Facing the Facts about Image Type in Recognition-Based Graphical Passwords ACSAC 2011 Max Hlywa Department of Psychology Carleton University Ottawa, Canada Robert Biddle School of Computer Science Carleton University Ottawa, Canada Andrew S. Patrick Department of Psychology Carleton University Ottawa, Canada ADLab 4/9
Outline • Introduction • Background • First Study • Second Study • Discussion • Conclusions
Introduction • Current security systems suffer because they often fail to incorporate human factors knowledge in their design. • A usable password must be easy to remember. However, a secure password must be hard to guess. • Human memory recognition is typically more effective than recall.
Background • Graphical Passwords • Visual Memory • Recognition vs. Recall • Face Recognition • Password Space
Graphical Passwords • Drawmetric schemes • Locimetric schemes • Cognometric schemes
Visual Memory • Pictures are recalled and recognized by humans more easily than words. • Dual-coding theory argues that memory of images is stronger than memory of words because images are more likely than words to be processed both visually and verbally.
Recognition vs. Recall • Recognition occurs when one correctly identifies someone or something that they already know, when it is presented to them at a later time. • Recall takes place when one thinks back in time and brings to mind information of which one was previously aware. • Example • Person’s Face vs. Person’s Name • Multiple Choice Questions vs. Essay Question
Face Recognition • There is an increasing amount of evidence that there may be regions of the brain dedicated to facial recognition and processing. • Example • Prosopagnosia (face blindness) • Visual agnosia (Visual object agnosia)
Password Space • theoretical password space (all mathematically possible combinations) • effective password space (those combinations more likely to be chosen by user)
Password Space(Cont.) • theoretical password space = effective password space
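Added example, not taken from the slides or the paper: it computes the theoretical password space for the panel layouts named in this deck and compares it with the effective space when users choose their own images. The function names and the skewed choice distribution are constructed assumptions; only the panel sizes come from the slides.

```python
import math

def theoretical_bits(panels, images_per_panel):
    """log2 of every possible password: one image picked on each panel."""
    return panels * math.log2(images_per_panel)

def effective_bits(panel_probs, panels):
    """Entropy of user-chosen passwords, in bits.

    panel_probs: probability that each image on a panel is picked
    (assumed identical and independent across panels).
    Returns (shannon_bits, min_entropy_bits); min-entropy bounds the
    success of an attacker who tries the most popular password first.
    """
    if abs(sum(panel_probs) - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")
    shannon = -sum(p * math.log2(p) for p in panel_probs if p > 0)
    min_entropy = -math.log2(max(panel_probs))
    return panels * shannon, panels * min_entropy

# Panel layouts stated in the slides.
LAYOUTS = {"first study": (6, 26), "second study": (5, 16),
           "traditional 4x9": (4, 9)}

# Constructed distribution: on a 16-image panel, 4 "popular" images
# attract 60% of choices; the other 12 share the remaining 40%.
SKEWED = [0.15] * 4 + [0.4 / 12] * 12
UNIFORM = [1 / 16] * 16   # random assignment by the system

if __name__ == "__main__":
    for name, (panels, images) in LAYOUTS.items():
        print(f"{name}: {theoretical_bits(panels, images):.1f} bits")
    for label, probs in (("assigned", UNIFORM), ("user-chosen", SKEWED)):
        shannon, min_ent = effective_bits(probs, 5)
        print(f"{label}: Shannon {shannon:.1f}, min-entropy {min_ent:.1f}")
```

With random assignment the effective space equals the theoretical 20 bits; under the constructed skew the min-entropy drops to about 13.7 bits even though the layout is unchanged.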
First Study • Design • faces, everyday objects, houses. • 6 panels of 26 images (28 bits) • 60 participants (between-subjects) • Their age ranged from 18 to 43 (M=21.1, SD=4.42)
First Study(Cont.) • Authentication system
First Study(Cont.) • Execute • Participants were assigned three graphical passwords randomly. • We sent the participants email several times over the course of a week, asking them to log in from home and comment on articles on each of the websites. • If passwords were forgotten they could be reset. • Not encouraged to write down password. • System logged all password-related activity on the websites.
Result • Number of passwords remembered • House images • M=1.15, SD=1.31 • Face images • M=1.90, SD=1.37 • Object images • M=2.35, SD=0.93
Result(Cont.) • Mean memory time: the average amount of time (in hours) between the first and last successful login.
Result(Cont.) • Average login time • House images • M=83.06, SD=54.75 • Face images • M=41.45, SD=14.18 • Object images • M=31.03, SD=16.63
Implications • There was no evidence that face images were the best image type. • Roughly half of all passwords were forgotten by the end of the one week study. • The cognometric scheme traditionally employs 3 or 4 panels of 9 images and has been shown to be quite usable.
Second Study • Design(First) • faces, everyday objects, houses. • 6 panels of 26 images (28 bits) • 60 participants (between-subjects) • Their age ranged from 18 to 43 (M=21.1, SD=4.42) • Design(Second) • faces, everyday objects. • 5 panels of 16 images (20 bits) • 20 participants (within-subjects) • Age?
Result • Mean Max Memory Time • Face images • M=167.8, SD=51.73 • Object images • M=168.5, SD=42.79
Result(Cont.) • Successful Login Time • Face images • M=35.96, SD=18.10 • Object images • M=22.55, SD=10.02
Implications • Changing the password space • Login times were much quicker. • 95% of the object image passwords and 87% of the face image passwords assigned in the second study were remembered for the entire week. • 17/20 participants indicated a preference for object images, often citing increased distinctiveness as their reason.
Discussion • Object > Face > House • Object • shape, size, color, white backgrounds • tools, toys, food, flowers, stationery items, furniture, and more. • Face • age, race, gender, expression, etc. • Experience • Brief verbalization • Login time
Conclusions • It has been suggested that face images are the ideal image type, but we found no evidence to support that claim. • We may have a special ability to process and memorize faces, but this does not necessarily lead to a superior ability. • Randomly assigned passwords would be preferable.