Abstract

Graphical passwords are a promising alternative to alphanumeric passwords for user authentication. Recognition-based schemes are commonly used. This paper aims to find the best ways to improve the usability and security of recognition-based graphical passwords using culturally familiar pictures. Two types of challenge sets (culturally familiar decoys or unfamiliar decoys), with or without user guidelines for graphical passwords, were examined in two between-subject user studies. The first user study examined the memorability of culturally familiar graphical passwords by asking participants to create a graphical password and log in twice: two weeks and six weeks after creating the password. The second user study investigated the robustness of a culturally familiar graphical password against an educated guessing attack by asking friends or family members of the participants to guess their graphical passwords in three attempts. The results showed that culturally familiar graphical passwords used with unfamiliar decoys were more memorable than culturally familiar graphical passwords with familiar decoys. Following the graphical password guidelines did not improve password memorability. However, the guidelines showed a significant impact on maintaining the password memorability rate over time, while the memorability rate for the users who were not given guidelines decreased over time. The study also found that culturally familiar graphical passwords used with unfamiliar decoys were more vulnerable to educated guessing attacks than graphical passwords with familiar decoys. However, the results showed that graphical passwords created according to provided guidelines were more secure, even if they were used with familiar decoys.
