{"id":13268,"date":"2021-12-08T20:32:15","date_gmt":"2021-12-09T01:32:15","guid":{"rendered":"https:\/\/carleton.ca\/scs\/?page_id=13268"},"modified":"2021-12-08T20:34:03","modified_gmt":"2021-12-09T01:34:03","slug":"tr-08-15-on-purely-automated-attacks-and-click-based-graphical-passwords","status":"publish","type":"page","link":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2008\/tr-08-15-on-purely-automated-attacks-and-click-based-graphical-passwords\/","title":{"rendered":"TR-08-15: On Purely Automated Attacks and Click-Based Graphical Passwords"},"content":{"rendered":"<p>Carleton University<br \/>\n<a href=\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2008\/\">Technical Report<\/a> TR-08-15<br \/>\nJune 20, 2008<\/p>\n<h2>On Purely Automated Attacks and Click-Based Graphical Passwords<\/h2>\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<p class=\"tr_t3\">Amirali Salehi-Abari, Julie Thorpe, P.C. van Oorschot<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div>\n<h3>Abstract<\/h3>\n<p>We present and evaluate various methods for purely automated attacks against click-based graphical passwords. Our purely automated methods combine click-order heuristics with focus-of-attention scan-paths generated from Itti et al.&#8217;s (1998) computational model of visual attention. Testing our method against previous work, it results in a significantly better automated attack, guessing 8-15% of passwords for two representative images using dictionaries of less than 2**24.6 entries, and about 16% of passwords on each of these images using dictionaries of less than 2**31.4 entries (where the full password space is 43 bits). 
Relaxing our click-order pattern substantially increased the efficacy of our attack albeit with larger dictionaries, allowing attacks that guessed 48-54% of passwords in less than 2**35 guesses (compared to previous results of 0.9% and 9.1% on the same two images with 2**35 guesses). These latter automated attacks are independent of focus-of-attention models, and in fact are based on image-independent guessing patterns. Our results show that automated attacks, which are easier to launch than human-seeded attacks and are more scalable to systems that use multiple images, pose a significant threat to PassPoints-style graphical passwords, and offer an effective alternative to human-seeded attacks.<\/p>\n<p><a href=\"https:\/\/carleton.ca\/scs\/wp-content\/uploads\/TR-08-15-Van-Oorschot-Thorpe-SalehiAbari.pdf\">TR-08-15.pdf<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Carleton University Technical Report TR-08-15 June 20, 2008 On Purely Automated Attacks and Click-Based Graphical Passwords Amirali Salehi-Abari, Julie Thorpe, P.C. van Oorschot Abstract We present and evaluate various methods for purely automated attacks against click-based graphical passwords. 
Our purely automated methods combine click-order heuristics with focus-of-attention scan-paths generated from Itti et al.&#8217;s (1998) computational [&hellip;]<\/p>\n","protected":false},"author":49,"featured_media":0,"parent":12410,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"","_relevanssi_noindex_reason":"","_mi_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":"","_links_to":"","_links_to_target":""},"acf":{"banner_image_type":"none","banner_button":"no"},"_links":{"self":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/13268"}],"collection":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/users\/49"}],"replies":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/comments?post=13268"}],"version-history":[{"count":2,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/13268\/revisions"}],"predecessor-version":[{"id":13270,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/13268\/revisions\/13270"}],"up":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/12410"}],"wp:attachment":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/media?parent=13268"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}