Design of the user interface for authentication systems influences users and may encourage either secure or insecure behaviour. Using data from four different but closely related click-based graphical password studies, we show that user-selected passwords vary considerably in their predictability. Our post-hoc analysis looks at click-point patterns within passwords and shows that PassPoints passwords follow distinct patterns. Our analysis shows that many patterns appear across a range of images, thus motivating attacks which are independent of specific background images. Conversely, Cued Click-Points (CCP) and Persuasive Cued Click-Points (PCCP) passwords are nearly indistinguishable from those of a randomly generated simulated dataset. These results provide insight on modeling effective password spaces and on how user interface characteristics lead to more (or less) security resulting from user behaviour.

Authentication, Graphical passwords, Usable security
International Journal of Information Security
School of Computer Science

Chiasson, S, Forget, A. (Alain), Biddle, R, & Van Oorschot, P. (2009). User interface design affects security: Patterns in click-based graphical passwords. International Journal of Information Security, 8(6), 387–398. doi:10.1007/s10207-009-0080-7