
Chapter 5 A Study of Multiple Story Passwords

5.6 Comparing the Results

In the following sub-sections, the results obtained from the usability (US2) and guessability (GS2) studies are compared to the existing research that has reported similar studies.

5.6.1 Comparing US2 Results

In this section, we compare the results obtained in US2 with similar multiple graphical password studies reported in the literature and with US1 (the user study reported in Chapter 3).

US2 – Moncur & Leplatre (2007)

According to the statistics presented in Table 2.5 (Section 2.6), the login success percentage was highest for group 3, i.e. participants who were asked to use a mnemonic strategy to remember their object passwords (RT1: 92%, RT2: 14%, RT3: 20%, mean: 42%). The results obtained in US2 show superior performance, viz. a 75.6% mean login success percentage for object (story) passwords, compared to the mean login success of group 3 in Moncur & Leplatre (2007). The experimental protocol adopted in US2 also ensured that every subject in US2 employed a mnemonic strategy to create their passwords, which could have contributed to the superior results compared to Moncur & Leplatre (2007).

US2 – Chiasson et al. (2009)

The memorability tests conducted two weeks after the registration stage in Chiasson et al. (2009) reported a success rate of 57% for click-based passwords and 70% for text-based passwords. In the case of story passwords, the success rate is highest for object passwords (75.4%), followed by Mikon (63.25%), then doodle (61.85%), and lowest for art passwords (44.6%). The mean registration time for click-based passwords was 43.9 sec, which is lower than that of the story passwords, varying between 59.68 sec (object) and 86.11 sec (art). The mean authentication time for click-based passwords varied from 15.1 sec to 47.0 sec after two weeks, which is higher than that of the story passwords, varying between 20.35 sec (object) and 26.65 sec (art).

US2 – Everitt et al. (2009)

The study reported in Everitt et al. (2009) found that participants using four different system-issued face passwords each week had a failure rate of 15.23% after four weeks. In US2, the lowest failure rate is for the object passwords (24.4%) and the highest for the art passwords (55.4%), which shows that the story passwords performed worse than face passwords. The mean login time reported in Everitt et al. (2009) was 29.7 sec, which is longer than that of the story passwords (20.35-26.65 sec).

US2 – Hlywa et al. (2011)

The results reported in Hlywa et al. (2011) demonstrated slightly better performance, viz. a mean success rate of 78.33% in study 1, and much superior performance, i.e. a mean success rate of 95% in study 2, for object passwords, compared to the login success results reported in US2 (Table 5.2). In relation to the mean authentication time, the performance of the object passwords in US2 (Table 5.4) is superior to the statistics reported in Hlywa et al. (2011) for both studies, as shown in Table 2.5. The login performance with face passwords in Hlywa et al. (2011) was better in study 2 (Table 2.5) than the results reported in US2 (Table 5.2). The mean authentication time of face passwords in both studies reported in Hlywa et al. (2011) was much higher than in all the conditions in US2 (Table 5.4).

US2 - US1

The memorability results reported in Chapter 3 demonstrate that the successful login percentage after a period of eight weeks was 74.17% for Mikon, 67.04% for doodle, 54.9% for art and 77.3% for object passwords. The same trend is observed in the results obtained in US2; however, the login success percentage decreased in each condition (Table 5.2). The mean registration time (Table 5.3) and authentication time (Table 5.4) reported for story passwords follow the same order as in US1 (Tables 3.5 and 3.6). However, there is a difference in the quantitative values reported in the two studies, which is favourable towards US1. Hence, the effectiveness (memorability) results obtained from both studies, US1 and US2, provide evidence that mnemonic strategies do not enhance the memorability of multiple RBGS passwords.

5.6.2 Guessability of Story Passwords

This chapter also reported a guessability study that was conducted with 70 participants to examine the vulnerability of story passwords in RBGSs to written descriptions. The guessability of Mikon, doodle and object passwords was 100%, whereas art passwords had a guessability of 50%. The results show that all the story passwords that had one or two target images recorded as sketches (annotated/non-annotated) were guessed during the guessability attack. If it is assumed that the story passwords having three or four target images recorded as sketches are also guessable, then the overall guessability (over the 80 passwords created in US2) of Mikon, doodle and object passwords would be 100%, making them highly insecure to use. Seventy (out of 80) art passwords created in US2 had textual descriptions for at least three to four target images. In GS2, ten passwords which had textual descriptions for three to four target images were not guessed at all. However, these results do not provide sufficient evidence to claim that the remaining 60 passwords having textual descriptions for three to four target images cannot be guessed. Hence we maintain that, in the current experimental setting, all the passwords which had one to two target images recorded as sketches were successfully guessed.


GS2 – Dunphy et al. (2008)

Dunphy et al. (2008) found that, out of 158 authentication attempts made by 56 participants, only 8% were successful. The guessability of story passwords, as discussed in Section 5.5.3 and presented in Table 5.10, was much higher than that reported in Dunphy et al. (2008).

GS2 – GS1

In GS1 the descriptions given to the attackers took the form of words (text) only, whereas in GS2 the descriptions comprised sketches (annotated/non-annotated) as well as words. The results presented in Tables 4.4 and 5.10 suggest that the overall performance of the attackers was almost the same in GS1 and GS2, except for the Mikon passwords. In the case of Mikon passwords, the guessability performance was better in GS2 (77.5%) than in GS1 (52.14%). The high guessability of Mikon in GS2 can be attributed to the fact that most Mikon images were recorded as sketches, which made them easier to guess. However, the results discussed in Sections 4.4.3 and 5.5.3 also show that all the Mikon, doodle and object passwords were guessed at least once during the attack, in both guessability studies GS1 and GS2. In both GS1 and GS2, only 50% of the art passwords were guessed. Moreover, the target images forming the art passwords were the least frequently recorded as sketches in both GS1 (stage 1) and GS2.

5.6.3 Limitations of the Studies

In US2, two limitations in the field raised by Biddle et al. (2009) have been addressed: (1) the usability of multiple RBGS story passwords was examined; (2) the registration of the passwords was split into multiple sessions (i.e. different days in the same week). The limitations of the usability study (US2) were the same as those of US1, which were discussed in Chapter 3 (Section 3.7.3).

The limitation of the guessability study (GS2) with respect to the unskilled attackers is the same as that of GS1, which was discussed in Chapter 4 (Section 4.6). With respect to the descriptions provided by the subjects who took part in US2, it is not known whether the descriptions were influenced by the mnemonic strategy employed to create and remember the RBGS passwords. A short questionnaire study with the subjects, once they had finished recording their descriptions, would have helped to assess this. We believe that if the descriptions provided by the subjects are influenced by the mnemonic strategy employed to create the respective passwords, then RBGS passwords become highly guessable once the descriptions are compromised. In the current experimental set-up, subjects in US2 were asked to record a description (maximum 25 words) for each of their passwords. In the real world, however, instead of writing a description of the target images, subjects might record the mnemonic strategy used to create and remember the respective passwords. Hence, subjects in US2 should have been explicitly asked about the coping mechanism they would employ in real life to remember the multiple story passwords. This information would have helped to better understand the coping mechanisms that would be used in a real-life scenario. However, we believe that these limitations do not invalidate the results obtained in GS2, because the main aim was to examine whether RBGS story passwords can be guessed by a third party using the descriptions provided by the RBGS password owners; the experimental set-up used in GS2 did investigate, and answer, this research question.