Predictability tests are tests conducted to ascertain the predictability of password systems. Predictability has been an important issue in the use of text-based passwords, as users select passwords they can easily remember but which are highly predictable [60, 130]. Considerable research has been conducted in trying to understand the guessability of image passwords and the measures that can be taken to reduce this vulnerability [84]. The research on guessability has, however, focused on the provision of cues which may assist an attacker in guessing a user's password. Such cues include the use of mnemonics [17, 73] and the use of verbal and written descriptions of a user's image portfolio [84]. The researchers in [46] also investigated measures that could be employed to suppress the ability to guess face-based passwords from verbal and written descriptions.
In this research, experiments are performed to ascertain the guessability of property based passwords. As in existing research [17, 84], the researcher investigates the possibility of launching a guessing attack on a property based system using some 'hint'. The hint selected for use in this work is 'favourite colour' or 'favourite number'. The experiment was motivated by the belief of some research participants during previous experiments that knowing a user's favourite colour or number can make a property based password guessable. Although it was suggested that the possibility of succeeding with what can normally be called a 'blind guess' on property based systems should be examined first, the idea was not pursued due to time constraints. A blind guess can be considered a guessing attack launched solely from predictions made by the attacker himself. This is in contrast to what can be called a 'hinted guess', a guessing attack launched when some form of clue or 'hint' about the content of the password has been provided to the attacker by the user. It is, however, highly unlikely that a totally blind guess will succeed on a property based system, as this type of attack is only possible if predictable patterns can be observed in the use of the password system.
6.4.1 The Guessability Test
Considerable work has been done in the existing literature on the guessability of image passwords [17]. This research takes its cue from those projects. In this work, a user creates a password with one of the implementations of the property based paradigm. The user ensures that for both the first and second steps of his password selection, he has selected the 'favourite' feature (either 'favourite colour' or 'favourite number', depending on the system implementation) as one of the properties of his image password. Five models were selected for this test: the colour, the magnitude, the mixed, the digit and the representation based models. These represent three 'favourite colour' models and two 'favourite number' models.
6.4.2 Experimental Variables
The experiment seeks to establish whether any correlation exists between the authentication model being examined and the login failure rate of a guessing attack when the user's favourite colour or favourite number has been given away. Hence the dependent variable is the login failure rate, while the independent variable is the model being examined. The number of authentication steps and the size of the image selection grid are control variables. In each of the experiments, the number of authentication steps is 2, while the grid size N (for an N×N grid holding the decoy images plus the user's password image) is chosen as 3. This gives 9 images to select from in each grid.
6.4.3 Research Participants
All participants were university undergraduate students between the ages of 20 and 35. They were all studying computer science, mathematics or statistics. All of them had experience in the use of passwords and PINs, and all claimed never to have interacted with a picture based password. The study was conducted as a laboratory experiment in a between-subjects design, in which each student was allowed to observe authentication on only one of the system prototypes. The participants (the 'victims' and the 'attackers') were randomly allocated to the authentication systems they used. For ease of comparison and data analysis, the researcher ensured that an equal number of participants was used for each of the test cases. Twenty (20) participants were allocated to each of the authentication systems to act as victims, and another twenty were allocated to act as attackers.
6.4.4 Experimental Procedure
The experiment was conducted in a laboratory setting. The participants were grouped in the order in which they arrived. On arrival, the participants were given training on the procedure for password creation in the specific authentication system they would use in the research. This was done to orient the participants in the use of the system and to let the attackers know where to look once the hints were provided. In this experiment, the researcher chose not to act as the 'victim', so as to allow for a wider range of choices from the 'password creator' participants, which in turn reflects the multiplicity of password choices in the real world.
One of the participants is then asked to create a password on the system using either his favourite colour or favourite number, depending on the system being used. Meanwhile, the other participant stands or sits at a location from which the password creation process is not visible to him. After successful password creation and a single login by the 'victim' participant, he reveals the favourite number or colour he used in creating his password and allows the 'attacker' to take his seat and try to guess the password. A data entry form is used to capture correct and incorrect guesses. A is entered into the data entry form for a correct guess and an for an incorrect guess. This is repeated for every victim-attacker pair throughout the experiment.
6.4.5 Results for the Guessability Test
One hundred students participated in the guessability test. The numbers of login successes and failures for the guessability test are presented below.
Table 6.5: Success and failure rates for guessability test
From the table it can be seen that, of the 20 participants allocated to each of the models, the colour model and the mixed model each recorded three successes, the digit model recorded 2 successful logins, the number rep. model recorded one successful login, while the magnitude model recorded no successful login. The fourth column of the table contains the login failure percentage for each of the models. From this it can be seen that the highest login failure percentage belongs to the magnitude model, at 100%. The number rep. model is next with 95%, then the digit model with 90%, and then the colour and mixed models with 85% each. The data in the table are represented in Figure 6.5.
A chi-square test conducted on the results (Appendix 10) reveals that no statistically significant correlation exists between the authentication model being used and the login failure rate. The chi-square value is χ²(4) = 4.151, p = 0.386.
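The following script is an added worked example, not part of the thesis or its appendix: it rebuilds the 5×2 contingency table from the success counts stated above (3, 3, 2, 1, 0 out of 20 per model), computes the failure percentages, the Pearson chi-square statistic and its p-value, and the per-attempt probability of a blind guess on the 2-step, 3×3 configuration. The survival function uses the closed form valid for any even number of degrees of freedom, which generalises beyond the df = 4 case on this page.

```python
from math import exp, factorial

# Constructed from the counts reported in the text: successful hinted guesses
# out of 20 victim-attacker pairs per model (the page's numbers, not new data).
SUCCESSES = {"colour": 3, "mixed": 3, "digit": 2, "number rep.": 1, "magnitude": 0}
PAIRS_PER_MODEL = 20


def failure_rates(successes, n=PAIRS_PER_MODEL):
    """Login failure percentage per model (the table's fourth column)."""
    return {m: 100.0 * (n - s) / n for m, s in successes.items()}


def chi_square(successes, n=PAIRS_PER_MODEL):
    """Pearson chi-square for a models x {success, failure} contingency table.
    Returns (statistic, degrees of freedom, smallest expected cell count).
    The smallest expected count is reported because the chi-square
    approximation is usually considered unreliable when cells fall below 5."""
    rows = [(s, n - s) for s in successes.values()]
    col_totals = [sum(r[0] for r in rows), sum(r[1] for r in rows)]
    grand = sum(col_totals)
    stat, min_expected = 0.0, float("inf")
    for row in rows:
        row_total = sum(row)
        for j, observed in enumerate(row):
            expected = row_total * col_totals[j] / grand
            min_expected = min(min_expected, expected)
            stat += (observed - expected) ** 2 / expected
    df = (len(rows) - 1) * (len(col_totals) - 1)
    return stat, df, min_expected


def chi_square_sf(x, df):
    """P(X > x) for a chi-square variable with EVEN degrees of freedom:
    exp(-x/2) * sum_{k < df/2} (x/2)^k / k!.  Odd df would need the
    regularised incomplete gamma function and is not handled here."""
    if df % 2:
        raise ValueError("closed form implemented for even df only")
    half = x / 2.0
    return exp(-half) * sum(half ** k / factorial(k) for k in range(df // 2))


def blind_guess_probability(steps=2, grid_side=3):
    """Chance that one blind guess matches a password when each of `steps`
    authentication steps shows a grid_side x grid_side grid (9^2 = 81 here)."""
    return 1.0 / (grid_side ** 2) ** steps


if __name__ == "__main__":
    stat, df, min_exp = chi_square(SUCCESSES)
    print(failure_rates(SUCCESSES))
    print(f"chi2({df}) = {stat:.3f}, p = {chi_square_sf(stat, df):.3f}, "
          f"min expected = {min_exp:.1f}")
    print(f"blind guess per attempt: {blind_guess_probability():.4f}")
```

With the page's counts the script reproduces χ²(4) = 4.151 and p = 0.386, and shows that the expected success count per model is only 1.8, so the test's conclusion rests on small cells.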