Tag Archive for 'graphical passwords'

Paper Discussion - Do Background Images Improve “Draw a Secret” Graphical Passwords?

Published
by
sevinc
on March 29, 2008
in Academic Papers
. Comments

Short Summary of the paper:

Draw a Secret- DAS is a graphical password scheme where users are suppose to draw a secret on a grid. A completed drawing, i.e., a secret, is encoded as the ordered sequence of cells that the user crosses whilst constructing the secret. Each time a user lifts the en from the drawing grid surface, a “pen-up” event is encoded by distinguished coordinate pair. Here the important thing to note is even if the shape are not same as long as the encoding is identical it will yield to the same password. The basic problem with this scheme is it is vulnerable to graphical dictionary attacks. Also, users tend to choose passwords which are symmetrical and centralized. Therefore in this paper, authors proposed to use a background image to help users 1)remember the password more easily 2)set none symmetrical or none centralized passwords. The only difference here, users are not drawing their passwords onto an empty grid, but they are choosing a background image to draw on it as well. Experimental results show that this scheme is better than DAS since people chose more complicated and longer passwords. Also symmetry and centralization was lesser for this scheme, therefore authors concluded it is more secure than DAS. However the question arises here : introducing background images may give the attackers clue about the password. So can security reduction caused by this background images be compensated by reduced symmetry and centering? Unfortunately in the paper there is no study about this question. It is an open problem!

Questions arised in the meeting:

  • Do we really believe in graphical passwords? Are they really more memorable? Are the really more usable? Are they really more secure?
  • What would be the impact of background images in this scheme? Will they mess up the security?
  • Which graphical password scheme is more secure? DAS or PassPoints(where user click on the points of an image in a particular order)
  • How about using PassPhrases instead of Passwords? Will it be more secure to use initials of a secret Phrase as a password?
  • Can we design a new scheme combining both graphical and text?
    • How about writing your password with your own hand writing and make the scheme verify that it is you who is writing. (how about combining password with your biometric?) Will you feel uncomfortable about shoulder surfing in this case? (Note that even if the shoulder-surfers capture your movements, they can’t capture all about your handwriting, they can only capture about the letters that you use in your password.)