{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,6]],"date-time":"2025-11-06T00:51:49Z","timestamp":1762390309103,"version":"3.41.0"},"reference-count":47,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2008,1,1]],"date-time":"2008-01-01T00:00:00Z","timestamp":1199145600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Inf. Syst. Secur."],"published-print":{"date-parts":[[2008,1]]},"abstract":"<jats:p>\n            In commonplace text-based password schemes, users typically choose passwords that are easy to recall, exhibit patterns, and are thus vulnerable to brute-force dictionary attacks. This leads us to ask whether other types of passwords (e.g., graphical) are also vulnerable to dictionary attack because of users tending to choose memorable passwords. We suggest a method to predict and model a number of such classes for systems where passwords are created solely from a user's memory. We hypothesize that these classes define weak password subspaces suitable for an attack dictionary. For user-drawn graphical passwords, we apply this method with cognitive studies on visual recall. These cognitive studies motivate us to define a set of\n            <jats:italic>password complexity factors<\/jats:italic>\n            (e.g., reflective symmetry and stroke count), which define a set of classes. To better understand the size of these classes and, thus, how weak the password subspaces they define might be, we use the \u201cDraw-A-Secret\u201d (DAS) graphical password scheme of Jermyn et al. [1999] as an example. 
We analyze the size of these classes for DAS under convenient parameter choices and show that they can be combined to define apparently popular subspaces that have bit sizes ranging from 31 to 41\u2014a surprisingly small proportion of the full password space (58 bits). Our results quantitatively support suggestions that user-drawn graphical password systems employ measures, such as graphical password rules or guidelines and proactive password checking.\n          <\/jats:p>","DOI":"10.1145\/1284680.1284685","type":"journal-article","created":{"date-parts":[[2008,2,8]],"date-time":"2008-02-08T15:32:16Z","timestamp":1202484736000},"page":"1-33","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":50,"title":["On predictive models and user-drawn graphical passwords"],"prefix":"10.1145","volume":"10","author":[{"given":"P. C. van","family":"Oorschot","sequence":"first","affiliation":[{"name":"Carleton University, Ottawa, Ontario, Canada"}]},{"given":"Julie","family":"Thorpe","sequence":"additional","affiliation":[{"name":"Carleton University, Ottawa, Ontario, Canada"}]}],"member":"320","published-online":{"date-parts":[[2008,1,22]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.2307\/1418892"},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1037\/h0043921"},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2006.879305"},{"key":"e_1_2_1_4_1","unstructured":"Blonder G. 1996. Graphical passwords. United States Patent 5559961."},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.3758\/BF03212900"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1037\/h0071176"},{"volume":"773","volume-title":"Proceedings of the 13th Annual International Cryptology Conference on Advances in Cryptology. 
Lecture Notes In Computer Science;","author":"Daemen J.","key":"e_1_2_1_7_1"},{"volume-title":"13th USENIX Security Symposium.","author":"Davis D.","key":"e_1_2_1_8_1"},{"volume-title":"9th USENIX Security Symposium.","author":"Dhamija R.","key":"e_1_2_1_9_1"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1037\/h0061098"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/506443.506639"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/1060745.1060815"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.3758\/BF03203221"},{"key":"e_1_2_1_14_1","doi-asserted-by":"crossref","unstructured":"Jansen W. Gavrilla S. Korolev V. Ayers R. and R. S. 2003. Picture password: A visual login technique for mobile devices. NIST Report - NISTIR7030.","DOI":"10.6028\/NIST.IR.7030"},{"volume-title":"8th USENIX Security Symposium.","author":"Jermyn I.","key":"e_1_2_1_15_1"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1037\/h0068244"},{"volume-title":"The 2nd USENIX Security Workshop. 5--14","year":"1990","author":"Klein D.","key":"e_1_2_1_17_1"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/1143120.1143129"},{"key":"e_1_2_1_19_1","unstructured":"Madigan S. 1983. Picture Memory. In Imagery Memory and Cognition J. C. Yuille Ed. Lawrence Erlbaum Mahwah NJ. 65--89."},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.2307\/1422726"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISIT.1994.394764"},{"key":"e_1_2_1_22_1","unstructured":"Menezes A. J. van Oorschot P. C. and Vanstone S. A. 1996. Handbook of Applied Cryptography. CRC Press Boca Raton FL. 290--291. Note 8.8."},
{"key":"e_1_2_1_23_1","unstructured":"Monrose F. 1999. Towards Stronger User Authentication. Ph.D. thesis NY University."},{"key":"e_1_2_1_24_1","first-page":"147","article-title":"Graphical passwords. In Security and Usability, L. Cranor and S. Garfinkel, Eds. O'Reilly Media Inc., Sebastopol, CA","volume":"9","author":"Monrose F.","year":"2005","journal-title":"Chapter"},{"key":"e_1_2_1_25_1","unstructured":"Muffett A. 2004. Crack password cracker. http:\/\/ciac.llnl.gov\/ciac\/ToolsUnixAuth.html site accessed Jan. 12 2004."},{"key":"e_1_2_1_26_1","doi-asserted-by":"crossref","unstructured":"Nakajima J. and Matsui M. 2002. Performance analysis and parallel implementation of dedicated hash functions. In Advances in Cryptology -- Proceedings of EUROCRYPT 2002. 165--180.","DOI":"10.1007\/3-540-46035-7_11"},{"volume-title":"Tech. Report TR-04-01, School of Computer Science","year":"2004","author":"Nali D.","key":"e_1_2_1_27_1"},{"key":"e_1_2_1_28_1","unstructured":"Openwall Project. 2004a. John the Ripper password cracker. http:\/\/www.openwall.com\/john\/ site accessed Jan.7 2004."},{"key":"e_1_2_1_29_1","unstructured":"Openwall Project. 2004b. Wordlists. http:\/\/www.openwall.com\/passwords\/wordlists\/ site accessed Jan.7 2004."},
{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.2307\/1415350"},{"volume-title":"International Workshop on Cryptographic Techniques and E-Commerce. 131--138","author":"Perrig A.","key":"e_1_2_1_31_1"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/586110.586133"},{"volume-title":"Proceedings of the USENIX Annual Technical Conference.","author":"Provos N.","key":"e_1_2_1_33_1"},{"key":"e_1_2_1_34_1","unstructured":"Real User Corporation. 2004. About passfaces. http:\/\/www.realuser.com\/cgi-bin\/ru.exe\/_\/ homepages\/technology\/passface.htm site accessed May 25 2004."},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1002\/j.1538-7305.1948.tb01338.x"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/63526.63527"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1016\/0167-4048(92)90207-8"},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2005.27"},{"key":"e_1_2_1_39_1","unstructured":"Tao H. 2006. Pass-Go a New Graphical Password Scheme. M.S. thesis School of Information Technology and Engineering University of Ottawa Canada."},{"volume-title":"13th USENIX Security Symposium (Aug. 9--13)","author":"Thorpe J.","key":"e_1_2_1_40_1"},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2004.44"},{"key":"e_1_2_1_43_1","unstructured":"Tyler C. 1996. Human symmetry perception. In Human Symmetry Perception and Its Computational Analysis C. Tyler Ed. VSP The Netherlands. 3--22."},
{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/1178618.1178619"},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1038\/nature02447"},{"volume-title":"Human Symmetry Perception and its Computational Analysis","author":"Wagemans J.","key":"e_1_2_1_46_1"},{"key":"e_1_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.ijhcs.2005.04.010"},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/508171.508194"}],"container-title":["ACM Transactions on Information and System Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1284680.1284685","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1284680.1284685","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T14:58:16Z","timestamp":1750258696000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1284680.1284685"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2008,1]]},"references-count":47,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2008,1]]}},"alternative-id":["10.1145\/1284680.1284685"],"URL":"https:\/\/doi.org\/10.1145\/1284680.1284685","relation":{},"ISSN":["1094-9224","1557-7406"],"issn-type":[{"type":"print","value":"1094-9224"},{"type":"electronic","value":"1557-7406"}],"subject":[],"published":{"date-parts":[[2008,1]]},"assertion":[{"value":"2005-12-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2007-06-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication 
History"}},{"value":"2008-01-22","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}