empirical approach towards investigating usability, guessability and social factors affecting graphical based passwords security


Glasgow Theses Service, http://theses.gla.ac.uk/, theses@gla.ac.uk

Jebriel, Salem Meftah (2014) Empirical approach towards investigating usability, guessability and social factors affecting graphical based passwords security. PhD thesis. http://theses.gla.ac.uk/5399/

Copyright and moral rights for this thesis are retained by the author. A copy can be downloaded for personal non-commercial research or study, without prior permission or charge. This thesis cannot be reproduced or quoted extensively from without first obtaining permission in writing from the Author. The content must not be changed in any way or sold commercially in any format or medium without the formal permission of the Author. When referring to this work, full bibliographic details including the author, title, awarding institution and date of the thesis must be given.

Empirical Approach Towards Investigating Usability, Guessability and Social Factors Affecting Graphical Based Passwords Security

By Salem Meftah Jebriel (alsewi@dcs.gla.ac.uk)
Submitted in fulfilment of the requirements for the degree of Doctor of Philosophy
School of Computing Science, College of Science and Engineering, University of Glasgow
September 2013 (PhD Thesis, Sep 2013)

Declaration

I declare that this thesis was composed by myself and that the work contained therein is my own, except where explicitly stated otherwise in the text. (Salem Meftah Jebriel)

Abstract

This thesis investigates the usability and security of recognition-based graphical authentication schemes in which users provide simple images. These images can either be drawn on paper and scanned into the computer, or alternatively, they can be created with a computer paint program.

In our first study, we looked at how culture and gender might affect the types of images drawn. A large number of simple drawings were provided by Libyan, Scottish and Nigerian participants and then divided into categories. Our research found that many doodles (perhaps as many as 20%) contained clues about the participants' own culture or gender. This figure could be reduced by providing simple guidelines on the types of drawings which should be avoided.

Our second study continued this theme and asked the participants to try to guess the culture of the person who provided the image. This provided examples of easily guessable and harder-to-guess images.

In our third study we built a system to automatically register simple images provided by users. This involved creating a website where the users could register their images and which they could later log in to. Image analysis software was also written which corrected any mistakes the user might make when scanning in their images or using the Paint program. This research showed that it was possible to build an automatic registration system, and that users preferred using a paint tool rather than drawing on paper and then scanning in the drawing. This study also exposed poor security in some user habits, since many users kept their drawings or image files. This research represents one of the first studies of interference effects where users have to choose two different graphical passwords: around half of the users provided a very similar set of drawings.

The last study conducted an experiment to find the best way of avoiding 'shoulder surfing' attacks when selecting simple images during the login stage. Pairs of participants played the parts of the observer and the user logging in. The most secure approaches were selecting using a single keystroke and selecting rows and columns with two keystrokes.

Table of Contents

Abstract
Acknowledgements

Chapter One: Introduction
1.1 Introduction to User Authentication
1.1.1 Hand-drawn images and culture familiarity
1.1.2 Why use hand-drawn images rather than other images?
1.2 Motivation
1.3 Thesis Statement
1.4 Thesis Contributions and Publications
1.5 Overview of the Thesis

Chapter Two: Literature Review
2.1 Classification of Graphical Password Systems
2.2 The Security and Usability of Graphical Passwords
2.2.1 Security of Graphical Passwords
2.2.2 Usability of Graphical Passwords
2.2.3 Memorability
2.3 Recognition-Based Graphical Passwords
2.3.1 Déjà Vu
2.3.2 PassFace
2.3.3 Story Scheme, Everyday Objects
2.3.4 Summary and a Comparison of Other GUA Algorithms Based on Recognition Schemes
2.4 Recall-Based Graphical Passwords
2.4.1 Draw A Secret
2.4.2 Yet Another Graphical Password (YAGP)
2.4.3 Summary and a Comparison of Other GUA Algorithms Based on Recall Schemes
2.5 Cued Recall-Based Graphical Passwords
2.5.1 Blonder System
2.5.2 PassPoints Scheme
2.5.3 Summary and a Comparison of Other GUA Algorithms Based on Cued Recall Schemes
2.6 Hand-Drawn Doodles in Graphical User Authentication (GUA)
2.6.1 Doodling as a Secondary Task
2.6.2 Doodles as Generalised Signatures
2.6.3 Handwing
2.6.4 Choosing Distractors
2.7 Reviews of Graphical Passwords
2.7.1 Entropy of Picture and Text Passwords
2.7.2 Shoulder-Surfing Using Graphical Passwords
2.8 Culture Effects on Computing and Drawings
2.8.1 Culture
2.8.2 Cultural Effects on Recognition-Based Graphical Password Authentication
2.8.3 Cultural Effects on Drawings
2.9 Summary

Chapter Three: Cultural Aspects of User Drawn Images for Authentication
3.1 Introduction
3.2 The Aim of This Study
3.3 Experimental Procedure
3.3.1 Participants
3.3.2 Method
3.3.3 Data Collection
3.4 Results and Explanations
3.4.1 Computer Usage
3.4.2 Hand-Drawn Task
3.5 Cultural Aspects of User Drawn Images
3.6 Analysis of the Results
3.7 Discussion
3.7.1 Computer and Internet Usage
3.7.2 Creativity in Drawing
3.7.3 Acceptability of Using Drawings for Authentication in a Muslim Country
3.8 Conclusion
3.8.1 Limitations

Chapter Four: Exploring the Guessability of Hand Drawn Images Based on Cultural Characteristics
4.1 Introduction
4.2 Experimental Details
4.2.1 Participant Information and Time Required
4.2.2 Experimental Design
4.2.3 Experimental Procedure
4.3 Results and Discussion
4.3.1 The Most Guessed and Un-guessed Image by All Users
4.3.2 Guessability by Gender
4.3.3 The Most Guessed and Un-guessed Image by Nationality
4.3.4 The Users Who Guessed the Most Images
4.3.5 Overall Guessed Images Drawn by Cultural Groups and by Categories
4.4 Discussion
4.5 Conclusion

Chapter Five: Automatic Registration of User Drawn Graphical Passwords
5.1 Introduction
5.1.1 Registration When the System Provides the Images
5.1.2 Registration When the User Provides the Images
5.1.3 Automatic Registration of User Drawn Images
5.2 Drawing on Paper, Scanning and Image Analysis
5.2.1 Design of the Drawing Form
5.2.2 Java and Image File Format
5.2.3 Finding the Edges of the Boxes
5.2.4 Correcting Drawing and Scanning Errors
5.3 Using Paint Software
5.3.1 Correcting Paint Errors
5.4 The Website
5.4.1 Offensive Images
5.4.2 Authentication (Log In)
5.5 Experimental Procedure
5.5.1 Details of the Questionnaire
5.5.2 Pilot Study
5.5.3 The Experiment Itself
5.6 Experiment Results
5.6.1 The Participants
5.6.2 Dropout Rates
5.6.3 Satisfaction
5.6.4 User Preference
5.6.5 Use of Images after Registration
5.6.6 Login Success Rate
5.6.7 A Comparison of Drawing Styles
5.6.8 Failure to Follow Instructions
5.6.9 Registration Times
5.6.10 Login Time
5.7 Discussion
5.8 Conclusions
5.9 Chapter Summary

Chapter Six: Shoulder Surfing and Recognition-Based Graphical Passwords
6.1 Introduction
6.2 Recognition-Based Graphical Authentication
6.3 Experiment Details
6.3.1 Numeric Type
6.3.2 Numeric and Alphabetic Type
6.3.3 Columns and Rows Type (Matrix)
6.3.4 Clicking Type
6.4 Evaluation Assessments
6.5 Results
6.5.1 Questionnaire Responses
6.5.2 Effectiveness of the Observers
6.5.3 Time to Enter Data
6.6 Discussion
6.6.1 Numeric and Numeric & Alphabetic Types
6.6.2 Matrix Type
6.6.3 Mouse Type
6.7 Conclusion and Future Work

Chapter Seven: Conclusions and Future Work
7.1 Introduction
7.2 Research Contributions and Achievements
7.3 Thesis Summary
7.4 Future Work
7.4.1 Future Work Suggestions for Chapter 3 and Chapter 4
7.4.2 Future Work Suggestions for Chapter 5
7.4.3 Future Work Suggestions for Chapter 6

Bibliography
Appendix A
Appendix B
Appendix C
Appendix D
Appendix E

Table of Figures

Figure 2-1 Layered Model of Usability
Figure 2-2 Déjà Vu
Figure 2-3 PassFaces Scheme
Figure 2-4 Convex Hull Clicks Scheme
Figure 2-5 Jansen Scheme
Figure 2-6 Story Scheme
Figure 2-7 Handwing Scheme
Figure 2-8 3-D Scheme
Figure 2-9 Tricerion SMA Scheme
Figure 2-10 Vidoop Scheme
Figure 2-11 RGGPW Scheme
Figure 2-12 Use Your Illusion Scheme
Figure 2-13 Jetafida Scheme
Figure 2-14 Two Step, a Hybrid Scheme
Figure 2-15 Mikons Scheme
Figure 2-16 Draw A Secret (DAS)
Figure 2-17 YAGP Scheme
Figure 2-18 Passdoodle Scheme
Figure 2-19 Grid Selection Scheme
Figure 2-20 Master Doodle Scheme
Figure 2-21 EyePass Scheme
Figure 2-22 Recall a Story Scheme
Figure 2-23 Recall Based Shape Scheme
Figure 2-24 Blonder's Scheme
Figure 2-25 PassPoints Scheme
Figure 2-26 V-Go Scheme
Figure 2-27 VisKey Scheme
Figure 2-28 PassGo Scheme
Figure 2-29 BDAS Scheme
Figure 2-30 CCP Scheme
Figure 2-31 Multifactor Click Points Scheme
Figure 2-32 CDS Scheme
Figure 2-33 Cued Recall Grid Scheme
Figure 2-34 CD-GPS Scheme
Figure 2-35 GeoPass Scheme

[...]

Excerpts from the thesis (preview fragments, in the order shown on the page)

[...] the security of graphical passwords, including the threats encountered by recognition-based systems, and also defines usability and describes the usability elements of graphical passwords. Section 2.3 reviews the definition and background of Recognition-Based Graphical Passwords. Section 2.4 reviews the definition and background of Recall-Based Graphical Passwords. Section 2.5 reviews the definition and [...]

[...] recall. Most recognition-based graphical passwords use pictures, images and photos; see Chapter Two for examples. In this thesis, hand-drawn images are suggested for use as a recognition-based graphical technique, particularly at the registration stage, through two different methods, Scan and Paint. The concept of using hand-drawn images (doodles) as recognition-based graphical passwords was introduced [...]

[...] Based Graphical Passwords. Section 2.6 presents some graphical passwords based on hand-drawn images. Section 2.7 highlights some reviews of graphical passwords. Section 2.8 considers and describes cross-cultural studies of graphical passwords in terms of drawings. Finally, Section 2.9 presents the summary of this chapter.

2.1 Classification of Graphical Password Systems

Many studies have classified graphical passwords [...]

However, only a few graphical password systems can be classified as based on self-performed tasks where the users have to create their passwords from scratch, such as graphical passwords based on Mikons [68] and those based on standard shapes [69]. Both of these are discussed in more detail later in this thesis.

2.3 Recognition-Based Graphical Passwords

The [...]

[...] choice and usage of drawn images as passwords. It describes a comparison of selecting and drawing everyday pictures or doodles, details of their analysis, and explains how culture may play a role when drawing and selecting doodles, and compares the different results obtained from Scots, Libyans and Nigerians. Chapter Four focuses on one of the most important security issues related to graphical passwords: guessability [...]

[...] literature related to graphical passwords in general. It also explores some security and strategic usability issues involved with graphical passwords in detail, such as threats and vulnerabilities and the usability layers of such systems. This chapter is divided into nine sections and is organized as follows. The first section gives an overview of the classification of graphical passwords. Section [...]

[...] polyphonics, and hand signatures for authentication [14]. Graphical passwords are another alternative to text passwords. These were introduced in 1996 by Blonder [15]. The idea of using graphical passwords instead of textual passwords was based on some psychological studies [16] which indicated that people can remember pictures better than words. Additionally, user studies have shown that graphical passwords [...]

List of Tables

Table 2-1 Usability features and possible attacks on recognition-based graphical passwords
Table 2-2 Usability features and possible attacks on recall-based graphical passwords
Table 2-3 Usability features and possible attacks on cued recall-based graphical passwords
Table 3-1 Comparison of Aljahdali and Poet and the presented study
Table 3-2 The numbers are [...]

[...] The present research focuses on recognition-based systems, but the literature on recall and cued recall is also mentioned to provide a complete picture of this subject area.

2.2 The Security and Usability of Graphical Passwords

2.2.1 Security of Graphical Passwords

Many studies in this chapter will show that security and usability are related to each other [...]

[...] rate of error by both users and systems, and subjective satisfaction, as discussed by Sollie [52].

2.2.2.2 Memorability

Memorability is the main usability issue when considering passwords, and the various studies mentioned above and others have focused on how users can remember graphical passwords and what factors affect doing so, such as human factors (primary memory and long-term memory). Some [...]
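The abstract and the Chapter Six outline describe a recognition-based login in which the user picks their registered images out of a grid, selecting by a single keystroke or by a row-and-column pair of keystrokes, and Section 2.7.1 compares the entropy of picture and text passwords. The following Python is an added example written for this page, not code from the thesis or its website. It assumes a scheme of its own choosing: a secret of k images drawn from a pool of n, all n shown in a square grid whose layout is reshuffled on every login, and selection by a row letter followed by a column digit (the two-keystroke "matrix" style). It computes the theoretical password space of such a scheme against a short text password, verifies a login, and shows why an observer who recorded only the keystrokes cannot replay them on a fresh layout. The thesis's own grid sizes, secret sizes and layout policy may differ.

```python
import math
import random
import string
from typing import Dict, List, Sequence, Set

# Illustrative parameters (assumed, not taken from the thesis): a 4x4 grid of
# 16 candidate images, of which the user registered k = 3 as the secret.
POOL_SIZE = 16
SECRET_SIZE = 3


def password_space(n: int, k: int) -> int:
    """Distinct secrets when a secret is an unordered k-subset of n images."""
    return math.comb(n, k)


def entropy_bits(n: int, k: int) -> float:
    """log2 of the password space, comparable with text-password entropy."""
    return math.log2(password_space(n, k))


def text_entropy_bits(alphabet_size: int, length: int) -> float:
    """Theoretical entropy of a uniformly random text password of this length."""
    return length * math.log2(alphabet_size)


def build_grid(images: Sequence[str], rng: random.Random) -> List[List[str]]:
    """Lay every candidate image out in a square grid in a fresh random order."""
    side = math.isqrt(len(images))
    if side * side != len(images) or side > 9:
        raise ValueError("pool must be a perfect square no larger than 9x9")
    order = list(images)
    rng.shuffle(order)
    return [order[r * side:(r + 1) * side] for r in range(side)]


def cell_label(row: int, col: int) -> str:
    """Two-keystroke label for a cell: row letter, then column digit (e.g. 'B3')."""
    return f"{string.ascii_uppercase[row]}{col + 1}"


def resolve(grid: List[List[str]], label: str) -> str:
    """Map a two-keystroke label back to whichever image is in that cell now."""
    side = len(grid)
    if len(label) != 2 or not label[1].isdigit():
        raise ValueError(f"malformed selection {label!r}")
    row = string.ascii_uppercase.find(label[0])
    col = int(label[1]) - 1
    if not (0 <= row < side and 0 <= col < side):
        raise ValueError(f"selection {label!r} is off the grid")
    return grid[row][col]


def labels_for(grid: List[List[str]], pass_images: Set[str]) -> List[str]:
    """The keystrokes a legitimate user types for this particular layout."""
    return [cell_label(r, c)
            for r, row in enumerate(grid)
            for c, img in enumerate(row) if img in pass_images]


def verify(grid: List[List[str]], pass_images: Set[str],
           keystrokes: Sequence[str]) -> bool:
    """Accept only if the selected cells hold exactly the registered images.

    Malformed, duplicate, missing or extra selections all fail closed.
    """
    if len(set(keystrokes)) != len(keystrokes):
        return False
    try:
        chosen = {resolve(grid, lab) for lab in keystrokes}
    except ValueError:
        return False
    return chosen == set(pass_images)


def replay_attack(recorded: Sequence[str], fresh_grid: List[List[str]],
                  pass_images: Set[str]) -> bool:
    """An observer who saw only the keys typed replays them on a fresh layout."""
    return verify(fresh_grid, pass_images, recorded)


def demo(seed: int = 1) -> Dict[str, object]:
    """One registration, one honest login and one keystroke-only replay."""
    rng = random.Random(seed)   # deterministic for the demo; use secrets.SystemRandom in production
    pool = [f"img{i:02d}" for i in range(POOL_SIZE)]          # constructed image names
    secret = set(rng.sample(pool, SECRET_SIZE))                # images the user registered
    grid_at_login = build_grid(pool, rng)
    typed = labels_for(grid_at_login, secret)
    grid_next_time = build_grid(pool, rng)
    return {
        "legit_login": verify(grid_at_login, secret, typed),
        "replay_succeeds": replay_attack(typed, grid_next_time, secret),
        "space": password_space(POOL_SIZE, SECRET_SIZE),
        "bits": round(entropy_bits(POOL_SIZE, SECRET_SIZE), 1),
        "pin4_bits": round(text_entropy_bits(10, 4), 1),
    }


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner should take from running this. First, the password space of a single 4x4 grid with three pass-images is C(16, 3) = 560 possibilities, about 9.1 bits, which is less than a four-digit PIN (about 13.3 bits); any recognition-based scheme of this shape therefore depends on server-side throttling and lockout, not on the secret's size, to resist online guessing. Second, the keystroke-replay defence holds only under the assumed per-login reshuffle and only against an observer who did not also see the screen; an observer who watches both the grid and the keys still learns which images were chosen, which is the shoulder-surfing condition the Chapter Six experiment measures with human observers.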

Posted: 22/12/2014, 20:20
