A Second Look at the Usability of Click-Based Graphical Passwords
July 19, 2007 by Richard Conlan
Awarded SOUPS 2007 Best Paper
http://cups.cs.cmu.edu/soups/2007/proceedings/p1_chiasson.pdf
PassPoints is a system where the user clicks five points on an image instead of entering a textual password. The original studies were undertaken by Susan Wiedenbeck et al. They found that entry was slower than text but equally memorable, and that the smallest acceptable tolerance was 14×14 pixels.
Today’s paper extended this work with a new lab study and a field study. The lab study sought to confirm the initial results and re-examine the impact of image choice. The field study sought to expand this further by examining whether it still worked when a user had multiple click-based passwords.
Users in the lab got to interact with a range of images, and universally disliked those with few obviously clickable points. In the lab study vs. field study it took users 33 vs. 25-30 seconds to choose their PassPoints, and 7 vs. 5 seconds to log in, respectively. Users in the field study had a significantly harder time logging in when they had more than one image for which to remember clicks. Each study ended with a 10-point Likert-style survey, with most responses in the 6-8 range. Both groups said they preferred text passwords over graphical passwords, largely out of concern about shoulder surfing.
Lab results were more positive than field results, which suggests a general need for complementary field studies to back up lab results.
Concerns:
- type of image does influence success rates
- users had trouble handling more than one PassPoints image
- attackers are often able to guess PassPoints due to image “hotspots”
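
The scheme summarized at the top of this post (five ordered clicks, each accepted within a 14×14 pixel tolerance) can be verified without storing the click coordinates themselves. The sketch below is an added example, not code from the paper or from PassPoints: it uses centered discretization, a technique this post does not describe, and the function names, record layout, PBKDF2 parameters and sample points are assumptions.

```python
import hashlib
import hmac
import os

TOLERANCE = 14  # side of the tolerance square in pixels (figure quoted in the post)
CLICKS = 5      # number of click-points per password (figure quoted in the post)

def _segment(coord, offset):
    # Index of the TOLERANCE-wide grid segment holding coord, for a grid shifted by offset.
    return (coord - offset) // TOLERANCE

def _digest(salt, offsets, segments):
    # Slow salted hash over the ordered segment indices (parameters are assumptions).
    material = repr((offsets, segments)).encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)

def enroll(points):
    """Build a stored record: salt, per-click grid offsets and a hash, no raw clicks."""
    if len(points) != CLICKS:
        raise ValueError("expected %d click-points" % CLICKS)
    half = TOLERANCE // 2
    # Shift the grid per click so the enrolled point sits mid-segment on both axes.
    offsets = [((x - half) % TOLERANCE, (y - half) % TOLERANCE) for x, y in points]
    segments = [(_segment(x, ox), _segment(y, oy))
                for (x, y), (ox, oy) in zip(points, offsets)]
    salt = os.urandom(16)
    return {"salt": salt, "offsets": offsets, "hash": _digest(salt, offsets, segments)}

def verify(record, points):
    """True only if every click, in order, falls inside its enrolled tolerance square."""
    if len(points) != CLICKS:
        return False
    segments = [(_segment(x, ox), _segment(y, oy))
                for (x, y), (ox, oy) in zip(points, record["offsets"])]
    candidate = _digest(record["salt"], record["offsets"], segments)
    return hmac.compare_digest(candidate, record["hash"])

if __name__ == "__main__":
    # Constructed sample clicks, not data from either study.
    enrolled = [(100, 50), (200, 120), (310, 40), (25, 300), (400, 210)]
    record = enroll(enrolled)
    print(verify(record, [(x + 6, y - 7) for x, y in enrolled]))  # inside the square
    print(verify(record, [(x + 7, y) for x, y in enrolled]))      # one pixel outside
```

The stored offsets reveal each click's position modulo the tolerance, and hashing does nothing about the hotspot concern listed above: a guesser who concentrates on an image's salient points is still testing the same small set of candidates.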