Multiple Password Interference in Text Passwords and Click-Based Graphical Passwords
by Sonia Chiasson, Alain Forget, Elizabeth Stobert, PC van Oorschot and Robert Biddle
Presented by: Payas Gupta
Motivation
• We know that people generally have difficulty remembering multiple passwords.
• To compare recall of multiple text passwords with recall of multiple click-based graphical passwords.
– Short term
– Long term
What is it about?
• No algorithm, no technique
• It has only a user study.
• But it carries a message on how to show such results in a nice way
PassPoints
• 5 click points in the same order
• Tolerance accepted around each click point
Hotspots
• Dictionary attacks on graphical passwords:
– Areas of the image that have a higher probability of being selected by users.
Study Details
• Hypothesis
– Click-based graphical passwords would be easier for users to recall than text passwords when users had multiple passwords to remember.
– Less interference from multiple unique graphical passwords than multiple unique text passwords.
Specific hypothesis
• Participants will have lower recall success rates with text passwords than with PassPoints passwords.
• Participants in the Text condition are more likely than PassPoints participants to use patterns across their own passwords.
• Participants will recall text passwords more slowly than PassPoints passwords.
• Participants in the Text condition are more likely than PassPoints participants to create passwords that are directly related to their corresponding accounts.
• Participants in the Text condition will make more recall errors than participants in the PassPoints condition.
Demographics
• 65 participants
– 26 males and 39 females
• Participants were primarily university students from various degree programs.
• None were experts in computer security.
Methodology
• 65 participants in session 1
• Second session after two weeks
– 26 participants
Session 1
• Create
• Confirm
• Answer Questions
– Perceived difficulty of creating
• Perform Distraction Task
– Mental rotation test
• Login
– Retry as many times as needed to get it correct
Results
• Used chi-square test to compare non-ordered categorical data (comparing login/failure ratios).
• Success rate
– The success rate is the number of successful password entry attempts divided by the total number of attempts, across all participants.
Recall 1
• First attempt
– Text passwords – 68%
– PassPoints – 95%
• Participants could try recalling their password as many times as they wished, until they either succeeded or gave up.
• Participants in the Text condition reached an 88% success rate with multiple recall attempts, compared to 99% for PassPoints participants.
Recall 2
• Two weeks after creating their passwords, only 70% of Text participants and 57% of PassPoints participants were able to successfully recall their passwords.
• Higher accuracy for males in PassPoints.
– Result aligns with psychology research
– Males tend to perform better in visual tasks and females in linguistic tasks
Recall Errors
Success rate for male and female
• Recall 2
Timings
• Recall-1
– Participants were quicker at entering PassPoints passwords, and this aligns with the fact that participants made fewer errors in the PassPoints condition (when participants repeatedly entered the passwords).
• Recall-2
– No significant difference
Use of Mnemonics
• 23 out of 34 (68%) participants in the Text condition used the account as a cue for at least one of their passwords.
– Some passwords were directly linked with the account name.
– “instantmsg” for the instant messenger
– “lovelove” for the online dating account
– 40% of text passwords were related to their account
– Males were more likely to create passwords that were directly related to their accounts
For the Text condition
• Recall 1
– Participants classified as having used account-related text passwords had a 96% success rate for Recall-1, while those who did not had an 83% recall success rate.
• Recall 2
– Those classified as having created account-related passwords had a 71% success rate for Recall-2, while those who did not had a 69% success rate.
Text Password Patterns
• 71 out of 204 passwords (35%) were obviously related to other passwords created by the same user
– “ins901333” for the instant messenger account and “lib901333” for the library account
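The two text-password habits reported on the slides (passwords cued by the account name, and passwords sharing a core across accounts) can be checked mechanically, for example when auditing a password-manager vault. The sketch below is an added example, not code from the study or the presentation; the function names, the two length thresholds and the sample vault are assumptions, and the vault reuses the passwords quoted on the slides as if they belonged to one user.

```python
from difflib import SequenceMatcher
from itertools import combinations

MIN_SHARED = 5  # assumed threshold: shared run length that marks two passwords as related
MIN_CUE = 3     # assumed threshold: account-name fragment length that marks a cue

def shared_run(a, b):
    """Longest common substring of a and b, case-insensitive."""
    a, b = a.lower(), b.lower()
    m = SequenceMatcher(None, a, b, autojunk=False).find_longest_match(0, len(a), 0, len(b))
    return a[m.a:m.a + m.size]

def related_pairs(vault):
    """Account pairs whose passwords share a run of at least MIN_SHARED characters."""
    hits = []
    for (acc1, pw1), (acc2, pw2) in combinations(sorted(vault.items()), 2):
        run = shared_run(pw1, pw2)
        if len(run) >= MIN_SHARED:
            hits.append((acc1, acc2, run))
    return hits

def account_cued(account, password):
    """True if the password contains a fragment of any word in the account name."""
    return any(len(shared_run(word, password)) >= MIN_CUE for word in account.split())

def audit(vault):
    """Summarise both weaknesses for one user's set of passwords."""
    return {
        "related": related_pairs(vault),
        "account_cued": sorted(a for a, p in vault.items() if account_cued(a, p)),
    }

# Constructed vault for one user, reusing the example passwords quoted on the slides.
SAMPLE = {
    "instant messenger": "ins901333",
    "library": "lib901333",
    "online dating": "lovelove",
    "email": "msnhotmail",
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Substring matching flags “ins901333”/“lib901333” and the account-name fragments, but it does not see a semantic cue such as “lovelove” for a dating account.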
PassPoints Patterns
• The earlier study found that in PassPoints, participants were likely to select click-points in simple patterns such as a straight line or C-shape
Comparison PPLab and MPP
• Found no statistical difference between the patterns found in the current study (where participants had to create and remember multiple passwords) and the earlier PassPoints lab study (where participants had to remember only one password at a time).
• Two participants had 4 out of 6 passwords following a “Z” pattern
Text Password Dictionary Attack
• First tested passwords using the free dictionary of 4 million entries.
• Followed by a second attack using a larger dictionary of 40 million entries purchased from the John the Ripper web site.
• Smaller dictionary cracked 9.8%
• Larger dictionary cracked 15.2%
• Examples of passwords that were not cracked by John the Ripper include: “msnhotmail” for an email password, “instantmsg” for an instant messenger account, and “inlibrary” for a library account.
• In an earlier study of text passwords [16], 9.5% (18 out of 190) of passwords were cracked using John the Ripper with the same 4 million entry dictionary and 18.9% (36 out of 190) of passwords with the larger dictionary.
PassPoints hotspot formation
• To evaluate PassPoints passwords for predictability, we compared the distribution of click-points in the current study to those of an earlier PassPoints study on the same images [6].
– Wanted to see whether there was increased clustering of click-points across participants.
• The J-function measures the level of clustering of points within a dataset.
– 32 PassPoints participants for each image in this study (160 click-points per image).
– The earlier PassPoints datasets [6] contained between 155 and 220 click-points per image.
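How a J-function value separates hotspot-style clustering from evenly spread click-points, as an added example that is not the study's code: J(r) = (1 - G(r)) / (1 - F(r)), where G is the nearest-neighbour distance distribution between click-points and F is the distance distribution from arbitrary image locations to the nearest click-point; J below 1 indicates clustering, J near 1 spatial randomness, J above 1 regular spacing. The estimator below uses no edge correction, and the image size, grid step and both point sets are constructed assumptions.

```python
import math

def nearest_other(i, pts):
    """Distance from pts[i] to the closest other click-point."""
    return min(math.dist(pts[i], q) for j, q in enumerate(pts) if j != i)

def j_function(pts, width, height, r, step=5):
    """Empirical J(r) = (1 - G(r)) / (1 - F(r)), without edge correction.

    G(r): share of click-points with another click-point within r pixels.
    F(r): share of reference grid locations with any click-point within r pixels.
    """
    g = sum(nearest_other(i, pts) <= r for i in range(len(pts))) / len(pts)
    grid = [(x, y) for x in range(0, width, step) for y in range(0, height, step)]
    f = sum(min(math.dist(c, q) for q in pts) <= r for c in grid) / len(grid)
    # J is undefined once every reference location is within r of a click-point.
    return float("nan") if f == 1.0 else (1 - g) / (1 - f)

W, H = 450, 330  # assumed image size in pixels

# Constructed data: click-points piled onto four hotspots ...
HOTSPOTS = [(100, 80), (300, 90), (200, 250), (380, 280)]
CLUSTERED = [(cx + dx, cy + dy)
             for cx, cy in HOTSPOTS
             for dx in range(0, 10, 3)
             for dy in range(0, 10, 3)]

# ... versus click-points spread on an even 50-pixel lattice.
REGULAR = [(x, y) for x in range(25, W, 50) for y in range(25, H, 50)]

if __name__ == "__main__":
    for name, pts in (("clustered", CLUSTERED), ("regular", REGULAR)):
        print(name, len(pts), round(j_function(pts, W, H, r=10), 3))
```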
J-stat
Validation of hypothesis
• Participants will have lower recall success rates with text passwords than with PassPoints passwords.
– Hypothesis partially supported.
• Participants in the Text condition are more likely than PassPoints participants to use patterns across their passwords.
– Hypothesis partially supported.
• Participants will recall text passwords more slowly than PassPoints passwords.
– Hypothesis partially supported.
• Participants in the Text condition are more likely than PassPoints participants to create passwords that are directly related to their corresponding accounts.
– Hypothesis supported.
• Participants in the Text condition will make more recall errors than participants in the PassPoints condition.
– Hypothesis supported.
Not a mirror image of real life
• Unlikely to create 6 passwords one at a time
• No one in our study wrote down their password, although users often tend to do so.
• However, examining the issue of multiple password interference in a controlled laboratory setting is an important step in understanding the effects of increased memory load and the coping behaviours exhibited by users.