{"id":13285,"date":"2021-12-08T21:03:57","date_gmt":"2021-12-09T02:03:57","guid":{"rendered":"https:\/\/carleton.ca\/scs\/?page_id=13285"},"modified":"2021-12-08T21:04:04","modified_gmt":"2021-12-09T02:04:04","slug":"tr-08-21-on-predicting-and-exploiting-hot-spots-in-click-based-graphical-passwords","status":"publish","type":"page","link":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2008\/tr-08-21-on-predicting-and-exploiting-hot-spots-in-click-based-graphical-passwords\/","title":{"rendered":"TR-08-21: On Predicting and Exploiting Hot-Spots in Click-Based Graphical Passwords"},"content":{"rendered":"<p>Carleton University<br \/>\n<a href=\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2008\/\">Technical Report<\/a> TR-08-21<br \/>\nNovember 7, 2008<\/p>\n<h2>On Predicting and Exploiting Hot-Spots in Click-Based Graphical Passwords<\/h2>\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<p class=\"tr_t3\">P.C. van Oorschot &amp; J. Thorpe<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div>\n<h3>Abstract<\/h3>\n<p>We provide an in-depth study of the security of click-based graphical password schemes like PassPoints (Weidenbeck et al., 2005), by exploring popular points (hot-spots), and examining strategies to predict and exploit them in guessing attacks. We report on both short- and long-term user studies: one lab-controlled, involving 43 users and 17 diverse images, the other a field test of 223 user accounts. We provide empirical evidence that hot-spots do exist for many images, some more so than others. We explore the use of &#8220;human-computation&#8221; (in this context, harvesting click-points from a small set of users) to predict these hot-spots. We generate two &#8220;human-seeded&#8221; attacks based on this method: one based on a first-order Markov model, another based on an independent probability model. Within 100 guesses, our first-order Markov model-based attack guesses 4% of passwords in one instance, and 10% of passwords in a second instance. Our independent model-based attack guesses 20% within 2^33 guesses in one instance and 36% within 2^31 guesses in a second instance. These are all for a system whose full password space has cardinality 2^43. We also evaluate our first-order Markov model-based attack with cross-validation of the field study data, finding that it guesses an average of 7-10% of user passwords within 3 guesses. Our results suggest that these graphical password schemes (as originally proposed) are vulnerable to offline and online attacks, even on systems that implement conservative lock-out policies.<\/p>\n<p><a href=\"https:\/\/carleton.ca\/scs\/wp-content\/uploads\/TR-08-21_Thorpe.pdf\">TR-08-21.pdf<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Carleton University Technical Report TR-08-21 November 7, 2008 On Predicting and Exploiting Hot-Spots in Click-Based Graphical Passwords P.C. van Oorschot &amp; J. Thorpe Abstract We provide an in-depth study of the security of click-based graphical password schemes like PassPoints (Weidenbeck et al., 2005), by exploring popular points (hot-spots), and examining strategies to predict and exploit [&hellip;]<\/p>\n","protected":false},"author":49,"featured_media":0,"parent":12410,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"","_relevanssi_noindex_reason":"","_mi_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":"","_links_to":"","_links_to_target":""},"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v21.2 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>TR-08-21: On Predicting and Exploiting Hot-Spots in Click-Based Graphical Passwords - School of Computer Science<\/title>\n<meta name=\"description\" content=\"Carleton University Technical Report TR-08-21 November 7, 2008 On Predicting and Exploiting Hot-Spots in Click-Based Graphical Passwords P.C. van\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2008\/tr-08-21-on-predicting-and-exploiting-hot-spots-in-click-based-graphical-passwords\/\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2008\/tr-08-21-on-predicting-and-exploiting-hot-spots-in-click-based-graphical-passwords\/\",\"url\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2008\/tr-08-21-on-predicting-and-exploiting-hot-spots-in-click-based-graphical-passwords\/\",\"name\":\"TR-08-21: On Predicting and Exploiting Hot-Spots in Click-Based Graphical Passwords - School of Computer Science\",\"isPartOf\":{\"@id\":\"https:\/\/carleton.ca\/scs\/#website\"},\"datePublished\":\"2021-12-09T02:03:57+00:00\",\"dateModified\":\"2021-12-09T02:04:04+00:00\",\"description\":\"Carleton University Technical Report TR-08-21 November 7, 2008 On Predicting and Exploiting Hot-Spots in Click-Based Graphical Passwords P.C. van\",\"breadcrumb\":{\"@id\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2008\/tr-08-21-on-predicting-and-exploiting-hot-spots-in-click-based-graphical-passwords\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2008\/tr-08-21-on-predicting-and-exploiting-hot-spots-in-click-based-graphical-passwords\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2008\/tr-08-21-on-predicting-and-exploiting-hot-spots-in-click-based-graphical-passwords\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/carleton.ca\/scs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Research\",\"item\":\"https:\/\/carleton.ca\/scs\/research\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"SCS Technical Reports\",\"item\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Technical Reports 2008\",\"item\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2008\/\"},{\"@type\":\"ListItem\",\"position\":5,\"name\":\"TR-08-21: On Predicting and Exploiting Hot-Spots in Click-Based Graphical Passwords\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/carleton.ca\/scs\/#website\",\"url\":\"https:\/\/carleton.ca\/scs\/\",\"name\":\"School of Computer Science\",\"description\":\"Carleton University\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/carleton.ca\/scs\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"TR-08-21: On Predicting and Exploiting Hot-Spots in Click-Based Graphical Passwords - School of Computer Science","description":"Carleton University Technical Report TR-08-21 November 7, 2008 On Predicting and Exploiting Hot-Spots in Click-Based Graphical Passwords P.C. van","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2008\/tr-08-21-on-predicting-and-exploiting-hot-spots-in-click-based-graphical-passwords\/","twitter_misc":{"Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2008\/tr-08-21-on-predicting-and-exploiting-hot-spots-in-click-based-graphical-passwords\/","url":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2008\/tr-08-21-on-predicting-and-exploiting-hot-spots-in-click-based-graphical-passwords\/","name":"TR-08-21: On Predicting and Exploiting Hot-Spots in Click-Based Graphical Passwords - School of Computer Science","isPartOf":{"@id":"https:\/\/carleton.ca\/scs\/#website"},"datePublished":"2021-12-09T02:03:57+00:00","dateModified":"2021-12-09T02:04:04+00:00","description":"Carleton University Technical Report TR-08-21 November 7, 2008 On Predicting and Exploiting Hot-Spots in Click-Based Graphical Passwords P.C. van","breadcrumb":{"@id":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2008\/tr-08-21-on-predicting-and-exploiting-hot-spots-in-click-based-graphical-passwords\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2008\/tr-08-21-on-predicting-and-exploiting-hot-spots-in-click-based-graphical-passwords\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2008\/tr-08-21-on-predicting-and-exploiting-hot-spots-in-click-based-graphical-passwords\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/carleton.ca\/scs\/"},{"@type":"ListItem","position":2,"name":"Research","item":"https:\/\/carleton.ca\/scs\/research\/"},{"@type":"ListItem","position":3,"name":"SCS Technical Reports","item":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/"},{"@type":"ListItem","position":4,"name":"Technical Reports 2008","item":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2008\/"},{"@type":"ListItem","position":5,"name":"TR-08-21: On Predicting and Exploiting Hot-Spots in Click-Based Graphical Passwords"}]},{"@type":"WebSite","@id":"https:\/\/carleton.ca\/scs\/#website","url":"https:\/\/carleton.ca\/scs\/","name":"School of Computer Science","description":"Carleton University","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/carleton.ca\/scs\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"}]}},"acf":{"banner_image_type":"none","banner_button":"no"},"_links":{"self":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/13285"}],"collection":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/users\/49"}],"replies":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/comments?post=13285"}],"version-history":[{"count":1,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/13285\/revisions"}],"predecessor-version":[{"id":13287,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/13285\/revisions\/13287"}],"up":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/12410"}],"wp:attachment":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/media?parent=13285"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}