Click-based graphical passwords are a new method of authentication where passwords are created and entered by clicking in particular places on an image. This paper presents a study that investigated eye tracking as a potential threat to the security of such passwords. If the gaze data from people looking at an image resembles the click-points of other people's passwords, then covert eye tracking might be used to create dictionaries that guess passwords effectively. The study used an eye tracker to record the participants' gaze as they looked at images that had been used as the basis for passwords in an earlier study. We then compared the eye tracker data with the actual password click-points gathered during the earlier study, and conducted several forms of analysis to determine the likely success of guessing passwords. The eye tracker data did somewhat resemble the password click-points, and might offer attackers an advantage over guessing at random. The effectiveness shown for this approach was limited, however; refinements might nevertheless make it more dangerous, especially if gaze data could be gathered without explicit interaction.
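The comparison the abstract describes, as an added illustration that is not the paper's code or data: gaze fixations are clustered into hotspots, the densest hotspots form a guessing dictionary, and that dictionary is scored by the fraction of password click-points it covers within a click tolerance, against a random-guessing baseline. The image size, tolerance radius, grid clustering and every coordinate below are constructed assumptions.

```python
"""Added example: how much does a gaze-derived hotspot dictionary resemble
password click-points? All numbers are constructed, not study data."""
from collections import Counter
from math import hypot, pi

IMAGE_W, IMAGE_H = 640, 480   # assumed image size in pixels
TOLERANCE = 19                # assumed click tolerance radius (PassPoints-style)
CELL = 2 * TOLERANCE          # grid cell size used to cluster gaze fixations

# Constructed gaze fixations: three dense clusters plus a few stray fixations.
FIXATIONS = [
    (100, 100), (102, 98), (97, 103), (105, 101), (99, 96),   # cluster A
    (300, 200), (298, 204), (301, 197), (295, 202),           # cluster B
    (500, 400), (503, 398), (497, 405),                       # cluster C
    (50, 300), (600, 50), (400, 450),                         # strays
]
# Constructed password click-points from a hypothetical earlier study.
CLICK_POINTS = [(98, 99), (303, 207), (510, 402), (200, 300), (620, 470)]


def hotspots(fixations, top_k):
    """Bin fixations into CELL x CELL grid cells and return the centres
    of the top_k densest cells, ordered by density (the dictionary)."""
    counts = Counter((x // CELL, y // CELL) for x, y in fixations)
    ranked = [cell for cell, _ in counts.most_common(top_k)]
    return [(cx * CELL + CELL // 2, cy * CELL + CELL // 2) for cx, cy in ranked]


def covered(point, dictionary):
    """True if point lies within TOLERANCE of any dictionary entry."""
    px, py = point
    return any(hypot(px - gx, py - gy) <= TOLERANCE for gx, gy in dictionary)


def coverage(click_points, dictionary):
    """Fraction of click-points that a dictionary would guess correctly."""
    hits = sum(covered(p, dictionary) for p in click_points)
    return hits / len(click_points)


def random_baseline(top_k):
    """Expected coverage of top_k uniformly random guesses: the share of the
    image their tolerance discs cover (upper bound; overlap ignored)."""
    return min(1.0, top_k * pi * TOLERANCE ** 2 / (IMAGE_W * IMAGE_H))


if __name__ == "__main__":
    for k in (1, 3):
        print(k, coverage(CLICK_POINTS, hotspots(FIXATIONS, k)), random_baseline(k))
```

With three hotspots the constructed dictionary covers 60% of the click-points where three random guesses would be expected to cover about 1%, which is the kind of gap that would indicate gaze data gives an attacker an advantage; a similar measurement on a site's own images shows whether the images in use are at risk.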

Conference: 2010 8th International Conference on Privacy, Security and Trust, PST 2010
LeBlanc, D. (Daniel), Forget, A. (Alain), & Biddle, R. (2010). Guessing click-based graphical passwords by eye tracking. Presented at the 2010 8th International Conference on Privacy, Security and Trust, PST 2010. doi:10.1109/PST.2010.5593249