Furkan Tari, A. Ant Ozok, and Stephen H. Holden: Comparison of Perceived and Real Shoulder-Surfing Risks
July 13, 2006 by Ping

This study compared the real and perceived vulnerability of Passfaces (a graphical password system) to dictionary and non-dictionary passwords. There were four conditions: Passfaces with a mouse, Passfaces with the keyboard, a dictionary password, and a non-dictionary password.
The study confirmed that the concern about shoulder-surfing vulnerability of Passfaces with a mouse is justified; participants had a well-placed concern about this vulnerability. However, participants underestimated the vulnerability of non-dictionary passwords. Non-dictionary passwords were more vulnerable to shoulder-surfing than dictionary passwords, possibly because dictionary passwords can be typed faster.
Passfaces with keyboard entry was by far the least vulnerable to shoulder-surfing, possibly because the attacker had to look at both the screen and the keyboard at the same time.
July 13th, 2006 at 10:57
I have trouble with the study’s conclusion that non-dictionary passwords are more vulnerable to shoulder surfing than dictionary passwords. It sounds like for the purposes of the study non-dictionary passwords were typed slower than dictionary words since it was stated that people were able to pick out every character for the non-dictionary password but were unable to for the dictionary word. Since they did not time password entry we do not know the speed difference and it is hard to comment on how realistic the entry speeds were and hence to draw conclusions.
It also does not appear that they considered a situation allowing for sophisticated guesses. If a shoulder-surfer is able to get a few characters of a dictionary word they can compare them against a dictionary file and reduce the search space to relatively few possibilities. Surely with each non-dictionary character learned the search space is also reduced, but in most cases it would likely be reduced much less per letter known.
I am interested in the shoulder surf strength of keyboard-entered Passfaces. Do these results hold if a person is able to shoulder-surf multiple password entries? I suspect the surfer may be able to recognize common faces after seeing enough sessions. A more sophisticated notion of shoulder-surfing allowing for a video camera would surely pose an increased danger since an attacker could find common faces across sessions at their leisure and thereby discern the Passfaces without needing to watch the keyboard.
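The comment's point about sophisticated guesses can be quantified: once an onlooker has caught a few characters, a dictionary constraint leaves far fewer candidates than the same partial observation of a random string. The following is an added example, not part of the original post or the study; it uses a constructed toy word list in place of a real dictionary file and assumes non-dictionary passwords are drawn uniformly from lowercase letters.

```python
import string

# Constructed toy word list standing in for a dictionary file (not real data).
WORDS = [
    "camera", "candle", "canvas", "carbon", "carpet", "castle",
    "cattle", "cement", "cinema", "circle", "client", "closet",
    "coffee", "column", "cookie", "copper", "cotton", "credit",
    "custom", "cymbal",
]

ALPHABET = string.ascii_lowercase  # assumed alphabet for non-dictionary passwords


def dictionary_candidates(words, length, observed):
    """Dictionary words of `length` consistent with the observed
    {position: character} pairs an onlooker managed to catch."""
    return [w for w in words
            if len(w) == length and all(w[i] == c for i, c in observed.items())]


def random_candidates(length, observed, alphabet=ALPHABET):
    """Remaining search space for a uniformly random password of `length`:
    every position not observed is still completely free."""
    return len(alphabet) ** (length - len(observed))


def reduction_trace(words, length, observations):
    """Candidate counts (dictionary, random) after each successive
    observation, showing how much each caught character reduces the space."""
    observed = {}
    trace = []
    for pos, ch in observations:
        observed[pos] = ch
        trace.append((len(dictionary_candidates(words, length, observed)),
                      random_candidates(length, observed)))
    return trace


if __name__ == "__main__":
    # Constructed scenario: a 6-character password, onlooker catches
    # the 1st, 3rd and then 2nd characters across glances.
    for step, (d, r) in enumerate(reduction_trace(WORDS, 6, [(0, "c"), (2, "r"), (1, "a")]), 1):
        print(f"after {step} observed char(s): dictionary={d} random={r}")
```

With the toy list, two observed characters leave 3 dictionary candidates against 26^4 random strings, which is the asymmetry the comment describes.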