Abstract

In this paper we present the results of a security analysis of the Game Changer Password System, proposed by McLennan et al.—a mnemonic variant of password security that uses game positions as passwords. The idea is that several different games are presented graphically on the screen, allowing a user to first select a game and then enter his or her password in the selected game by placing pieces on a board. For example, a user first selects chess, then places four chess pieces on the chessboard. The password is represented by the fact that chess was chosen and by the pieces' locations. The first issue with the proposed system is its small search space—the number of possible password combinations—which enables relatively simple and quite inexpensive brute-force attacks. The second issue is that users prefer specific locations and pieces over others, which further reduces the search space and allows attackers to speed up their attacks with a high probability of success. Based on this non-uniformity of locations and pieces, attackers can build special dictionaries to launch dictionary-based attacks. We elaborate on these weaknesses and propose a solution that produces stronger passwords. However, the tradeoff between memorability and attack resilience must be taken into account.
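The two issues above can be put in numbers when assessing such a scheme. The following is an added example, not code from the paper: it counts the four-piece chess password space and estimates how much a preference for a few squares and piece types concentrates users' choices. The board size, the 12 piece types, the distinct-square rule and the preference figures are all assumptions constructed for illustration.

```python
import math

# Assumptions (not from the paper): 8x8 board, 12 piece types
# (6 kinds x 2 colours), pieces on distinct squares, order irrelevant.
SQUARES, PIECE_TYPES = 64, 12
PIECES = 4  # the abstract's example: four pieces on the board


def space_size(squares=SQUARES, types=PIECE_TYPES, k=PIECES):
    """Number of distinct positions: choose k squares, a piece type for each."""
    return math.comb(squares, k) * types ** k


def bits(n):
    """Strength in bits of a space of n equally likely passwords."""
    return math.log2(n)


def hot_dictionary(hot_squares, hot_types, sq_mass, type_mass, k=PIECES):
    """Dictionary restricted to users' favourite squares and piece types.

    sq_mass / type_mass: fraction of all placements that land on a favourite
    square / use a favourite type (constructed figures, not measured data).
    Returns (dictionary size, approximate share of users covered), treating
    the k placements as independent.
    """
    size = space_size(hot_squares, hot_types, k)
    coverage = (sq_mass * type_mass) ** k
    return size, coverage


def advantage(hot_squares, hot_types, sq_mass, type_mass):
    """How many times more accounts the dictionary matches than the same
    number of guesses would against uniformly chosen passwords."""
    size, coverage = hot_dictionary(hot_squares, hot_types, sq_mass, type_mass)
    return coverage / (size / space_size())


if __name__ == "__main__":
    n = space_size()
    print(f"uniform space: {n:,} positions = {bits(n):.1f} bits")
    # Constructed skew: 8 favourite squares and 2 favourite piece types,
    # each attracting half of all placements.
    size, cov = hot_dictionary(8, 2, 0.5, 0.5)
    print(f"dictionary of {size:,} positions covers ~{cov:.2%} of users")
    print(f"advantage over uniform guessing: {advantage(8, 2, 0.5, 0.5):,.0f}x")
    print(f"strength for users inside the dictionary: {bits(size):.1f} bits")
```

Under these assumptions the full space is about 33.6 bits, while users who stay within the favourite squares and pieces are protected by only about 10 bits.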
