On Purely Automated Attacks and Click-Based Graphical Passwords
Author(s): Amirali Salehi-Abari, Julie Thorpe, P.C. van Oorschot

Date: December 2008
Publication: Proceedings of the 24th Annual Computer Security Applications Conference ACSAC '08
Page(s): 111 - 120
Publisher: IEEE
Source 1: http://thorpe.hrl.uoit.ca/documents/passpoints_acsac08.pdf
Source 2: http://www.acsac.org/openconf2008/modules/request.php?module=oc_program&action=view.php&id=98
Source 3: http://dx.doi.org/10.1109/ACSAC.2008.18 - Subscription or payment required

We present and evaluate various methods for purely automated attacks against click-based graphical passwords. Our purely automated methods combine click-order heuristics with focus-of-attention scan-paths generated from a computational model of visual attention. Our method results in a significantly better automated attack than previous work, guessing 8-15% of passwords for two representative images using dictionaries of less than 2^24.6 entries, and about 16% of passwords on each of these images using dictionaries of less than 2^31.4 entries (where the full password space is 2^43). Relaxing our click-order pattern substantially increased the efficacy of our attack albeit with larger dictionaries of 2^34.7 entries, allowing attacks that guessed 48-54% of passwords (compared to previous results of 0.9% and 9.1% on the same two images with 2^35 guesses). These latter automated attacks are independent of focus-of-attention models, and are based on image-independent guessing patterns. Our results show that automated attacks, which are easier to arrange than human-seeded attacks and are more scalable to systems that use multiple images, pose a significant threat.

Do you have additional information to contribute regarding this research paper? If so, please email siteupdates@passwordresearch.com with the details.

<-- Back to Authentication Research Paper Index

[Home] [About Us] [News] [Research]

Copyright © 2016 PasswordResearch.com