CCBS – a method to maintain memorability, accuracy of password submission and the effective password space in click-based visual passwords
Abstract
Text passwords are vulnerable to many security attacks for a number of reasons, such as the insecure practices of end users who select weak passwords so that they can remember them over the long term. Visual password (VP) solutions were developed to maintain both the security and the usability of user authentication in collaborative systems. This paper focuses on the challenges facing click-based visual password systems and proposes a novel method in response to them. Hotspots, for instance, are a serious vulnerability. They occur because users are attracted to specific parts of an image and neglect other areas; image analysis that identifies these high-probability areas can assist dictionary attacks. Another concern is that click-based systems do not guide users towards the click-point they are aiming to select: users might recall the correct spot or area but still fail to place their click within the tolerance distance around the original click-point, which results in more incorrect password submissions. Furthermore, the Passpoints study by Wiedenbeck et al., 2005 inspected the retention of their VP in comparison with text passwords over the long term. Despite being a cued-recall scheme, the success rate of VP submission was not superior to that of text passwords, as it decreased from 85% (the instant retention on the day of registration) to 55% after 2 weeks. This result was identical to that of the text password in the same experiment. The successful submission rates after 6 weeks were also 55% for both VP and text passwords. This paper addresses these issues and then presents a novel method (CCBS) as a usable solution supported by empirical evidence. A user study is conducted and the results are evaluated against a comparative study.
Citation
al-Khateeb, H. M., Maple, C. (2011) ‘CCBS – A Method to Maintain Memorability, Accuracy of Password Submission and The Effective Password Space in Click-Based Visual Passwords’, IADIS International Workshop on the Transgressive Uses of Collaborative Systems 2011 (TUCS 2011), MCCSIS, 20-26 July, Rome, Italy
Publisher
IADIS
Type
Conference papers, meetings and proceedings
Language
en
ISBN
978-972-8939-40-3 © 2011 IADIS
DOI
10.13140/RG.2.1.2561.6485
Related items
-
Accessible and secure? Design constraints on image and sound based passwords
Gibson, Marcia; Conrad, Marc; Maple, Carsten; Renaud, Karen; University of Bedfordshire (IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC, 2010)
When members of society cannot access the World Wide Web, or the information and services it contains in a meaningful or useful way, they can become digitally excluded. Many factors have been highlighted as having an effect on the likelihood of exclusion, including psychological, material and skills related barriers. In this paper, we consider the role played by authentication systems in the divide. In light of the widely researched tension between aspects of usability and security in authentication, we identify a number of conflicting accessibility and security goals as manifested in image and sound based schemes.
-
Security and usability in click-based authentication systems
al-Khateeb, Haider (University of Bedfordshire, 2011-04)
Web applications widely use text passwords to confirm people's identity. However, investigations reveal text passwords have many problems and that there is a need for alternative solutions. For instance, users often forget their passwords, choose passwords which are easy-to-guess or vulnerable to cracking tools. Further, people write passwords down and/or share them with others. In addition, phishing attacks (using fraudulent websites to steal users' credentials) continue to cost millions of dollars every year. During the second half of 2009, the Anti-Phishing Working Group (APWG) reported 126,697 unique phishing attacks worldwide. As such, one of this research's objectives is to investigate public awareness of, and attitude towards, text password security and usability supported by surveying both up-to-date literature and users. The aim of this research is to develop an alternative solution using visual passwords (VPs) to authenticate users on web applications and investigate its security and usability. A VP can be many things: a set of images used as a login portfolio, click-points inside images or a doodle (signature) drawn by a user. Since text passwords are favoured for their usability over tokens and biometrics, the research scope has been set to investigate alternative ideas which do not require resources additional to standard computer devices used to sustain human-computer interactions, such as mouse and keyboard. VPs have the potential to develop an alternative solution within this scope. A comprehensive survey of the VP schemes found in the literature is conducted followed by a security and usability evaluation in which click-based systems are selected as the most suitable approach to achieve the aims and objectives of this research. Click-based systems are VP authentication schemes in which the VP is a sequence of click-points performed on one or more images. Further, user perceptions were investigated to study their acceptance of various authentication mechanisms and techniques. A novel click-based scheme is presented and developed throughout the research to introduce and investigate novel ideas to maintain security and usability simultaneously. It can resist multiple phishing and shoulder-surfing attacks without revealing the full user credentials. Further, the layout is designed to prevent MiTM attacks, also known as the second generation of phishing attacks. The VP is hashed to resist database attacks and the password space is extremely large compared to text passwords to resist brute force attacks. It has dual cues to maintain memorability and password recall is easy even when it is system-generated. Usability is considered through observation and laboratory studies to meet the requirements of HCI-Sec (Secure Human-Computer Interactions) aiming to present a secure scheme people can actually use.
-
Novel, robust and cost-effective authentication techniques for online services
Norrington, Peter (University of Bedfordshire, 2009-01)
This thesis contributes to the study of the usability and security of visuo-cognitive authentication techniques, particularly those relying on recognition of abstract images, an area little researched. Many usability and security problems with linguistic passwords (including traditional text-based passwords) have been known for decades. Research into visually-based techniques intends to overcome these by using the extensive human capacity for recognising images, and add to the range of commercially viable authentication solutions. The research employs a mixed methodology to develop several contributions to the field. A novel taxonomy of visuo-cognitive authentication techniques is presented. This is based on analysis and synthesis of existing partial taxonomies, combined with new and extensive analysis of features of existing visuo-cognitive and other techniques. The taxonomy advances consistent terminology, and coherent and productive classification (cognometric, locimetric, graphimetric and manipulometric, based respectively on recognition of, location in, drawing of and manipulation of images) and discussion of the domain. The taxonomy is extensible to other classes of cognitive authentication technique (audio-cognitive, spatio-cognitive, biometric and token-based, etc.). A revised assessment process of the usability and security of visuo-cognitive techniques is proposed (employing three major assessment categories – usability, memorability and security), based on analysis, synthesis and refinement of existing models. The revised process is then applied to the features identified in the novel taxonomy to prove the process's utility as a tool to clarify both the what and the why of usability and security issues. The process is also extensible to other classes of authentication technique. Cognitive psychology experimental methods are employed, producing new results which show with statistical significance that abstract images are harder to learn and recall than face or object images. Additionally, new experiments and a new application of the chi-squared statistic show that users' choices of abstract images are not necessarily random over a group, and thus, like other cognitive authentication techniques, can be attacked by probabilistic dictionaries. A new authentication prototype is designed and implemented, embodying the usability and security insights gained. Testing of this prototype shows good usability and user acceptance, although speed of use remains an issue. A new experiment shows that abstract image authentication techniques are vulnerable to phishing attacks. Further, the testing shows two new results: that abstract image visuo-cognitive techniques are usable on mobile phones; and that such phones are not, currently, necessarily a threat as part of observation attacks on visual passwords.