Abstract
We present an information-theoretic discussion of authentication via graphical passwords and devise a model for entropy estimation. Our results make face-recognition-based authentication comparable to standard password authentication in terms of the uncertainty (Shannon entropy) that an adversary is confronted with in either situation. It is widely known that cognitive abilities strongly determine the choice of alphanumeric passwords as well as graphical passwords, and we discuss selected psychological aspects that influence the selection process. As a central result, we obtain a theoretical limit on the entropy of face-recognition-based authentication in light of certain social engineering techniques (dictionary attacks on graphical passwords). Remarkably, our results hold independently of any information that can be obtained from the internet or through other forms of social engineering. Thus, we obtain very general bounds on the quality of authentication through face recognition that depend solely on the authentication mechanism.
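The abstract compares graphical and alphanumeric passwords by the Shannon entropy an adversary faces. The following is an added illustration, not code from the paper: it computes the entropy of one recognition round under a uniform choice versus a constructed, skewed choice distribution (standing in for the cognitive bias the abstract refers to), adds rounds under an independence assumption, and converts the result into an equivalent alphanumeric password length. The face grid size, number of rounds, and the skewed probabilities are constructed assumptions, not the paper's parameters or its model.

```python
import math
from typing import Sequence


def shannon_entropy_bits(probs: Sequence[float]) -> float:
    """Shannon entropy H(X) = -sum(p * log2 p), in bits, of a full distribution."""
    total = sum(probs)
    if not math.isclose(total, 1.0, abs_tol=1e-9):
        raise ValueError(f"probabilities sum to {total}, not 1")
    if any(p < 0 for p in probs):
        raise ValueError("negative probability")
    # Terms with p == 0 contribute 0 by convention (lim p log p = 0).
    return -sum(p * math.log2(p) for p in probs if p > 0)


def uniform_entropy_bits(n_choices: int) -> float:
    """Maximum entropy of one round: every one of n faces equally likely."""
    return math.log2(n_choices)


def rounds_entropy_bits(per_round_probs: Sequence[float], rounds: int) -> float:
    """Entropy of a multi-round graphical password.

    Assumption (ours, for illustration): the choice in each round is
    independent of the others, so per-round entropies simply add.
    """
    return rounds * shannon_entropy_bits(per_round_probs)


def alphanumeric_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def equivalent_password_length(bits: float, alphabet_size: int) -> float:
    """How many uniformly random characters carry the same entropy."""
    return bits / math.log2(alphabet_size)


# Constructed scenario (not from the paper): a 3x3 grid of 9 faces per round.
UNIFORM_9 = [1 / 9] * 9
# Constructed skew: one face is picked 40% of the time, two others 15% each,
# the remaining six share the rest equally. Models a strong selection bias.
SKEWED_9 = [0.40, 0.15, 0.15] + [0.30 / 6] * 6
ROUNDS = 5
ALPHANUMERIC = 62  # [A-Za-z0-9]


def compare(rounds: int = ROUNDS) -> dict:
    """Return the entropy budget under both choice models for `rounds` rounds."""
    uniform_bits = rounds * uniform_entropy_bits(9)
    skewed_bits = rounds_entropy_bits(SKEWED_9, rounds)
    return {
        "uniform_bits": uniform_bits,
        "skewed_bits": skewed_bits,
        "uniform_equiv_chars": equivalent_password_length(uniform_bits, ALPHANUMERIC),
        "skewed_equiv_chars": equivalent_password_length(skewed_bits, ALPHANUMERIC),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value:.2f}")
```

The skewed distribution loses about half a bit per round relative to the uniform one; over five rounds that is the gap a dictionary of "popular" faces exploits, and it is what a defender should measure (from real selection statistics, not the constructed ones here) before claiming parity with an alphanumeric password of a given length.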
© 2010 Springer-Verlag Berlin Heidelberg
Rass, S., Schuller, D., Kollmitzer, C. (2010). Entropy of Graphical Passwords: Towards an Information-Theoretic Analysis of Face-Recognition Based Authentication. In: De Decker, B., Schaumüller-Bichl, I. (eds) Communications and Multimedia Security. CMS 2010. Lecture Notes in Computer Science, vol 6109. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-13241-4_16
DOI: https://doi.org/10.1007/978-3-642-13241-4_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-13240-7
Online ISBN: 978-3-642-13241-4
eBook Packages: Computer Science (R0)