Securing Passfaces for Description
July 24, 2008 by Richard Conlan
http://cups.cs.cmu.edu/soups/2008/proceedings/p24Dunphy.pdf
Passfaces is a commercial graphical password system in which the password is a sequence of face images, leveraging the fact that humans are typically quite good at facial recognition. Another claimed advantage of Passfaces is that such a password is hard to write down and share, but is it? Often a single-sentence description seems to suffice.
The researchers conducted a study in which 18 participants were asked to describe 15 out of 45 faces (27 female and 18 male). The average description took 23 seconds to write. They found that descriptions written by female participants were typically longer than those written by males: females used 654 distinct words while males used 567. Hair was the most commonly described feature, followed by face shape, eyebrows, and nose.
They then had a completely separate group of users attempt to log in to a mock Passfaces system using the descriptions collected in the first part of the study. This second group had 56 participants, tested under three conditions:
- random decoys
- visually similar decoys (8 alternate faces of the same sex as the target face)
- descriptively similar decoys (8 alternate faces similar looking to the target face)
In each condition the participant was given either five descriptions written by a male or five written by a female. Across all trials, subjects were able to log in successfully from the descriptions 9% of the time (7 for random, 5 for visually similar, and 1 for descriptively similar). Both the visually similar and the descriptively similar decoys were significantly better than random decoys at resisting these description-based logins, though neither method of choosing similar decoys was clearly better than the other.
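As an added illustration (not code from the paper or this post), here is how a Passfaces-style server could choose decoys under each of the three conditions above. The face pool, its attribute values and the `Face` record are constructed for the example; the attribute set is the one the study found people describe most (hair, face shape, eyebrows, nose).

```python
import itertools
import random
from dataclasses import dataclass

# The study found hair, face shape, eyebrows and nose are what people
# describe most, so those are the attributes decoys should match on.
DESCRIBED_ATTRIBUTES = ("hair", "face_shape", "eyebrows", "nose")


@dataclass(frozen=True)
class Face:  # constructed record, not the Passfaces data model
    face_id: int
    sex: str
    hair: str
    face_shape: str
    eyebrows: str
    nose: str


def similarity(a: Face, b: Face) -> int:
    """Number of commonly described attributes two faces share."""
    return sum(getattr(a, attr) == getattr(b, attr) for attr in DESCRIBED_ATTRIBUTES)


def random_decoys(target, pool, n=8, rng=random):
    """Weakest condition: any n other faces from the pool."""
    return rng.sample([f for f in pool if f != target], n)


def visually_similar_decoys(target, pool, n=8, rng=random):
    """Same-sex decoys only, otherwise chosen at random."""
    return rng.sample([f for f in pool if f != target and f.sex == target.sex], n)


def descriptively_similar_decoys(target, pool, n=8):
    """Same-sex decoys ranked by how many described attributes they share."""
    candidates = [f for f in pool if f != target and f.sex == target.sex]
    candidates.sort(key=lambda f: similarity(target, f), reverse=True)
    return candidates[:n]


def mean_similarity(target, decoys):
    """Average shared attributes: higher means a description discriminates less."""
    return sum(similarity(target, d) for d in decoys) / len(decoys)


# Constructed pool: every combination of a few attribute values, sexes alternating.
HAIR, SHAPE = ("short dark", "long fair", "bald"), ("round", "oval")
BROWS, NOSE = ("thick", "thin"), ("broad", "narrow")
POOL = [Face(i, "F" if i % 2 == 0 else "M", *attrs)
        for i, attrs in enumerate(itertools.product(HAIR, SHAPE, BROWS, NOSE))]

if __name__ == "__main__":
    target = POOL[0]
    for name, decoys in (("random", random_decoys(target, POOL)),
                         ("visually similar", visually_similar_decoys(target, POOL)),
                         ("descriptively similar", descriptively_similar_decoys(target, POOL))):
        print(f"{name:>22}: mean shared attributes = {mean_similarity(target, decoys):.2f}")
```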