Modeling User Choice in the PassPoints Graphical Password Scheme

July 19, 2007 by Richard Conlan

http://cups.cs.cmu.edu/soups/2007/proceedings/p20_dirik.pdf

More on PassPoints!

Studies on visual attention and eye movements show that most images contain a few portions that humans typically focus on - so-called image “hotspots”.  This study seeks to devise a model that predicts the entropy of the click-points users will choose in a given image.  Such a model would enable the design of automatic “dictionary” attacks, or, from the defender's side, the automatic rejection of images with low entropy.

There are various methods of image segmentation available that divide an image into discrete regions.  The study hypothesized that users tend to click near the center of image segments, and that which segments a user chooses depends on color, intensity, and shape.  A quantization function then estimates the probability of attention for each click-point.
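The defensive use of such a model is to estimate the entropy of the click-point distribution an image induces and reject images that score too low. The following added example (not code from the paper or the blog) sketches that check: segment centers and per-segment attention weights are constructed stand-ins for the paper's segmentation and quantization model, clicks are quantized to PassPoints-style tolerance cells, and the per-click entropy is compared against the uniform-grid baseline.

```python
import math
from collections import defaultdict

# Constructed sample image: (centre_x, centre_y, attention weight) per segment.
# The weights stand in for the paper's colour/intensity/shape scoring (assumption).
IMAGE_W, IMAGE_H = 400, 300
TOLERANCE = 20  # tolerance square in pixels; assumed value, not from the paper
SEGMENTS = [
    (50, 60, 0.35),
    (200, 150, 0.30),
    (330, 90, 0.20),
    (120, 250, 0.10),
    (300, 260, 0.05),
]

def quantize(x, y, tolerance=TOLERANCE):
    """Map a click to its tolerance cell, as PassPoints does when matching clicks."""
    return (x // tolerance, y // tolerance)

def cell_distribution(segments, tolerance=TOLERANCE):
    """Probability that a click lands in each tolerance cell, assuming users
    click near segment centres in proportion to the segment's attention weight."""
    total = sum(w for _, _, w in segments)
    if total <= 0:
        raise ValueError("attention weights must sum to a positive value")
    dist = defaultdict(float)
    for x, y, w in segments:
        dist[quantize(x, y, tolerance)] += w / total  # merge centres sharing a cell
    return dict(dist)

def entropy_bits(dist):
    """Shannon entropy (bits) of a single click over the cell distribution."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

def password_entropy_bits(dist, clicks=5):
    """Upper bound for a password of `clicks` points, treating clicks as independent."""
    return clicks * entropy_bits(dist)

def uniform_entropy_bits(width=IMAGE_W, height=IMAGE_H, tolerance=TOLERANCE, clicks=5):
    """Baseline: every tolerance cell equally likely (the naive entropy estimate)."""
    cells = (width // tolerance) * (height // tolerance)
    return clicks * math.log2(cells)

def accept_image(segments, min_bits, clicks=5):
    """Reject an image whose predicted click-point entropy falls below min_bits."""
    return password_entropy_bits(cell_distribution(segments), clicks) >= min_bits
```

For the constructed image the hotspot model predicts roughly 10.3 bits for five clicks against a uniform-grid estimate of about 41 bits, which is the gap between naive and hotspot-aware entropy that the paper's model is meant to expose.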

The researchers developed a Java-based PassPoints authentication system that they used for testing, with over one hundred users participating.  The researchers found that their model was rather accurate for the two images tested.  They then used their model to attack the users’ chosen logins, which was successful in the majority of cases once the search space was set high enough.