DOI: 10.1145/2335356.2335367
research-article

Do you see your password?: applying recognition to textual passwords

Published: 11 July 2012

ABSTRACT

Text-based password systems are the authentication mechanism most commonly used on computer systems. Graphical passwords have recently been proposed because the pictorial-superiority effect suggests that people have better memory for images. The most widely advocated graphical password systems are based on recognition rather than recall. This approach is favored because recognition is a more effective manner of retrieval than recall, exhibiting greater accuracy and longevity of material. However, schemes such as these combine both the use of graphical images and the use of recognition as a retrieval mechanism. This paper reports on a study that sought to address this confound by exploring the recognition of text as a novel means of authentication. We hypothesized that there would be significant differences between text recognition and text recall conditions. Our study, however, showed that the conditions were comparable; we found no significant difference in memorability. Furthermore, text recognition required more time to authenticate successfully.


Published in

SOUPS '12: Proceedings of the Eighth Symposium on Usable Privacy and Security
July 2012
216 pages
ISBN: 9781450315326
DOI: 10.1145/2335356

Copyright © 2012 Authors

Publisher

Association for Computing Machinery
New York, NY, United States


Acceptance Rates

Overall Acceptance Rate: 15 of 49 submissions, 31%
