Design of the user interface for authentication systems influences users and may encourage either secure or insecure behaviour. Using data from four different but closely related click-based graphical password studies, we show that user-selected passwords vary considerably in their predictability. Our post-hoc analysis looks at click-point patterns within passwords and shows that PassPoints passwords follow distinct patterns. Our analysis shows that many patterns appear across a range of images, thus motivating attacks which are independent of specific background images. Conversely, Cued Click-Points (CCP) and Persuasive Cued Click-Points (PCCP) passwords are nearly indistinguishable from those of a randomly generated simulated dataset. These results provide insight on modeling effective password spaces and on how user interface characteristics lead to more (or less) security resulting from user behaviour.

International Journal of Information Security
School of Computer Science

Chiasson, S, Forget, A. (Alain), Biddle, R, & Van Oorschot, P. (2009). User interface design affects security: Patterns in click-based graphical passwords. International Journal of Information Security, 8(6), 387–398. doi:10.1007/s10207-009-0080-7