On Purely Automated Attacks and Click-Based Graphical Passwords


We present and evaluate various methods for purely automated attacks against click-based graphical passwords. Our purely automated methods combine click-order heuristics with focus-of-attention scan-paths generated from a computational model of visual attention. This method yields a significantly better automated attack than previous work, guessing $8$-$15\%$ of passwords for two representative images using dictionaries of fewer than $2^{24.6}$ entries, and about $16\%$ of passwords on each of these images using dictionaries of fewer than $2^{31.4}$ entries (where the full password space is $2^{43}$). Relaxing our click-order pattern substantially increased the efficacy of our attack, albeit with larger dictionaries of $2^{34.7}$ entries, allowing attacks that guessed $48$-$54\%$ of passwords (compared to previous results of $0.9\%$ and $9.1\%$ on the same two images with $2^{35}$ guesses). These latter automated attacks are independent of focus-of-attention models and are based on image-independent guessing patterns. Our results show that automated attacks, which are easier to arrange than human-seeded attacks and scale better to systems that use multiple images, pose a significant threat.

In Proceedings of the 2008 Annual Computer Security Applications Conference (ACSAC’08).