Carleton University
Technical Report TR-07-05
February 22, 2007

Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords

Julie Thorpe & P.C. Van Oorschot

Abstract

Although motivated by both usability and security concerns, the existing literature on click-based graphical password schemes that use a single background image like PassPoints (Wiedenbeck et al., 2005) has focused largely on usability. We examine the security of such schemes, including the impact of different background images, and strategies for cracking user passwords. We report on both short- and long-term user studies: one lab-controlled, involving 43 users and 17 diverse images, and the other a field test of 223 users. We provide empirical evidence that popular points (hot-spots) do indeed exist for many images, and exploit them. We create and evaluate two different types of attack to exploit this hot-spotting effect: a “human-seeded” attack based on harvesting click-points from a small set of users, and an entirely automated attack based on image processing techniques. Our most effective attacks are generated by harvesting password data from a small set of users to attack others’ passwords. These attacks can crack 36% of user passwords with a 31-bit dictionary (or 11% with a 17-bit dictionary) on one image, and 20% with a 33-bit dictionary (or 6% with a 22-bit dictionary) on a second image. We perform an image-processing attack by implementing and adapting a bottom-up model of visual attention, resulting in a purely automated tool that cracks up to 30% of user passwords with a 35-bit dictionary for some images, but under 3% on others. Our results show that these graphical passwords, even using the best among our tested background images, are at least as susceptible to offline attack as the traditional text-based passwords they have been proposed to replace.
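The abstract's central security point is that click-points pool onto a few popular cells, so the effective entropy of a click-based password is far below the nominal log2(number of tolerance cells) per click, and a small dictionary built from those cells covers a disproportionate share of passwords. The following Python is an added illustration, not code from the report or from PassPoints, of how a scheme designer would measure that effect for a candidate background image from click-points gathered in their own lab study. It assumes a 640x480 image, a 19-pixel tolerance square (both constructed assumptions; the report's parameters are not stated here) and two constructed click sets: one piled onto four popular cells, one spread evenly. It reports nominal versus observed bits per click, how many clicks the top-k cells absorb, and the fraction of 5-click passwords a dictionary restricted to those cells would be expected to cover if clicks were independent.

```python
"""Hot-spot measurement for click-based graphical passwords (constructed example)."""
import math
import random
from collections import Counter

# Assumptions (not from the report): a 640x480 background image and a
# 19x19-pixel tolerance square, which is what turns raw pixels into cells.
IMAGE_W, IMAGE_H = 640, 480
TOLERANCE = 19
CLICKS_PER_PASSWORD = 5


def to_cell(point, tol=TOLERANCE):
    """Map a pixel click to the tolerance cell it falls in."""
    x, y = point
    return (x // tol, y // tol)


def cell_counts(clicks, tol=TOLERANCE):
    """Count how many pooled clicks land in each cell."""
    return Counter(to_cell(p, tol) for p in clicks)


def nominal_bits_per_click(w=IMAGE_W, h=IMAGE_H, tol=TOLERANCE):
    """Entropy per click if every cell were equally likely."""
    return math.log2((w // tol) * (h // tol))


def observed_bits_per_click(counts):
    """Shannon entropy of the observed cell distribution."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def top_k_coverage(counts, k):
    """Fraction of all observed clicks that fall in the k most popular cells."""
    total = sum(counts.values())
    return sum(sorted(counts.values(), reverse=True)[:k]) / total


def guessable_fraction(counts, k, n=CLICKS_PER_PASSWORD):
    """Expected fraction of n-click passwords lying entirely in the top-k cells,
    treating clicks as independent draws from the observed distribution.
    Returns (fraction, dictionary size in bits); the dictionary of all such
    passwords has k**n entries, i.e. n*log2(k) bits."""
    return top_k_coverage(counts, k) ** n, n * math.log2(k)


def _jitter(center, n, rng, spread=3):
    """n clicks scattered within +/-spread pixels of a centre (stays in one cell)."""
    cx, cy = center
    return [(cx + rng.randint(-spread, spread), cy + rng.randint(-spread, spread))
            for _ in range(n)]


def constructed_hotspot_clicks():
    """Constructed sample: 50 clicks, 36 of them piled onto four popular cells."""
    rng = random.Random(1)
    hot = {(104, 104): 12, (389, 199): 10, (579, 66): 8, (237, 427): 6}
    clicks = [p for c, n in hot.items() for p in _jitter(c, n, rng)]
    # 14 further clicks, each in its own cell along an anti-diagonal
    clicks += [(i * TOLERANCE + 9, (24 - i) * TOLERANCE + 9) for i in range(14)]
    return clicks


def constructed_spread_clicks():
    """Constructed sample: 50 clicks, every one in a different cell."""
    return [((i % 33) * TOLERANCE + 9, ((7 * i) % 25) * TOLERANCE + 9)
            for i in range(50)]


def report(name, clicks, k=4):
    counts = cell_counts(clicks)
    frac, bits = guessable_fraction(counts, k)
    print(f"{name}: nominal {nominal_bits_per_click():.1f} bits/click, "
          f"observed {observed_bits_per_click(counts):.2f} bits/click, "
          f"top-{k} cells hold {top_k_coverage(counts, k):.0%} of clicks, "
          f"a {bits:.0f}-bit dictionary covers ~{frac:.1%} of passwords")


if __name__ == "__main__":
    report("hot-spot image", constructed_hotspot_clicks())
    report("spread image", constructed_spread_clicks())
```

The comparison is the check a designer wants before choosing an image: on the constructed hot-spot image four cells absorb 72% of clicks and the observed entropy drops from about 9.7 to about 3.3 bits per click, so a 10-bit dictionary is expected to cover roughly a fifth of 5-click passwords, whereas on the evenly spread image the same dictionary covers almost nothing. Real studies need far more users than this toy sample, and the independence assumption understates coverage when users also choose clicks in predictable orders.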
