<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Furkan Tari, A. Ant Ozok, and Stephen H. Holden: Comparison of Perceived and Real Shoulder-Surfing Risks</title>
	<atom:link href="http://usablesecurity.com/2006/07/13/furkan-tari-a-ant-ozok-and-stephen-h-holden-comparison-of-perceived-and-real-shoulder-surfing-risks/feed/" rel="self" type="application/rss+xml" />
	<link>http://usablesecurity.com/2006/07/13/furkan-tari-a-ant-ozok-and-stephen-h-holden-comparison-of-perceived-and-real-shoulder-surfing-risks/</link>
	<description>Every system has a user.</description>
	<pubDate>Thu, 20 Nov 2008 23:18:08 +0000</pubDate>
	<generator>http://wordpress.org/?v=abc</generator>
		<item>
		<title>By: Richard M. Conlan</title>
		<link>http://usablesecurity.com/2006/07/13/furkan-tari-a-ant-ozok-and-stephen-h-holden-comparison-of-perceived-and-real-shoulder-surfing-risks/#comment-5749</link>
		<dc:creator>Richard M. Conlan</dc:creator>
		<pubDate>Thu, 13 Jul 2006 18:57:36 +0000</pubDate>
		<guid isPermaLink="false">http://usablesecurity.com/2006/07/13/furkan-tari-a-ant-ozok-and-stephen-h-holden-comparison-of-perceived-and-real-shoulder-surfing-risks/#comment-5749</guid>
		<description>I have trouble with the study's conclusion that non-dictionary passwords are more vulnerable to shoulder surfing than dictionary passwords. It sounds like, for the purposes of the study, non-dictionary passwords were typed more slowly than dictionary words, since it was stated that people were able to pick out every character of the non-dictionary password but were unable to for the dictionary word. Since they did not time password entry, we do not know the speed difference, and it is hard to comment on how realistic the entry speeds were and hence to draw conclusions.

It also does not appear that they considered a situation allowing for sophisticated guesses. If a shoulder-surfer is able to get a few characters of a dictionary word, they can compare them against a dictionary file and reduce the search space to relatively few possibilities. Surely with each non-dictionary character learned the search space is also reduced, but in most cases it would likely be reduced much less per letter known.

I am interested in the shoulder-surfing strength of keyboard-entered Passfaces. Do these results hold if a person is able to shoulder-surf multiple password entries? I suspect the surfer may be able to recognize common faces after seeing enough sessions. A more sophisticated notion of shoulder-surfing, allowing for a video camera, would surely pose an increased danger, since an attacker could find common faces across sessions at their leisure and thereby discern the Passfaces without needing to watch the keyboard.</description>
		<content:encoded><![CDATA[<p>I have trouble with the study&#8217;s conclusion that non-dictionary passwords are more vulnerable to shoulder surfing than dictionary passwords. It sounds like, for the purposes of the study, non-dictionary passwords were typed more slowly than dictionary words, since it was stated that people were able to pick out every character of the non-dictionary password but were unable to for the dictionary word. Since they did not time password entry, we do not know the speed difference, and it is hard to comment on how realistic the entry speeds were and hence to draw conclusions.</p>
<p>It also does not appear that they considered a situation allowing for sophisticated guesses. If a shoulder-surfer is able to get a few characters of a dictionary word, they can compare them against a dictionary file and reduce the search space to relatively few possibilities. Surely with each non-dictionary character learned the search space is also reduced, but in most cases it would likely be reduced much less per letter known.</p>
<p>I am interested in the shoulder-surfing strength of keyboard-entered Passfaces. Do these results hold if a person is able to shoulder-surf multiple password entries? I suspect the surfer may be able to recognize common faces after seeing enough sessions. A more sophisticated notion of shoulder-surfing, allowing for a video camera, would surely pose an increased danger, since an attacker could find common faces across sessions at their leisure and thereby discern the Passfaces without needing to watch the keyboard.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
