Abstract

Authentication on web applications and service platforms, such as those that enable collaborative information sharing and resource management, is typically handled via text-based passwords. From a security usability perspective, text-based passwords are easy to use and familiar to users. Text-based passwords, however, are prone to attacks that stem from the challenges users face with memorability. These memorability issues pose problems for service providers on platforms where identity management is a key concern. Application examples emerge in social media, online commerce, and the management of critical infrastructure such as smart micro-grids. A further concern is that large volumes of sensitive information are made available and shared on these applications, making them an attractive target for adversaries seeking data with which to mount impersonation and inferential attacks, for instance. In this paper, we discuss the pros and cons of using graphical passwords instead of text-based passwords on information sharing platforms. We support our discussion by considering two graphical password schemes, based on the principles of recall and cued-recall respectively, which are philosophically similar to text-based passwords. Results from our proof-of-concept implementation indicate that, in comparison to text-based and recall graphical passwords, cued-recall graphical passwords are a better authentication mechanism in terms of memorability and password security.
