On user choice in graphical password schemes

Publication, Conference
Davis, D; Monrose, F; Reiter, MK
Published in: Proceedings of the 13th USENIX Security Symposium
January 1, 2004

Graphical password schemes have been proposed as an alternative to text passwords in applications that support graphics and mouse or stylus entry. In this paper we detail what is, to our knowledge, the largest published empirical evaluation of the effects of user choice on the security of graphical password schemes. We show that permitting user selection of passwords in two graphical password schemes, one based directly on an existing commercial product, can yield passwords with entropy far below the theoretical optimum and, in some cases, that are highly correlated with the race or gender of the user. For one scheme, this effect is so dramatic as to render the scheme insecure. A conclusion of our work is that graphical password schemes of the type we study may generally require a different posture toward password selection than text passwords, where selection by the user remains the norm today.


Citation

Davis, D., Monrose, F., & Reiter, M. K. (2004). On user choice in graphical password schemes. In Proceedings of the 13th USENIX Security Symposium.