A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords

Furkan Tari; A. Ant Ozok; Stephen H. Holden

doi:10.1145/1143120.1143128

A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords

Furkan Tari, A. Ant Ozok, Stephen H. Holden

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

136 Scopus citations

Abstract

Previous research has found graphical passwords to be more memorable than non-dictionary or "strong" alphanumeric passwords. Participants in a prior study expressed concerns that this increase in memorability could also lead to an increased susceptibility of graphical passwords to shoulder-surfing. This appears to be yet another example of the classic trade-off between usability and security for authentication systems. This paper explores whether graphical passwords' increased memorability necessarily leads to risks of shoulder-surfing. To date, there are no studies examining the vulnerability of graphical versus alphanumeric passwords to shoulder-surfing. This paper examines the real and perceived vulnerability to shoulder-surfing of two configurations of a graphical password, Passfaces™[30], compared to non-dictionary and dictionary passwords. A laboratory experiment with 20 participants asked them to try to shoulder surf the two configurations of Passfaces™ (mouse versus keyboard data entry) and strong and weak passwords. Data gathered included the vulnerability of the four authentication system configurations to shoulder-surfing and study participants' perceptions concerning the same vulnerability. An analysis of these data compared the relative vulnerability of each of the four configurations to shouldersurfing and also compared study participants' real and perceived success in shoulder-surfing each of the configurations. Further analysis examined the relationship between study participants' real and perceived success in shoulder-surfing and determined whether there were significant differences in the vulnerability of the four authentication configurations to shoulder-surfing. Findings indicate that configuring data entry for Passfaces™ through a keyboard is the most effective deterrent to shouldersurfing in a laboratory setting and the participants' perceptions were consistent with that result. While study participants believed that Passfaces™ with mouse data entry would be most vulnerable to shoulder-surfing attacks, the empirical results found that strong passwords were actually more vulnerable.

Original language	English (US)
Title of host publication	ACM International Conference Proceeding Series
Pages	56-66
Number of pages	11
Volume	149
DOIs	https://doi.org/10.1145/1143120.1143128
State	Published - 2006
Externally published	Yes
Event	2nd Symposium on Usable Privacy and Security, SOUPS 2006 - Pittsburgh, PA, United States Duration: Jul 12 2006 → Jul 14 2006

Other

Other	2nd Symposium on Usable Privacy and Security, SOUPS 2006
Country/Territory	United States
City	Pittsburgh, PA
Period	7/12/06 → 7/14/06

Keywords

Authentication
Graphical passwords
Human factors
Password security
Shoulder surfing
Social engineering
Usable security

ASJC Scopus subject areas

Human-Computer Interaction

Access to Document

10.1145/1143120.1143128

Cite this

@inproceedings{ea886136a5734d1bb5e414a99e266e8b,

title = "A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords",

abstract = "Previous research has found graphical passwords to be more memorable than non-dictionary or {"}strong{"} alphanumeric passwords. Participants in a prior study expressed concerns that this increase in memorability could also lead to an increased susceptibility of graphical passwords to shoulder-surfing. This appears to be yet another example of the classic trade-off between usability and security for authentication systems. This paper explores whether graphical passwords' increased memorability necessarily leads to risks of shoulder-surfing. To date, there are no studies examining the vulnerability of graphical versus alphanumeric passwords to shoulder-surfing. This paper examines the real and perceived vulnerability to shoulder-surfing of two configurations of a graphical password, Passfaces{\texttrademark}[30], compared to non-dictionary and dictionary passwords. A laboratory experiment with 20 participants asked them to try to shoulder surf the two configurations of Passfaces{\texttrademark} (mouse versus keyboard data entry) and strong and weak passwords. Data gathered included the vulnerability of the four authentication system configurations to shoulder-surfing and study participants' perceptions concerning the same vulnerability. An analysis of these data compared the relative vulnerability of each of the four configurations to shouldersurfing and also compared study participants' real and perceived success in shoulder-surfing each of the configurations. Further analysis examined the relationship between study participants' real and perceived success in shoulder-surfing and determined whether there were significant differences in the vulnerability of the four authentication configurations to shoulder-surfing. Findings indicate that configuring data entry for Passfaces{\texttrademark} through a keyboard is the most effective deterrent to shouldersurfing in a laboratory setting and the participants' perceptions were consistent with that result. While study participants believed that Passfaces{\texttrademark} with mouse data entry would be most vulnerable to shoulder-surfing attacks, the empirical results found that strong passwords were actually more vulnerable.",

keywords = "Authentication, Graphical passwords, Human factors, Password security, Shoulder surfing, Social engineering, Usable security",

author = "Furkan Tari and Ozok, {A. Ant} and Holden, {Stephen H.}",

year = "2006",

doi = "10.1145/1143120.1143128",

language = "English (US)",

isbn = "1595934480",

volume = "149",

pages = "56--66",

booktitle = "ACM International Conference Proceeding Series",

note = "2nd Symposium on Usable Privacy and Security, SOUPS 2006 ; Conference date: 12-07-2006 Through 14-07-2006",

}

TY - GEN

T1 - A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords

AU - Tari, Furkan

AU - Ozok, A. Ant

AU - Holden, Stephen H.

PY - 2006

Y1 - 2006

N2 - Previous research has found graphical passwords to be more memorable than non-dictionary or "strong" alphanumeric passwords. Participants in a prior study expressed concerns that this increase in memorability could also lead to an increased susceptibility of graphical passwords to shoulder-surfing. This appears to be yet another example of the classic trade-off between usability and security for authentication systems. This paper explores whether graphical passwords' increased memorability necessarily leads to risks of shoulder-surfing. To date, there are no studies examining the vulnerability of graphical versus alphanumeric passwords to shoulder-surfing. This paper examines the real and perceived vulnerability to shoulder-surfing of two configurations of a graphical password, Passfaces™[30], compared to non-dictionary and dictionary passwords. A laboratory experiment with 20 participants asked them to try to shoulder surf the two configurations of Passfaces™ (mouse versus keyboard data entry) and strong and weak passwords. Data gathered included the vulnerability of the four authentication system configurations to shoulder-surfing and study participants' perceptions concerning the same vulnerability. An analysis of these data compared the relative vulnerability of each of the four configurations to shouldersurfing and also compared study participants' real and perceived success in shoulder-surfing each of the configurations. Further analysis examined the relationship between study participants' real and perceived success in shoulder-surfing and determined whether there were significant differences in the vulnerability of the four authentication configurations to shoulder-surfing. Findings indicate that configuring data entry for Passfaces™ through a keyboard is the most effective deterrent to shouldersurfing in a laboratory setting and the participants' perceptions were consistent with that result. While study participants believed that Passfaces™ with mouse data entry would be most vulnerable to shoulder-surfing attacks, the empirical results found that strong passwords were actually more vulnerable.

AB - Previous research has found graphical passwords to be more memorable than non-dictionary or "strong" alphanumeric passwords. Participants in a prior study expressed concerns that this increase in memorability could also lead to an increased susceptibility of graphical passwords to shoulder-surfing. This appears to be yet another example of the classic trade-off between usability and security for authentication systems. This paper explores whether graphical passwords' increased memorability necessarily leads to risks of shoulder-surfing. To date, there are no studies examining the vulnerability of graphical versus alphanumeric passwords to shoulder-surfing. This paper examines the real and perceived vulnerability to shoulder-surfing of two configurations of a graphical password, Passfaces™[30], compared to non-dictionary and dictionary passwords. A laboratory experiment with 20 participants asked them to try to shoulder surf the two configurations of Passfaces™ (mouse versus keyboard data entry) and strong and weak passwords. Data gathered included the vulnerability of the four authentication system configurations to shoulder-surfing and study participants' perceptions concerning the same vulnerability. An analysis of these data compared the relative vulnerability of each of the four configurations to shouldersurfing and also compared study participants' real and perceived success in shoulder-surfing each of the configurations. Further analysis examined the relationship between study participants' real and perceived success in shoulder-surfing and determined whether there were significant differences in the vulnerability of the four authentication configurations to shoulder-surfing. Findings indicate that configuring data entry for Passfaces™ through a keyboard is the most effective deterrent to shouldersurfing in a laboratory setting and the participants' perceptions were consistent with that result. While study participants believed that Passfaces™ with mouse data entry would be most vulnerable to shoulder-surfing attacks, the empirical results found that strong passwords were actually more vulnerable.

KW - Authentication

KW - Graphical passwords

KW - Human factors

KW - Password security

KW - Shoulder surfing

KW - Social engineering

KW - Usable security

UR - http://www.scopus.com/inward/record.url?scp=34250782167&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=34250782167&partnerID=8YFLogxK

U2 - 10.1145/1143120.1143128

DO - 10.1145/1143120.1143128

M3 - Conference contribution

AN - SCOPUS:34250782167

SN - 1595934480

SN - 9781595934482

VL - 149

SP - 56

EP - 66

BT - ACM International Conference Proceeding Series

T2 - 2nd Symposium on Usable Privacy and Security, SOUPS 2006

Y2 - 12 July 2006 through 14 July 2006

ER -

A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords

Abstract

Other

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this