Security Analysis

We mentioned that the password entropy of charPattern is 20 bits which can safeguard against online attacks with lockout rules. In charPattern, we mitigate guessing and dictionary attacks by disallowing user-chosen passwords and suggesting users randomly generated passwords. On the other hand, hotspots are still could weak points of charPattern (hitting the Shue button until an easy-to-guess password is suggested.) with regard to security [13] which can be prone to shoulder surng [29] and guessing attacks. As the hotspots in charPattern, dots located on the edges of dot-matrix especially on the corner parts are assumed. While, patterns like rectangles, diamonds dots of which are located very closely or located on the edges, can weaken the charPattern password.

In this section, we tried to estimate these two weaknesses by the methods used in previous researches [13], [6].

We remind that as in the previous graphical authentication systems [13], [6],

Figure 5.3: Frequency of Selected Dots in charPattern.

[30], here also users can change randomly-generated passwords by touching the

shue button until appearing the best t charPattern password for users. On the other hand, using shue button, users are likely select hotspots. Figure 5.3 presents the frequency table of dots selected by the participants where 17.14%

were selected 0-1 times, 62.86% were 2-3 times and 20% of dots were selected more than 3 times. Here, we need to notice that two dot-characters (characters

1 and 0) were never selected, while the dot-character with a character of

7 was selected 7 times. To understand whether this particular distribution is dierent than a random distribution, we generate simulated data consisting of 100 datasets each of which has 25 pairs of (x, y) elements where x ranges from 1 to 5 and y ranges from 1 to 7 corresponding to the size of data in our user study charPattern. Figures 5.4(a) and 5.4(b) present box-plots of distributions of selected dots with horizontal lines representing maximum and minimum medians of simulated datasets. Here, as observed, median values of selected dot-characters are between maximum and minimum medians of simulated datasets. Then, we calculate rough estimate values of password entropy for the collected dataset together with random datasets using the formula H(X) dened in [13]. Our

(a)

(b)

Figure 5.4: Distribution of dots in Cartesian System where horizontal lines denote maximum and minimum medians of simulated datasets ((a) Dot Arrangements by Columns, (b) Dot Arrangements by Rows).

rough estimate password entropy of collected dataset is between maximum and minimum entropy values of simulated datasets. Since each random dataset represents a chance to include the observed data, with 99% probability, the user study dataset is a dataset occurred by chance. This analysis gives an evidence that hotspots does not skew the password distribution for charPattern. The one of main advantages of charPattern with regard to security is that as in other dotPattern authentication systems, charPattern passwords are not stored on any devices used and anywhere on the Internet [31]. On the other hand, patterns are prone to such attacks as dictionary, shoulder-surng and smudge attacks [32]. Although patterns like rectangles, diamonds can leverage memorability of charPattern password (We do not know specic goals, but 3 participants used charPattern passwords with crossed-line patterns), this case may reduce the password entropy making security trade-o to usability.

6. CONCLUSION

In spite of usability problems of traditional text passwords especially on mobile devices, text passwords are still in use for device and Internet authentications owing to its simplicity and familiarity. Alternative authentication techniques to the traditional text-based authentication such as password managers, graphical passwords, biometric passwords which have better usability features than of text passwords are being established. However, some of these new techniques are not workable on desktop computers with respect to hardware requirements, others of them have their own security deciencies.

As Android Lock Pattern has successfully demonstrated, drawing a pattern-password is preferred over typing a pattern-password or a PIN by many users for locking/unlocking their touchscreen devices. However, lock patterns could not be used over the Internet directly for remote user authentication due to dierent security and usability requirements. In this thesis, we introduce charPattern, a new pattern-based authentication method which increases password space to adequate levels (i) by increasing number of possible patterns by careful addition of more dots, (ii) by using persuasive technology to avoid hotspot passwords (more popular patterns). To accommodating users who alternately login from devices with and without full physical keyboards, the new scheme improves on the idea of Android Lock Pattern by introducing a second mode of input by enabling users to type the characters corresponding the dots forming their pattern-password.

In this research, we implement charPattern, the dual-mode authentication system supporting both of drawing and typing, in which users can draw pattern along 2D dot-matrix where unique characters are arranged on each of those 35 dots in order to easily memorize charPattern passwords or just type characters which are on dots.

To make a usability evaluation, we conduct the user study on mobile devices and desktop computers comparing charPattern's timing and success rates with

those of traditional text password and gridWordX [6]. The study results shows that charPattern has shorter login times than text password and gridWordX on the mobile device and also charPattern is faster regarding to login process than gridWordX on desktop computers, while it has comparable login times with text password on desktop computers. In addition, most users prefer to enter charPattern passwords by drawing the pattern rather than by typing via keyboard even on desktop machines, which leads to login times comparable to those of text passwords on desktops. Based on user study ndings, we conclude that charPattern is a promising alternative to text passwords for those who access same sites from both of mobile devices and desktops.

REFERENCES

[1] G.E. Blonder. Graphical password, September 24 1996. US Patent 5,559,961.

[2] J. Yan, A. Blackwell, R. Anderson, and A. Grant. Password memorability and security: empirical results. Security Privacy, IEEE, 2(5):2531, Sept 2004.

[3] Eiji Hayashi and Jason Hong. A diary study of password usage in daily life.

In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI '11, pages 26272630, New York, NY, USA, 2011. ACM.

[4] J. Alex Halderman, Brent Waters, and Edward W. Felten. A convenient method for securely managing passwords. In Proceedings of the 14th International Conference on World Wide Web, WWW '05, pages 471479, New York, NY, USA, 2005. ACM.

[5] Anne Adams and Martina Angela Sasse. Users are not the enemy. Commun.

ACM, 42(12):4046, December 1999.

[6] Ugur Cil and Kemal Bicakci. gridwordx: Design, implementation, and usability evaluation of an authentication scheme supporting both desktops and mobile devices. Workshop on Mobile Security Technologies (MoST’13), 2013.

[7] Rui Zhao and Chuan Yue. All your browser-saved passwords could belong to us: A security analysis and a cloud-based new design. In Proceedings of the Third ACM Conference on Data and Application Security and Privacy, CODASPY '13, pages 333340, New York, NY, USA, 2013. ACM.

[8] Sonia Chiasson, P. C. van Oorschot, and Robert Biddle. A usability study and critique of two password managers. In Proceedings of the 15th Conference on USENIX Security Symposium - Volume 15, USENIX-SS'06, Berkeley, CA, USA, 2006. USENIX Association.

[9] Emanuel von Zezschwitz, Paul Dunphy, and Alexander De Luca. Patterns in the wild: A eld study of the usability of pattern and pin-based authentication on mobile devices. In Proceedings of the 15th International Conference on Human-computer Interaction with Mobile Devices and Services, MobileHCI '13, pages 261270, New York, NY, USA, 2013. ACM.

[10] Shari Trewin, Cal Swart, Larry Koved, Jacquelyn Martino, Kapil Singh, and Shay Ben-David. Biometric authentication on a mobile device: A study of user eort, error and task disruption. In Proceedings of the 28th Annual Computer Security Applications Conference, ACSAC '12, pages 159168, New York, NY, USA, 2012. ACM.

[11] Robert Biddle, Sonia Chiasson, and P.C. Van Oorschot. Graphical passwords: Learning from the rst twelve years. ACM Comput. Surv., 44(4):19:119:41, September 2012.

[12] Sebastian Uellenbeck, Markus Dürmuth, Christopher Wolf, and Thorsten Holz. Quantifying the security of graphical passwords: The case of android unlock patterns. In Proceedings of the 2013 ACM Conference on Computer and Communications Security, CCS '13, pages 161172, New York, NY, USA, 2013. ACM.

[13] Kemal Bicakci and Paul C. van Oorschot. A multi-word password proposal (gridword) and exploring questions about science in security research and usable security evaluation. In Proceedings of the 2011 Workshop on New Security Paradigms Workshop, NSPW '11, pages 2536, New York, NY, USA, 2011. ACM.

[14] L. O'Gorman. Comparing passwords, tokens, and biometrics for user authentication. Proceedings of the IEEE, 91(12):20212040, Dec 2003.

[15] Cormac Herley and Paul van Oorschot. A research agenda acknowledging the persistence of passwords. IEEE Security and Privacy, 10(1):2836, January 2012.

[16] Susan Wiedenbeck, Jim Waters, Jean-Camille Birget, Alex Brodskiy, and Nasir Memon. Authentication using graphical passwords: Eects of tolerance and image choice. In Proceedings of the 2005 Symposium on Usable Privacy and Security, SOUPS '05, pages 112, New York, NY, USA, 2005. ACM.

[17] Paul Dunphy, Andreas P. Heiner, and N. Asokan. A closer look at recognition-based graphical passwords on mobile devices. In Proceedings of the Sixth Symposium on Usable Privacy and Security, SOUPS '10, pages 3:13:12, New York, NY, USA, 2010. ACM.

[18] Florian Schaub, Marcel Walch, Bastian Könings, and Michael Weber.

Exploring the design space of graphical passwords on smartphones. In Proceedings of the Ninth Symposium on Usable Privacy and Security, SOUPS '13, pages 11:111:14, New York, NY, USA, 2013. ACM.

[19] Antonella De Angeli, Lynne Coventry, Graham Johnson, and Karen Renaud.

Is a picture really worth a thousand words? exploring the feasibility of graphical authentication systems. Int. J. Hum.-Comput. Stud., 63(1-2):128

152, July 2005.

[20] Ian Jermyn, Alain Mayer, Fabian Monrose, Michael K. Reiter, and Aviel D.

Rubin. The design and analysis of graphical passwords. In Proceedings of the 8th Conference on USENIX Security Symposium - Volume 8, SSYM'99, pages 11, Berkeley, CA, USA, 1999. USENIX Association.

[21] Hai Tao and Carlisle Adams. Pass-go: A proposal to improve the usability of graphical passwords. International Journal of Network Security, 7(2):273

292, 2008.

[22] Sacha Brosto, Philip Inglesant, and M. Angela Sasse. Evaluating the usability and security of a graphical one-time pin system. In Proceedings

of the 24th BCS Interaction Specialist Group Conference, BCS '10, pages 8897, Swinton, UK, UK, 2010. British Computer Society.

[23] T. Rakesh Kumar and S. V. Raghavan. Passpattern system (pps): A pattern-based user authentication scheme. In Proceedings of the 7th International IFIP-TC6 Networking Conference on AdHoc and Sensor Networks, Wireless Networks, Next Generation Internet, NETWORKING'08, pages 162169, Berlin, Heidelberg, 2008. Springer-Verlag.

[24] Eusing Maze Lock 3.1. www.bit.ly/maze203, 2014.

[25] Markus Jakobsson and Ruj Akavipat. Rethinking passwords to adapt to constrained keyboards. In Proceedings of Mobile Security Technologies, 2012.

[26] William E. Burr, Donna F. Dodson, Elaine M. Newton, Ray A. Perlner, W. Timothy Polk, Sarbari Gupta, Emad A. Nabbus, U.S. Department of Commerce, National Institute of Standards, and Technology. Electronic Authentication Guideline: Recommendations of the National Institute of Standards and Technology - Special Publication 800-63-1. CreateSpace Independent Publishing Platform, USA, 2012.

[27] Dinei Florêncio, Cormac Herley, and Baris Coskun. Do strong web passwords accomplish anything? In Proceedings of the 2Nd USENIX Workshop on Hot Topics in Security, HOTSEC'07, pages 10:110:6, Berkeley, CA, USA, 2007.

USENIX Association.

[28] Dinei Florêncio, Cormac Herley, and Paul C. van Oorschot. An administrator's guide to internet password research. In 28th Large Installation System Administration Conference (LISA14), Seattle, WA, November 2014. USENIX Association.

[29] Arash Habibi Lashkari, Samaneh Farmand, Omar Bin Zakaria, and Rosli Saleh. Shoulder surng attack in graphical password authentication. CoRR, abs/0912.0951, 2009.

[30] S. Chiasson, E. Stobert, A. Forget, R. Biddle, and P.C. Van Oorschot.

Persuasive cued click-points: Design, implementation, and evaluation of a knowledge-based authentication mechanism. Dependable and Secure Computing, IEEE Transactions on, 9(2):222235, March 2012.

[31] DotPass Security Discussion. www.lostminds.com/content/, 2014.

[32] Adam J. Aviv, Katherine Gibson, Evan Mossop, Matt Blaze, and Jonathan M. Smith. Smudge attacks on smartphone touch screens. In Proceedings of the 4th USENIX Conference on Oensive Technologies, WOOT'10, pages 17, Berkeley, CA, USA, 2010. USENIX Association.

APPENDIX

A. DATA

Table A.1: Login Times of Three Methods in The Lab Study Sessions (in the table, text-text Password, grid-gridWordX, char-charPattern ).

Session1(sec.) Session2(sec.) Average(sec.) text grid char text grid char text grid char 1 20.427 10.179 11.77 19.583 6.915 6.814 20 8 9 2 10.105 6.824 7.497 16.005 16.214 6.994 13 11 7 3 23.049 11.983 10.145 30.933 17.329 10.012 26 14 10 4 19.758 7.772 10.568 27.047 31.197 8.99 23 19 9 5 16.066 14.491 7.481 19.923 8.611 7.299 17 11 7 6 24.603 6.628 11.140 79.863 13.261 19.127 52 9 15 7 17.947 7.602 6.170 17.097 21.002 11.645 17 14 8 8 24.678 9.014 9.703 25.951 7.097 5.140 25 8 7 9 20.767 14.293 7.790 19.996 14.998 9.669 20 14 8 10 29.527 14.567 5.912 15.628 12.198 5.656 22 13 5 11 31.331 7.211 7.988 22.666 10.314 12.756 27 8 10 12 50.162 16.160 6.621 24.388 6.284 5.665 37 11 6 13 18.436 8.961 6.902 21.545 9.851 14.156 19 9 10 14 19.026 27.814 8.869 23.062 9.202 14.006 21 18 11 15 35.463 12.296 15.796 15.860 9.715 30.413 25 11 23 16 22.114 6.365 14.246 25.712 22.085 10.727 23 14 12 17 26.915 14.182 17.149 43.395 9.234 7.035 35 11 12 18 19.625 16.084 22.134 60.685 8.317 13.031 40 12 17 19 19.426 9.244 6.937 25.055 6.537 9.630 22 7 8 20 24.083 18.739 7.163 29.25 9.462 12.456 26 14 9 21 14.997 6.807 5.589 15.404 6.037 6.342 15 6 5 22 15.438 5.144 8.646 24.453 5.633 3.325 19 5 5 23 48.372 10.693 13.001 25.372 7.973 17.111 36 9 15 24 30.610 18.339 7.312 19.856 8.773 10.084 25 13 8 25 13.102 11.655 10.608 13.329 7.471 9.276 13 9 9

Table A.2: Login Times of Three Methods in The Web Study Sessions (denoted in the table: text-text Password, grid-gridWordX, char-charPattern ).

Session2(sec.) Session3(sec.) Average(sec.) text grid char text grid char text grid char

1 11 23.291 7.534 8 7.235 6.908 9 15 7

2 7 39.610 10.670 13 12.94 5.681 10 26 8

3 9 13.175 6.514 7 23.750 12.820 8 18 9

4 10 16.077 62.380 26 10.910 33.910 18 13 48

5 12 10.079 13.620 10 4.574 6.782 11 7 10

6 38 13.501 8.506 24 21.230 11.700 31 17 10

7 10 10.236 5.499 21 5.536 7.192 15 7 6

8 58 43.387 15.460 12 33.220 10.740 35 38 13 9 13 14.862 5.239 13 12.560 19.190 13 13 12 10 14 165.850 19.230 9 8.773 5.923 11 87 12 11 82 14.782 8.330 13 21.470 6.734 47 18 7 12 13 42.168 21.540 19 13.300 4.952 16 27 13 13 10 35.942 11.380 6 66.030 6.260 8 50 8 14 16 29.760 22.100 21 21.310 28.900 18 25 25 15 16 34.923 7.599 10 47.550 13.300 13 41 10 16 46 20.098 34.850 10 8.310 50.280 28 14 42

17 11 41.231 8.554 2 17.130 5.358 6 29 6

18 7 32.522 9.695 14 34.700 8.029 10 33 8 19 44 16.536 8.100 8 39.380 7.836 26 27 7 20 14 16.368 26.460 11 15.690 6.804 12 16 16

21 17 5.835 4.245 14 5.984 5.813 15 5 5

22 6 19.771 20.570 13 7.319 5.050 9 13 12

23 11 14.217 51.200 10 7.505 33.900 10 10 42 24 42 8.876 14.600 9 12.520 9.453 25 10 12

25 10 8.150 8.621 14 5.827 7.313 12 6 7

Table A.3: Times to Create Passwords with Three Methods.

Table A.4: The Number of Attempts until Successful Login with All Three Methods in The Web Study(in the table, text-textPassword, grid-gridWordX, char-charPattern).

Session 2 Session 3 text grid char text grid char

1 1 1 1 1 1 1

Table A.5: Shue Counts in gridWordX and charPattern.

Table A.6: The Answers to The Questionnaire.