Facing the Facts about Image Type in Recognition-Based Graphical Passwords Max Hlywa Department of Psychology Carleton University Ottawa, Canada Robert Biddle School of Computer Science Carleton University Ottawa, Canada Andre S. Patrick Department of Psychology Carleton University Ottawa, Canada ADLab 4/9 ACSAC 2011


Page 1: Facing the Facts about Image Type in  Recognition-Based  Graphical Passwords

Facing the Facts about Image Type in Recognition-Based Graphical Passwords

Max Hlywa, Department of Psychology, Carleton University, Ottawa, Canada

Robert Biddle, School of Computer Science, Carleton University, Ottawa, Canada

Andre S. Patrick, Department of Psychology, Carleton University, Ottawa, Canada

ADLab 4/9

ACSAC 2011

Page 2: Facing the Facts about Image Type in  Recognition-Based  Graphical Passwords

Outline

Introduction

Background

First Study

Second Study

Discussion

Conclusions

Page 3: Facing the Facts about Image Type in  Recognition-Based  Graphical Passwords

Introduction

Current security systems suffer because they often fail to incorporate human factors knowledge in their design.

A usable password must be easy to remember. However, a secure password must be hard to guess.

Human memory recognition is typically more effective than recall.

Page 4: Facing the Facts about Image Type in  Recognition-Based  Graphical Passwords

This Paper Analyzes…

Page 5: Facing the Facts about Image Type in  Recognition-Based  Graphical Passwords

Background

Graphical Passwords

Visual Memory

Recognition vs. Recall

Face Recognition

Password Space

Page 6: Facing the Facts about Image Type in  Recognition-Based  Graphical Passwords

Graphical Passwords

Drawmetric schemes

Locimetric schemes

Cognometric schemes

Page 7: Facing the Facts about Image Type in  Recognition-Based  Graphical Passwords

Visual Memory

Pictures are recalled and recognized by humans more easily than words.

Dual-coding theory argues that memory of images is stronger than memory of words because images are more likely than words to be processed both visually and verbally.

Page 8: Facing the Facts about Image Type in  Recognition-Based  Graphical Passwords

Recognition vs. Recall

Recognition occurs when one correctly identifies someone or something that they already know, when it is presented to them at a later time.

Recall takes place when one thinks back in time and brings to mind information of which one was previously aware.

Example

Person’s Face vs. Person’s Name

Multiple Choice Questions vs. Essay Question

Page 9: Facing the Facts about Image Type in  Recognition-Based  Graphical Passwords

Face Recognition

There is an increasing amount of evidence that there may be regions of the brain dedicated to facial recognition and processing.

Example

Prosopagnosia (face blindness)

Visual agnosia (visual object agnosia)

Page 10: Facing the Facts about Image Type in  Recognition-Based  Graphical Passwords

Password Space

Theoretical password space (all mathematically possible combinations)

Effective password space (those combinations more likely to be chosen by the user)

Page 11: Facing the Facts about Image Type in  Recognition-Based  Graphical Passwords

Password Space (Cont.)

Page 12: Facing the Facts about Image Type in  Recognition-Based  Graphical Passwords

Password Space (Cont.)

theoretical password space = effective password space
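The relationship on this slide, worked through in Python as an added example that is not part of the original slides: it computes the theoretical space for the panel layouts the studies use, assigns a password uniformly at random, and estimates the effective space from per-image pick counts. The function names are hypothetical, the pick counts are constructed rather than study data, and panels are assumed independent with the same bias.

```python
import math
import secrets

def theoretical_bits(panels, images_per_panel):
    """log2 of every mathematically possible password (one image per panel)."""
    return panels * math.log2(images_per_panel)

def assign_password(panels, images_per_panel):
    """System-assigned password: one uniformly random image index per panel."""
    return [secrets.randbelow(images_per_panel) for _ in range(panels)]

def effective_bits(choice_counts, panels):
    """Estimate the effective space from how often each image was picked.

    Assumes every panel shows the same bias and panels are independent.
    Returns (Shannon bits, min-entropy bits) for the whole password.
    """
    total = sum(choice_counts)
    probs = [c / total for c in choice_counts if c > 0]
    shannon = -sum(p * math.log2(p) for p in probs)
    min_entropy = -math.log2(max(probs))  # set by the single most popular image
    return panels * shannon, panels * min_entropy

# Panel layouts named in the slides.
FIRST_STUDY = (6, 26)   # 6 panels of 26 images
SECOND_STUDY = (5, 16)  # 5 panels of 16 images

# Constructed pick counts for one 16-image panel (not study data).
UNIFORM_PICKS = [5] * 16        # random assignment: every image equally likely
SKEWED_PICKS = [15] + [1] * 15  # user choice: half of all picks hit one image

if __name__ == "__main__":
    for name, layout in (("first study", FIRST_STUDY), ("second study", SECOND_STUDY)):
        print(f"{name}: {theoretical_bits(*layout):.1f} bits theoretical")
    print("assigned password:", assign_password(*SECOND_STUDY))
    for name, picks in (("uniform", UNIFORM_PICKS), ("skewed", SKEWED_PICKS)):
        shannon, worst = effective_bits(picks, SECOND_STUDY[0])
        print(f"{name}: Shannon {shannon:.1f} bits, min-entropy {worst:.1f} bits")
```

With uniform picks the effective estimate equals the theoretical 20 bits; with the skewed counts a guesser who tries the popular image first faces only 5 bits of min-entropy.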

Page 13: Facing the Facts about Image Type in  Recognition-Based  Graphical Passwords

First Study

Design

faces, everyday objects, houses.

6 panels of 26 images (28 bits)

60 participants (between-subjects)

Their age ranged from 18 to 43 (M=21.1, SD=4.42)

Page 14: Facing the Facts about Image Type in  Recognition-Based  Graphical Passwords

First Study (Cont.)

Authentication system

Page 15: Facing the Facts about Image Type in  Recognition-Based  Graphical Passwords

First Study (Cont.)

Execute

Participants were assigned three graphical passwords randomly.

We sent the participants email several times over the course of a week, asking them to log in from home and comment on articles on each of the websites.

If passwords were forgotten they could be reset.

Participants were not encouraged to write down their passwords.

The system logged all password-related activity on the websites.

Page 16: Facing the Facts about Image Type in  Recognition-Based  Graphical Passwords

Result

Number of passwords remembered

House images: M=1.15, SD=1.31

Face images: M=1.90, SD=1.37

Object images: M=2.35, SD=0.93

Page 17: Facing the Facts about Image Type in  Recognition-Based  Graphical Passwords

Result (Cont.)

Mean memory time: the average amount of time between the first and last successful login (hours).

Page 18: Facing the Facts about Image Type in  Recognition-Based  Graphical Passwords

Result (Cont.)

Average login time

House images: M=83.06, SD=54.75

Face images: M=41.45, SD=14.18

Object images: M=31.03, SD=16.63

Page 19: Facing the Facts about Image Type in  Recognition-Based  Graphical Passwords

Implications

There was no evidence that face images were the best image type.

Roughly half of all passwords were forgotten by the end of the one-week study.

The cognometric scheme traditionally employs 3 or 4 panels of 9 images and has been shown to be quite usable.

Page 20: Facing the Facts about Image Type in  Recognition-Based  Graphical Passwords

Second Study

Design (First)

faces, everyday objects, houses.

6 panels of 26 images (28 bits)

60 participants (between-subjects)

Their age ranged from 18 to 43 (M=21.1, SD=4.42)

Design (Second)

faces, everyday objects.

5 panels of 16 images (20 bits)

20 participants (within-subjects)

Age?

Page 21: Facing the Facts about Image Type in  Recognition-Based  Graphical Passwords

Result

Mean Max Memory Time

Face images: M=167.8, SD=51.73

Object images: M=168.5, SD=42.79

Page 22: Facing the Facts about Image Type in  Recognition-Based  Graphical Passwords

Result (Cont.)

Successful Login Time

Face images: M=35.96, SD=18.10

Object images: M=22.55, SD=10.02

Page 23: Facing the Facts about Image Type in  Recognition-Based  Graphical Passwords

Implications

Changing the password space

Login times were much quicker.

95% of the object image passwords and 87% of the face image passwords assigned in the second study were remembered for the entire week.

17/20 participants indicated a preference for object images, often citing increased distinctiveness as their reason.

Page 24: Facing the Facts about Image Type in  Recognition-Based  Graphical Passwords

Discussion

Object > Face > House

Object

shape, size, color, white backgrounds

tools, toys, food, flowers, stationery items, furniture, and more.

Face

age, race, gender, expression, etc.

Experience

Brief verbalization

Login time

Page 25: Facing the Facts about Image Type in  Recognition-Based  Graphical Passwords

Conclusions

It has been suggested that face images are the ideal image type, but we found no evidence to support that claim.

Although we may have a special ability to process and memorize faces, this does not necessarily lead to a superior ability.

Randomly assigned passwords would be preferable.