gridWordX: Design, Implementation, and Usability Evaluation of an Authentication Scheme Supporting Both Desktops and Mobile Devices

Ugur Cil and Kemal Bicakci

TOBB University of Economics and Technology, Ankara, Turkey
Email: [email protected]

Abstract—We are currently witnessing the evolution of Internet access devices. Smart phones, tablets and other mobile devices are beginning to be widely used to access online systems which require user authentication. However, because of their less friendly input methods, using traditional text-based passwords becomes even more tedious on these devices. Motivated by users who wish to access the same sites alternately from mobile devices and desktop machines, we propose a hybrid knowledge-based authentication scheme, gridWordX, which combines text and graphical elements. We conduct lab and web studies to compare the usability of gridWordX with text-based passwords. The results show that gridWordX has significantly shorter login times on a mobile device and maintains comparable login times on a desktop machine.

I. INTRODUCTION

Text-based passwords are the de facto authentication method due to reasons such as simplicity, low cost, accessibility from multiple platforms, familiarity, etc. On the other hand, their deficiencies are also well-known [1]. Easy-to-guess passwords are usually the first choice of users [2], and stronger text passwords are in general less memorable and thus less usable [3]. Many online systems establish password policies to reduce the vulnerability of text passwords to guessing attacks. For instance, a minimum length requirement of six to eight characters is common.

In addition to the known drawbacks of text passwords, the evolution of Internet access devices gives rise to a new challenge for users: the need to enter the password from input-limited devices [4]. The lack of a physical keyboard and small screen sizes mean users struggle even more with the correct entry of their passwords. For example, if we consider just the mechanics of password entry, the password “a1bc1d” needs 50% more keystrokes with the soft (screen-based) keyboard of mobile devices having the standard qwerty layout as compared to a physical keyboard, not to mention the finger fatigue due to the use of mini-keyboards. We frequently alternate between devices with ineffective input modes and standard desktop machines having full physical keyboards [5]. New user authentication schemes which employ special functionality of mobile devices, such as accelerometers for gestures [6] or GPS for location tracking or user profiling [7], are not suitable for interworking with traditional desktop computers. Hence, a secure and usable mechanism for password entry on mobile devices compatible with traditional desktop machines is a new research challenge.

To address this previously unstudied problem, a hybrid authentication mechanism which allows a choice between text and screen-based input, gridWord, was proposed in earlier work [5]. In this paper, a new version, gridWordX, is proposed with some critical improvements in order to improve usability further. We evaluate the usability of gridWordX through lab and web studies and report the results. The results of the user studies indicate that gridWordX is a promising new approach for user authentication supporting both desktops and mobile devices.

The rest of the paper is organized as follows. Section 2 reviews the related work. Section 3 introduces the proposed system. Section 4 describes the hypotheses and methodology of our user study. Section 5 presents the results of the user study, which are discussed in Section 6. Section 7 provides a security analysis of the collected dataset of gridWordX passwords. Finally, we conclude in Section 8.

II. RELATED WORK

In this section, we first overview the graphical password scheme PCCP, from which our new proposal gets some of its design features. Then, we focus on previous proposals supporting user authentication across devices with different input mechanisms.

Persuasive Cued Click Points (PCCP). PCCP is a click-based graphical password method in which the password consists of one click point on each of five images shown in sequence [8], [9]. The next image displayed is based on the location of the previously entered click-point. A different click point results in a different image; hence, for the legitimate user, the image sequence serves as implicit feedback on the correctness of the password. To mitigate the problem of hotspots (regions on the images where users are more likely to click), PCCP proposes the use of a “viewport”. During password creation, the user can click only inside the viewport, which is a smaller rectangular area randomly positioned on the image. If the user does not want to click within the current viewport (the system suggestion), he can change its location by clicking on the “Shuffle” button. The new location of the viewport is again determined randomly. The user is free to shuffle as much as he wants, but since shuffling requires effort, clicking on a location which is not a hotspot becomes the “path of least resistance”. Through the viewport, the user is persuaded to avoid hotspots and thus chooses a more secure password.

Fig. 1: Login Interface of gridWord (earlier version) with three words.

Fig. 2: Login Interface of gridWordX on a desktop with three words.

Password managers. On average, Internet users have 25 password-protected accounts [10], so it is no surprise that password managers have become so popular, as they effectively reduce the memory burden to a single master password. These tools also make passwords available on mobile devices. For instance, LastPass is a password manager supporting multiple platforms: desktop machines and mobile devices. It stores passwords and other user data on proprietary servers after encrypting them locally on the user side. This choice may cause security vulnerabilities; attackers can compromise the servers and access the stored information. Then, an offline attack could be conducted against the encrypted passwords. Indeed, this scenario occurred in May 2011 and users were urged to change their master passwords [11]. There are also other password managers, such as KeePass and RoboForm2Go, allowing users to transfer their passwords to mobile devices manually without the involvement of a server.

Browser-based synchronization. Some browsers provide functionality for synchronizing user passwords between desktop machines and mobile devices. For instance, Mozilla Firefox stores passwords on its servers (after encryption) so that users can reach their passwords in mobile versions of the Firefox browser. As compared to custom-built password managers, browser-based synchronization has the advantage of not requiring the installation of additional software.

ObPwd. Object-based password [12] (ObPwd) is a cross-platform/cross-device password mechanism. The implementation of ObPwd is available as a Mozilla Firefox extension and as a stand-alone application on Android, MS Windows, Linux, and Mac OS. With ObPwd, a textual password is produced from a selected object (e.g., videos, pictures, URLs, text strings) using the SHA-1 hashing algorithm and a Hash2Text function. The basic version of ObPwd has the following security vulnerability: if attackers can access the selected object (e.g., when a picture available in the user's Facebook account is used), then they can easily produce the password. There are three variants of ObPwd for increased security:

1) Variant 1 uses a user-selected salt to produce the password. The cost is that the user now must memorize the salt.
2) Variant 2 allows selecting more than one object to produce the textual password.
3) Variant 3 uses the URL together with the object so that the passwords generated for different web sites are no longer the same. This variant prevents some types of phishing attacks.

In recent work, Mannan and van Oorschot revisited the ObPwd idea for its cross-device password entry properties [13].

Multi-word passwords and Fastword. Building passwords from pronounceable words is not new; it dates back to the 1980s [5]. The recent Fastword proposal [14] revisited this idea for input-limited devices. Error-correction capabilities and auto-complete features are what make Fastword passwords suitable for entry on small-size devices. It was claimed that Fastword has three main benefits over text passwords: increased speed and convenience, improved security, and higher recall rates. Another feature not present in traditional passwords but enabled by Fastword is voice entry of passwords.

III. THE PROPOSED SYSTEM

In this section, we first present the initial version of the proposed system. Then, we discuss the pilot study which helped us finalize the prototype to be tested in a more elaborate user study. At the end, we provide the implementation details.

A. Initial Version

The underlying idea in gridWord is that the password is formed by an ordered set of distinct words which correspond to “concrete” objects, e.g., boat, in order to help the user while memorizing her password, as retrieval of concrete words from memory is easier and faster than that of abstract words [5]. The login interface (Fig. 1) includes a set of combo-boxes (one for each word) at the top of the screen. The user can either type a word or select it from a drop-down list. Also, the combo-boxes have an auto-complete feature so that the user does not need to search throughout the whole drop-down list; she can filter the list by typing only the first few characters of a word.

Fig. 3: Login Interface of text passwords on a mobile device (Samsung Galaxy Tab).

Fig. 4: Login Interface of gridWordX on a mobile device (Samsung Galaxy Tab) with three words.

The main difference between gridWord and other multi-word password proposals like Fastword [14] is as follows. On its interface, below the combo-boxes there is a 2D grid composed of numerous cells; each cell is associated with exactly one word, and this one-to-one mapping between words and cells is static at all times. Selecting a cell automatically enters its associated word into the corresponding combo-box and vice versa (footnote 1). In the initial version, the cells are not labeled with the object names, but users can search and see which word is assigned to a cell by local exploration (as shown for the first word in Fig. 1).

Adopting the idea from PCCP [8], password creation in gridWord involves system-suggested passwords. The user is free to either accept the suggested password or ask for another suggestion through the Shuffle button.

A stand-alone desktop application of gridWord was implemented for the pilot study. In this implementation, the 2D grid has 400 cells (16 rows and 25 columns), each with a size of 19 × 19 pixels. The values of these parameters were adjusted to be consistent with a typical implementation of PCCP [8]. The grid size in gridWord is approximately the same as the size of the background picture in PCCP, and each cell has the same size as the tolerance region in PCCP. Therefore, if the number of words in gridWord is equal to the number of clicks in PCCP, the two schemes provide around the same password space (footnote 2).

Footnote 1: Screen-based selection and unconcealed words in combo-boxes may render the password more susceptible to shoulder surfing and recording attacks, which are not investigated in our work.

Footnote 2: Our initial plan was to compare the usability of gridWord with PCCP, but after the pilot study we decided to do the comparison with text passwords instead.

B. Pilot Study

Elaborate user studies require a significant amount of effort and time; therefore, we wanted to fine-tune the design of gridWord using smaller studies first. The pilot study involved a lab-based experiment performed in a single session with a few participants. We asked each participant to create and confirm both a gridWord and a PCCP password on a desktop machine having a physical keyboard. After answering a short questionnaire, we applied a mental rotation test to clear their working memory. Finally, they re-entered their passwords to log in. We summarize the results of the pilot study as follows:

1) We observed that even if they remembered the correct words forming their gridWord passwords, many users had difficulty locating the correct cells due to their small size.
2) Users preferred typing rather than clicking their passwords. 82.6% of all login attempts were done using only the combo-boxes. In response to our question, users stated that they liked using the combo-boxes more for entering their passwords. Moreover, the average success rate when combo-boxes were used was higher than the overall success rate of gridWord.
3) The pilot study showed that in many aspects the usability of gridWord is comparable to or better than that of PCCP (not discussed further here). Hence, more time investment in gridWord seems worthwhile.

C. A New Version: gridWordX

After the pilot study, to improve usability we reduced the number of cells (words) to 104 (8 rows and 13 columns) and enlarged the cell areas by almost four times while keeping the size of the total grid area unchanged (certainly this choice has a corresponding security penalty). Another change is labeling each cell, exploiting the fact that the cell sizes have now become large enough. Labeling with a word (alphabetically ordered to allow the user to make a quick scan over the grid) enables the user to recognize the words forming her password; thus it leverages recognition memory instead of pure recall or cued-recall memory. As a result, the new version, gridWordX, can be classified as a recognition-based authentication scheme [3].

D. Implementation and Parameterization for User Studies

For desktop machines, a version of gridWordX was developed with PHP, JavaScript and HTML (Fig. 2) (together with text passwords for comparison purposes; not shown). Mobile versions of both text passwords (Fig. 3) and gridWordX (Fig. 4) were developed using the Android SDK and the Java programming language for Android smartphones. All development work was performed by the same programmer (first author) for consistency, but nevertheless the look and feel of the mobile and desktop versions are not exactly the same. We note that for the user studies we replaced the English words in the gridWordX interface with Turkish words, since all participants were native Turkish speakers. In gridWordX, we set the password length to 3 words. Hence, gridWordX with 104 cells provides around 20 bits of entropy [5] (footnote 3). To ensure similar levels of security in our comparison target, i.e., text passwords, we consult the NIST formula [15]. An eight-character human-generated text password is estimated to have around 18 bits of entropy; therefore, we set the minimum length requirement of text passwords to eight characters. In line with the suggestion for adopting a more scientific approach to usable security research [5], we make the source code of gridWordX for mobile devices available online to facilitate independent evaluation by others. Source code of the other implementations used in our study is also provided online [16].

IV. HYPOTHESES AND METHODOLOGY

After the pilot study was finished and modifications to the interface were made, a more elaborate and formal user study was performed. We first provide our hypotheses with respect to the usability of gridWordX to be tested in this study:

1) Login times of gridWordX are shorter than those of text passwords on mobile devices having a soft keyboard.
2) Login times of gridWordX are comparable to those of text passwords on desktop machines having a physical keyboard and a mouse.
3) On mobile devices, most users prefer touching the grid over typing via the soft keyboard to enter their gridWordX passwords.
4) On desktop machines, most users prefer typing via the keyboard over clicking on the grid to enter their gridWordX passwords.

The last two hypotheses on preferred modes of operation are included because we consider them to be fundamental to the user performance of gridWordX, based on our observations in the pilot study.

33 users participated in our study. All participants (6 females and 27 males) were students at TOBB University of Economics and Technology. Participants were regular computer and mobile device users and were comfortable with text passwords and touch-sensitive smartphone screens. They ranged in age between 18 and 29 years. The user study has two parts: a lab study and a web study. The methodology of these studies is described next.

Footnote 3: 20-bit passwords may withstand online attacks if lockout rules are in place [10].

A. Lab Study

In a laboratory environment, participants completed two individual sessions three weeks apart (in this three-week period, the web study was scheduled). Before the first session, users were given the following oral instructions:

• They should pretend that their passwords were protecting important information.
• Their text passwords should consist of at least eight characters. There was no further restriction for text passwords.
• They were supposed to use a password different from the passwords they already had.
• They were supposed not to write down their passwords.

We also stated clearly that the purpose of our study is to test a new password scheme rather than the users themselves. Before using the systems, participants were given a presentation including a brief demo of the gridWordX scheme, e.g., how they can create/confirm their passwords and how they log in. We preferred a within-subject design. Half of the participants first used the text password system and then the gridWordX scheme. The others followed the reverse order.

The lab study is designed for the evaluation of gridWordX when input-limited devices are in use (users' own smart phones are all of different sizes and models; hence the web study was considered to be more appropriate for the evaluation of desktop use). The Samsung Galaxy Tab was chosen as the mobile device. The screen resolution of the Galaxy Tab is 600 × 1024, its diagonal length is 7 inches, and it has 170 dpi. Both schemes run as a full-screen application (see Fig. 3 and Fig. 4). All participants used the same mobile device in the lab.

The first session of the lab study consisted of three phases for both schemes. These phases are explained as follows for gridWordX (the phases for text passwords are similar, hence their descriptions are omitted here):

1) Password Creation & Confirmation Phase: Participants first enter their name, surname and username and then click on the button labelled Create Account. A password is suggested to the user in a new screen which is similar to the login screen in Fig. 4, but in which only the cells corresponding to the words of the suggested password are labelled. If users do not want to accept the suggested password, they can shuffle as many times as they want. Also, they can start over to create a new account by touching Return Main Page. After touching the Accept Password button, the screen changes again for confirmation. Unlike the password creation phase, all cells are labelled with their words during password confirmation. Participants re-enter their password by touching the grid or typing via the soft keyboard to confirm it. When participants touch a cell, the cell is colored, filled with the order number (1, 2 or 3), and its corresponding word is displayed in the combo-box (and vice versa). Password confirmation is completed when the Confirm Password button is touched.
2) MRT: Participants complete a Mental Rotation Test (MRT) puzzle. This visual task is performed to clear participants' short-term working memory.
3) Login Phase: Participants log in with their passwords. If they make a wrong touch on the grid, they can redo their selection by touching the same cell or can start over by touching the Restart button.

(a) Times for Creation & Confirmation

(b) Login Times (Lab Study)

(c) Login Times (Web Study)

Fig. 5: Timing Information in lab and web studies.

For the second session of the lab study, participants were invited again after three weeks. They were asked to perform the login task again for both text passwords and gridWordX in the same order as they followed in the first session. At the end, a questionnaire was completed by all the participants.

B. Web Study

The objective of the web study is to evaluate the usability of gridWordX when used on a desktop. We also would like to look at user performance in their own environment. This study also consisted of two sessions. The first session was scheduled one week after the first session of the lab study. Participants were notified via e-mail to log in to a web system via their desktop machine (the same task as the one in the second session of the lab study, except using a desktop machine). If participants could not enter their passwords correctly in three attempts, they could ask for an e-mail containing their passwords (text password and/or gridWordX password). After another week, users were asked to repeat the same login task on desktops in the second and final session of our web study.

V. RESULTS

This section presents the results of our lab and web studies.

A. Collected Data

The data collected in the lab and web studies are as follows:

Timing and Success Rates. We collected timing information (total time) for password creation & confirmation and login for both gridWordX and text passwords. Total time is started when a user first sees the screen (footnote 4) and stopped when she clicks (or touches) the button to finish the step. Total time is measured only for the users who complete a task successfully. A task is considered successfully completed if at most three attempts are made. The times are cumulative, including the time spent on unsuccessful attempts. Success rates are defined as the ratio of the number of trials completed with no more than three attempts to the total number of trials. Success rates for password creation & confirmation and logins were collected.

Shuffles. The number of shuffles made during password creation was collected to examine its effect on the success rates of gridWordX.

Modes of Input in gridWordX. There are three modes of input for gridWordX: clicking (or touching) on the grid, typing using the combo-boxes, or using a combination of these two modes. The number of times each of these modes was used was recorded to study the effects on timings and success rates.

Questionnaire. Demographic questions were asked to collect information about participants. The questionnaire also contains questions about participant opinions on gridWordX.

In the following, a p-value less than 0.05 leads us to conclude that there is evidence against the null hypothesis.

Footnote 4: For text-based passwords, password creation and confirmation are performed on a single screen. On the other hand, the password creation and confirmation phases are carried out on two subsequent screens in gridWordX. We report the total time spent on the two screens for gridWordX.

B. Timing and Success Rates

Total times for password creation & confirmation and logins in the lab and web sessions for gridWordX and text passwords are presented in Fig. 5. We remind the reader that participants repeated the login task four times using each scheme; the first and last of these were in the lab using mobile devices, and the second and third logins were performed using desktops through the web. On mobile devices (in the lab study) there is a significant difference between the login times of text passwords and gridWordX. We separately apply the paired-sample Wilcoxon test to the collected data in the first and last logins and see that the difference is significant in both of them (first login: V=56, p=0.000014; last login: V=429, p=0.001437). This supports hypothesis 1. On desktop machines (in the web study), no significant difference is seen between text passwords and gridWordX, which is consistent with hypothesis 2.

Table I shows the success rates of gridWordX and text passwords. Participants had no difficulty with password creation & confirmation in both schemes. Login success rates of gridWordX are lower than those of text passwords in the first desktop use and the second mobile device use, but the difference is not significant (second login: χ2=1.2222, df=1, p=0.2689; last login: χ2=1.015, df=1, p=0.3136).

TABLE I: Success rates of gridWordX and text-based passwords.

                      gridWordX Success Rates    Text-based Success Rates
Create & Confirm      33/33   100.00%            33/33   100.00%
Login (1st wk)        33/33   100.00%            33/33   100.00%
Login (2nd wk)        22/33    66.67%            26/33    78.79%
Login (3rd wk)        33/33   100.00%            33/33   100.00%
Login (4th wk)        32/33    96.97%            33/33   100.00%

TABLE II: Effects of shuffles on success rates for gridWordX.

Number of Shuffles              Low (0-5)      High (> 5)
Number of Trials                23 (69.70%)    10 (30.30%)
Confirmation Success Rates      100.00%        100.00%
Login (1st wk) Success Rates    100.00%        100.00%
Login (2nd wk) Success Rates     65.22%         70.00%
Login (3rd wk) Success Rates    100.00%        100.00%
Login (4th wk) Success Rates     95.65%        100.00%

C. Shuffles

The total number of shuffles in gridWordX has a mean of 5.15 and a median of 2.00. Ten participants shuffled more than 5 times. Note that shuffling is not applicable to text-based passwords. In Table II, the effects of the number of shuffles on success rates are presented.

D. Modes of Input in gridWordX

As Table III shows, most participants preferred touching or clicking on the grid as their primary input mode. Independent of the device type, only a few participants opted to enter their gridWordX passwords using the combo-boxes or a combination of input modes. This supports hypothesis 3 but not hypothesis 4. As seen from Fig. 6, entering the gridWordX password using the grid leads to better timing performance than the other modes of input on both devices.

TABLE III: Frequency of input modes for gridWordX.

                    Grid    Combo-box    Hybrid
Create & Confirm    27      4            2
Login 1st wk        28      2            3
Login 2nd wk        28      1            4
Login 3rd wk        30      1            2
Login 4th wk        28      3            2

E. User Opinion and Perception

Participants completed a 10-point Likert-scale questionnaire where 1 indicates strong disagreement and 10 means strong agreement. User responses indicate a positive perception of gridWordX: easy to create a password, easy to use on both desktop and mobile device, and at least as secure as text passwords. Although before the study we had explicitly asked participants to create and use a text password different from their passwords already in use, a closer analysis related to the last question reveals that 16 out of 33 participants used text passwords which are the same as or similar to their old passwords.

TABLE IV: gridWordX Questionnaire responses.

Question                                                                              Mean
1. I easily created a password with gridWordX                                         8.42
2. Logging on using gridWordX was easy on my laptop/desktop                           8.45
3. Logging on using gridWordX was easy on the Galaxy Tab                              8.61
4. I like gridWordX at least as much as text passwords                                8.00
5. gridWordX is at least as secure as text passwords                                  7.88
6. The text password I entered is similar to one of the passwords I used previously   4.73

VI. DISCUSSION

Our first hypothesis, that login times of gridWordX are shorter than those of text passwords on mobile devices having a soft keyboard, is supported by the results of our user study. Our lab study shows that participants entered their gridWordX passwords significantly faster than text-based passwords during login when using a mobile device.

Our second hypothesis, that login times of gridWordX are comparable to those of text passwords on desktop machines, is also supported (on desktops, the average login time with gridWordX is slightly shorter than the time with text passwords, but the difference is not significant). A closer look at login times in each session (as shown in Fig. 7a) reveals that login times of gridWordX on desktops are shorter in the second session than in the first session (as opposed to text passwords). We do not know whether the apparent difference is real, but if it is, then it could be attributed to the fact that participants were confronted with the desktop interface of gridWordX for the first time in their first logins, but got more comfortable and became faster in their second trials. On the other hand, it could be of interest why a similar trend is not observed in the login times on the mobile device. Fig. 7b shows that login times of both text passwords and gridWordX increase in the second session as compared to the first session. We speculate that since participants create and confirm their passwords before the first login, it took less time for them to log in as compared to the second login. Nevertheless, we think the most important point here is that gridWordX has login times comparable to those of text passwords on desktops (Fig. 5c presents the cumulative results), which supports our second hypothesis.

(a) Lab Study

(b) Web Study

Fig. 6: Timing performances as a function of input modes in gridWordX.

Our third hypothesis, that on mobile devices most users prefer touching the grid over typing via the soft keyboard to enter their gridWordX passwords, is supported (see Table III). Our fourth and final hypothesis, that on desktop machines most users prefer typing via the keyboard over clicking on the grid to enter their gridWordX passwords, is not supported. Users do not prefer typing via the keyboard independent of which kind of device is in use (on desktops, only one participant preferred to enter the gridWordX password using the combo-boxes). This user behavior is in contrast to the observation we made in our pilot study. As mentioned, in the pilot study most users preferred entering their gridWord passwords with the keyboard. This behavior change could have two different reasons. First of all, we made a couple of crucial changes in the interface which make it easier to click on the grid. But this is not the only change; unlike in the pilot study, participants used the mobile version of gridWordX before seeing the desktop version. This second factor may also play a role in user preference. Due to the limitations in the design of our user study, we cannot clearly distinguish which factor is more significant.

Besides the results pertaining to our hypotheses, other results of the user study are discussed as follows. As seen from Table I, success rates of gridWordX are lower than those of text-based passwords (the difference is not statistically significant). This result may be due to the fact that participants had to use completely new passwords for gridWordX, whereas according to the results of the questionnaire almost half of the participants reused their previous text passwords or created related ones. Moreover, when we examine user-chosen text passwords, we find weak passwords such as “qwertyui”. This kind of user behavior leads to a reduced memory load and causes higher login success rates for text passwords (in addition, it may also have the effect of reducing login times). We think that a future study which leverages the idea of persuasion also for text passwords, or simply assigns system-generated text passwords, will provide a more ecologically valid comparison between text passwords and gridWordX in terms of password memorability.

Table II shows success rates for gridWordX as a function of the number of shuffles. We divide participants into two groups: those who shuffled five times or fewer and those who shuffled more than five times. Participants who shuffled more than five times have higher login success rates (the difference is not statistically significant). This result is consistent with the results for shuffling in the PCCP scheme [2].

As Fig. 6 shows, the other two modes of input for gridWordX have poorer performance than using the grid, even on a desktop. This might be a result not expected by those who think using the keyboard should be faster than using the mouse. We think it is not possible to reach definite conclusions on this aspect due to the limited number of users who preferred using the keyboard.

Limitations. We mentioned a couple of technical limitations of our user study in the above paragraphs. We end this section by presenting other known limitations of our user study. The study was done with a modest number of participants, and the resulting measurements have fairly large variances. We used role-playing university students, not a representative sample of the general user population. In the questionnaire, we asked participants to agree/disagree with statements that are positive toward the system under test. It is possible that participants wanted to please us by saying they agree.

(a) Desktop Login Times (Web Study)

(b) Mobile Login Times (Lab Study)

Fig. 7: Change in login times for gridWordX and text passwords.

Fig. 8: Frequency of cell selections in the user study.

VII. SECURITY ANALYSIS

In this section we make a security analysis of gridWordX passwords and investigate the effects of user choice. The theoretical password space can be easily calculated (104 × 103 × 102 ≈ 2^20, for three distinct words chosen from the 104 cells of the 13 × 8 grid). However, two issues can reduce the effective password space [17]: hotspots and patterns. Below, we analyze the gridWordX passwords collected in our user study with respect to these two issues by adapting the techniques previously used to analyze the security of different graphical password schemes [8], [9], [17].

For gridWordX, hotspots can be defined as the cells (words) which are more likely to be chosen by the users. Although the initial password suggestion is random in gridWordX, hotspots are still an issue and may reduce the password space due to the use of the shuffle property. Fig. 8 shows the frequency of each cell being selected in the dataset collected in our user study. One of the cells was selected 4 times and 8 words showed up 3 times. 38.46% of the words were never selected.

To analyze how different this distribution is from a random one, we generate 100 random datasets, each of which consists of 33 pairs of (x, y) coordinates; x ranges from 1 to 13 (the number of columns in gridWordX) and y ranges from 1 to 8 (the number of rows in gridWordX). Then, we calculate rough estimates of password entropy for the collected dataset together with the random datasets using the formula H(X) defined in [17]. Our rough estimate of the password entropy of the collected dataset is 16.88, which lies between the maximum (17.34) and minimum (16.01) entropy values of the simulated datasets. Since each random dataset represents a chance to include the observed data, with 99% probability the user study dataset is one that could have occurred by chance. This analysis gives evidence that hotspots do not skew the password distribution for gridWordX. It suggests that the estimated entropy is lower than the theoretical value not because of user choices but due to the small number of passwords involved.

To provide additional insight into user choice issues, the median value for each random dataset is calculated and the maximum and minimum median values are determined. Figure 9 shows the distribution of the collected dataset along the 2D grid together with the random datasets’ max and min median values. We observe that the median value of the real dataset does not fall outside the range between the maximum and minimum medians of the simulated datasets; hence it is not likely that the real dataset has exploitable patterns of this particular form.

As a third and final analysis, we examine the length of segments in the collected dataset. Our motivation for this analysis is that if attackers have information about the distances between two cells, they may use this information to make an attack more successful than random trials. In our data, there are three segments formed between two adjacent cells. The first segment is constituted by the first and second cells, the second one by the second and third cells, and the last one by the third and first cells. Figure 10 presents the box plots of the Euclidean distances between two adjacent cells. The red mark (circle) and blue mark (triangle) represent the maximum and minimum median values for the simulated datasets, respectively. The median values of our observed dataset are between the maximum and minimum median values of the simulated datasets. This means that segment lengths of gridWordX are equally distributed and indiscernible from the simulated datasets’ segment lengths. In our security analysis, we looked at several ways the password distribution might be skewed and conclude that these skews are not present. We note the possibility that the distribution could be skewed in some other way we have not analyzed.

Fig. 9: Box plots of word (cell) distribution along the x- and y-axes. Lines with circles and with triangles respectively represent the simulation datasets’ max and min median values. The origin (0,0) is the top-left corner of the grid.
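The hotspot and segment-length checks described in this section, as an added example that is not the paper's own code: it generates random 13 × 8 grid datasets of the same size as the collected one, compares an observed dataset's entropy with the simulated min/max range, and computes the three Euclidean segment lengths of a password. The entropy estimate is an assumption (plain Shannon entropy over cell frequencies) standing in for the H(X) formula of [17], which the page does not restate, so it does not reproduce the paper's 16.88-bit figure; the sample dataset is constructed, not the study data.

```python
import math
import random
from collections import Counter

# gridWordX geometry stated in the paper: 13 columns x 8 rows = 104 cells, 3 words per password.
COLS, ROWS = 13, 8

def theoretical_space_bits():
    """log2 of the number of 3-word passwords over distinct cells: 104 * 103 * 102."""
    n = COLS * ROWS
    return math.log2(n * (n - 1) * (n - 2))

def cell_entropy_bits(cells):
    """Shannon entropy (bits) of the empirical cell-frequency distribution.
    Assumption: a stand-in for the H(X) estimate of [17], whose formula the paper does
    not restate; it therefore does not reproduce the paper's 16.88-bit figure."""
    counts = Counter(cells)
    n = len(cells)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def random_dataset(n_cells, rng):
    """One simulated dataset: n_cells uniformly random (x, y) cells, x in 1..13, y in 1..8."""
    return [(rng.randint(1, COLS), rng.randint(1, ROWS)) for _ in range(n_cells)]

def hotspot_check(observed, n_sets=100, seed=2013):
    """Monte Carlo hotspot test: is the observed entropy inside the [min, max] range of
    n_sets random datasets of the same size? Returns (h_obs, h_min, h_max, within)."""
    rng = random.Random(seed)
    sims = [cell_entropy_bits(random_dataset(len(observed), rng)) for _ in range(n_sets)]
    h = cell_entropy_bits(observed)
    return h, min(sims), max(sims), min(sims) <= h <= max(sims)

def segment_lengths(password):
    """Euclidean lengths of the three segments 1-2, 2-3 and 3-1 of a 3-cell password."""
    a, b, c = password
    def dist(p, q):
        return math.hypot(p[0] - q[0], p[1] - q[1])
    return dist(a, b), dist(b, c), dist(c, a)

if __name__ == "__main__":
    # Constructed sample, not the paper's data: 11 passwords (33 cells), three cells repeated.
    rng = random.Random(7)
    sample = random_dataset(33, rng)
    sample[5], sample[20], sample[31] = sample[0], sample[0], sample[12]
    print("theoretical space: %.2f bits" % theoretical_space_bits())
    h, lo, hi, ok = hotspot_check(sample)
    print("observed %.2f bits, simulated range [%.2f, %.2f], within range: %s" % (h, lo, hi, ok))
    for i in range(0, 33, 3):
        print("segment lengths:", ["%.2f" % d for d in segment_lengths(sample[i:i + 3])])
```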

VIII. CONCLUSION

Typing passwords is unpleasant, especially when small devices are in use. In this paper, we introduce gridWordX, a new knowledge-based authentication scheme accommodating users who alternately log in from devices with, and without, full physical keyboards. The new scheme improves on the idea of multi-word passwords by introducing dual modes of input, which enables users to recognize and select each word displayed on a 2D grid with a single touch. Our user study, which involves lab and web sessions, shows that gridWordX has significantly shorter login times than text passwords on a mobile device. In addition, most users choose to enter gridWordX passwords by clicking on the grid rather than by typing via the keyboard even on a desktop machine, which leads to login times comparable to those of text passwords on desktops. Based on the user study findings, we conclude that gridWordX is a promising alternative to text passwords for those who access the same sites from mobile devices and desktops. In the future, we intend to compare recall of gridWordX passwords with recall of text passwords in a long-term study.

ACKNOWLEDGMENT

We would like to thank David Wagner (our shepherd), Paul C. van Oorschot and the anonymous referees for their helpful comments.

Fig. 10: Box plots of Euclidean distance (in number of cells) between adjacent cells. Lines with circles and with triangles represent the simulation datasets’ max and min median values, respectively.

REFERENCES

[1] C. Herley and P. van Oorschot, “A research agenda acknowledging the persistence of passwords,” IEEE Security & Privacy, vol. 10, no. 1, pp. 28–36, Jan.–Feb. 2012.

[2] S. Chiasson, A. Forget, R. Biddle, and P. C. van Oorschot, “Influencing users towards better passwords: persuasive cued click-points,” in Proceedings of the 22nd British HCI Group Annual Conference on People and Computers: Culture, Creativity, Interaction - Volume 1, ser. BCS-HCI ’08. Swinton, UK: British Computer Society, 2008, pp. 121–130. [Online]. Available: http://dl.acm.org/citation.cfm?id=1531514.1531531

[3] N. Wright, A. S. Patrick, and R. Biddle, “Do you see your password?: applying recognition to textual passwords,” in Proceedings of the Eighth Symposium on Usable Privacy and Security, ser. SOUPS ’12. New York, NY, USA: ACM, 2012, pp. 8:1–8:14. [Online]. Available: http://doi.acm.org/10.1145/2335356.2335367

[4] I. S. MacKenzie, S. X. Zhang, and R. W. Soukoreff, “Text entry using soft keyboards,” Behaviour and Information Technology, vol. 18, no. 4, pp. 235–244, 1999. [Online]. Available: http://www.tandfonline.com/doi/abs/10.1080/014492999118995

[5] K. Bicakci and P. C. van Oorschot, “A multi-word password proposal (gridWord) and exploring questions about science in security research and usable security evaluation,” in Proceedings of the 2011 New Security Paradigms Workshop, ser. NSPW ’11. New York, NY, USA: ACM, 2011, pp. 25–36. [Online]. Available: http://doi.acm.org/10.1145/2073276.2073280

[6] M. Chong and G. Marsden, “Exploring the use of discrete gestures for authentication,” in INTERACT 2009, Part II, LNCS 5727. Springer, 2009, pp. 205–213.

[7] M. Jakobsson, E. Shi, P. Golle, and R. Chow, “Implicit authentication for mobile devices,” in Proceedings of USENIX HotSec, 2009.

[8] S. Chiasson, E. Stobert, A. Forget, R. Biddle, and P. C. van Oorschot, “Persuasive cued click-points: Design, implementation, and evaluation of a knowledge-based authentication mechanism,” IEEE Trans. Dependable Secur. Comput., vol. 9, no. 2, pp. 222–235, Mar. 2012. [Online]. Available: http://dx.doi.org/10.1109/TDSC.2011.55

[9] S. Chiasson, E. Stobert, A. Forget, R. Biddle, and P. C. van Oorschot, “Persuasive cued click-points: Design, implementation, and evaluation of a knowledge-based authentication mechanism,” IEEE Trans. Dependable Secur. Comput., vol. 9, no. 2, pp. 222–235, 2012.

[10] D. Florêncio, C. Herley, and B. Coskun, “Do strong web passwords accomplish anything?” in Proceedings of the 2nd USENIX Workshop on Hot Topics in Security, ser. HOTSEC’07. Berkeley, CA, USA: USENIX Association, 2007, pp. 10:1–10:6. [Online]. Available: http://dl.acm.org/citation.cfm?id=1361419.1361429

[11] M. Brians, “LastPass potentially hacked, users urged to change master passwords,” http://thenextweb.com/apps/2011/05/05/, 2011. [Online; last accessed on 05-Feb-2013].

[12] R. Biddle, M. Mannan, P. van Oorschot, and T. Whalen, “User study, analysis, and usable security of passwords based on digital objects,” IEEE Transactions on Information Forensics and Security, vol. 6, no. 3, pp. 970–979, Sept. 2011.

[13] M. Mannan and P. van Oorschot, “Passwords for both mobile and desktop computers: ObPwd for Firefox and Android,” USENIX ;login:, vol. 37, no. 4, pp. 28–37, 2012.

[14] M. Jakobsson and R. Akavipat, “Rethinking passwords to adapt to constrained keyboards,” in Mobile Security Technologies, 2012.

[15] W. Burr, “Electronic authentication guideline,” NIST Special Publication 800-63, 2006.

[16] U. Cil, “Source code of gridWordX for Android-based mobile devices,” http://bicakci.etu.edu.tr/gridwordx/readme.html, Feb. 2013.

[17] K. Bicakci, N. B. Atalay, M. Yuceel, and P. C. van Oorschot, “Exploration and field study of a password manager using icon-based passwords,” in Financial Cryptography Workshops, 2011, pp. 104–118.
