ubiquitous Multimedia
December 2016
366 pages
ISBN: 9781450348607
DOI: 10.1145/3012709

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. metric
  2. password space
  3. security
  4. similarity
  5. unlock pattern
  6. user selection


Conference

MUM '16

Acceptance Rates

MUM '16 Paper Acceptance Rate: 35 of 77 submissions, 45%
Overall Acceptance Rate: 190 of 465 submissions, 41%
