On Exploiting Hot-Spots in Click-Based Graphical Passwords

Julie Thorpe

Abstract

Although motivated by both usability and security concerns, the existing literature on click-based graphical password schemes using a single background image (e.g., PassPoints) has focused largely on usability. We examine the security of such schemes, including the impact of different background images, and strategies for guessing user passwords. We report on both short- and long-term user studies: one lab-controlled, involving 43 users and 17 diverse images, and the other a field test of 223 user accounts. We provide empirical evidence that popular points (hot-spots) do exist for many images, and explore three different types of attack to exploit this hot-spotting: (1) an entirely automated attack based on image processing techniques, (2) a "human-seeded" attack based on harvesting click-points from a small set of users, and (3) a bigram-generated attack based on harvesting click-points from a larger set of users. Our results suggest that these graphical password schemes appear to be at least as susceptible to attack as the traditional text passwords they were proposed to replace.
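The two harvesting-based attacks named in the abstract, attacks (2) and (3), can be sketched in a few dozen lines. What follows is an added illustration written for this page, not code or data from the paper: it models a PassPoints-style password as an ordered sequence of five click-points on one image, discretises the image into fixed 19-by-19-pixel cells (an assumption; the real scheme uses a tolerance window around each stored point), builds a "human-seeded" dictionary from a handful of harvested click sequences by ranking every ordering of the harvested cells by position-specific popularity, builds a bigram dictionary from the same harvest by ranking candidates by the likelihood of each consecutive pair of clicks, and then reports how far into each dictionary three constructed victims' passwords fall. All click data is constructed for the example; the cell size, the password length and the restriction to distinct points are assumptions labelled in the code.

```python
"""Hot-spot dictionary attacks on click-based graphical passwords.

Added example, not the paper's code. Assumptions (all labelled):
  * a password is 5 clicks on one image, discretised into fixed
    19x19-pixel cells (real PassPoints uses a tolerance window around
    each stored point; the fixed grid is a simplification);
  * candidate passwords use 5 distinct harvested cells;
  * every click sequence below is constructed for the example.
"""
from collections import Counter
from itertools import permutations
from typing import Dict, List, Optional, Sequence, Tuple

Point = Tuple[int, int]
Cell = Tuple[int, int]

TOLERANCE = 19      # assumed cell size in pixels
PASSWORD_LEN = 5    # assumed number of clicks per password


def cell_of(p: Point) -> Cell:
    """Map a pixel click to the grid cell that contains it."""
    return (p[0] // TOLERANCE, p[1] // TOLERANCE)


def to_cells(password: Sequence[Point]) -> Tuple[Cell, ...]:
    return tuple(cell_of(p) for p in password)


def hotspots(harvested: Sequence[Sequence[Point]]) -> Counter:
    """How often each cell is clicked across the harvested passwords."""
    return Counter(c for pw in harvested for c in to_cells(pw))


def human_seeded_dictionary(harvested: Sequence[Sequence[Point]]) -> List[Tuple[Cell, ...]]:
    """Attack (2): every ordering of the harvested cells, ranked by how often
    each cell was clicked at that position (add-one smoothed counts)."""
    seqs = [to_cells(pw) for pw in harvested]
    cells = sorted({c for s in seqs for c in s})
    pos_counts = [Counter(s[i] for s in seqs) for i in range(PASSWORD_LEN)]

    def score(cand: Tuple[Cell, ...]) -> int:
        s = 1
        for i, c in enumerate(cand):
            s *= pos_counts[i][c] + 1
        return s

    cands = list(permutations(cells, PASSWORD_LEN))
    cands.sort(key=lambda c: (-score(c), c))   # tie-break on cell order for determinism
    return cands


def bigram_dictionary(harvested: Sequence[Sequence[Point]]) -> List[Tuple[Cell, ...]]:
    """Attack (3): the same candidate space, ranked by P(first click) times the
    product of P(next click | previous click), estimated from the harvest with
    add-one smoothing so unseen transitions are unlikely rather than impossible."""
    seqs = [to_cells(pw) for pw in harvested]
    cells = sorted({c for s in seqs for c in s})
    vocab = len(cells)
    first = Counter(s[0] for s in seqs)
    bigram = Counter((s[i], s[i + 1]) for s in seqs for i in range(PASSWORD_LEN - 1))
    out = Counter()
    for (a, _), n in bigram.items():
        out[a] += n

    def score(cand: Tuple[Cell, ...]) -> float:
        p = (first[cand[0]] + 1) / (len(seqs) + vocab)
        for a, b in zip(cand, cand[1:]):
            p *= (bigram[(a, b)] + 1) / (out[a] + vocab)
        return p

    cands = list(permutations(cells, PASSWORD_LEN))
    cands.sort(key=lambda c: (-score(c), c))
    return cands


def guess_rank(dictionary: List[Tuple[Cell, ...]], password: Sequence[Point]) -> Optional[int]:
    """Number of guesses before the victim's password is hit, or None if the
    password uses a cell that was never harvested (outside the dictionary)."""
    target = to_cells(password)
    for i, cand in enumerate(dictionary):
        if cand == target:
            return i
    return None


def _pt(cell: Cell, dx: int = 0, dy: int = 0) -> Point:
    """A pixel click near the centre of a cell; jitter of a few pixels stays in the cell."""
    return (cell[0] * TOLERANCE + 9 + dx, cell[1] * TOLERANCE + 9 + dy)


# Constructed hot-spot cells (A..F seen in the harvest, G never harvested).
A, B, C, D, E, F, G = (2, 2), (10, 3), (15, 6), (6, 13), (21, 15), (13, 10), (18, 2)

HARVESTED = [   # constructed click sequences from eight "seed" users
    [_pt(A), _pt(B), _pt(C), _pt(D), _pt(E)],
    [_pt(A, 3, -2), _pt(B, -4, 1), _pt(C, 2, 2), _pt(D, -1, 3), _pt(E, 4, -4)],
    [_pt(A), _pt(B), _pt(C), _pt(F), _pt(E)],
    [_pt(B), _pt(A), _pt(C), _pt(D), _pt(E)],
    [_pt(A), _pt(B), _pt(F), _pt(D), _pt(E)],
    [_pt(A), _pt(C), _pt(D), _pt(F), _pt(E)],
    [_pt(A), _pt(B), _pt(C), _pt(D), _pt(F)],
    [_pt(B), _pt(C), _pt(D), _pt(E), _pt(F)],
]

VICTIMS = {     # constructed target passwords, with click jitter
    "popular": [_pt(A, 1, 1), _pt(B, -2, 0), _pt(C, 0, 3), _pt(D, 2, -2), _pt(E, -3, 1)],
    "variant": [_pt(A), _pt(B), _pt(C), _pt(F), _pt(E)],
    "offgrid": [_pt(A), _pt(B), _pt(C), _pt(D), _pt(G)],
}


def run_attacks() -> Dict[str, Tuple[Optional[int], Optional[int]]]:
    """(human-seeded rank, bigram rank) for each victim."""
    hs = human_seeded_dictionary(HARVESTED)
    bg = bigram_dictionary(HARVESTED)
    return {name: (guess_rank(hs, pw), guess_rank(bg, pw)) for name, pw in VICTIMS.items()}


if __name__ == "__main__":
    for name, ranks in run_attacks().items():
        print(name, ranks)
```

With eight harvested sequences the dictionary has only 720 entries, yet the most popular ordering of the hot-spots is guessed first by both attacks and the one-point variant within the first few guesses; the password that uses a never-harvested cell is not in the dictionary at all, which is exactly why the human-seeded attack needs only a small set of users for the hot-spots but the bigram attack benefits from a larger harvest. Replacing the fixed grid with the scheme's actual tolerance check, and the constructed harvest with real click data, is what separates this sketch from the attacks the paper evaluates.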