{"id":13195,"date":"2021-12-07T20:36:57","date_gmt":"2021-12-08T01:36:57","guid":{"rendered":"https:\/\/carleton.ca\/scs\/?page_id=13195"},"modified":"2021-12-07T20:36:57","modified_gmt":"2021-12-08T01:36:57","slug":"tr-07-05-human-seeded-attacks-and-exploiting-hot-spots-in-graphical-passwords","status":"publish","type":"page","link":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/tr-07-05-human-seeded-attacks-and-exploiting-hot-spots-in-graphical-passwords\/","title":{"rendered":"TR-07-05: Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords"},"content":{"rendered":"<p>Carleton University<br \/>\n<a href=\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/\">Technical Report<\/a> TR-07-05<br \/>\nFebruary 22, 2007<\/p>\n<h2>Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords<\/h2>\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<p class=\"tr_t3\">Julie Thorpe &amp; P.C. Van Oorschot<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div>\n<h3>Abstract<\/h3>\n<p>Although motivated by both usability and security concerns, the existing literature on click-based graphical password schemes that use a single background image like PassPoints (Wiedenbeck et al., 2005) has focused largely on usability. We examine the security of such schemes, including the impact of different background images, and strategies for cracking user passwords. We report on both short- and long-term user studies: one lab-controlled, involving 43 users and 17 diverse images, and the other a field test of 223 users. We provide empirical evidence that popular points (hot-spots) do indeed exist for many images, and exploit them. 
We create and evaluate two different types of attack to exploit this hot-spotting effect: a \u201chuman-seeded\u201d attack based on harvesting click-points from a small set of users, and an entirely automated attack based on image processing techniques. Our most effective attacks are generated by harvesting password data from a small set of users to attack others\u2019 passwords. These attacks can crack 36% of user passwords with a 31-bit dictionary (or 11% with a 17-bit dictionary) on one image, and 20% with a 33-bit dictionary (or 6% with a 22-bit dictionary) on a second image. We perform an image-processing attack by implementing and adapting a bottom-up model of visual attention, resulting in a purely automated tool that cracks up to 30% of user passwords with a 35-bit dictionary for some images, but under 3% on others. Our results show that these graphical passwords, even using the best among our tested background images, are at least as susceptible to offline attack as the traditional text-based passwords they have been proposed to replace.<\/p>\n<p><a href=\"https:\/\/carleton.ca\/scs\/wp-content\/uploads\/TR-07-05.pdf\">TR-07-05.pdf<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Carleton University Technical Report TR-07-05 February 22, 2007 Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords Julie Thorpe &amp; P.C. 
Van Oorschot Abstract Although motivated by both usability and security concerns, the existing literature on click-based graphical password schemes that use a single background image like PassPoints (Wiedenbeck et al., 2005) has focused largely on [&hellip;]<\/p>\n","protected":false},"author":49,"featured_media":0,"parent":12385,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"","_relevanssi_noindex_reason":"","_mi_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":"","_links_to":"","_links_to_target":""},"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v21.2 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>TR-07-05: Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords - School of Computer Science<\/title>\n<meta name=\"description\" content=\"Carleton University Technical Report TR-07-05 February 22, 2007 Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords Julie Thorpe &amp;\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/tr-07-05-human-seeded-attacks-and-exploiting-hot-spots-in-graphical-passwords\/\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/tr-07-05-human-seeded-attacks-and-exploiting-hot-spots-in-graphical-passwords\/\",\"url\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/tr-07-05-human-seeded-attacks-and-exploiting-hot-spots-in-graphical-passwords\/\",\"name\":\"TR-07-05: Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords - School of Computer Science\",\"isPartOf\":{\"@id\":\"https:\/\/carleton.ca\/scs\/#website\"},\"datePublished\":\"2021-12-08T01:36:57+00:00\",\"dateModified\":\"2021-12-08T01:36:57+00:00\",\"description\":\"Carleton University Technical Report TR-07-05 February 22, 2007 Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords Julie Thorpe &amp;\",\"breadcrumb\":{\"@id\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/tr-07-05-human-seeded-attacks-and-exploiting-hot-spots-in-graphical-passwords\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/tr-07-05-human-seeded-attacks-and-exploiting-hot-spots-in-graphical-passwords\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/tr-07-05-human-seeded-attacks-and-exploiting-hot-spots-in-graphical-passwords\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/carleton.ca\/scs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Research\",\"item\":\"https:\/\/carleton.ca\/scs\/research\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"SCS 
Technical Reports\",\"item\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Technical Reports 2007\",\"item\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/\"},{\"@type\":\"ListItem\",\"position\":5,\"name\":\"TR-07-05: Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/carleton.ca\/scs\/#website\",\"url\":\"https:\/\/carleton.ca\/scs\/\",\"name\":\"School of Computer Science\",\"description\":\"Carleton University\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/carleton.ca\/scs\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"TR-07-05: Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords - School of Computer Science","description":"Carleton University Technical Report TR-07-05 February 22, 2007 Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords Julie Thorpe &amp;","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/tr-07-05-human-seeded-attacks-and-exploiting-hot-spots-in-graphical-passwords\/","twitter_misc":{"Est. 
reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/tr-07-05-human-seeded-attacks-and-exploiting-hot-spots-in-graphical-passwords\/","url":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/tr-07-05-human-seeded-attacks-and-exploiting-hot-spots-in-graphical-passwords\/","name":"TR-07-05: Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords - School of Computer Science","isPartOf":{"@id":"https:\/\/carleton.ca\/scs\/#website"},"datePublished":"2021-12-08T01:36:57+00:00","dateModified":"2021-12-08T01:36:57+00:00","description":"Carleton University Technical Report TR-07-05 February 22, 2007 Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords Julie Thorpe &amp;","breadcrumb":{"@id":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/tr-07-05-human-seeded-attacks-and-exploiting-hot-spots-in-graphical-passwords\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/tr-07-05-human-seeded-attacks-and-exploiting-hot-spots-in-graphical-passwords\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/tr-07-05-human-seeded-attacks-and-exploiting-hot-spots-in-graphical-passwords\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/carleton.ca\/scs\/"},{"@type":"ListItem","position":2,"name":"Research","item":"https:\/\/carleton.ca\/scs\/research\/"},{"@type":"ListItem","position":3,"name":"SCS Technical Reports","item":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/"},{"@type":"ListItem","position":4,"name":"Technical Reports 
2007","item":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/"},{"@type":"ListItem","position":5,"name":"TR-07-05: Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords"}]},{"@type":"WebSite","@id":"https:\/\/carleton.ca\/scs\/#website","url":"https:\/\/carleton.ca\/scs\/","name":"School of Computer Science","description":"Carleton University","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/carleton.ca\/scs\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"}]}},"acf":{"banner_image_type":"none","banner_button":"no"},"_links":{"self":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/13195"}],"collection":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/users\/49"}],"replies":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/comments?post=13195"}],"version-history":[{"count":1,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/13195\/revisions"}],"predecessor-version":[{"id":13196,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/13195\/revisions\/13196"}],"up":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/12385"}],"wp:attachment":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/media?parent=13195"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}