ABSTRACT
We propose an effective pattern lock strength meter to help users choose stronger pattern locks on Android devices. To evaluate the effectiveness of the proposed meter on a real-world dataset (i.e., with complete ecological validity), we created an Android application called EnCloud that allows users to encrypt their Dropbox files. 101 pattern locks generated by real EnCloud users were collected and analyzed; a portion of these users were given the meter support. Our statistical analysis indicates that about 10% of the pattern locks generated without the meter support could be compromised with just 16 guessing attempts. For the pattern locks generated with the meter support, that number rises to 48 guessing attempts, a significant improvement in security. We recommend implementing a strength meter in the next version of Android.
Index Terms
- On the Effectiveness of Pattern Lock Strength Meters: Measuring the Strength of Real World Pattern Locks