Annual Computer Security Applications Conference (ACSAC) 2008


On Purely Automated Attacks and Click-Based Graphical Passwords


Amirali Salehi-Abari
Carleton University
Canada

Julie Thorpe
Carleton University
Canada

Paul Van Oorschot
Carleton University
Canada

Abstract:
We present and evaluate various methods for purely automated attacks against click-based graphical passwords. Our purely automated methods combine click-order heuristics with focus-of-attention scan-paths generated from Itti et al.'s (1998) computational model of visual attention. Tested against previous work, our method yields a significantly better automated attack, guessing 8-15% of passwords for two representative images using dictionaries of fewer than 2^24.6 entries, and about 16% of passwords on each of these images using dictionaries of fewer than 2^31.4 entries (where the full password space is 43 bits). Relaxing our click-order pattern substantially increased the efficacy of our attack, albeit with larger dictionaries, allowing attacks that guessed 48% of passwords on one image and 54% of passwords on a second image in fewer than 2^35 guesses (compared to previous results of 0.9% and 9.1% on the same two images). These latter automated attacks are independent of focus-of-attention models, and in fact are based on image-independent guessing patterns. Our results show that automated attacks, which are easier to launch than human-seeded attacks and are more scalable to systems that use multiple images, pose a significant threat to PassPoints-style graphical passwords, and offer an effective alternative to human-seeded attacks.
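The abstract describes two dictionary-building strategies: one that orders a small set of salient candidate points with a click-order heuristic, and one that is image-independent and enumerates geometric patterns over the tolerance grid. The following is an added illustrative example, not code from the paper or its authors: it shows how such dictionaries are built and how their size in bits compares with the full password space. The image size, tolerance square, click count, the constructed candidate points (standing in for a saliency-model scan-path), the "left-to-right" click-order heuristic and the "straight line" pattern are all assumptions chosen for illustration, not the paper's actual parameters or patterns.

```python
"""Illustrative guess-dictionary construction for click-based (PassPoints-style)
graphical passwords. Added example; all parameters below are assumptions."""
from itertools import combinations
from math import log2

# Assumed system parameters (illustration only, not taken from the paper).
IMG_W, IMG_H = 451, 331          # image size in pixels
TOL = 19                         # tolerance square side in pixels
CLICKS = 5                       # clicks per password
COLS, ROWS = IMG_W // TOL, IMG_H // TOL   # 23 x 17 = 391 tolerance cells

# Constructed candidate points (x, y, saliency score), standing in for the
# focus-of-attention points a visual-attention model would produce.
POINTS = [
    (10, 20, 0.9), (40, 300, 0.7), (70, 150, 0.95), (100, 60, 0.4),
    (130, 210, 0.85), (160, 30, 0.6), (190, 280, 0.5), (220, 120, 0.8),
    (250, 90, 0.3), (280, 240, 0.65), (310, 170, 0.55), (340, 40, 0.75),
]


def cell(x, y):
    """Map a pixel click to its tolerance cell (column, row)."""
    return (x // TOL, y // TOL)


def bits(n):
    """Dictionary size expressed as an entropy-style bit count."""
    return log2(n) if n > 0 else float("-inf")


def full_space_bits():
    """Every ordered sequence of CLICKS cells is a candidate password."""
    return bits((COLS * ROWS) ** CLICKS)


def salient_cells(points, top_n):
    """Keep the top_n most salient points and map them to distinct cells."""
    ranked = sorted(points, key=lambda p: p[2], reverse=True)[:top_n]
    cells = []
    for x, y, _ in ranked:
        c = cell(x, y)
        if c not in cells:
            cells.append(c)
    return cells


def left_to_right(cells):
    """Assumed click-order heuristic: clicks proceed in increasing column."""
    return sorted(cells)


def attention_dictionary(points, top_n, order):
    """Every CLICKS-subset of the salient cells, emitted once in the order
    fixed by the click-order heuristic `order`."""
    cells = salient_cells(points, top_n)
    return {tuple(order(combo)) for combo in combinations(cells, CLICKS)}


def line_dictionary():
    """Assumed image-independent pattern: CLICKS cells on one row read left to
    right, or on one column read top to bottom, at any spacing."""
    guesses = set()
    for r in range(ROWS):
        for cols in combinations(range(COLS), CLICKS):
            guesses.add(tuple((c, r) for c in cols))
    for c in range(COLS):
        for rows in combinations(range(ROWS), CLICKS):
            guesses.add(tuple((c, r) for r in rows))
    return guesses


def guesses_to_crack(password_pixels, dictionary):
    """Number of guesses (in a fixed order) until the password's cell sequence
    is hit, or None if the dictionary never contains it."""
    target = tuple(cell(x, y) for x, y in password_pixels)
    for i, guess in enumerate(sorted(dictionary), 1):
        if guess == target:
            return i
    return None


if __name__ == "__main__":
    att = attention_dictionary(POINTS, 12, left_to_right)
    line = line_dictionary()
    print(f"full space: {full_space_bits():.1f} bits")
    print(f"attention dictionary: {len(att)} entries, {bits(len(att)):.1f} bits")
    print(f"line-pattern dictionary: {len(line)} entries, {bits(len(line)):.1f} bits")
    # Constructed passwords: one follows the left-to-right heuristic, one is
    # the same points clicked right to left, which the heuristic never guesses.
    forward = [(70, 150), (130, 210), (190, 280), (280, 240), (340, 40)]
    print("forward password found after", guesses_to_crack(forward, att))
    print("reversed password found after", guesses_to_crack(forward[::-1], att))
```

The point to take from running it: enforcing one click-order pattern over a dozen salient cells collapses the search to a few hundred guesses out of a roughly 2^43 space, while the image-independent line pattern costs about 2^19 guesses but needs no attention model at all. The caveat is equally visible: any password whose click order departs from the assumed pattern (the reversed sequence here) is missed outright, which is why relaxing the pattern buys coverage only at the price of a larger dictionary.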
