Abstract

Recognition-based graphical passwords are common alternatives to alphanumeric passwords for user authentication. Previously, we proposed culturally familiar recognition-based graphical passwords using pictures that relate to users' backgrounds. This scheme showed a high level of memorability, especially for users who created their graphical password from culturally familiar pictures [1]. This paper aims to study this scheme further by examining its security against educated guessing attacks. This study was also the first attempt to investigate the risk of using personal information shared by users on social networks to guess their graphical passwords.

Friends and family members of the owners of graphical passwords were asked to make three attempts at attacking their graphical passwords. Each graphical password consisted of both culturally familiar and unfamiliar pictures. The attackers were advised to use two sources of information to help them in guessing: the victims' accounts on social networks and direct experience with the victims.

The results of this within-subject study showed that the attackers correctly guessed the culturally familiar pictures more often than unfamiliar ones. Also, culturally familiar pictures were easier to guess than unfamiliar pictures when the attackers used information from social networks.
