Purely Automated Attacks on PassPoints-Style Graphical Passwords
We introduce and evaluate various methods for purely automated attacks against PassPoints-style graphical passwords. For generating these attacks, we introduce a graph-based algorithm to efficiently create dictionaries based on heuristics such as click-order patterns (e.g., $5$ points all along a line). Some of our methods combine click-order heuristics with focus-of-attention scan-paths generated from a computational model of visual attention, yielding significantly better automated attacks than previous work. One resulting automated attack finds $7$-$16\%$ of passwords for two representative images using dictionaries of approximately $2^{26}$ entries (where the full password space is $2^{43}$). Relaxing the click-order patterns substantially increased attack efficacy, albeit with larger dictionaries of approximately $2^{35}$ entries, allowing attacks that guessed $48$-$54\%$ of passwords (compared to previous results of $1\%$ and $9\%$ on the same dataset for two images with $2^{35}$ guesses). These latter attacks are independent of focus-of-attention models and are based on image-independent guessing patterns. Our results show that automated attacks, which are easier to arrange than human-seeded attacks and are more scalable to systems that use multiple images, pose a significant threat to basic PassPoints-style graphical passwords.

In IEEE Transactions on Information Forensics and Security.
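
The following is an added illustration of the dictionary-generation idea sketched in the abstract; it is not code from the paper. It assumes (these are this example's assumptions, not statements from the paper) that the image is discretised into tolerance cells of a fixed pixel size and a password is the ordered list of clicked cells, and it defines two click-order patterns of its own: `line_pattern` (every step is a positive multiple of the first, i.e. the points lie along a line in one direction) and the looser `no_reversal_pattern` (the path never reverses direction on either axis). A pattern's dictionary is the set of all cell sequences satisfying it, so it can be enumerated, or merely counted by walking the cell graph, without looking at the image. The 451x331 image and 19-pixel tolerance used in the `__main__` block are illustrative values chosen so the full space lands near the $2^{43}$ quoted above.

```python
"""Click-order-pattern dictionaries for PassPoints-style passwords.

Added illustration; not the paper's code.  Assumptions, labelled here:
  * the image is discretised into TOL x TOL pixel tolerance cells and a
    password is the ordered list of cells that were clicked;
  * a click-order pattern is a predicate on the step vectors between
    consecutive clicks, so its dictionary can be generated or counted
    without looking at the image (an image-independent guessing pattern).
"""
from functools import lru_cache
from itertools import product
import math


def sign(v):
    return (v > 0) - (v < 0)


def grid_dims(width, height, tol):
    """Tolerance cells per axis, e.g. grid_dims(451, 331, 19) -> (24, 18).
    (451x331 px and 19 px tolerance are illustrative values assumed here.)"""
    return math.ceil(width / tol), math.ceil(height / tol)


def to_cells(clicks, tol):
    """Map pixel clicks [(x, y), ...] to the cell sequence a guess must match."""
    return [(x // tol, y // tol) for x, y in clicks]


def steps(seq):
    """Step vectors between consecutive clicks."""
    return [(x2 - x1, y2 - y1) for (x1, y1), (x2, y2) in zip(seq, seq[1:])]


def line_pattern(seq):
    """'All points along a line' (this example's definition): every step is
    a positive multiple of the first step, so the cells are collinear,
    visited in one direction, and never repeated."""
    st = steps(seq)
    if not st:
        return True
    if any(s == (0, 0) for s in st):
        return False
    dx, dy = st[0]
    return all(dx * ey - dy * ex == 0 and dx * ex + dy * ey > 0 for ex, ey in st)


def no_reversal_pattern(seq):
    """Relaxed pattern (this example's definition): on each axis the path
    never reverses direction; a zero component is neutral.  Every
    line_pattern sequence qualifies, plus many more, so the dictionary grows."""
    st = steps(seq)
    if any(s == (0, 0) for s in st):
        return False
    for axis in (0, 1):
        if len({sign(s[axis]) for s in st} - {0}) > 1:
            return False
    return True


def enumerate_dictionary(cols, rows, n_clicks, pattern):
    """Exhaustively list the dictionary for `pattern`.  Small grids only:
    the search space is (cols*rows) ** n_clicks sequences."""
    cells = [(x, y) for x in range(cols) for y in range(rows)]
    return [seq for seq in product(cells, repeat=n_clicks) if pattern(seq)]


def count_no_reversal(cols, rows, n_clicks):
    """Size of the no_reversal_pattern dictionary without enumerating it.
    Walk the cell graph with state (cell, committed x-sign, committed y-sign):
    at most cols*rows*9 states per remaining-click count, so real grids are cheap."""
    cells = [(x, y) for x in range(cols) for y in range(rows)]

    @lru_cache(maxsize=None)
    def extend(x, y, sx, sy, remaining):
        if remaining == 0:
            return 1
        total = 0
        for nx, ny in cells:
            dx, dy = nx - x, ny - y
            if dx == 0 and dy == 0:
                continue  # a repeated cell is not a step
            nsx = sx if dx == 0 else sign(dx)
            nsy = sy if dy == 0 else sign(dy)
            if (sx and nsx != sx) or (sy and nsy != sy):
                continue  # direction reversal on some axis
            total += extend(nx, ny, nsx, nsy, remaining - 1)
        return total

    return sum(extend(x, y, 0, 0, n_clicks - 1) for x, y in cells)


def dictionary_bits(cols, rows, n_clicks):
    """log2 of the full password space and of the no-reversal dictionary."""
    full = (cols * rows) ** n_clicks
    return math.log2(full), math.log2(count_no_reversal(cols, rows, n_clicks))


if __name__ == "__main__":
    cols, rows = grid_dims(451, 331, 19)  # assumed image size and tolerance
    full_bits, dict_bits = dictionary_bits(cols, rows, 5)
    print(f"{cols}x{rows} cells, 5 clicks: full space 2^{full_bits:.1f}, "
          f"no-reversal dictionary 2^{dict_bits:.1f}")
    # Constructed password: five clicks marching down and right across the image.
    pw = to_cells([(30, 40), (90, 70), (150, 120), (260, 180), (400, 300)], 19)
    print("line dictionary:", line_pattern(pw),
          "no-reversal dictionary:", no_reversal_pattern(pw))
```

The point of `count_no_reversal` is that a guessing pattern defined purely on the cell graph has a closed dictionary size you can compute before mounting an attack, which is how one compares a pattern's coverage against the full space; membership of a captured password is just the predicate, so testing whether a given password would have fallen to a pattern attack needs no stored dictionary at all.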