2, MARCH/APRIL 2012
Abstract—This paper presents an integrated evaluation of the Persuasive Cued Click-Points graphical password scheme, including
usability and security evaluations, and implementation considerations. An important usability goal for knowledge-based authentication
systems is to support users in selecting passwords of higher security, in the sense of being from an expanded effective security space.
We use persuasion to influence user choice in click-based graphical passwords, encouraging users to select more random, and hence
more difficult to guess, click-points.
1 INTRODUCTION
TABLE 1
Summary of Eight Studies
TABLE 2
Parameters for Six Experimental Conditions and Number
of Users (N) in the PCCP Two-Week Recall Study
TABLE 3
Login and Recall Success Rates across the Eight Studies, as Percentages
Recall represents either at-home tasks or a second lab session. Values that are not applicable are identified with dashes.
TABLE 4
Create, Login, and Recall Times in Seconds
Recall represents either at-home tasks or a second lab session. Missing values are identified as na and values that are not applicable with dashes.
attempts, respectively, across the three studies. No statisti- 5.3.1 Success Rates
cally significant differences were found in either compar- Success rates were very high for login; participants could
ison. This suggests no evidence that logging in with PCCP successfully log in after a short time regardless of number of
is any different than with PP or CCP. click-points or image size. Success rates after two weeks
Participants had the most difficulty recalling passwords were much lower in all conditions, reflecting the artificial
after two weeks for all schemes. A closer look at the difficulty of the memory task—recalling six passwords
different conditions within the PCCP 2wk study is provided created in a short time and not accessed for two weeks. The
in Section 5.3. Here, only the S5 condition from the PCCP L7 condition had the lowest success rates, suggesting that
2wk study is compared to the PP 2wk and Text 2wk studies passwords using large images and seven click-points
since they have similar theoretical password spaces. Four combined were most difficult.
comparisons were made: login first and third attempts, and
recall first and third attempts. Kruskal-Wallis tests show no 5.3.2 Times
statistically significant differences in any of the compar- Mean times for each condition are generally elevated
isons. This result suggests no evidence that PCCP pass- compared to times in the studies with smaller theoretical
words are any harder to recall after two weeks than PP or password spaces. No clear pattern emerges in the times
text passwords at comparable levels of security. taken to create passwords. A general increase in times can
No statistical differences were found between web be seen in both the login and recall phases as more click-
studies (PCCP Web and Text Web) for login and recall points or larger images are used. As should be expected,
success rates. This is especially noteworthy because inspec- participants took much longer to reenter their passwords
tion of the text passwords revealed that 71 percent of after two weeks (recall), reflecting the difficulty of the task.
participants [3] reused identical or similar passwords across
5.4 Shuffles
accounts, whereas PCCP passwords were different by
design. This suggests that PCCP passwords offer additional During password creation, PCCP users may press the
security since reuse across systems is not possible, yet this shuffle button to randomly reposition the viewport. Fewer
did not affect success rates. shuffles lead to more randomization of click-points across
users. The shuffle button was used moderately. Table 5
5.2 Password Entry Times shows the number of shuffles per image. For example, since
Times are reported in seconds for successful password PCCP Lab passwords involved five images, the mean
entry on the first attempt. For login and recall, we also number of shuffles per password would be 3 5 ¼ 15.
report the “entry time”: the actual time taken from the first For the PCCP 2wk study, the mean and medians for all of
click-point to the fifth click-point. The analogous measure this study’s six conditions together (see the All column in
was not recorded for text passwords. Table 5) are higher than for S5 alone, indicating that for
more difficult conditions, there was more shuffling.
Table 4 presents password entry times for each study.
The effect of shuffling on success rates is summarized in
PCCP times are similar to other schemes in the initial lab
Table 6. Wilcoxon tests were used for statistical analysis;
studies. However, the general trend across the two-week
these are similar to independent sample t-tests, but make
recall (PCCP 2wk’s S5 condition) and web studies is that
no assumptions about the sample distributions. The tests
PCCP passwords take longer to enter than the other
were conducted on login and recall success rates on the
schemes when comparing schemes with similar password
third attempt.
spaces (i.e., PCCP 2wk S5 and PCCP Web). During password
PCCP Lab study users who shuffled a lot had higher login
creation, this can partially be explained by participants who
success rates than those who shuffled little, and the result was
used the shuffle mechanism repeatedly. During recall, this
may be because PCCP participants had to recall different statistically significant (W ¼ 91; p ¼ 0:005) (or p ¼ 0:015 with
passwords (since by design, it is impossible to reuse PCCP
passwords), whereas over half of Text participants reused TABLE 5
passwords or had closely related passwords, suggesting a Number of Shuffles per Image for Password
reduced memory load. Creation
TABLE 6
Effect of Shuffles on Success Rates (within Three Attempts)
Success rates are percentages. “Users” represents the number of users who fell into each shuffling category. n.s. indicates that the statistical test
was not significant. Values that are not applicable are identified with dashes.
Bonferroni correction). For the PCCP 2wk and PCCP Web The J-statistic [32] from spatial analysis was used to
studies, the same trend was apparent for login and recall, but measure clustering of click-points within data sets (the
the differences were not statistically significant. formation of hotspots). The J-statistic combines nearest-
Most participants used a common shuffling strategy neighbor calculations and empty-space measures for a
throughout their session. They either consistently shuffled a given radius r to measure the clustering of points. A result
lot at each trial or barely shuffled during the entire session. of J closer to 0 indicates that all of the data points cluster at
We interviewed participants to learn about their shuffling the exact same coordinates, J ¼ 1 indicates that the data set
strategy. Those who barely shuffled selected their click- is randomly dispersed, and J > 1 shows that the points are
point by focusing on the section of the image displayed in increasingly regularly distributed. For passwords, results
the viewport, while those who shuffled a lot scanned the
closer to JðrÞ ¼ 1 are desirable since this would be least
entire image, selected their click-point, and then proceeded
predictable by attackers. We examined clustering at Jð9Þ for
to shuffle until the viewport reached that area. When
the set of core images common across studies with at least
questioned, participants who barely shuffled said they felt
that the viewport made it easier to select a secure click- 30 click-points per image for each study. A radius of nine
point. Those who shuffled a lot felt that the viewport pixels approximates the 19 19 tolerance squares used by
hindered their ability to select the most obvious click-point the system during password reentry.
on an image and that they had to shuffle repeatedly in order To compare sets of J-statistics to each other, we employed
to reach this desired point. the following technique. Regarding the data as categorical,
six categories stemming from the possible orderings are
5.5 Summary of Usability Results identified: (PCCP-CCP-PP), (PCCP-PP-CCP), (PP-CCP-
We first summarize the studies with comparable theoretical PCCP), (PP-PCCP-CCP), (CCP-PP-PCCP), and (CCP-PCCP-
password spaces (i.e., including PCCP 2wk S5). Overall, PP). Fig. 4 shows the ordering for each of the 17 images. For
PCCP has similar success rates to the other authentication example, the bee image falls in the PCCP-CCP-PP category
schemes evaluated (CCP, PassPoints, and text). PCCP because J(9) for PCCP exceeds J(9) for CCP, which exceeds
password entry takes a similar time to the other schemes J(9) for PassPoints. A Fisher’s exact test between the observed
in the initial lab sessions, but the results indicate longer results and the expected results (equal probability for each
recall times for PCCP when recalling passwords beyond the category) was applied to measure the significance of the
initial session. Users who shuffled more had significantly association between the three categories. This test is similar
higher success rates in the PCCP Lab study, but the to a chi-square test, but used when values in the associated
difference in success rates between high and low shufflers contingency table are small.
was not statistically significant for the two-week or web
studies. Furthermore, users reported favorable opinions of 6.1.1 Lab Studies
PCCP in post-task questionnaires [2]. We first compared the three lab studies [2]. Results show that
Second, we compared conditions in the PCCP 2wk study. PCCP Lab approaches complete spatial randomness for all
A general trend indicates that larger images or more click- 17 images (near J ¼ 1) and is thus much more random than
points negatively impacts the password entry time. No clear
pattern emerges between the six conditions for success
rates, providing no evidence that either manipulation
affects success rates in a consistent manner. However, the
most difficult condition (L7) did have the lowest recall
success rates.
Fig. 5. Cumulative frequency distribution of hotspot coverage for PassPoints, CCP, and PCCP.
the CCP Lab and PP Lab data sets. Fisher’s exact test shows click-points to be contained in the most popular 50 percent
that the difference is statistically significant (p ¼ 0:0005). of hotspots if click-points were completely randomly
distributed. In the figures, this random distribution would
6.1.2 All Studies appear as a straight diagonal line. In comparison, the
For this paper, we also included data from the longer term PassPoints graph shows that in the worst case, half of all
studies. Fig. 4 shows that the distribution of PCCP click- click-points are contained within the most popular
points is more random than PassPoints, but with differences 1.3 percent of hotspots within the distribution, while in
smaller than in the lab studies. Fisher’s exact test shows that the best case, half are contained within the most popular
PCCP is more random than PassPoints and CCP (p ¼ 0:028). 16.8 percent. For PCCP, half of click-points fall within the
A line graph was used for clarity, but these are discontin- within the top 14.6 percent hotspots on the worst case
uous points. image. On the best image, half are contained within the top
41.4 percent for PCCP, approaching the ideal of 50 percent.
6.1.3 Varying Number of Click-Points
To test for significance in the differences between PP,
As detailed in an earlier paper [4], we examined the effects CCP, and PCCP, we looked at the dictionary data for the
of the number of click-points on clustering on the PCCP 2wk 17 images individually. Kruskal-Wallis three-way tests
data. Fisher’s exact test shows no significant differences
show strong significant differences between the distribu-
(p ¼ 0:358), providing no evidence that increasing the
tions (p < 0:00001) for each image. We further compared
number of click-points per password leads to more
only CCP and PCCP, to look at the effect of the viewport
clustering across users.
and shuffling mechanism specifically. Kruskal-Wallis two-
6.1.4 Varying Image Size way tests show strong significance for each image. This
We also used the PCCP 2wk data to examine clustering due indicates that PCCP click-points have a flatter distribution
to image size [4]. Fisher’s exact test shows a significant and thus an attack dictionary based on hotspots should be
difference (p ¼ 0:002), indicating significantly less cluster- less effective for PCCP than for the other schemes (see also
ing for larger images. This result suggests that PCCP’s Section 7.1). This analysis focused on individual click-
shuffle mechanism and viewport (if kept at the same pixel points, not entire passwords. However with the recom-
dimensions) are more effective in reducing clustering when mended implementation, attackers get no partial feedback
used with larger images. We believe that this is due to the on correctness partway through an offline guess, precluding
proportionally smaller area covered by the viewport in divide-and-conquer (piecewise) attacks on PCCP.
relation to the total size of the image making it less likely
6.3 Spatial Patterns
that known hotspots are available for selection.
We looked at several password characteristics to find
6.2 Hotspot Coverage whether known patterns exist that could help attackers
We summarize the hotspots per image using cumulative fine-tune an attack strategy. These patterns involve the
frequency distributions for the 17 core images. The distribu- spatial position of click-points relative to each other and do
tions contain all user-chosen click-points for the given not consider the background image. In earlier work [5], we
scheme for passwords that were, at minimum, successfully performed this analysis on a subset of the current data,
reentered at least once during login. In other words, all click- focusing primarily on data from lab studies. We now
points in the data set are represented (including “hotspots” perform similar analysis on all five-click-point password
consisting of only one user-chosen click-point). data on 451 331 pixel images collected to date for each
Fig. 5 shows cumulative frequency distributions for each scheme. Details are included in a technical report [33], but
image. Gray lines represent the click-point distributions for the analysis reveals similar results to the original paper [5].
the 17 images, for click-points collected across all studies The click-point distributions of PCCP along the x- and
for that particular scheme. One would expect half of the y-axes fell within the range for random distributions with
230 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 9, NO. 2, MARCH/APRIL 2012
analysis. Our best analysis in this direction involved using determine the user’s password. User interface manipula-
data on the 17 core images. For each of the 95 user tions such as reducing the size of the mouse cursor or
passwords involving solely these images, used as target dimming the image may offer some protection, but have not
passwords to find, we built a list of the 10 largest hotspots been tested. A considerably more complicated alternative is
for each of the 17 images, using all PCCP Lab and PCCP to make user input invisible to cameras, for example, by
2wk—S5 data. These hotspot lists were combined to form a using eye tracking as an input mechanism [35].
guessing dictionary containing 237 entries for the 17 images.
None of the 95 passwords appeared in the dictionary, 7.2.2 Malware
indicating that no password in our collected data consisted Malware is a major concern for text and graphical pass-
entirely of top-10 hotspots. We expect that this attack would words, since keylogger, mouse logger, and screen scraper
be similarly unfruitful for other images of similar complex- malware could send captured data remotely or otherwise
ity. We also note that this attack is infeasible unless an make it available to an attacker.
attacker has previous knowledge of which images belong to
a user’s password. 7.2.3 Social Engineering
We next consider a second hotspot attack strategy under For social engineering attacks against cued-recall graphical
the same assumption of all server-side information being passwords, a frame of reference must be established
known, and in this case, consider the level of effort required between parties to convey the password in sufficient detail.
for a three percent chance of guessing a target password. One preliminary study [36] suggests that password sharing
With the basic configuration of 19 19 pixel tolerance through verbal description may be possible for PassPoints.
squares, and 451 331 pixel images, there are approxi- For PCCP, more effort may be required to describe each
mately 400 tolerance squares per image. If no hotspots exist image and the exact location of each click-point. Graphical
and there are no patterns (i.e., if random and independent passwords may also potentially be shared by taking photos,
click-points are chosen), each tolerance square has an equal capturing screen shots, or drawing, albeit requiring more
1=400 chance of being part of the user’s password. effort than for text passwords.
However, from Fig. 5, we know that for the PassPoints PCCP and CCP have a security advantage over Pas-
data sets explored, on average, the largest 8.2 percent of sPoints: an attacker launching a phishing attack would need
hotspots cover 50 percent of user-chosen click-points. This
to retrieve many images from the server instead of only one.
means that for approximately a three percent (ð50=100Þ5 )
With a man-in-the-middle (MITM) attack, only one image
chance of guessing a password, a dictionary constructed of
per click-point would need to be retrieved, since the correct
all ordered sequences of five click-points, each click-point
image would be identified by the legitimate website when
being among the corresponding set of these hotspots from
the user’s click-point is entered. However, attackers who
the appropriate (assumed known) image, would contain 226
collect the images beforehand would need to gather all of
entries. In comparison, PCCP requires the top 24 percent of
them in order to display the correct next image when the
hotspots to achieve the same coverage, giving a dictionary
user enters a click-point (see Section 8.2 for discussion of the
of 233 entries for a three percent chance of guessing a
image selection algorithm). Attackers who make assump-
password comprised solely of hotspots.
tions about likely hotspots and only collect the correspond-
7.1.3 Hotspot Attack with Only Hashed Password ing images risk missing images if the user clicks elsewhere.
Suppose attackers gain access only to the hashed pass- Although social engineering remains a threat with PCCP,
words, for example, if the passwords and other information attacks require significantly more effort and have a lower
are stored in separate databases. Offline dictionary attacks probability of success than for text passwords or PassPoints.
become even less tractable. The best attack would seem to In light of these potential guessing and capture attacks,
involve building a guessing dictionary whose entries are PCCP is best deployed in systems where offline attacks are
constructed from the largest hotspots on random combina- not possible, and where any attack must involve an online
tions of images. system that can limit the number of guesses per account per
time period; this limit should include password restarts.
7.2 Capture Attacks Even with account locking after t failed login attempts,
Password capture attacks occur when attackers directly defences must throttle such online guessing attacks suffi-
obtain passwords (or parts thereof) by intercepting user- ciently to guard against system-wide attacks across
entered data, or by tricking users into revealing their W accounts since an attacker gets t W guesses per time
passwords. For systems like PCCP, CCP, and PassPoints window [37]. All client-server communication should be
(and many other knowledge-based authentication made securely (e.g., through SSL) to maintain the secrecy of
schemes), capturing one login instance allows fraudulent user click-points and images.
access by a simple replay attack. We summarize the main
7.3 Summary of Security Analysis
issues below; detailed discussion is available elsewhere [12].
Given that hotspots and click-point clustering are signifi-
7.2.1 Shoulder Surfing cantly less prominent for PCCP than for CCP and
All three cued-recall schemes discussed (PCCP, CCP, and PassPoints, guessing attacks based on these characteristics
PassPoints) are susceptible to shoulder surfing although no are less likely to succeed. Taking into account PCCP’s
published empirical study to date has examined the extent sequence of images rather than a single image offers further
of the threat. Observing the approximate location of click- reduction in the efficiency of guessing attacks. For capture
points may reduce the number of guesses necessary to attacks, PCCP is susceptible to shoulder surfing and
232 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 9, NO. 2, MARCH/APRIL 2012
malware capturing user input during password entry. position the grid and determine the acceptability of the each
However, we expect social engineering and phishing to be login click-point.
more difficult than for other cued-recall graphical password For each password PW , the system hashes the username
schemes due to PCCP’s multiple images. W , as a unique salt intended to force user-specific attack
dictionaries, and the following details for each click-point
Ci ði ¼ 1 . . . 5Þ: its grid offset ðGxi ; Gyi Þ, a tolerance area
8 RELEVANT IMPLEMENTATION ISSUES
identifier T xi ; T yi (indicating the exact square containing
The following discusses two prototype implementations of the click-point), and its image identifier Ii . The system also
PCCP and highlights issues relevant for a best practice stores the following additional information AW in the
implementation. The first prototype, intended for experi- clear: Gx; Gy for each click-point and a random seed SW
ments only, included design decisions which facilitated data used to determine the pool of images for a given user (see
gathering but would not be advisable in actual deployment. Section 8.2). These components are described as
The lab and two-week recall studies (Sections 4.1 and 4.2)
used a standalone J# application custom designed to guide Ci ¼ ðIi ; T xi ; T yi ; Gxi ; Gyi Þ
participants through the experimental process. This pro- PW ¼ hð½C1 . . . Ci ; W Þ
vided a controlled environment to gather initial data about AW ¼ ð½Gx1 ; Gy1 . . . Gxi ; Gyi ; SW Þ:
the usability and security of the schemes. Image selection
was done in such a way that all users saw a particular core The discretization grids and offsets are transparent and
set of images and all password information (e.g., click-point unknown to users. An attacker who gained access to this
coordinates and images) was stored in the clear, allowing information would not know the user’s password, but might
evaluation of characteristics like the effect of password try to use it to guess higher probability click-points, e.g., by
choice. overlaying corresponding grids onto images looking for
The second prototype moved toward an ecologically popular target points centered within grid squares. Whether
valid system taking into account implementation details this provides any attack advantage over trying to exploit
necessary for a real web-based authentication system. The hotspots without grid information remains an open question.
PCCP Web study (Section 4.3) was conducted with a web-
based authentication framework (MVP [28]) especially 8.2 Deterministic Image Sequencing
designed to be deployed and accessed by users in their Each image is displayed using a deterministic function
regular environments. The system is intended to allow Iiþ1 ¼ fðSW ; Ci Þ, based on the user-specific random seed SW
authentication to become a secondary task, by supporting and the previous user-entered click-point Ci ; I1 ¼ fðSW ; 0Þ.
primary tasks on real websites that require users to log in as SW is set during password creation and used to randomly
part of the process. The PCCP Web study used modified select images from the system-wide pool of images,
versions of Wordpress blogs and phpBB forums. The numbered from 0 to N. It is stored in the clear as part of
modifications were made to locally installed packages, AW , described above. During login, the sequence of images is
altering the authentication process. A button was included regenerated using f. This approach allows a different
rather than a textbox for password entry; pressing the sequence of images per each user while still guaranteeing a
button opened the authentication window and loaded the consistent mapping of click-points to images for each user. If
PCCP authentication module, which takes the userid from a password is changed, a new SW is generated.
the website, collects the user’s PCCP password, and returns Using this implementation, there is a possibility that
an encoded password string (see Section 8.1). The original images are reused for a given user. For example, a user
websites remained responsible for authentication, using the clicking on an incorrect location during login might, by
encoded string as they would use an entered text password. chance, see an image belonging somewhere else within their
The following sections describe several practical design password. While this poses a potential usability concern,
and implementation choices made in building the second the likelihood of this happening is correspondingly low
prototype, and the reasoning behind them. with enough images. There is no evidence this occurred in
any of our studies.
8.1 Discretization The image selection algorithm could be modified to
Discretization of click-points allows for approximately disallow all image reuse for a given user, albeit possibly
correct click-points to be accepted by the system without providing enough verifiable information to determine the
storing exact click-point coordinates in the clear. Our entire password to an attacker who learns only the last image:
second prototype implemented Centered Discretization [29], if each possible traversal of images is unique, knowing the
wherein an invisible discretization grid is overlaid onto the last image means that with effort, an attacker could find the
image, dividing the image into square tolerance areas, to unique password that ends with that particular image.
determine whether a login click-point falls within the same For usability, the minimum total number of images
tolerance area as the initial click-point. For each click-point, should be the number of tolerance squares in one grid (i.e.,
the grid’s position is set during password creation by 432 in the basic PCCP configuration). This avoids the
placing it such that there is a uniform tolerance area situation where multiple locations lead to the same next
centered around the original click-point, by calculating the image, breaking the implicit feedback property of PCCP and
appropriate ðx; yÞ grid offset (Gx; Gy) (in pixels) from a (0,0) likely confusing users. All images could be reused at each
origin at the top-left corner of the image. On subsequent stage in the password and for every user. This strategy has
user login, the system uses the originally recorded offsets to the highest probability of collision where a user clicks on
CHIASSON ET AL.: PERSUASIVE CUED CLICK-POINTS: DESIGN, IMPLEMENTATION, AND EVALUATION OF A KNOWLEDGE-BASED... 233
an incorrect click-point and unfortunately sees an image determine at which point to stop clicking and press the
belonging elsewhere in their password. This probability login button. Although most users would likely choose the
can be reduced or nearly eliminated if the overlap of minimum number of click-points, those concerned with
images is reduced between password stages, increasing the security and confident about memorability could select a
number of images in a user’s set. The tradeoff is between longer password.
usability problems of potential collisions during incorrect
logins and reducing the ease of password reconstruction
should an attacker learn some of the images in a user’s 9 CONCLUDING REMARKS
password. A related question to explore is the possibility of A common security goal in password-based authentication
collisions across systems if different deployments use the systems is to maximize the effective password space. This
same image sets.
impacts usability when user choice is involved. We have
An alternative to increasing the number of images is to
shown that it is possible to allow user choice while still
use larger images but crop them differently for each user.
increasing the effective password space. Furthermore, tools
Hotspot analysis would be more difficult for attackers
such as PCCP’s viewport (used during password creation)
because the coordinates of hotspots could not be directly
cannot be exploited during an attack. Users could be further
applied across accounts. If furthermore, each user receives a
different pool of images (perhaps as an overlapping subset deterred (at some cost in usability) from selecting obvious
of the overall set of images in the system, as determined by click-points by limiting the number of shuffles allowed
SW and f), an attacker would need to collect these data on a during password creation or by progressively slowing
per-user basis when launching an attack. system response in repositioning the viewport with every
shuffle past a certain threshold. The approaches discussed in
8.3 Viewport Details this paper present a middle ground between insecure but
The viewport visible during password creation must be memorable user-chosen passwords and secure system-
large enough to allow some degree of user choice, but small generated random passwords that are difficult to remember.
enough to have its intended effect of distributing click- Providing instructions on creating secure passwords,
points across the image. Physiologically, the human eye can using password managers, or providing tools such as
observe only a small part of an image at a time. Selecting a strength meters for passwords have had only limited success
click-point requires high acuity vision using the fovea, the [39]. The problem with such tools is that they require
area of the retina with a high density of photoreceptor cells additional effort on the part of users creating passwords and
[38]. The size of the fovea limits foveal vision to an angle of often provide little useful feedback to guide users’ actions. In
approximately 1 degree within the direct line to the target of PCCP, creating a less guessable password (by selecting a
interest. At a normal viewing distance for a computer click-point within the first few system-suggested viewport
screen, say 60 cm, this results in sharp vision over an area of positions) is the easiest course of action. Users still make a
approximately 4 cm2 . We chose the size of the viewport to choice but are constrained in their selection.
fall within this area of sharp vision. For the lab studies, Another often cited goal of usable security is helping
where we had control over the size of the screen and the users from accurate mental models of security. Through our
screen resolution, we chose a viewport of 75 75 pixels. questionnaires and conversations with participants in
However, for the web-based system, we used a slightly authentication usability studies, it is apparent that in
larger 100 100 pixel viewport since participants may be general, users have little understanding of what makes a
using a wide variety of system configurations. While the good password and how to best protect themselves online.
web-based prototype was designed primarily for standard Furthermore, even those who are more knowledgeable
size screens, it could be modified to accommodate smart usually admit to behaving insecurely (such as reusing
phones or smaller screens. The system could determine the
passwords or providing personal information online even
type of device (e.g., through browser settings data) and alter
when unsure about the security of a website) because it is
the size of the viewport dynamically.
more convenient and because they do not fully understand
The viewport positioning algorithm randomly placed the
the possible consequences of their actions.
viewport on the image, ensuring that the entire viewport
Guiding users in making more secure choices, such as
was always visible and that users had the entire viewport
using the viewport during password creation, can help
area from which to select a click-point. This design decision
foster more accurate mental models of security rather than
had the effect of deemphasizing the edges of the image,
vague instructions such as “pick a password that is hard for
slightly favoring the central area. A potential improvement
would be to allow the viewport to wrap around the edges of others to guess.” This persuasive strategy has also been
the image, resulting in situations where the viewport is split used with some success to increase the randomness of text
on opposite edges of the image. passwords [40].
Better user interface design can influence users to select
8.4 Variable Number of Click-Points stronger passwords. A key feature in PCCP is that creating
A possible strategy for increasing security is to enforce a a harder to guess password is the path of least resistance,
minimum number of click-points, but allow users to likely making it more effective than schemes where secure
choose the length of their password, similar to minimum behavior adds an extra burden on users. The approach has
text password lengths. The system would continue to proven effective at reducing the formation of hotspots and
show next images with each click, and users would patterns, thus increasing the effective password space.
234 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 9, NO. 2, MARCH/APRIL 2012
ACKNOWLEDGMENTS [19] J. Thorpe and P.C. van Oorschot, “Human-Seeded Attacks and
Exploiting Hot-Spots in Graphical Passwords,” Proc. 16th USENIX
The authors thank Chris Deschamps for his help in Security Symp., Aug. 2007.
[20] A. Salehi-Abari, J. Thorpe, and P. van Oorschot, “On Purely
implementing the framework used in the web-based studies.
Automated Attacks and Click-Based Graphical Passwords,” Proc.
The fifth author is Canada Research Chair in Authentication Ann. Computer Security Applications Conf. (ACSAC), 2008.
and Computer Security, and acknowledges NSERC for [21] P.C. van Oorschot, A. Salehi-Abari, and J. Thorpe, “Purely
funding the chair and a Discovery Grant. Funding from Automated Attacks on PassPoints-Style Graphical Passwords,”
IEEE Trans. Information Forensics and Security, vol. 5, no. 3, pp. 393-
NSERC ISSNet and the fourth author’s NSERC Discovery 405, Sept. 2010.
Grant is also acknowledged. Parts of this paper appeared [22] B. Fogg, Persuasive Technologies: Using Computers to Change What
earlier in publications [1], [2], [3], [4], [5]. We Think and Do. Morgan Kaufmann Publishers, 2003.
[23] J. Wolf, “Visual Attention,” Seeing, K. De Valois, ed., pp. 335-386,
Academic Press, 2000.
[24] D. Davis, F. Monrose, and M. Reiter, “On User Choice in
REFERENCES Graphical Password Schemes,” Proc. 13th USENIX Security Symp.,
[1] S. Chiasson, R. Biddle, and P. van Oorschot, “A Second Look at 2004.
the Usability of Click-Based Graphical Passwords,” Proc. ACM [25] PD Photo, PD Photo Website, http://pdphoto.org, Feb. 2007.
Symp. Usable Privacy and Security (SOUPS), July 2007. [26] D. Florencio and C. Herley, “Where Do Security Policies Come
[2] S. Chiasson, A. Forget, R. Biddle, and P. van Oorschot, “Influen- from?,” Proc. Symp. Usable Privacy and Security, 2010.
cing Users towards Better Passwords: Persuasive Cued Click- [27] M. Weir, S. Aggarwal, M. Collins, and H. Stern, “Testing Metrics
Points,” Proc. British HCI Group Ann. Conf. People and Computers: for Password Creation Policies by Attacking Large Sets of
Culture, Creativity, Interaction, Sept. 2008. Revealed Passwords,” Proc. ACM Conf. Computer and Comm.
[3] S. Chiasson, A. Forget, E. Stobert, P. van Oorschot, and R. Biddle, Security (CCS), 2010.
“Multiple Password Interference in Text and Click-Based Graphi- [28] S. Chiasson, C. Deschamps, E. Stobert, M. Hlywa, B. Freitas
cal Passwords,” Proc. ACM Conf. Computer and Comm. Security Machado, A. Forget, N. Wright, G. Chan, and R. Biddle, “ [Short
(CCS), Nov. 2009. Paper] The MVP Web-Based Authentication Framework,” Proc.
[4] E. Stobert, A. Forget, S. Chiasson, P. van Oorschot, and R. Biddle, Financial Cryptography and Data Security (FC), LNCS, 2012.
“Exploring Usability Effects of Increasing Security in Click-Based [29] S. Chiasson, J. Srinivasan, R. Biddle, and P.C. van Oorschot,
Graphical Passwords,” Proc. Ann. Computer Security Applications “Centered Discretization with Application to Graphical Pass-
Conf. (ACSAC), 2010. words,” Proc. USENIX Workshop Usability, Psychology, and Security
[5] S. Chiasson, A. Forget, R. Biddle, and P.C. van Oorschot, “User (UPSEC), Apr. 2008.
Interface Design Affects Security: Patterns in Click-Based Graphi- [30] P. Diggle, Statistical Analysis of Spatial Point Patterns. Academic
cal Passwords,” Int’l J. Information Security, vol. 8, no. 6, pp. 387- Press, 1983.
398, 2009. [31] A. Baddeley and R. Turner, “Spatstat: An R Package for Analyzing
[6] J. Yan, A. Blackwell, R. Anderson, and A. Grant, “The Memor- Spatial Point Patterns,” J. Statistical Software, vol. 12, no. 6, pp. 1-
ability and Security of Passwords,” Security and Usability: 42, 2005.
Designing Secure Systems That People Can Use, L. Cranor and [32] M. van Lieshout and A. Baddeley, “A Nonparametric Measure of
S. Garfinkel, eds., ch. 7, pp. 129-142, O’Reilly Media, 2005. Spatial Interaction in Point Patterns,” Statistica Neerlandica, vol. 50,
[7] S. Chiasson, P. van Oorschot, and R. Biddle, “Graphical Password no. 3, pp. 344-361, 1996.
Authentication Using Cued Click Points,” Proc. European Symp. [33] S. Chiasson, E. Stobert, A. Forget, R. Biddle, and P. van Oorschot,
Research in Computer Security (ESORICS), pp. 359-374, Sept. 2007. “Persuasive Cued Click-Points: Design, Implementation, and
[8] L. Jones, A. Anton, and J. Earp, “Towards Understanding User Evaluation of a Knowledge-Based Authentication Mechanism,”
Perceptions of Authentication Technologies,” Proc. ACM Workshop Technical Report TR-11-03, School of Computer Science, Carleton
Privacy in Electronic Soc., 2007. Univ., Feb. 2011.
[9] L. O’Gorman, “Comparing Passwords, Tokens, and Biometrics for [34] P.C. van Oorschot and J. Thorpe, “Exploiting Predictability in
User Authentication,” Proc. IEEE, vol. 91, no. 12, pp. 2019-2020, Click-Based Graphical Passwords,” J. Computer Security, vol. 19,
Dec. 2003. no. 4, pp. 669-702, 2011.
[10] A. Jain, A. Ross, and S. Pankanti, “Biometrics: A Tool for [35] A. Forget, S. Chiasson, and R. Biddle, “Shoulder-Surfing Resis-
Information Security,” IEEE Trans. Information Forensics and tance with Eye-Gaze Entry in Click-Based Graphical Passwords,”
Security (TIFS), vol. 1, no. 2, pp. 125-143, June 2006. Proc. ACM SIGCHI Conf. Human Factors in Computing Systems
[11] D. Nelson, V. Reed, and J. Walling, “Pictorial Superiority Effect,” (CHI), 2010.
J. Experimental Psychology: Human Learning and Memory, vol. 2, [36] P. Dunphy, J. Nicholson, and P. Olivier, “Securing Passfaces for
no. 5, pp. 523-528, 1976. Description,” Proc. Fourth ACM Symp. Usable Privacy and Security
[12] R. Biddle, S. Chiasson, and P. van Oorschot, “Graphical Pass- (SOUPS), July 2008.
words: Learning from the First Twelve Years,” to be published in [37] B. Pinkas and T. Sander, “Securing Passwords against Dictionary
ACM Computing Surveys, vol. 44, no. 4, 2012. Attacks,” Proc. Ninth ACM Conf. Computer and Comm. Security
[13] A. De Angeli, L. Coventry, G. Johnson, and K. Renaud, “Is a (CCS), Nov. 2002.
Picture Really Worth a Thousand Words? Exploring the Feasi- [38] A. Duchowski, Eye Tracking Methodology: Theory and Practice,
bility of Graphical Authentication Systems,” Int’l J. Human- second ed. Springer, 2007.
Computer Studies, vol. 63, nos. 1/2, pp. 128-152, 2005. [39] D. Florencio and C. Herley, “A Large-Scale Study of WWW
[14] E. Tulving and Z. Pearlstone, “Availability versus Accessibility of Password Habits,” Proc. 16th ACM Int’l World Wide Web Conf.
Information in Memory for Words,” J. Verbal Learning and Verbal (WWW), May 2007.
Behavior, vol. 5, pp. 381-391, 1966. [40] A. Forget, S. Chiasson, P. van Oorschot, and R. Biddle, “Improv-
[15] S. Wiedenbeck, J. Waters, J. Birget, A. Brodskiy, and N. Memon, ing Text Passwords through Persuasion,” Proc. Fourth Symp.
“PassPoints: Design and Longitudinal Evaluation of a Graphical Usable Privacy and Security (SOUPS), July 2008.
Password System,” Int’l J. Human-Computer Studies, vol. 63,
nos. 1/2, pp. 102-127, 2005.
[16] S. Wiedenbeck, J. Waters, J. Birget, A. Brodskiy, and N. Memon,
“Authentication Using Graphical Passwords: Effects of Tolerance
and Image Choice,” Proc. First Symp. Usable Privacy and Security
(SOUPS), July 2005.
[17] K. Golofit, “Click Passwords under Investigation,” Proc. 12th
European Symp. Research in Computer Security (ESORICS), Sept.
2007.
[18] A. Dirik, N. Menon, and J. Birget, “Modeling User Choice in the
Passpoints Graphical Password Scheme,” Proc. Third ACM Symp.
Usable Privacy and Security (SOUPS), July 2007.
CHIASSON ET AL.: PERSUASIVE CUED CLICK-POINTS: DESIGN, IMPLEMENTATION, AND EVALUATION OF A KNOWLEDGE-BASED... 235
Sonia Chiasson is an assistant professor in the Robert Biddle is a professor in the School of
School of Computer Science at Carleton Uni- Computer Science and Institute of Cognitive
versity in Ottawa, Canada. Her main research Science at Carleton University in Ottawa, Cana-
interests are in usable security: the intersection da. His research is in human-computer interac-
between human-computer interaction (HCI) and tion and software design. His current research
computer security. Current projects are on user projects are on usable security, especially
authentication, usable security for mobile de- authentication and security decision making,
vices, and computer games for teaching about and on large-scale multitouch devices, espe-
computer security. She is a member of the IEEE. cially environments for collaborative design and
visualization. He is a member of the IEEE.
Elizabeth Stobert received the BMath and BA Paul C. van Oorschot is a professor in the
degrees in 2008 and 2009, respectively, from School of Computer Science at Carleton Uni-
Carleton University, where she is working versity in Ottawa, where he is the Canada
toward the PhD degree in computer science. Research Chair in Authentication and Computer
She received the MA degree in psychology in Security. He was the program chair of USENIX
2011 from the same university. Her research Security 2008, Program cochair of NDSS 2001
interests are in the areas of HCI, security, and and 2002, and the coauthor of the Handbook of
cognition. She is a student member of the IEEE. Applied Cryptography (1996). He is on the
editorial board of IEEE TIFS and IEEE TDSC.
His current research interests include authenti-
cation and identity management, security and usability, software
security, and computer security. He is a member of the IEEE.
Alain Forget is currently a PhD candidate in
computer science. His thesis research is focus-
ing on various aspects of usable authentication, . For more information on this or any other computing topic,
including users’ mental models of passwords, please visit our Digital Library at www.computer.org/publications/dlib.
using persuasive technology to improve users’
mental models of authentication and computer
security, and exploring various solutions to the
challenges users have with contemporary text
passwords.