{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,2]],"date-time":"2026-01-02T17:05:18Z","timestamp":1767373518935,"version":"3.38.0"},"reference-count":0,"publisher":"SAGE Publications","issue":"4","license":[{"start":{"date-parts":[[2011,6,20]],"date-time":"2011-06-20T00:00:00Z","timestamp":1308528000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/journals.sagepub.com\/page\/policies\/text-and-data-mining-license"}],"content-domain":{"domain":["journals.sagepub.com"],"crossmark-restriction":true},"short-container-title":["Journal of Computer Security"],"published-print":{"date-parts":[[2011,6,20]]},"abstract":"<jats:p> We provide an in-depth study of the security of click-based graphical password schemes like PassPoints (Wiedenbeck et al., 2005), by exploring popular points (hot-spots), and examining strategies to predict and exploit them in guessing attacks. We report on both short- and long-term user studies: one lab-controlled, involving 43 users and 17 diverse images, the other a field test of 223 user accounts. We provide empirical evidence that hot-spots do exist for many images, some more so than others. We explore the use of \u201chuman-computation\u201d (in this context, harvesting click-points from a small set of users) to predict these hot-spots. We generate two \u201chuman-seeded\u201d attacks based on this method: one based on a first-order Markov model, another based on an independent probability model. Within 100 guesses, our first-order Markov model-based attack finds 4% of passwords in one image's data set, and 10% of passwords in a second image's data set. Our independent model-based attack finds 20% within 2<jats:sup>33<\/jats:sup> guesses in one image's data set and 36% within 2<jats:sup>31<\/jats:sup> guesses in a second image's data set. These are all for a system whose full password space has cardinality 2<jats:sup>43<\/jats:sup>. We evaluate our first-order Markov model-based attack with cross-validation of the field study data, which finds an average of 7\u201310% of user passwords within 3 guesses. We also begin to explore some click-order pattern attacks, which we found improve on our independent model-based attacks. Our results suggest that these graphical password schemes (with parameters as originally proposed) are vulnerable to offline and online attacks, even on systems that implement conservative lock-out policies. <\/jats:p>","DOI":"10.3233\/jcs-2010-0411","type":"journal-article","created":{"date-parts":[[2016,5,18]],"date-time":"2016-05-18T07:41:41Z","timestamp":1463557301000},"page":"669-702","update-policy":"https:\/\/doi.org\/10.1177\/sage-journals-update-policy","source":"Crossref","is-referenced-by-count":36,"title":["Exploiting predictability in click-based graphical passwords"],"prefix":"10.1177","volume":"19","author":[{"given":"P.C.","family":"van Oorschot","sequence":"first","affiliation":[{"name":"School of Computer Science, Carleton University, Ottawa, ON, Canada."}]},{"given":"Julie","family":"Thorpe","sequence":"additional","affiliation":[{"name":"Faculty of Business and Information Technology, University of Ontario Institute of Technology, Oshawa, ON, Canada."}]}],"member":"179","published-online":{"date-parts":[[2011,6,20]]},"container-title":["Journal of Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-2010-0411","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-2010-0411","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,3,10]],"date-time":"2025-03-10T13:11:03Z","timestamp":1741612263000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/10.3233\/JCS-2010-0411"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2011,6,20]]},"references-count":0,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2011,6,20]]}},"alternative-id":["10.3233\/JCS-2010-0411"],"URL":"https:\/\/doi.org\/10.3233\/jcs-2010-0411","relation":{},"ISSN":["0926-227X","1875-8924"],"issn-type":[{"type":"print","value":"0926-227X"},{"type":"electronic","value":"1875-8924"}],"subject":[],"published":{"date-parts":[[2011,6,20]]}}}
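The abstract above describes two "human-seeded" guessing attacks: an independent probability model over hot-spot cells and a first-order Markov model over consecutive clicks, both trained on click-points harvested from a few users and then used to order guesses. The following is an added example written for this page, not code or data from van Oorschot and Thorpe. Everything in it is an assumption chosen to keep the run small: a toy image discretised into a 4x3 grid of tolerance cells, 5-click passwords (12^5, roughly 2^18 candidates, far below the paper's 2^43 space), Laplace smoothing with alpha 0.5, and hand-constructed seed and victim click sequences. The part worth keeping is the best-first enumerator, which produces guesses in order of model probability without materialising the whole password space, which is what makes "within 2^31 guesses" a meaningful budget.

```python
"""Human-seeded guessing attacks on click-based graphical passwords (added example).

Assumptions (not from the paper): 4x3 grid of tolerance cells, 5 clicks per
password, Laplace smoothing, constructed seed and victim click sequences.
"""
import heapq
import itertools
import math
from collections import Counter, defaultdict

GRID_W, GRID_H, N_CLICKS = 4, 3, 5
CELLS = list(itertools.product(range(GRID_W), range(GRID_H)))  # 12 tolerance cells
ALPHA = 0.5  # Laplace smoothing: unseen cells and transitions keep non-zero mass

# Constructed "harvested" click sequences from six seed users.
# Cells (0,0), (1,0) and (3,2) are the deliberate hot-spots.
SEED_PASSWORDS = [
    ((0, 0), (1, 0), (2, 0), (3, 0), (3, 1)),
    ((0, 0), (1, 0), (2, 0), (3, 0), (3, 1)),
    ((0, 0), (1, 0), (2, 0), (3, 0), (3, 2)),
    ((0, 0), (1, 0), (2, 1), (3, 2), (3, 1)),
    ((3, 2), (2, 2), (1, 1), (0, 0), (0, 1)),
    ((0, 0), (1, 1), (2, 2), (3, 2), (0, 2)),
]


def smoothed_logp(counts):
    """Counter over cells -> dict cell -> log P(cell), Laplace-smoothed over CELLS."""
    total = sum(counts.values()) + ALPHA * len(CELLS)
    return {c: math.log((counts[c] + ALPHA) / total) for c in CELLS}


def independent_model(seed):
    """Every click drawn independently from the pooled hot-spot distribution."""
    logp = smoothed_logp(Counter(c for pw in seed for c in pw))
    return (lambda c: logp[c], lambda prev, c: logp[c])


def markov_model(seed):
    """First-order Markov chain: P(first click) and P(next click | previous click)."""
    start = smoothed_logp(Counter(pw[0] for pw in seed))
    pairs = defaultdict(Counter)
    for pw in seed:
        for prev, nxt in zip(pw, pw[1:]):
            pairs[prev][nxt] += 1
    trans = {prev: smoothed_logp(pairs[prev]) for prev in CELLS}
    return (lambda c: start[c], lambda prev, c: trans[prev][c])


def ranked_guesses(start_logp, step_logp):
    """Yield (password, log-prob) in non-increasing model probability.

    Best-first search over prefixes: every extension multiplies the probability
    by a factor <= 1, so a complete password is popped only after every prefix
    that could lead to a more probable one. No full enumeration is needed.
    """
    heap = [(-start_logp(c), (c,)) for c in CELLS]
    heapq.heapify(heap)
    while heap:
        neg, prefix = heapq.heappop(heap)
        if len(prefix) == N_CLICKS:
            yield prefix, -neg
            continue
        for c in CELLS:
            heapq.heappush(heap, (neg - step_logp(prefix[-1], c), prefix + (c,)))


def guesses_to_crack(target, model, max_guesses):
    """1-based rank of target in the model's guess order, or None if past the budget."""
    for rank, (guess, _) in enumerate(ranked_guesses(*model), start=1):
        if rank > max_guesses:
            return None
        if guess == target:
            return rank
    return None


def crack_rate(victims, model, budget):
    """Fraction of victims found within `budget` guesses (the online lock-out
    limit or the offline hash budget, depending on the attack setting)."""
    hits = sum(guesses_to_crack(v, model, budget) is not None for v in victims)
    return hits / len(victims)


# Constructed victim accounts: two follow the popular path, one repeats the top
# hot-spot five times, one avoids the hot-spots entirely.
VICTIM_PASSWORDS = [
    ((0, 0), (1, 0), (2, 0), (3, 0), (3, 1)),
    ((0, 0), (1, 0), (2, 0), (3, 0), (3, 2)),
    ((0, 0),) * N_CLICKS,
    ((0, 1), (0, 2), (2, 1), (0, 1), (0, 2)),
]

if __name__ == "__main__":
    for name, model in (("independent", independent_model(SEED_PASSWORDS)),
                        ("markov", markov_model(SEED_PASSWORDS))):
        for v in VICTIM_PASSWORDS:
            print(name, v, "rank:", guesses_to_crack(v, model, 1000))
        print(name, "cracked within 100 guesses:", crack_rate(VICTIM_PASSWORDS, model, 100))
```

With these constructed inputs the Markov model's first two guesses are exactly the two victims who followed the popular click path, while the independent model's first guess is the top hot-spot repeated five times; the victim who avoided all hot-spots is not found by either model within 1000 guesses. That contrast is the practical point of the abstract's numbers: the ordering, not the size of the space, decides how many guesses an online attacker needs under a lock-out policy, and a victim who clicks where the seed users clicked is found early regardless of the nominal 2^43 cardinality.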