Graphical Passwords: A Survey

Nov 17, 2013

Based Graphical Password Authentication Method

İbrahim Bumin KARA

Department of Computer Science Engineering

Isik University

Istanbul, TURKEY


As known, the most common computer authentication method is to use alphanumerical usernames and passwords, which requires a significant amount of human involvement. It has been shown that this method suffers from many weaknesses. Users tend to choose either very short passwords, which are easy to break, or long passwords that are hard to remember. In addition, they commonly choose passwords that can be easily guessed, or they choose ones that are hard to guess but have problems remembering them afterwards. Computer scientists have come up with different techniques in order to address this problem. One of those techniques is to use images as passwords, and it is called “Graphical Passwords”. There are different kinds of graphical password techniques, classified in two categories: recognition-based and recall-based approaches. In our survey, we conducted research on this topic, more specifically on recognition-based authentication methods with graphical passwords. In this paper we discuss the advantages and drawbacks of those graphical password techniques. Moreover, different types of applications were assessed, as well as our own application “Concept

1. Introduction

Most of the security architectures used in the computational world suffer from human-based factors. According to Patrick et al. [1], there are three areas in computational systems in which human factors are involved: authentication, security operations and developing secure systems.

The most common authentication method is to use usernames and textual passwords, which is an alphanumeric-based technique. Since the vulnerabilities of alphanumeric-based techniques, such as security and remembering, are well known, researchers have been trying to overcome those weaknesses by designing graphical password techniques. Researchers have studied various graphical password techniques in order to create an alternative authentication system to alphanumeric-based techniques. Seeing graphical password methods as an alternative rests on an assumption: humans can memorize images more easily than alphanumerical characters. Some psychological studies agree with this assumption.

In this survey we focused on authentication methods. We can classify the current authentication methods in three categories: token-based (something the user has), biometrics-based (something the user is) and knowledge-based (something the user knows) authentication. In the following parts of this paper, we will first introduce the current authentication techniques and define the drawbacks of each of them individually; then we will have a more focused look at graphical passwords, their applications and security issues.

Finally, we will introduce our recognition-based conceptual graphical password application called Concept-Based.
2. Categorizing Current Authentication

2.1. Biometrics Based Authentication

Biometrics-based systems are authentication systems that recognize humans based upon one or more physical or behavioral traits. Biometrics allows systems to validate users with the question “who she is” instead of “what she
5]. According to the survey conducted by Zhu, et al., biometrics provides the highest level of security among all other techniques [6]. One of the two characteristics of this method is physiological, related to the shape of the body. Common examples of physiological characteristics are fingerprints, face recognition, iris recognition and DNA. The other characteristic is behavioral, related to the behavior of a person, with the common examples being typing rhythm, gait and voice.

Although it provides the highest level of security, biometrics still cannot be used widely because of its high costs. This bleeding-edge technology involves device cost, deployment cost and support cost. All of these costs, as well as some environmental issues, hold companies back from using biometrics. For example, it is not reliable to use a sound-recognition-based technique in a noisy environment [7].

2.2. Token Based Authentication

Token-based authentication is a two-factor authentication technique. It needs to be combined with knowledge-based methods in order to achieve a greater level of security. Users should have an external device, like an ATM card or smartcard, which should be used together with a password or PIN code. They are used to prove one’s identity electronically. The token is used in place of a password or more generally with
order to prove that the customers are who they claim to be.

Although token-based authentication is a strong authentication technique, it has important drawbacks, as suggested in a Microsoft article. Authentication software must be installed on a centralized database and the software needs to be deployed on each user’s external device. Moreover, users may lose the device, and replacing it can be costly for the company [8].

2.3. Knowledge Based Authentication

Users need to memorize a piece of information (e.g. usernames, passwords) which they learned during registration and submit it in order to authenticate with knowledge-based systems. This authentication technique has been the most dominant one, used for daily needs in computer and network security. The main reason that makes it more eligible than the other authentication techniques is its lower cost.

Knowledge-based systems can be classified in two categories: text-based and picture-based. Text-based authentication requires the use of alphanumerical methods and distinctly has a wider use. However, textual passwords have important drawbacks due to the important amount of human involvement in them.

3. Background and Related Work

Graphical passwords are classified under two
categories: Recognition Based and Recall Based.

3.1. Recognition Based Techniques

In recognition-based techniques, users are supposed to pick and memorize several images from a set of pictures in order to create their password (Figure 1). Since the password consists of images, during the authentication session the user has to identify the correct images that they picked earlier.

Figure 1. A graphical password scheme (

There have been developed methods for this
3.1.1. Dhamija and Perrig algorithm

Dhamija and Perrig [9] developed a graphical authentication scheme, called “Déjà vu”, with non-describable abstract images by exploiting the hash visualization technique [10]. The purpose of using this kind of image rather than photographs is that they can be produced by a method using small initial seeds, which makes authentication require less memory.

Figure 2. Random images generated in the application of Dhamija and Perrig

The user selects a certain number of images from a set of random pictures generated by this method (Figure 2). Afterwards, they are asked to identify the images selected during registration in order to be authenticated. A user study with 20 participants was conducted, and it showed that 90% of the participants' attempts succeeded, while the rate of success was 70% when they tried textual passwords. A weakness of this system is that the password space is much smaller than that of textual passwords. The average log-in time is also longer than with the traditional methods, which can be tedious and time consuming for the user. In addition, the seeds of the portfolio images have to be stored on the server for each user. Akula and Devisetty introduced another technique similar to “Déjà vu”. The main difference is that they used
1 hash, which helped the method be more secure and cost less memory [11].

3.1.2. Sobrado and Birget algorithms

Sobrado and Birget developed several graphical password techniques focused on solving shoulder-surfing attacks, which are one of the main problems of most graphical password techniques. They developed 3 different schemes in order to overcome shoulder-surfing attacks [12]. In the first scheme, called the “triangle scheme”, the user is shown a large number of objects, which were shown during registration, and is asked to identify the pass-objects pre-selected by the user. Then the user is required to click inside the convex hull formed by all the pass-objects, which contains decoys (Figure 3).

Figure 3. The first scheme of Sobrado and Birget “Triangle Scheme”

In the “triangle scheme” they display 1000 objects in order to make the password space large enough, and this distinctly crowded screen makes the user lose more time finding the pass-objects during the log-in session. Also, a login may succeed by clicking randomly, because the convex hull can be large, and this obviously makes the system less secure.

The second scheme, called the “movable frame scheme”, has the same registration method, in which the user chooses the pass-objects among all objects. But this time only three pass-objects are involved, and one of them is placed in a movable frame (Figure 4). For authentication, the user needs to move and rotate the frame until all the pass-objects, which constitute their password, are located on a straight line. In order to achieve reasonable security, it is suggested that this process be repeated several times. This method may seem confusing and time consuming for many users because of the many non-pass objects.

Figure 4. The second scheme of Sobrado and Birget “Movable Frame Scheme”

The last scheme, called the “intersection scheme”, works similarly to the movable frame scheme. This time four pass-objects are displayed each time, and the user should click near the intersection of the invisible lines formed by the four pass-objects that were pre-selected by the user (Figure 5).

Figure 5. The last scheme of Sobrado and Birget “Intersection Scheme”

There are two common drawbacks in the schemes developed by Sobrado and Birget. They all require at least 1000 objects to be displayed on the screen in order to have reasonable security, so users might have trouble finding the pass-objects on that kind of crowded screen with tiny objects. Secondly, they all require the process to be run several times, so the authentication process is significantly slow and time consuming.

3.1.3. Man, et al. algorithm

Man, et al. developed a shoulder-surfing resistant algorithm like Sobrado and Birget [13]. In this algorithm, the user is supposed to pick a certain number of images as their pass-objects. Each object on the screen has several variants, which have their own individual unique codes. Authentication consists of several scenes, and each scene contains several pass-objects and lots of decoys (Figure 6). According to the variants of the pass-objects that are shown, the user is supposed to input a string of textual characters in the right order.

Figure 6. The Shoulder Surfing Resistant Method of Man, et al. [13]

The main advantage of this method is that it is distinctly hard to crack this kind of password even if the whole log-in process is recorded by camera, because there is no mouse clicking to give away your password information. However, this method is not purely a picture-based method because it still involves alphanumerical characters. Hong, et al. [14] improved this approach. Their method allows the user to assign their own codes to pass-object variants. Still, this method requires memorizing many text strings, and therefore the user suffers from the drawbacks of text-based passwords.

3.1.4. Jansen et al. algorithm

Jansen et al. [15] developed an authentication system based on “picture password”. This scheme is specially designed for PDAs. To create the password, the user first selects a theme (e.g. seashore, cat, dog and so on) which consists of thumbnail photos. Then the user selects a sequence of thumbnail photos to form their password (Figure 7). Afterwards, in order to be authenticated, the user needs to recognize and identify the pre-selected thumbnail photos in the same order as in the registration session. In this method, the password space is quite poor compared to text-based passwords because the number of thumbnail images is limited only to

Figure 7. The scheme of Jansen “picture password”

3.1.5. Takada and Koike

Their technique is an image-based authentication technique which allows users to use their own favorite images for authentication [16]. The users first register their favorite images as pass-images with the server; then they are asked to recognize and identify them among many decoy images in the authentication session. The authentication consists of several rounds of verification to ensure security (Figure 8). In each round, users have to select a pass-image, or choose nothing in the case that no pass-image is displayed. The system authorizes a user if they succeed in all the verifications. The main point of this method is allowing users to choose their own images, helping them to remember their pass-images later on.

Figure 8. The image-based authentication scheme of Takada and Koike

3.1.6. Passface algorithm


Passfaces is a commercial application, one of the most popular ones that uses the “face scheme”, introduced by Real User Corporation [17]. It was built on the assumption that humans can memorize human faces more easily than other pictures. The process starts with creating a graphical password consisting of four human face images. Then the user is required to recognize and identify the pre-selected human face images from a grid of nine face pictures, in which one of the faces is pre-selected and the rest are decoy faces (Figure 9). This step is repeated until all four faces are identified individually, one in each step. If the user identifies all the pre-selected faces successfully, authentication succeeds.

Figure 9. Grid of nine faces [17]

Valentine proposed that Passfaces are very memorable even after long time intervals [18, 19].

Another study, conducted by Brostoff and Sasse [20], states that the failure rate in authentication is three times less compared to textual password systems. Davis, et al. [21] studied the Passface technique and others of its kind, and found some common patterns among these
The statistics show that most of the users choose the faces of people from the same race, and this increases the predictability of the passwords. The following statements are some of the feedback Monrose and Reiter [21] received in


“I chose the images of the ladies which appealed the

“I picked her because she was female and Asian and being female and Asian, I thought I could remember that.”

“I started by deciding to choose faces of people in my own race ... specifically, people that looked at least a little like me. The hope was that knowing this general piece of information about all of the images in my password would make the individual faces easier to remember.”

“... Plus he is African-American like me.”

Davis et al. [21] suggested a similar scheme called the “story scheme”. In this method the user picks a sequence of images (any meaningful images as well as human faces) to make a story that helps them recall the password images later (Figure 10).

Figure 10. The scheme of Davis et al. [21] “story scheme”

In order to study and compare these two schemes, Davis et al. surveyed 154 computer engineering and computer science students from two universities. The result shows that in Passfaces most of the users' choices are highly affected by race, the gender of the user, and the attractiveness of the faces in the pictures.

For the “story scheme”, they found that 75% of the incorrect entries include the correct images in the wrong order. In order to prevent this, they suggested a more flexible scheme, in which the order of identifying the images is not

In our paper we propose another face scheme technique, namely the “concept-based scheme”, similar to the “story scheme”. We developed the Concept-Based application and experimented on a group of users. We will explain and analyze Concept-Based in the following chapters.

3.2. Recall Based Techniques

Although our main focus is on recognition-based techniques, we find it convenient to take a glimpse at recall-based techniques too.

There are mainly two types of recall-based techniques.

Reproduce a Drawing

In this technique the user is asked to redraw a drawing he or she produced in the registration phase.

A well-known method is “draw-a-secret” (DAS), introduced by Jermyn, et al. [22].

The user draws a figure on a 2D grid. Using a grid as a background has several advantages. First, it eliminates the need to store a graphical database on the server side. The algorithm stores the coordinates and the sequence of the drawing. Second, as a grid is a simple object, the quality requirement for the display is minimized with such schemes. In addition, grid-based schemes do not limit the password length, unlike many other schemes.

In the authentication stage, the user can log in if they can redraw the picture drawn in registration, using the same sequence of strokes in the same coordinates. According to the research of Jermyn, et al., the password space is larger than that of text-based passwords, given that the password drawn (on a 5x5 grid) is long enough.
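
The grid encoding described above can be made concrete. The following is an added illustration, not code from Jermyn et al. or from this paper; the 500-pixel canvas, the pen-up sentinel, the function names and the sample strokes are assumptions. It encodes each stroke as the ordered grid cells it enters and accepts a login only when the whole sequence matches.

```python
import hmac
from typing import List, Tuple

Point = Tuple[float, float]
Cell = Tuple[int, int]
Stroke = List[Point]

GRID = 5                              # 5x5 grid, as in the text
CANVAS = 500.0                        # assumed square canvas size in pixels
PEN_UP: Cell = (GRID + 1, GRID + 1)   # assumed sentinel that ends a stroke
MIN_LENGTH = 8                        # length threshold on a 5x5 grid quoted from [23]


def to_cell(point: Point) -> Cell:
    """Map a canvas coordinate to a 1-based (column, row) grid cell."""
    x, y = point
    if not (0 <= x < CANVAS and 0 <= y < CANVAS):
        raise ValueError(f"point {point} is outside the canvas")
    size = CANVAS / GRID
    return (int(x // size) + 1, int(y // size) + 1)


def encode(strokes: List[Stroke]) -> List[Cell]:
    """Encode a drawing as the cells each stroke enters, in drawing order.

    Only coordinates and their sequence are kept, so no image is stored.
    Assumes points are sampled densely enough that a stroke never skips
    over a cell between two samples.
    """
    encoded: List[Cell] = []
    for stroke in strokes:
        if not stroke:
            raise ValueError("empty stroke")
        previous = None
        for point in stroke:
            cell = to_cell(point)
            if cell != previous:       # record a cell when the pen enters it
                encoded.append(cell)
                previous = cell
        encoded.append(PEN_UP)
    return encoded


def password_length(encoded: List[Cell]) -> int:
    """Number of cell entries, pen-up markers excluded."""
    return sum(1 for cell in encoded if cell != PEN_UP)


def long_enough(encoded: List[Cell]) -> bool:
    """Enrollment check against the length threshold from [23]."""
    return password_length(encoded) >= MIN_LENGTH


def serialize(encoded: List[Cell]) -> bytes:
    """Flatten the cell sequence to bytes (every value is at most GRID + 1)."""
    return bytes(value for cell in encoded for value in cell)


def matches(enrolled: List[Cell], attempt: List[Stroke]) -> bool:
    """True only if the attempt enters the same cells in the same stroke order."""
    try:
        candidate = encode(attempt)
    except ValueError:
        return False
    # Constant-time comparison of the two encoded sequences.
    return hmac.compare_digest(serialize(enrolled), serialize(candidate))


# Constructed sample drawings (not data from any study).
ENROLLED_STROKES = [
    [(50, 50), (150, 50), (250, 50), (250, 150), (250, 250)],
    [(50, 450), (150, 450), (250, 450)],
]
# Same drawing with jitter that stays inside each cell.
JITTERED_STROKES = [
    [(60, 40), (140, 70), (260, 30), (240, 160), (270, 240)],
    [(70, 430), (130, 470), (220, 410)],
]
# Starts just across a grid line, so the first cell differs.
CROSSED_STROKES = [
    [(110, 50), (150, 50), (250, 50), (250, 150), (250, 250)],
    [(50, 450), (150, 450), (250, 450)],
]

if __name__ == "__main__":
    enrolled = encode(ENROLLED_STROKES)
    print("encoded:", enrolled)
    print("long enough:", long_enough(enrolled))
    print("jittered matches:", matches(enrolled, JITTERED_STROKES))
    print("crossed line matches:", matches(enrolled, CROSSED_STROKES))
```

The crossed-line case shows the usability cost of exact matching: a stroke that starts a few pixels over a grid line produces a different cell sequence and is rejected.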

Thorpe and van Oorschot [23] analyzed the security of the DAS method and proposed that DAS is less vulnerable to brute force attacks than traditional text-based passwords.

They introduced graphical dictionaries in order to measure the strength of DAS against dictionary attacks and concluded that a graphical password with length 8 or greater on a 5x5 grid is less susceptible to dictionary attacks [23]. Nali and Thorpe [24] further studied the impact of statistical factors as a complexity property of DAS. In their research, users were asked to reproduce the drawings on paper in order to find out whether there are predictable characteristics or not. Although predictable characteristics were not discovered in the start and end strokes, another important point was discovered which reduces the size of the password space: most of the users tend to produce more “memorable” drawings which contain a certain level of symmetry. Another algorithm was introduced by Syukri, et al. [25]. This method requires users to draw a signature with the mouse. The signature is then rescaled, normalized and stored in a database. The user is required to redraw the signature during authentication. Although it is hard to fake signatures, users may not be comfortable using a mouse as a drawing tool. So it is suggested that this method be used on mobile devices with pen-like tools.

Repeat a Sequence of Actions

In this method users are required to click on pre-defined locations on a picture. Based on different approaches in the studies of Blonder [26] and Passlogix [27], the image can assist the user or not. Some other works of Passlogix, like v-Go, come up with creative graphical password ideas. In some of those methods the user is required to mix up the ingredients of his or her own cocktail or pick a hand at cards. However, there is no easy way to prevent people from picking poor passwords or to prevent the password space from shrinking. It was found that people tend to pick winning hands in such an application, like full house, flush etc.

Another method that falls into this category is pass-points. In the PassPoint application the user needs to click on the same points as the ones they clicked in registration. Users find it easy to use according to [28]. However, Memon, et al., in [29], suggested a prediction algorithm for PassPoint, and claimed that their model predicts 70% to 80% of user-clicked points.

4. Concept-Based: Graphical Password

We developed a graphical password scheme, called Concept-Based, that is similar to the “story scheme” of Davis et al. [21]. Concept-Based is a recognition-based method where the user recognizes the images for authentication. During registration, the user is shown x category names and asked to pick n of them in order to create their password. Each category has y related images stored in the database. For example, for the category “Basketball” there are pictures of famous basketball players, a basketball, a basketball court etc. Once they have created their password by choosing n categories, they are trained by seeing possible combinations of their password. The user has a dynamic password, which consists of pictures randomly chosen from the database according to the pre-selected categories. In the training session, randomly selected pictures which belong to the pre-selected categories are shown to the user in order to give them an idea about the possible combinations of their passwords. After the training process is completed, they are able to log in to the system with a specific login name and a dynamic password which is composed from the categories selected in the registration phase. Since the user picks n categories, there are n rounds in total in the login session, and in each round the user is required to click on the correct image, among p pictures, which is related to the categories they picked during registration. The user is authenticated if they identify the correct image in each round.

4.1. Concept-Based scheme vs Story scheme

The main difference between our method and the “story scheme” is that our method is based on concept-based recognition and provides dynamic passwords. The story scheme uses random pictures that are not related to any of the concepts mentioned. The user chooses the pictures and makes a story about them, aiming for it to remind them of the pictures they have picked. Afterwards, they are required to identify the pre-selected images in order to authenticate successfully. However, our method is based only on the concepts and does not require the user to memorize any specific images. The user is just required to memorize the concept names (categories). Users can choose specific concepts based on their hobbies, like football, basketball, formula1 etc., or interests such as animals, flowers, space and so on. For instance, if the user selects “basketball” as one of their concepts, then during authentication they are just required to click on a picture which is related to the concept “basketball”, such as famous players, a basketball, a basketball court and so on. The user can also choose the concepts to make a story, like in the “story scheme”. As long as they remember the story they have made, the authentication will be done easily. In the “story scheme”, remembering the story may not be enough to authenticate, because the user is also required to remember the specific images picked to make the story. This could be confusing because there might be some similar pictures in the database which match their story, but only one combination of those pictures can authenticate them successfully. Unlike the “story scheme”, in the Concept-Based scheme, if the user chooses their categories (concepts) by making a story with them, they just have to remember the story later on in order to authenticate. There is no need to remember any specific pictures. During authentication, the user is shown only one correct picture, from the categories they picked before, in each round, and the rest of the pictures shown in the grid are randomly chosen from other categories.

“Story scheme” uses nine pictures for each round and k rounds in total. If it uses more than nine faces and increases the number of rounds, then the user may not easily identify their password among many pictures in many rounds, because the user sees those pictures for the first time in their life and more rounds may make recognition complex. However, in our method many pictures and rounds could be integrated into the system because there is no requirement to remember a specific picture; the user is just supposed to recognize the pictures based on the concepts they chose. That means the pictures which they are supposed to identify are meaningful to the user and can easily be recognized among others. Increasing the number of random pictures and rounds reduces the chance of an attacker guessing the password and so increases security.

There are also some drawbacks of this method. One of the drawbacks is that guessing could be easy because people tend to choose concepts that they are closely related to. For instance, if a user is highly interested in football, they are more likely to choose the category “football” than others, so people who know the user in person might predict the password easily, because people tend to choose concepts that are closely related to their lifestyle. This problem also shows up in the “story scheme” based on the same
4.2. Methodology

4.2.1. Experimental Design

This experiment is designed for authentication with graphical passwords in the concept-based method. A Concept-Based demo is implemented for the graphical password condition. The technologies used are PHP coding, Dreamweaver, phpMySql. There are four rounds and nine images for each round. Sixteen categories are generated for the user to pick their password from. The table of categories is shown in Figure 11.

Figure 11. Concept-Based Performance Demo, Table Of Categories

There are four steps in total in the Concept-Based experiment: creating the password, training, entering the password, and entering the password one more time in order to see the impact of dynamic passwords. First, the user creates their password by picking four of the sixteen categories from the table. Second, they go to the training session and see some examples of possible combinations for their password (Figure 12).

Figure 12. Concept-Based Performance Demo

Then they are asked to enter their password. Since the length of their password is four, they enter their password in four rounds in total. In each round they are supposed to click on the correct picture, among nine random images, which belongs to the categories of their password in order to log in successfully (Figure 13). After the first trial, the user is asked to log in one more time in order to measure the effect of dynamic passwords on the success rate.

The overall test is designed to evaluate the user's recognition performance with a dynamic graphical password.

Figure 13. Concept-Based Performance Demo, Session Rounds

4.2.2. Participants

In order to test our Concept-Based method and the text-based password method, we targeted an experiment group who use computers regularly. We chose the experiment members from different environments (universities, business and so on) to get a general idea about the users. The number of participants was 146.

4.2.3. Procedure

We put our experiment on the Web, so that users connect to the site with a given URL.

After they have connected, they are first asked to create a password. Then they are routed to the training section. After training, they are asked to enter their passwords two times, one after the other
we aimed to check the usability of dynamic

4.2.4. Experiment Results

146 participants attended the experiment. In the first try, 66% of the participants succeeded in total. In the second try, the success rate increased and became 75%. The success and failure rates of the first and second tries are shown in the chart below (Figure 14).

Figure 14. Ratio of success and failure for both tries

The rate of people who succeeded in both of their tries is 60%. Those who failed in the first try and succeeded in the second make up 15%. 6% of the participants succeeded in the first try but failed in the second one. And 19% of them in total failed in both of their tries (Figure 15).

Figure 15. Ratio for participants according to their first and second try’s success.

We collected comments from the participants. Most of them found the system easy and useful. Some participants who failed in their first try and succeeded in the second one said that they were confused about the steps. Some of them mentioned that they were confused about the categories. Some computer science engineers commented that the application could have a wide usage area with some improvements, and it might also be used as a pre-password which allows the user to connect to the page on which they enter their additional constant password, for systems which require a high level of security.

5. Discussion

5.1. Evaluating the password space

The password space of recognition-based techniques heavily depends on the size of the content.

In most of the techniques the order of the images is not taken into consideration. They usually involve many rounds of authentication scenes [30, 31,

Data Definition variable
Number of pictures in each page
Number of scenes/rounds for
Number of categories

Figure 5 variables to define the password space [evaluating]

The password space of recognition-based algorithms is a function of the number of scenes and the number of pictures on each of these

Password Space = f(p * n)

In the Concept-Based scheme, since the pictures are meaningful for the user, they can easily be recognized among others; thus the password space could be made much larger than in most graphical password schemes by increasing the number of pictures on each page and the number of rounds.

Also, increasing the number of categories from which the user picks their password will increase the password space.
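
The registration and login rounds of section 4 and the password-space argument above, worked through as an added example (this is not the authors' PHP demo). The catalog contents, the function names, the one-round-per-chosen-category ordering and the three-attempt figure are assumptions made for the illustration; x = 16, n = 4 and p = 9 are the values of the experiment.

```python
import math
import secrets
from fractions import Fraction
from typing import Dict, Iterable, List

_rng = secrets.SystemRandom()   # CSPRNG, so the grids are not predictable


def build_catalog(x: int = 16, y: int = 20) -> Dict[str, List[str]]:
    """Constructed catalog: x category names, each with y image ids."""
    return {f"cat{c:02d}": [f"cat{c:02d}/img{i:02d}" for i in range(y)]
            for c in range(x)}


def owner_map(catalog: Dict[str, List[str]]) -> Dict[str, str]:
    """Reverse index: image id -> category it belongs to."""
    return {img: cat for cat, imgs in catalog.items() for img in imgs}


def build_challenge(catalog: Dict[str, List[str]], chosen: Iterable[str],
                    p: int = 9) -> List[List[str]]:
    """Build n grids of p pictures for a user who registered `chosen`.

    Each grid holds exactly one picture from a chosen category; the other
    p - 1 are decoys drawn from the categories the user did not choose.
    Assumption: one round per chosen category, in random order.
    """
    chosen = set(chosen)
    if not chosen or not chosen <= set(catalog):
        raise ValueError("chosen categories must exist in the catalog")
    decoys = [img for cat, imgs in catalog.items()
              if cat not in chosen for img in imgs]
    if len(decoys) < p - 1:
        raise ValueError("not enough decoy images for this grid size")
    order = sorted(chosen)
    _rng.shuffle(order)
    rounds = []
    for cat in order:
        grid = _rng.sample(decoys, p - 1) + [_rng.choice(catalog[cat])]
        _rng.shuffle(grid)              # hide the position of the target
        rounds.append(grid)
    return rounds


def verify(catalog: Dict[str, List[str]], chosen: Iterable[str],
           rounds: List[List[str]], clicks: List[str]) -> bool:
    """Accept only if every click is the chosen-category picture of its round."""
    chosen = set(chosen)
    owner = owner_map(catalog)
    if len(clicks) != len(rounds):
        return False
    ok = True
    for grid, click in zip(rounds, clicks):
        # No early exit: the answer does not reveal which round failed.
        ok = (click in grid and owner.get(click) in chosen) and ok
    return ok


def random_guess_probability(p: int, n: int) -> Fraction:
    """Chance that clicking at random passes all n rounds of p pictures."""
    return Fraction(1, p ** n)


def category_choices(x: int, n: int) -> int:
    """Number of distinct passwords, assuming an unordered set of n of x categories."""
    return math.comb(x, n)


def online_success_probability(p: int, n: int, attempts: int) -> float:
    """Chance that at least one of `attempts` random logins succeeds."""
    return 1.0 - (1.0 - 1.0 / p ** n) ** attempts


if __name__ == "__main__":
    catalog = build_catalog()
    chosen = ["cat00", "cat03", "cat07", "cat12"]     # constructed password
    rounds = build_challenge(catalog, chosen)
    owner = owner_map(catalog)
    clicks = [next(i for i in grid if owner[i] in chosen) for grid in rounds]
    print("honest login accepted:", verify(catalog, chosen, rounds, clicks))
    print("random guess:", random_guess_probability(9, 4))
    print("category sets:", category_choices(16, 4))
    print("3 random attempts:", online_success_probability(9, 4, 3))
```

With the experiment's values a random click-through passes with probability 1/6561, while the user's secret is one of only 1820 category sets, which is why the text's point about increasing the number of categories matters alongside p and n.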

5.2. Vulnerability against the attacks

Since graphical passwords are not widely used, there is not enough research on their security issues. However, Suo, Zhu and Owen [6] examined some of the major security problems of both text-based and graphic-based techniques and proposed a performance result for each problem. Against brute force attacks, graphic-based techniques are more resistant than text-based ones, because the password space of graphical passwords is larger than that of text-based ones. Moreover, in order to mount a brute force attack, the hacker needs to generate mouse motion in order to imitate the user input, which is particularly difficult. More specifically, recall-based techniques are more resistant to this kind of attack.

Text-based systems are more vulnerable to dictionary attacks than graphical

Graphical password schemes use

which makes dictionary attacks

based method is relatively secure against spyware. Most spyware applications use keyboard listeners. Even if they use mouse action listeners, it may still not be possible to break a graphical password scheme, because features like window size and image places are application specific; besides all these, timing should be taken into consideration.

One of the most important faults of the textual system was that users tend to write their passwords down or share them in a social environment. Since graphical passwords are recognition or recall based, it is hard to share them in a social environment. In conclusion, based on the evaluation of those major security problems, graphic methods seem to be more secure and stronger than text-based methods [6]. However, more research should be done in this field in order to draw an exact

6. Conclusion

As known, text-based passwords are still dominating security systems. However, this system has its own drawbacks, like retaining the password. Because people cannot remember randomly generated long textual passwords, they tend to choose short and easy textual passwords which are open to attacks.

The main motivation behind graphical passwords is that people can recall or recognize graphical objects more easily. It is observed that with traditional attacks it is hard to break the graphical security systems.

The Concept-Based method, which is based on the user’s concept preference, allows users to correlate themselves with their passwords, so that they can easily remember them later. Also, making a story with the categories they pick during registration would help the users to remember the password later on. In addition, the probability of guessing attacks could be lowered by increasing the number of random pictures shown in each round, the number of rounds and the number of


[1] A. S. Patrick, A. C. Long, and S. Flinn, "HCI and Security Systems," presented at CHI, Extended Abstracts (Workshops). Ft. Lauderdale, Florida, USA, 2003.

[2] M. Kotadia, "Microsoft: Write down your passwords," ZDNet Australia, May 23, 2005.

[3] R. N. Shepard, "Recognition memory for words, sentences, and pictures," Journal of Verbal Learning and Verbal Behavior, vol. 6, pp. 156-163, (1967).

[4] Jain, A.K.; Ross, A.; Prabhakar, S.; “An introduction to biometric recognition”, Circuits and Systems for Video Technology, IEEE Transactions on, Volume 14, Issue 1, Jan. 2004, Page(s): 4-20. Digital Object Identifier

[5] Jain, A.K.; Ross, A.; Pankanti, S.; “Biometrics: a tool for information security”, Information Forensics and Security, IEEE Transactions on, Volume 1, Issue 2, June 2006, Page(s): 125

[6] X. Suo, Y. Zhu, G. Scott. Owen, “Graphical Passwords: A

[7] Biometrics for network security. Author: Paul Reid. Edition: illustrated. Publisher: Prentice Hall PTR, 2004. ISBN 0131015494, 9780131015494.

[8] Microsoft: Using Certificates for Mobile Device Authentication

on July 15, 2009

[9] R. Dhamija and A. Perrig, "Deja Vu: A User Study Using Images for Authentication," in Proceedings of 9th USENIX Security Symposium, 2000.

[10] A. Perrig and D. Song, "Hash Visualization: A New Technique to Improve Real-World Security," in Proceedings of the 1999 International Workshop on Cryptographic Techniques and E-Commerce, 1999.

[11] S. Akula and V. Devisetty, "Image Based Registration and Authentication System," in Proceedings of Midwest Instruction and Computing Symposium, 2004.

[12] Sobrado, L. and Birget, J.-C., “Graphical Passwords,” The Rutgers Scholar, An Electronic Bulletin of Undergraduate Research, Rutgers University, Camden, New Jersey, Vol. 4, (2002).

[13] S. Man, D. Hong, and M. Mathews, "A shouldersurfing resistant graphical password scheme," in Proceedings of International conference on security and management. Las Vegas, NV, 2003.

[14] D. Hong, S. Man, B. Hawes, and M. Mathews, "A password scheme strongly resistant to spyware," in Proceedings of International conference on security and management. Las Vegas, NV, 2004.

[15] Jansen, W., Gavrila, S., Korolev, V., Ayers, R., and Swanstrom, R. Picture Password: A Visual Login Technique for Mobile Devices.

, (2003).

[16] T. Takada and H. Koike, "Awase-E: Image-based Authentication for Mobile Phones using User’s Favorite Images," in Human-Computer Interaction with Mobile Devices and Services, vol. 2795 / 2003: Springer-Verlag GmbH, 2003, pp. 347

[17] Real User Corporation, Passfaces

site accessed on August 01, 2009.

[18] T. Valentine, "An evaluation of the Passface personal authentication system," Technical Report, Goldsmiths College, University of London 1998.

[19] T. Valentine, "Memory for Passfaces after a Long Delay," Technical Report, Goldsmiths College, University of London

[20] S. Brostoff and M. A. Sasse, "Are Passfaces more usable than passwords: a field trial investigation," in People and Computers XIV - Usability or Else: Proceedings of HCI. Sunderland, UK: Springer-Verlag, 2000.

[21] D. Davis, F. Monrose, and M. K. Reiter, "On user choice in graphical password schemes," in Proceedings of the 13th Usenix Security Symposium. San Diego, CA, 2004.

[22] I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter, and A. D. Rubin, "The Design and Analysis of Graphical Passwords," in Proceedings of the 8th USENIX Security Symposium, 1999.

[23] J. Thorpe and P. C. v. Oorschot, "Graphical Dictionaries and the Memorable Space of Graphical Passwords," in Proceedings of the 13th USENIX Security Symposium. San Diego, USA: USENIX, 2004.

[24] D. Nali and J. Thorpe, "Analyzing User Choice in Graphical Passwords," Technical Report, School of Information Technology and Engineering, University of Ottawa, Canada May 27

[25] A. F. Syukri, E. Okamoto, and M. Mambo, "A User Identification System Using Signature Written with Mouse," in Third Australasian Conference on Information Security and Privacy: Springer-Verlag Lecture Notes in Computer Science (1438), 1998, pp. 403

[26] G. E. Blonder, "Graphical passwords," in Lucent Technologies, Inc., Murray Hill, NJ, U. S. Patent, Ed. United States,

[27] Passlogix,

site accessed on August 07,

[28] S. Wiedenbeck, J. Waters, J. C. Birget, A. Brodskiy, and N. Memon, "PassPoints: Design and longitudinal evaluation of a graphical password system," International Journal of Human-Computer Studies

[29] M. Kotadia, "Microsoft: Write down your passwords," in ZDNet Australia, May 23, 2005.

[30] R. N. Shepard, "Recognition memory for words, sentences, and pictures," Journal of Verbal Learning and Verbal Behavior, vol. 6, pp. 156-163, 1967.

G. Scott; “Lecture notes in computer science”, International Symposium on Visual Computing N 2, Lake Tahoe NV, United States (2006) 2006, vol. 4292, pp. 741-749 [Note(s): 916, 906 p.] [Document: 9 p.] (12 ref.) 3 ; 978 2 ; 978 8 ;

Dirik, A. E., Memon, N., & Birget, J.-C. 2007. Modeling user choice in the PassPoints graphical password scheme.