A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords

Furkan Tari, A. Ant Ozok, Stephen H. Holden

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Previous research has found graphical passwords to be more memorable than non-dictionary or "strong" alphanumeric passwords. Participants in a prior study expressed concerns that this increase in memorability could also lead to an increased susceptibility of graphical passwords to shoulder-surfing. This appears to be yet another example of the classic trade-off between usability and security for authentication systems. This paper explores whether graphical passwords' increased memorability necessarily leads to risks of shoulder-surfing. To date, there are no studies examining the vulnerability of graphical versus alphanumeric passwords to shoulder-surfing. This paper examines the real and perceived vulnerability to shoulder-surfing of two configurations of a graphical password, Passfaces™[30], compared to non-dictionary and dictionary passwords. A laboratory experiment with 20 participants asked them to try to shoulder surf the two configurations of Passfaces™ (mouse versus keyboard data entry) and strong and weak passwords. Data gathered included the vulnerability of the four authentication system configurations to shoulder-surfing and study participants' perceptions concerning the same vulnerability. An analysis of these data compared the relative vulnerability of each of the four configurations to shoulder-surfing and also compared study participants' real and perceived success in shoulder-surfing each of the configurations. Further analysis examined the relationship between study participants' real and perceived success in shoulder-surfing and determined whether there were significant differences in the vulnerability of the four authentication configurations to shoulder-surfing. Findings indicate that configuring data entry for Passfaces™ through a keyboard is the most effective deterrent to shoulder-surfing in a laboratory setting and the participants' perceptions were consistent with that result. While study participants believed that Passfaces™ with mouse data entry would be most vulnerable to shoulder-surfing attacks, the empirical results found that strong passwords were actually more vulnerable.

Original language: English (US)
Title of host publication: ACM International Conference Proceeding Series
Pages: 56-66
Number of pages: 11
Volume: 149
DOIs: https://doi.org/10.1145/1143120.1143128
State: Published - 2006
Externally published: Yes
Event: 2nd Symposium on Usable Privacy and Security, SOUPS 2006 - Pittsburgh, PA, United States
Duration: Jul 12 2006 to Jul 14 2006

Other

Other: 2nd Symposium on Usable Privacy and Security, SOUPS 2006
Country: United States
City: Pittsburgh, PA
Period: 7/12/06 to 7/14/06

Fingerprint

Authentication
Data acquisition
Glossaries
Experiments

Keywords

  • Authentication
  • Graphical passwords
  • Human factors
  • Password security
  • Shoulder surfing
  • Social engineering
  • Usable security

ASJC Scopus subject areas

  • Human-Computer Interaction

Cite this

Tari, F., Ozok, A. A., & Holden, S. H. (2006). A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords. In ACM International Conference Proceeding Series (Vol. 149, pp. 56-66) https://doi.org/10.1145/1143120.1143128

@inproceedings{ea886136a5734d1bb5e414a99e266e8b,
title = "A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords",
keywords = "Authentication, Graphical passwords, Human factors, Password security, Shoulder surfing, Social engineering, Usable security",
author = "Furkan Tari and Ozok, {A. Ant} and Holden, {Stephen H.}",
year = "2006",
doi = "10.1145/1143120.1143128",
language = "English (US)",
isbn = "1595934480",
volume = "149",
pages = "56--66",
booktitle = "ACM International Conference Proceeding Series",

}

TY - GEN

T1 - A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords

AU - Tari, Furkan

AU - Ozok, A. Ant

AU - Holden, Stephen H.

PY - 2006

Y1 - 2006

KW - Authentication

KW - Graphical passwords

KW - Human factors

KW - Password security

KW - Shoulder surfing

KW - Social engineering

KW - Usable security

UR - http://www.scopus.com/inward/record.url?scp=34250782167&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=34250782167&partnerID=8YFLogxK

U2 - 10.1145/1143120.1143128

DO - 10.1145/1143120.1143128

M3 - Conference contribution

AN - SCOPUS:34250782167

SN - 1595934480

SN - 9781595934482

VL - 149

SP - 56

EP - 66

BT - ACM International Conference Proceeding Series

ER -