Exploring the memorability of multiple recognition-based graphical passwords and their resistance to guessability attacks

Chowdhury, Soumyadeb (2015) Exploring the memorability of multiple recognition-based graphical passwords and their resistance to guessability attacks. PhD thesis, University of Glasgow.

Full text available as:
Download (47kB) | Preview
Download (9MB) | Preview
Printed Thesis Information: https://eleanor.lib.gla.ac.uk/record=b3098411


Most users find it difficult to remember traditional text-based passwords. In order to cope with multiple passwords, users tend to adopt unsafe mechanisms like writing down the passwords or sharing them with others. Recognition-based graphical authentication systems (RBGSs) have been proposed as one potential solution to minimize the above problems. But, most prior works in the field of RBGSs make the unrealistic assumption of studying a single password. It is also an untested assumption that RBGS passwords are resistant to being written down or verbally communicated.
The main aim of the research reported in this thesis is to examine the memorability of multiple image passwords and their guessability using written descriptions (provided by the respective account holders). In this context, the thesis presents four user studies. The first user study (US1) examined the usability of multiple RBGS passwords with four different image types: Mikon, doodle, art and everyday objects (e.g. images of food, buildings, sports etc.). The results obtained in US1 demonstrated that subjects found it difficult to remember four RBGS passwords (of the same image type) and the memorability of the passwords deteriorated over time. The results of another usability study (US2) conducted using the same four image types (as in US1) demonstrated that the memorability of the multiple RBGS passwords created by employing a mnemonic strategy do not improve even when compared to the existing multiple password studies and US1. In the context of the guessability, a user study (GS1) examined the guessability of RBGS passwords (created in US1), using the textual descriptions given by the respective account holders. Another study (GS2) examined the guessability of RBGS passwords (created in US2), using descriptions given by the respective account holders. The results obtained from both the studies showed that RBGS passwords can be guessed using the password descriptions in the experimental set-up used.
Additionally, this thesis presents a novel Passhint authentication system (PHAS).The results of a usability study (US3) demonstrated that the memorability of multiple PHAS passwords is better than in existing Graphical authentication systems (GASs). Although the registration time is high, authentication time for the successful attempts is either equivalent to or less than the time reported for previous GASs. The guessability study (GS3) showed that the art passwords are the least guessable, followed by Mikon, doodle and objects in that order. This thesis offers these initial studies as a proof of principle to conduct large scale field studies in the future with PHAS. Based on the review of the existing literature, this thesis identifies the need for a general set of principles to design usability experiments that would allow systematic evaluation and comparison of different authentication systems.
From the empirical studies (US1, US2 and US3) reported in this thesis, we found that multiple RBGS passwords are difficult to remember, and the memorability of such passwords can be increased using the novel PHAS. We also recommend using the art images as the passwords in PHAS, because they are found to be the least guessable using the written descriptions in the empirical studies (GS1, GS2 and GS3) reported in this thesis.

Item Type: Thesis (PhD)
Qualification Level: Doctoral
Additional Information: Portions of Chapter 2, 3, 4, 5 and 6 have been published as research papers. This has been acknowledged in the Section 1.8 (Origins of the Material) in the thesis.
Keywords: Graphical authentication, human factors, usable-security, memorability, guessability
Subjects: Q Science > QA Mathematics > QA76 Computer software
Colleges/Schools: College of Science and Engineering > School of Computing Science
Supervisor's Name: Poet, Dr. Ron and Mackenzie, Dr. Lewis
Date of Award: 2015
Depositing User: Mr Soumyadeb Chowdhury
Unique ID: glathesis:2015-6210
Copyright: Copyright of this thesis is held by the author.
Date Deposited: 17 Mar 2015 14:17
Last Modified: 23 Mar 2015 15:03
URI: http://theses.gla.ac.uk/id/eprint/6210

Actions (login required)

View Item View Item


Downloads per month over past year