Are Graphical Authentication Mechanisms As Strong As Passwords?

Karen Renaud*, Peter Mayer†, Melanie Volkamer† and Joseph Maguire*
* School of Computing Science, University of Glasgow
† Center for Advanced Security Research Darmstadt, Technische Universität Darmstadt
E-mail: karen.renaud@glasgow.ac.uk, {peter.mayer, melanie.volkamer}@cased.de

Abstract—The fact that users struggle to keep up with all their (textual) passwords is no secret. Thus, one could argue that the textual password needs to be replaced. One alternative is graphical authentication. A wide range of graphical mechanisms have been proposed in the research literature. Yet, the industry has not embraced these alternatives. Nowadays we use (textual) passwords several times a day to mediate access to protected resources and to ensure that accountability is facilitated. Consequently, the main aspect of interest to decision-makers is the strength of an authentication mechanism to resist intrusion attempts. Yet, researchers proposing alternative mechanisms have primarily focused on the users' need for superior usability, while the strength of the mechanisms often remains unknown to the decision-makers. In this paper we describe a range of graphical authentication mechanisms and consider how much strength they exhibit, in comparison to the textual password. As basic criteria for this comparison, we use the standard guessability, observability and recordability metrics proposed by De Angeli et al. in 2005. The intention of this paper is to provide a better understanding of the potential for graphical mechanisms to be equal to, or superior to, the password in terms of meeting its most basic requirement, namely resisting intrusion attempts.

I. INTRODUCTION

ONE OF the most basic, everyday tasks of computer usage is authentication. Every user will, sooner or later, have to authenticate themselves.
Their ability to do this effectively will impact on their ability to do their daily jobs and on their personal lives. The failure of the mechanism to resist intrusions will potentially have an impact on the user personally (e.g., in terms of ID theft or financial losses) or, in professional environments, on the organisation he or she works for.

Nowadays, the most widely used authentication mechanism is the textual password. However, it is well known that most users are frustrated by their experiences with these traditional passwords in general [1]. Even if they want to behave securely, they often do not understand what constitutes a "secure" password, since guidelines for the creation of secure passwords are seldom adequate [2]. Even with good guidelines in place, human nature will lead users to prefer the path of least resistance, e.g., choosing weak passwords, writing them down, storing them in plain text on their mobile phones or reusing them [3], [4]. This is understandable considering the findings of Ives, Walsh and Schneider [5]: users are expected to recall an average of 15 different passwords on a daily basis. Due to human cognitive limitations, four or five is normally the maximum a typical user can handle [3].

Password managers can help users to manage an unlimited number of passwords. However, they constitute a single point of failure, and systems cannot be easily accessed from a device that does not have the manager installed. Thus, password managers are no substitute for a secure and usable authentication solution [6]. The same holds for single sign-on solutions.

To address the human inability to deal with large numbers of passwords, a new type of authentication system was conceived. The graphical password, first proposed by Blonder [7], required the person to verify their identity by clicking on positions within a picture. This is called a locimetric system.
Other common types are searchmetric (pick a picture from a grid of images) and drawmetric (draw your secret) [8].

The most important motivator behind the use of a graphical authentication mechanism is that its memorability is superior to that of textual passwords. In the first place, there is what is called a "picture superiority effect", as described by Paivio [9]. Paivio explained that pictures are encoded using a dual mechanism. So a password, being textual, has only one route whereby the human can reach it. If that route decays and is forgotten, the password cannot be accessed. If the memory item is visual, there will potentially be multiple routes to access it, and the decay of one access route does not render the item unreachable.

Numerous studies regarding the usability of graphical authentication schemes have been conducted. Yet, many of these sweep security concerns aside or deal with them in a desultory fashion [10]. However, very few graphical mechanisms are used in practice. Notable exceptions are the Windows 8 picture password and the Android lock-screen pattern. A number of reasons could be advanced. In this paper we will consider the elephant in the room: do these mechanisms meet the basic requirement, namely resisting intrusion attempts, at an equal or higher level than textual passwords do?

In order to answer this question, we need to be clear about exactly which variation of the amorphous password we consider, since this impacts the resulting security level. Hence, we consider textual passwords with a length of at least 8 characters which are used in a system with a three-times-lockout technique. We will use the different categories of attacks proposed by De Angeli, Coventry, Johnson and Renaud [11] in 2005 as a starting point. In each case the mechanism will be compared to textual passwords.

The remainder of this paper is structured as follows.
First, we present the three types of attacks we

Proceedings of the 2013 Federated Conference on Computer Science and Information Systems, pp. 837–844. 978-1-4673-4471-5/$25.00 © 2013, IEEE
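As an added worked example (not code from the paper), the following Python script makes the guessability comparison concrete for the baseline the authors fix above: an 8-character textual password behind a three-attempt lockout, set against the Android lock-screen pattern named as a deployed graphical scheme. It assumes a 95-symbol printable-ASCII alphabet and uniformly chosen secrets; both are assumptions, and the uniform case is the defender's best case, not what real users choose.

```python
# Added example (not from the paper): compare the guessability of the paper's
# baseline, an 8-character textual password behind a three-attempt lockout,
# with the Android lock-screen pattern it names as a deployed graphical scheme.
import math

def _skip_node(a, b):
    """Node a straight stroke from a to b passes over (3x3 grid, nodes 0..8), or None."""
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    dr, dc = rb - ra, cb - ca
    if dr % 2 == 0 and dc % 2 == 0:  # offsets in {-2, 0, 2}: the midpoint is a node
        return (ra + dr // 2) * 3 + (ca + dc // 2)
    return None

def count_patterns(min_len=4, max_len=9):
    """Count valid unlock patterns: no node reused, skipping a node only if it is
    already in the pattern (Android's drawing rule)."""
    total = 0
    def dfs(path, visited):
        nonlocal total
        if len(path) >= min_len:
            total += 1
        if len(path) == max_len:
            return
        for nxt in range(9):
            mid = _skip_node(path[-1], nxt)
            if nxt in visited or (mid is not None and mid not in visited):
                continue
            path.append(nxt); visited.add(nxt)
            dfs(path, visited)
            path.pop(); visited.remove(nxt)
    for start in range(9):
        dfs([start], {start})
    return total

def password_space(length=8, alphabet=95):
    """Theoretical space of a textual password; 95 printable ASCII symbols is assumed."""
    return alphabet ** length

def online_guess_probability(space, attempts=3):
    """Odds an online guesser wins with `attempts` tries before lockout, assuming
    the secret is uniform over `space` (the best case for the defender)."""
    return attempts / space

def compare(attempts=3):
    """Entropy in bits and lockout-limited guess odds for both schemes."""
    spaces = {"password": password_space(), "android_pattern": count_patterns()}
    return {k: (math.log2(v), online_guess_probability(v, attempts)) for k, v in spaces.items()}
```

The pattern count (389,112 for lengths 4 to 9) is the theoretical maximum; observability and recordability, the other two De Angeli et al. metrics, are not captured by this space calculation.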