A graphical password guiding image serves as a visual prompt to improve password memorability. However, passwords may be easily guessed if the guiding image contains hotspots, or commonly chosen (e.g., 'clickable') points that are predictable via automated means. In this paper, we propose a method to determine graphical password guiding image suitability in terms of potential password strength. Our method uses image saliency to measure image suitability; the higher the saliency, the more suitable the image. Next, we evaluate the regions of interest (e.g., circles, faces, and corners) of suitable images to predict the strength of resultant graphical passwords. We provide support for our method in two ways: first, we analyzed the guiding images and resulting graphical password strength from an existing dataset, and second, we conducted our own user study to measure the usability and memorability of the same guiding images in terms of registration, login and recall times. We found that the more visually salient the image, the stronger the resulting graphical passwords in terms of entropy, with little or no effect on usability and memorability. Furthermore, users tended to select more suitable images even when given the choice of less suitable images. Thus, our approach may be used to improve the strength of graphical passwords before the user chooses a single point or action, simply by excluding unsuitable guiding images.
Institute of Public Administration
Florida Institute of Technology