DOI: 10.1145/3052973.3053041
short-paper

Pass-O: A Proposal to Improve the Security of Pattern Unlock Scheme

Published: 02 April 2017

Abstract

The graphical pattern unlock scheme, which requires users to connect a minimum of 4 nodes on a 3X3 grid, is one of the most popular authentication mechanisms on mobile devices. However, prior research suggests that users' pattern choices are highly biased and hence vulnerable to guessing attacks. Moreover, 3X3 pattern choices are devoid of features such as longer stroke lengths, direction changes and intersections that are considered to be important in preventing shoulder-surfing attacks. We attribute these insecure practices to the geometry of the grid and its complicated drawing rules, which prevent users from realising the full potential of graphical passwords. In this paper, we propose and explore an alternate circular layout referred to as Pass-O which, unlike the grid layout, allows connection between any two nodes, thus simplifying the pattern drawing rules. Consequently, Pass-O produces a theoretical search space of 9,85,824, almost 2.5 times greater than that of the 3X3 grid layout. We compare the security of 3X3 and Pass-O patterns theoretically as well as empirically. Theoretically, Pass-O patterns are uniform and have greater visual complexity due to a large number of intersections. To perform the empirical analysis, we conduct a large-scale web-based user study and collect more than 1,23,000 patterns from 21,053 users. After examining user-chosen 3X3 and Pass-O patterns across different metrics such as pattern length, stroke length, start point, end point, repetitions, number of direction changes and intersections, we find that Pass-O patterns are much more secure than 3X3 patterns.
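The search-space comparison in the abstract can be checked by enumeration. The script below is an added example, not code from the paper: it counts valid patterns by depth-first search, assuming the standard Android 3X3 rule (a stroke may not pass over an unvisited node) and, for Pass-O, nine nodes, a minimum length of 4 and no node reuse. Under those assumptions it reproduces the abstract's figure of 9,85,824 (985,824) against 389,112 for the grid.

```python
MIN_LEN = 4   # minimum nodes per pattern, as stated in the abstract
NODES = 9     # 3X3 grid; assumed to be the node count for Pass-O too


def grid_blockers():
    """Map (a, b) -> the node lying exactly between a and b on the 3X3 grid."""
    mid = {}
    for a in range(NODES):
        for b in range(NODES):
            (ra, ca), (rb, cb) = divmod(a, 3), divmod(b, 3)
            # A midpoint node exists only when both coordinate sums are even.
            if a != b and (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
                mid[(a, b)] = ((ra + rb) // 2) * 3 + (ca + cb) // 2
    return mid


def count_patterns(blockers):
    """Count patterns of MIN_LEN..NODES distinct nodes under a blocking rule.

    blockers maps an ordered node pair to the node that must already be
    visited before that stroke is legal; an empty dict means any-to-any.
    """
    def dfs(last, visited, length):
        total = 1 if length >= MIN_LEN else 0
        for nxt in range(NODES):
            if (visited >> nxt) & 1:
                continue                      # node already used
            m = blockers.get((last, nxt))
            if m is not None and not (visited >> m) & 1:
                continue                      # would jump an unvisited node
            total += dfs(nxt, visited | (1 << nxt), length + 1)
        return total

    return sum(dfs(start, 1 << start, 1) for start in range(NODES))


def compare():
    """Return (grid_count, pass_o_count, ratio)."""
    grid = count_patterns(grid_blockers())
    pass_o = count_patterns({})               # circular layout: no blockers
    return grid, pass_o, pass_o / grid


if __name__ == "__main__":
    grid, pass_o, ratio = compare()
    print(f"3X3 grid: {grid}  Pass-O: {pass_o}  ratio: {ratio:.2f}")
```

The same `count_patterns` function serves both layouts; the only difference between the two schemes at this level is the blocker table, which is what the abstract means by simpler drawing rules.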


Published In

ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security
April 2017
952 pages
ISBN: 9781450349444
DOI: 10.1145/3052973
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. graphical passwords
  2. guessing
  3. security
  4. shoulder-surfing

Qualifiers

  • Short-paper

Conference

ASIA CCS '17
Acceptance Rates

ASIA CCS '17 Paper Acceptance Rate 67 of 359 submissions, 19%;
Overall Acceptance Rate 418 of 2,322 submissions, 18%

Cited By

  • (2024) Advanced Agriculture System Using IoT. Proceedings of Third International Symposium on Sustainable Energy and Technological Advancements. 10.1007/978-981-97-6976-6_29 (393-410). Online publication date: 10-Dec-2024
  • (2023) Story-based authentication for mobile devices using semantically-linked images. International Journal of Human-Computer Studies. 10.1016/j.ijhcs.2022.102967. 171:C. Online publication date: 1-Mar-2023
  • (2023) Hollow-Pass: A Dual-View Pattern Password Against Shoulder-Surfing Attacks. Cyber Security, Cryptology, and Machine Learning. 10.1007/978-3-031-34671-2_18 (251-272). Online publication date: 21-Jun-2023
  • (2022) Bu-Dash: a universal and dynamic graphical password scheme (extended version). International Journal of Information Security. 10.1007/s10207-022-00642-2. 22:2 (381-401). Online publication date: 4-Dec-2022
  • (2022) Bu-Dash: A Universal and Dynamic Graphical Password Scheme. HCI for Cybersecurity, Privacy and Trust. 10.1007/978-3-031-05563-8_14 (209-227). Online publication date: 26-Jun-2022
  • (2020) Enhancing the Security of Pattern Unlock with Surface EMG-Based Biometrics. Applied Sciences. 10.3390/app10020541. 10:2 (541). Online publication date: 11-Jan-2020
  • (2020) Double Patterns: A Usable Solution to Increase the Security of Android Unlock Patterns. Proceedings of the 36th Annual Computer Security Applications Conference. 10.1145/3427228.3427252 (219-233). Online publication date: 7-Dec-2020
  • (2020) Twice as Nice? A Preliminary Evaluation of Double Android Unlock Patterns. Extended Abstracts of the 2020 CHI Conference on Human Factors in Computing Systems. 10.1145/3334480.3382922 (1-7). Online publication date: 25-Apr-2020
  • (2019) Force vs. Nudge. Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. 10.1145/3319535.3363250 (2537-2539). Online publication date: 6-Nov-2019
