Cryptography Reference
choose passwords based on their own name), and information about gross
properties (words in the English dictionary are likely to be chosen).” What
is crucial is that “without knowledge of the distribution, an attacker would
be not better off than if users were in fact choosing uniformly.” 42
Given this fact, a measure of security of DAS may be derived from the
investigation of the scheme's “weak password subspaces,” classes of images
more likely to be chosen by users because of their memorability. 43 The
distribution of graphical passwords induced by such classes might inform
the “graphical dictionaries” necessary for a brute force attack on the
scheme. Although such distributions may not be determined with an
empirical certainty conducive to precise “formal” proof, Jermyn and
colleagues suggest that they can nevertheless be estimated by modeling users'
choices. These estimates can then be used to construct “plausibility
arguments” for the security of graphical password schemes. For example, they
investigate the size of the memorable password space consisting solely of
rectangles, four connected strokes at right angles, that may be placed
anywhere on the grid. Even with such a limited model, they calculate the space
to be equivalent to some of the dictionaries used against textual passwords.
Drawing from empirical findings in experimental psychology, Thorpe
and van Oorschot conjecture that two principles may drive user choices
of graphical passwords: on the one hand, because “people are more likely
to recall symmetric images and patterns, and people perceive mirror
symmetry as having a special status, a significant subset of users are likely to
choose mirror symmetric patterns”; on the other hand, people are more
likely to recall drawings with a low number of components, that is, visually
distinct parts of an image. 44 Based on these conjectures, they build two
distinct graphical dictionaries and provide an extensive analysis of the
attacks they might yield on graphical password schemes. 45
Perception
The perceptual system has always played a central role in the evaluation
of paper-and-ink security artifacts. From the visual examination of
handwritten signatures to the feel of a banknote's paper and the semiotics of
official documents, the security properties of such artifacts are evaluated,
with various degrees of formal expertise, through their tactile, visual,
auditory, and olfactory characteristics, as registered and compared through the