A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords

F. Tari, A. A. Ozok, Stephen H. Holden
Symposium On Usable Privacy and Security, published 2006-07-12
DOI: 10.1145/1143120.1143128 (https://doi.org/10.1145/1143120.1143128)
Citations: 325

Abstract

Previous research has found graphical passwords to be more memorable than non-dictionary or "strong" alphanumeric passwords. Participants in a prior study expressed concerns that this increase in memorability could also lead to an increased susceptibility of graphical passwords to shoulder-surfing. This appears to be yet another example of the classic trade-off between usability and security for authentication systems. This paper explores whether graphical passwords' increased memorability necessarily leads to risks of shoulder-surfing. To date, there are no studies examining the vulnerability of graphical versus alphanumeric passwords to shoulder-surfing.

This paper examines the real and perceived vulnerability to shoulder-surfing of two configurations of a graphical password, Passfaces™ [30], compared to non-dictionary and dictionary passwords. A laboratory experiment with 20 participants asked them to try to shoulder surf the two configurations of Passfaces™ (mouse versus keyboard data entry) and strong and weak passwords. Data gathered included the vulnerability of the four authentication system configurations to shoulder-surfing and study participants' perceptions concerning the same vulnerability. An analysis of these data compared the relative vulnerability of each of the four configurations to shoulder-surfing and also compared study participants' real and perceived success in shoulder-surfing each of the configurations. Further analysis examined the relationship between study participants' real and perceived success in shoulder-surfing and determined whether there were significant differences in the vulnerability of the four authentication configurations to shoulder-surfing.

Findings indicate that configuring data entry for Passfaces™ through a keyboard is the most effective deterrent to shoulder-surfing in a laboratory setting and the participants' perceptions were consistent with that result. While study participants believed that Passfaces™ with mouse data entry would be most vulnerable to shoulder-surfing attacks, the empirical results found that strong passwords were actually more vulnerable.