Towards Secure Design Choices For Implementing Graphical Passwords

Julie Thorpe
Carleton University
Canada

Paul van Oorschot
Carleton University
Canada

We study the impact of selected parameters on the size of the password space for "Draw-A-Secret" (DAS) graphical passwords, introduced by Jermyn et al. (1999). We examine the role of and relationships between the number of composite strokes, grid dimensions, and password length in the DAS password space. We show that a very significant proportion of the DAS password space (and thus presumably its strength against brute-force guessing attacks) depends on the assumption that users will use long passwords with many composite strokes. We examine the security implications of this assumption, showing that if users choose passwords having 4 or fewer strokes, the size of the DAS password space (with passwords of length 12 or less on a 5 by 5 grid) is over 99.9% less than if they choose up to the maximum 12 possible strokes. Additionally, we found a similar reduction when users choose no strokes of length 1 in their passwords. We believe these results are significantly more important than those recently presented by Thorpe et al. (2004, USENIX Security) related to "memorable" DAS passwords, where "memorable" is taken to correspond to passwords with visual symmetry. We examine the seemingly obvious compensatory measure of increasing the grid dimensions and show this to have low security payback unless user passwords are composed of a large number of strokes. In response, we propose a technique to gain approximately 16 more bits of security with an expected negligible increase in input time. Our results can be directly applied to determine secure design choices, graphical password parameter guidelines, and in deciding which parameters deserve focus in graphical password user studies.
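The following script is an added example written for this page; it is not code from the paper or its authors. It counts the DAS password space with the kind of dynamic programming used in Jermyn et al.'s counting model, under assumptions stated in the code: a stroke is a sequence of cells in which each step moves to an edge-adjacent cell (revisiting cells is allowed), a password is a sequence of strokes separated by pen-ups, and password length is the total number of cells visited. The function names (`count_strokes_by_length`, `count_passwords`, `reduction_percent`) are this example's own. Running it for a 5 by 5 grid with length at most 12 lets a designer see how much of the space vanishes when users draw 4 or fewer strokes, or avoid strokes of length 1, and how little a larger grid adds when the stroke count stays small.

```python
"""Added example (not from the paper): counting the DAS password space under
stroke-count and stroke-length restrictions.  Modelling assumption: a stroke is
a sequence of edge-adjacent cells (revisits allowed) on a G x G grid, a password
is a sequence of strokes separated by pen-ups, and the password length is the
total number of cells visited."""
from math import log2


def count_strokes_by_length(grid, max_len):
    """Return N where N[l] is the number of distinct strokes of length l.

    A stroke of length l is a sequence of l cells in which each step moves to
    a cell sharing an edge with the previous one (4-neighbourhood); revisiting
    cells is allowed.  N[0] is unused and left at 0."""
    cells = [(r, c) for r in range(grid) for c in range(grid)]

    def neighbours(cell):
        r, c = cell
        for dr, dc in ((1, 0), (-1, 0), (0, 1), (0, -1)):
            nr, nc = r + dr, c + dc
            if 0 <= nr < grid and 0 <= nc < grid:
                yield (nr, nc)

    # ending_at[cell]: strokes of the current length that end at that cell
    ending_at = {cell: 1 for cell in cells}
    N = [0] * (max_len + 1)
    N[1] = sum(ending_at.values())
    for l in range(2, max_len + 1):
        ending_at = {cell: sum(ending_at[n] for n in neighbours(cell))
                     for cell in cells}
        N[l] = sum(ending_at.values())
    return N


def count_passwords(grid, max_len, max_strokes=None, min_stroke_len=1):
    """Number of DAS passwords of total length 1..max_len on a grid x grid
    board using at most max_strokes strokes, each at least min_stroke_len
    cells long.  With no restrictions this is the full password space."""
    if max_strokes is None:
        max_strokes = max_len           # every stroke has length >= 1
    N = count_strokes_by_length(grid, max_len)
    # P[L][s]: passwords of total length L made of exactly s strokes.
    P = [[0] * (max_strokes + 1) for _ in range(max_len + 1)]
    P[0][0] = 1
    for L in range(1, max_len + 1):
        for s in range(1, max_strokes + 1):
            # The last stroke has length l; the rest form a shorter password.
            P[L][s] = sum(N[l] * P[L - l][s - 1]
                          for l in range(min_stroke_len, L + 1))
    return sum(P[L][s] for L in range(1, max_len + 1)
               for s in range(1, max_strokes + 1))


def bits(n):
    """Size of a password space expressed in bits."""
    return log2(n)


def reduction_percent(grid, max_len, **restriction):
    """Percentage of the full space removed by a restriction such as
    max_strokes=4 or min_stroke_len=2."""
    full = count_passwords(grid, max_len)
    restricted = count_passwords(grid, max_len, **restriction)
    return 100.0 * (1 - restricted / full)


if __name__ == "__main__":
    for grid in (5, 10):
        full = count_passwords(grid, 12)
        print(f"{grid}x{grid} grid, length <= 12: full space "
              f"{bits(full):.1f} bits")
        for s in (1, 2, 4, 8, 12):
            sub = count_passwords(grid, 12, max_strokes=s)
            print(f"  <= {s:2d} strokes: {bits(sub):5.1f} bits, "
                  f"{reduction_percent(grid, 12, max_strokes=s):.3f}% "
                  f"smaller than full")
        sub = count_passwords(grid, 12, min_stroke_len=2)
        print(f"  no length-1 strokes: {bits(sub):5.1f} bits")
```

The table the script prints shows the two effects the abstract describes: the bit count for "at most 4 strokes" sits far below the full space, and the gain from moving to a 10 by 10 grid is much smaller in the 4-stroke row than in the 12-stroke row, because each extra stroke is an extra free choice of starting cell and that choice is what a larger grid multiplies.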

Keywords: Authentication, Graphical Passwords, Passwords
