{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T09:49:08Z","timestamp":1763459348120,"version":"3.45.0"},"reference-count":50,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2018,3,30]],"date-time":"2018-03-30T00:00:00Z","timestamp":1522368000000},"content-version":"vor","delay-in-days":365,"URL":"http:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100014037","name":"NDSEG","doi-asserted-by":"crossref","id":[{"id":"10.13039\/100014037","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["1228777"],"award-info":[{"award-number":["1228777"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Proc. ACM Interact. Mob. Wearable Ubiquitous Technol."],"published-print":{"date-parts":[[2017,3,30]]},"abstract":"<jats:p>Touchscreens, the dominant input type for mobile phones, require unique authentication solutions. Gesture passwords have been proposed as an alternative ubiquitous authentication technique. Prior security analysis has relied on inconsistent measurements such as mutual information or shoulder surfing attacks.We present the first approach for measuring the security of gestures with guessing attacks that model real-world attacker behavior. Our major contributions are: 1) a comprehensive analysis of the weak subspace for gesture passwords, 2) a method for enumerating the size of the full theoretical gesture password space, 3) a design of a novel guessing attack against user-chosen gestures using a dictionary, and 4) a brute-force attack used for benchmarking the performance of the guessing attack. Our dictionary attack, tested on newly collected user data, achieves a cracking rate of 47.71% after two weeks of computation using 109 guesses. This is a difference of 35.78 percentage points compared to the 11.93% cracking rate of the brute-force attack. In conclusion, users are not taking full advantage of the large theoretical password space and instead choose their gesture passwords from weak subspaces. We urge for further work on addressing this challenge.<\/jats:p>","DOI":"10.1145\/3053331","type":"journal-article","created":{"date-parts":[[2017,3,30]],"date-time":"2017-03-30T16:49:17Z","timestamp":1490892557000},"page":"1-24","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":16,"title":["Guessing Attacks on User-Generated Gesture Passwords"],"prefix":"10.1145","volume":"1","author":[{"given":"Can","family":"Liu","sequence":"first","affiliation":[{"name":"Electrical 8 Computer Engineering Building, Rutgers University, Piscataway, New Jersey"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Gradeigh D.","family":"Clark","sequence":"additional","affiliation":[{"name":"Electrical 8 Computer Engineering Building, Rutgers University, Piscataway, New Jersey"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Janne","family":"Lindqvist","sequence":"additional","affiliation":[{"name":"Electrical 8 Computer Engineering Building, Rutgers University, Piscataway, New Jersey"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2017,3,30]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/2663204.2663246"},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/2628363.2628388"},{"volume-title":"Proceedings of the 4th USENIX Conference on Offensive Technologies (WOOT \u201910)","author":"Aviv Adam J.","key":"e_1_2_1_3_1","unstructured":"Adam J. Aviv, Katherine Gibson, Evan Mossop, Matt Blaze, and Jonathan M. Smith. 2010. Smudge Attacks on Smartphone Touch Screens. In Proceedings of the 4th USENIX Conference on Offensive Technologies (WOOT \u201910). USENIX Association, Berkeley, CA, USA, 1--7. https:\/\/www.usenix.org\/conference\/woot10\/smudge-attacks-smartphone-touch-screens"},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/2333112.2333114"},{"key":"e_1_2_1_5_1","unstructured":"Joseph Bonneau. 2012. Guessing human-chosen secrets. Ph.D. Dissertation. University of Cambridge. https:\/\/www.cl.cam.ac.uk\/techreports\/UCAM-CL-TR-819.pdf"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.49"},{"key":"e_1_2_1_7_1","unstructured":"Joseph Bonneau. 2014. Guessing passwords with Apple\u2019s full-device encryption. https:\/\/freedom-to-tinker.com\/2014\/10\/08\/guessing-passwords-with-apples-full-device-encryption\/. (2014)."},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4471-0515-2_27"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10207-009-0080-7"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/MPRV.2015.6"},{"volume-title":"Proceedings of the 13th Conference on USENIX Security Symposium (USENIX Security \u201904)","author":"Davis Darren","key":"e_1_2_1_11_1","unstructured":"Darren Davis, Fabian Monrose, and Michael K. Reiter. 2004. On User Choice in Graphical Password Schemes. In Proceedings of the 13th Conference on USENIX Security Symposium (USENIX Security \u201904). USENIX Association, Berkeley, CA, USA, 1. https:\/\/www.usenix.org\/legacy\/events\/sec04\/tech\/full_papers\/davis\/davis_html\/usenix04.html"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/2207676.2208544"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/2470654.2481330"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/1242572.1242661"},{"key":"e_1_2_1_15_1","volume-title":"Proceedings of the Tenth Symposium on Usable Privacy and Security (SOUPS \u201914)","author":"Harbach Marian","year":"2014","unstructured":"Marian Harbach, Emanuel von Zezschwitz, Andreas Fichtner, Alexander De Luca, and Matthew Smith. 2014. It\u2019s a Hard Lock Life: A Field Study of Smartphone (Un)Locking Behavior and Risk Perception. In Proceedings of the Tenth Symposium on Usable Privacy and Security (SOUPS \u201914). USENIX Association, Menlo Park, CA, 213--230. https:\/\/www.usenix.org\/conference\/soups2014\/proceedings\/presentation\/harbach"},{"volume-title":"Proceedings of the 8th Conference on USENIX Security Symposium (USENIX Security \u201999)","author":"Jermyn Ian","key":"e_1_2_1_16_1","unstructured":"Ian Jermyn, Alain Mayer, Fabian Monrose, Michael K. Reiter, and Aviel D. Rubin. 1999. The Design and Analysis of Graphical Passwords. In Proceedings of the 8th Conference on USENIX Security Symposium (USENIX Security \u201999). USENIX Association, Berkeley, CA, USA, 1--1. https:\/\/www.usenix.org\/legacy\/events\/sec99\/full_papers\/jermyn\/jermyn.pdf"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.38"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10115-004-0154-9"},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIT.1982.1056489"},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1109\/MC.2015.134"},{"key":"e_1_2_1_21_1","volume-title":"Proceedings of Fifth Berkeley Symposium on Mathematical Statistics and Probability. http:\/\/projecteuclid.org\/euclid.bsmsp\/1200512992","author":"MacQueen James","year":"1967","unstructured":"James MacQueen. 1967. Some methods for classification and analysis of multivariate observations. In Proceedings of Fifth Berkeley Symposium on Mathematical Statistics and Probability. http:\/\/projecteuclid.org\/euclid.bsmsp\/1200512992"},{"key":"e_1_2_1_22_1","volume-title":"Proceedings of the 25th Conference on USENIX Security Symposium (USENIX Security \u201916)","author":"Melicher William","year":"2016","unstructured":"William Melicher, Blase Ur, Sean M. Segreti, Saranga Komanduri, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. 2016. Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks. In Proceedings of the 25th Conference on USENIX Security Symposium (USENIX Security \u201916). USENIX Association, Austin, TX, 175--191. https:\/\/www.usenix.org\/conference\/usenixsecurity16\/technical-sessions\/presentation\/melicher"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/359168.359172"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1002\/j.1538-7305.1981.tb00272.x"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/2470654.2466145"},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/1054972.1055101"},{"key":"e_1_2_1_27_1","volume-title":"Proceedings of BSDCan \u201909","author":"Percival Colin","year":"2009","unstructured":"Colin Percival. 2009. Stronger key derivation via sequential memory-hard functions. In Proceedings of BSDCan \u201909. Ottawa, ON, Canada."},{"key":"e_1_2_1_28_1","unstructured":"Chotirat Ann Ratanamahatana and Eamonn Keogh. 2004. Everything you know about dynamic time warping is wrong. In ThirdWorkshop on Mining Temporal and Sequential Data (TDM \u201904). Citeseer 53--63. http:\/\/wearables.cc.gatech.edu\/paper_of_week\/DTW_myths.pdf"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1016\/0377-0427(87)90125-7"},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/2207676.2208543"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/TASSP.1978.1163055"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516659"},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/2500423.2500434"},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/2594368.2594375"},{"key":"e_1_2_1_35_1","first-page":"273","article-title":"Pass-Go: A Proposal to Improve the Usability of Graphical Passwords","volume":"7","author":"Tao Hai","year":"2008","unstructured":"Hai Tao and Carlisle Adams. 2008. Pass-Go: A Proposal to Improve the Usability of Graphical Passwords. International Journal of Network Security 7, 2 (2008), 273--292.","journal-title":"International Journal of Network Security"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.5555\/1251375.1251385"},{"volume-title":"20th Annual Network 8 Distributed System Security Symposium (NDSS \u201913)","author":"Tian Jing","key":"e_1_2_1_37_1","unstructured":"Jing Tian, Chengzhang Qu, Wenyuan Xu, and Song Wang. 2013. KinWrite: Handwriting-Based Authentication Using Kinect. In 20th Annual Network 8 Distributed System Security Symposium (NDSS \u201913). http:\/\/www.internetsociety.org\/sites\/default\/files\/10_2_0.pdf"},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516700"},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.5555\/2831143.2831173"},{"key":"e_1_2_1_40_1","unstructured":"Paul C van Oorschot and Julie Thorpe. 2005. On the security of graphical password schemes. Technical Report. Carleton University Ottawa ON USA. http:\/\/service.scs.carleton.ca\/sites\/default\/files\/tr\/TR-05-11.pdf"},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.3233\/JCS-2010-0411"},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/2493190.2493231"},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866327"},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2009.8"},{"key":"e_1_2_1_45_1","volume-title":"Proceedings of the 25th Conference on USENIX Security Symposium (USENIX Security \u201916)","author":"Wheeler Daniel Lowe","year":"2016","unstructured":"Daniel Lowe Wheeler. 2016. zxcvbn: Low-Budget Password Strength Estimation. In Proceedings of the 25th Conference on USENIX Security Symposium (USENIX Security \u201916). USENIX Association, Austin, TX, 157--173. https:\/\/www.usenix.org\/conference\/usenixsecurity16\/technical-sessions\/presentation\/wheeler"},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.ijhcs.2005.04.010"},{"key":"e_1_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1145\/1294211.1294238"},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP.2013.6638079"},{"key":"e_1_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1109\/PERCOMW.2015.7134097"},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/2858036.2858270"}],"container-title":["Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3053331","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3053331","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3053331","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T09:43:43Z","timestamp":1763459023000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3053331"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,3,30]]},"references-count":50,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2017,3,30]]}},"alternative-id":["10.1145\/3053331"],"URL":"https:\/\/doi.org\/10.1145\/3053331","relation":{},"ISSN":["2474-9567"],"issn-type":[{"type":"electronic","value":"2474-9567"}],"subject":[],"published":{"date-parts":[[2017,3,30]]},"assertion":[{"value":"2016-11-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2017-01-01","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2017-03-30","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}