We present and evaluate various methods for purely automated attacks against click-based graphical passwords. Our purely automated methods combine click-order heuristics with focus-of-attention scan-paths generated from a computational model of visual attention. Our method results in a significantly better automated attack than previous work, guessing 8-15% of passwords for two representative images using dictionaries of less than 224.6 entries, and about 16% of passwords on each of these images using dictionaries of less than 231.4 entries (where the full password space is 243). Relaxing our click-order pattern substantially increased the efficacy of our attack albeit with larger dictionaries of 234.7 entries, allowing attacks that guessed 48-54% of passwords (compared to previous results of 0.9% and 9.1% on the same two images with 235 guesses). These latter automated attacks are independent of focus-of-attention models, and are based on image-independent guessing patterns. Our results show that automated attacks, which are easier to arrange than human-seeded attacks and are more scalable to systems that use multiple images, pose a significant threat.

24th Annual Computer Security Applications Conference, ACSAC 2008
School of Computer Science

Salehi-Abari, A. (Amirali), Thorpe, J. (Julie), & Van Oorschot, P. (2008). On purely automated attacks and click-based graphical passwords. Presented at the 24th Annual Computer Security Applications Conference, ACSAC 2008. doi:10.1109/ACSAC.2008.18