{"id":13151,"date":"2021-12-06T19:10:42","date_gmt":"2021-12-07T00:10:42","guid":{"rendered":"https:\/\/carleton.ca\/scs\/?page_id=13151"},"modified":"2021-12-06T19:10:42","modified_gmt":"2021-12-07T00:10:42","slug":"tr-05-11-on-the-security-of-graphical-password-schemes","status":"publish","type":"page","link":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2005\/tr-05-11-on-the-security-of-graphical-password-schemes\/","title":{"rendered":"TR-05-11: On the Security of Graphical Password Schemes"},"content":{"rendered":"<p>Carleton University<br \/>\n<a href=\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2005\/\">Technical Report<\/a> TR-05-11<br \/>\nDecember 21, 2005<\/p>\n<h2>On the Security of Graphical Password Schemes<\/h2>\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<p class=\"tr_t3\">P.C. Van Oorschot &amp; Julie Thorpe<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div>\n<h3>Abstract<\/h3>\n<p>In commonplace textual password schemes, users typically choose passwords that are easy to recall, exhibit patterns, and are thus vulnerable to brute-force dictionary attacks. This leads us to ask what classes of graphical passwords users tend to choose because they are more memorable, with particular focus on the &#8220;Draw-A-Secret&#8221; (DAS) graphical password scheme of Jermyn et al. (1999). We postulate a set of such classes based on password complexity factors (e.g., reflective symmetry and stroke-count), supported by a collection of cognitive studies on visual recall. We suggest that an attacker would prioritize an attack dictionary for graphical passwords based on these classes. 
We analyze the size of these classes for DAS (under reasonable parameter choices), showing their combined bit-size ranges from 31 to 41 &#8211; a surprisingly tiny proportion of the full password space (58 bits). Our results suggest that DAS (and other graphical password schemes) may well be less secure than previously believed, unless measures such as password rules are employed. For a given security level in DAS, this translates into a requirement for longer passwords with a higher stroke-count than previously believed. Finally, we examine methods to decrease susceptibility to graphical dictionary attacks. Our results have implications beyond DAS, to graphical password schemes in general; they can be directly applied to graphical password guidelines, proactive graphical password checking, and in the design of graphical password user studies.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p><a href=\"https:\/\/carleton.ca\/scs\/wp-content\/uploads\/TR-05-11.pdf\">TR-05-11.pdf<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Carleton University Technical Report TR-05-11 December 21, 2005 On the Security of Graphical Password Schemes P.C. Van Oorschot &amp; Julie Thorpe Abstract On the Security of Graphical Password Schemes P.C. 
van Oorschot, Julie Thorpe School of Computer Science, Carleton University, Canada Abstract In commonplace textual password schemes, users typically choose passwords that are easy to [&hellip;]<\/p>\n","protected":false},"author":49,"featured_media":0,"parent":12337,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"","_relevanssi_noindex_reason":"","_mi_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":"","_links_to":"","_links_to_target":""},"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v21.2 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>TR-05-11: On the Security of Graphical Password Schemes - School of Computer Science<\/title>\n<meta name=\"description\" content=\"Carleton University Technical Report TR-05-11 December 21, 2005 On the Security of Graphical Password Schemes P.C. Van Oorschot &amp; Julie Thorpe\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2005\/tr-05-11-on-the-security-of-graphical-password-schemes\/\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2005\/tr-05-11-on-the-security-of-graphical-password-schemes\/\",\"url\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2005\/tr-05-11-on-the-security-of-graphical-password-schemes\/\",\"name\":\"TR-05-11: On the Security of Graphical Password Schemes - School of Computer Science\",\"isPartOf\":{\"@id\":\"https:\/\/carleton.ca\/scs\/#website\"},\"datePublished\":\"2021-12-07T00:10:42+00:00\",\"dateModified\":\"2021-12-07T00:10:42+00:00\",\"description\":\"Carleton University Technical Report TR-05-11 December 21, 2005 On the Security of Graphical Password Schemes P.C. Van Oorschot &amp; Julie Thorpe\",\"breadcrumb\":{\"@id\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2005\/tr-05-11-on-the-security-of-graphical-password-schemes\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2005\/tr-05-11-on-the-security-of-graphical-password-schemes\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2005\/tr-05-11-on-the-security-of-graphical-password-schemes\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/carleton.ca\/scs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Research\",\"item\":\"https:\/\/carleton.ca\/scs\/research\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"SCS Technical 
Reports\",\"item\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Technical Reports 2005\",\"item\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2005\/\"},{\"@type\":\"ListItem\",\"position\":5,\"name\":\"TR-05-11: On the Security of Graphical Password Schemes\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/carleton.ca\/scs\/#website\",\"url\":\"https:\/\/carleton.ca\/scs\/\",\"name\":\"School of Computer Science\",\"description\":\"Carleton University\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/carleton.ca\/scs\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"TR-05-11: On the Security of Graphical Password Schemes - School of Computer Science","description":"Carleton University Technical Report TR-05-11 December 21, 2005 On the Security of Graphical Password Schemes P.C. Van Oorschot &amp; Julie Thorpe","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2005\/tr-05-11-on-the-security-of-graphical-password-schemes\/","twitter_misc":{"Est. 
reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2005\/tr-05-11-on-the-security-of-graphical-password-schemes\/","url":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2005\/tr-05-11-on-the-security-of-graphical-password-schemes\/","name":"TR-05-11: On the Security of Graphical Password Schemes - School of Computer Science","isPartOf":{"@id":"https:\/\/carleton.ca\/scs\/#website"},"datePublished":"2021-12-07T00:10:42+00:00","dateModified":"2021-12-07T00:10:42+00:00","description":"Carleton University Technical Report TR-05-11 December 21, 2005 On the Security of Graphical Password Schemes P.C. Van Oorschot &amp; Julie Thorpe","breadcrumb":{"@id":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2005\/tr-05-11-on-the-security-of-graphical-password-schemes\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2005\/tr-05-11-on-the-security-of-graphical-password-schemes\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2005\/tr-05-11-on-the-security-of-graphical-password-schemes\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/carleton.ca\/scs\/"},{"@type":"ListItem","position":2,"name":"Research","item":"https:\/\/carleton.ca\/scs\/research\/"},{"@type":"ListItem","position":3,"name":"SCS Technical Reports","item":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/"},{"@type":"ListItem","position":4,"name":"Technical Reports 2005","item":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2005\/"},{"@type":"ListItem","position":5,"name":"TR-05-11: On the Security of Graphical Password 
Schemes"}]},{"@type":"WebSite","@id":"https:\/\/carleton.ca\/scs\/#website","url":"https:\/\/carleton.ca\/scs\/","name":"School of Computer Science","description":"Carleton University","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/carleton.ca\/scs\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"}]}},"acf":{"banner_image_type":"none","banner_button":"no"},"_links":{"self":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/13151"}],"collection":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/users\/49"}],"replies":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/comments?post=13151"}],"version-history":[{"count":1,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/13151\/revisions"}],"predecessor-version":[{"id":13152,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/13151\/revisions\/13152"}],"up":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/12337"}],"wp:attachment":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/media?parent=13151"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}