Exploring the Guessability of Image Passwords using Verbal

School of Computing Science
A Comprehensive Study of the Usability of multiple
Graphical Passwords
Soum Chowdhury (Presenter)
Ron Poet
Lewis Mackenzie
PhD Researcher
An organism that converts caffeine and sandwiches/pizza
into PhD thesis
Motivation
text passwords
1. Writing down the passwords;
2. Reusing the same passwords;
3. Sharing them with others
A potential solution: Images as password
‘M’ number of images = 1 password
Research Problem
Limitation of existing work:
• Focused on the usability of a single password
• Users need to remember and use multiple passwords
Objectives
‘Which image type(s) performs best in terms of usability when multiple passwords are used?’
Compare the usability of 4 image types (Mikon, doodle, art and everyday object) when used as passwords
Registration
1: Username selection
2: Password image selection (select 4 images)
3: Password confirmation
4: Registration completion
4 images = 1 password
Authentication
Four-step login = 1 * 4 images (T)
Each step:
1 target + 15 decoys = 1 challenge set
Select 1 image (target) and move to the next step
Result:
Displayed at the end of the 4th (final) step
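The four-step challenge described above, as an added Python sketch (not code from the study's system), showing why a single result after the final step matters for guessing resistance. The function names, image identifiers and the random choice of decoys are assumptions; the slides do not say how decoys were chosen.

```python
import secrets
from fractions import Fraction

STEPS = 4       # four-step login, one target image per step (from the slide)
SET_SIZE = 16   # 1 target + 15 decoys = 1 challenge set (from the slide)
_rng = secrets.SystemRandom()

def build_challenges(password, decoy_pool):
    """Return one shuffled 16-image challenge set per password image."""
    if len(password) != STEPS or len(set(password)) != STEPS:
        raise ValueError("a password is exactly 4 distinct images")
    # Assumption: a user's own targets never appear as decoys.
    pool = [img for img in decoy_pool if img not in password]
    challenges = []
    for target in password:
        images = _rng.sample(pool, SET_SIZE - 1) + [target]
        _rng.shuffle(images)  # target position must not be predictable
        challenges.append(images)
    return challenges

def verify(password, selections):
    """One pass/fail for the whole attempt; no per-step result is revealed."""
    if len(selections) != STEPS:
        return False
    ok = True
    for target, chosen in zip(password, selections):
        ok &= secrets.compare_digest(target, chosen)  # no early exit
    return ok

def blind_guess_probability():
    """Chance that uniformly random clicks pass all four steps."""
    return Fraction(1, SET_SIZE) ** STEPS

def worst_case_guesses(per_step_feedback):
    """Attempts needed to exhaust the space, with and without step feedback."""
    return SET_SIZE * STEPS if per_step_feedback else SET_SIZE ** STEPS

# Constructed sample data: image identifiers are placeholders.
POOL = [f"img-{i:03d}" for i in range(200)]
PASSWORD = ["img-007", "img-042", "img-113", "img-150"]

if __name__ == "__main__":
    sets = build_challenges(PASSWORD, POOL)
    print([len(s) for s in sets], verify(PASSWORD, PASSWORD))
    print(blind_guess_probability(), worst_case_guesses(True), worst_case_guesses(False))
```

Revealing the outcome only after the fourth step keeps the guessing space at 16^4 = 65536 combinations; confirming each step separately would reduce it to at most 64 attempts.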
IMAGE TYPES USED AS PASSWORD
(1) Mikon: These are icon-like images which have been drawn by users using a tool called the Mikon engine, developed by Mikons.com
(2) Doodle: These images are drawn by users using pen on paper
Image types used in our research
(3) Art: These images were collected from a range of free websites and comprised paintings from different styles such as cubism, abstract and modernism
(4) Object: These images comprised pictures of food and drinks, sculpture and buildings, as well as sports and leisure activities, again collected from a range of free websites
Why use these image types?
Most of the existing usability studies have been done with them
Since this is the first study of its kind, we did not concentrate on examining more image types
Experimental design / User Study
INDEPENDENT MEASURES
Conditions   Mikon      Doodle     Art        Object
# users      25 users   25 users   25 users   25 users
TASK OF EACH USER IN A CONDITION
1. Create 4 passwords (a survey with sample users)
2. Login with 4 passwords every week
3. Frequency of login was varied
Frequency of login in each week
[Figure: bar chart of the number of login sessions with 1 password in a week (y-axis) for each week: 1, 2, 3-4, 5, 6, 7, 8 (x-axis)]
Week 1 is the training week; participants would get used to the system
User Demographics
100 participants of age 19-24 for a period of eight weeks
Grounded theory framework for pre-study survey
Result 1: Memorability
Mean successful login percentage: the mean successful login percentage in each condition, from week 2 to 8
[Figure: bar chart of mean login success percentage from week 2 to 8 by condition (Mikon, Doodle, Art, Object); bar value labels as extracted: 77.4, 74.22, 67.4, 54.9]
Shapiro-Wilk test: Normal distribution
ANOVA: Significant difference in all conditions
Tukey post hoc test: Significant difference in each pair of conditions except Mikon and Object
Object passwords are the most memorable whereas art passwords are the least
Weekly Login Success Percentage
[Figure: bar chart of average weekly login success percentage by image type (mikon, doodle, art, object), one series per week: w2, w3-4, w5, w6, w7, w8]
The memorability decreases with time and less frequent usage
Result 2: Registration time
[Figure: mean registration time in seconds for passwords p1 to p4, one series per image type (mikon, doodle, art, object)]
Registration time decreases from p1 (the first registered password) to p4 (the last registered password)
Registration time decreases as users get used to the system
Result 3: Login time
[Figure: bar chart of mean login time in seconds by condition (Mikon, Doodle, Art, Object); bar value labels as extracted: 24.56, 22.16, 19.52, 18.28]
The differences between the average login time of Mikon and doodle, as well as Mikon and object passwords, are not significant
Post Study: Strategy to create and remember password
[Figure: bar chart of participant % by password creation strategy (story/patterns, personal likings, visual appeal, caption/verbal tag, random), one series per image type (mikon, doodle, art, object)]
Mikon and doodle: story/pattern or personal likings
Art: personal likings or visual appeal
Object: personal likings or story
CONCLUSION-1
First study that compares the usability of multiple image passwords using 4 different image types: Mikon, doodle, art and objects
Results demonstrated that
• object passwords are most usable in the sense of being more memorable and less time-consuming to employ;
• Mikon images are close behind (without any significant difference);
• but doodle and art images are significantly inferior
CONCLUSION-2
Do users find it difficult to remember multiple image passwords?
• Users do have problems remembering many image passwords.
• Hence they will face the same password memorability/management problems as that of text passwords, when the number of image passwords increases.
REMARKS- 1

• If a system is not usable, then the users will engage in insecure practices, which may compromise security.
• Solving the memorability problem of passwords could prevent insecure coping mechanisms.
ONGOING WORK
• A solution to address the memorability problem
• Provide adequate security
‘Hint based authentication’
REMARKS-2
In the absence of any related study of this kind, it is impossible to produce a
flawless experimental design.
There is no standard procedure to design experiments for studying multiple
image passwords.
(Major limitation of our field)
The use of different experimental frameworks, dependent variables and image types makes it difficult to systematically compare our results with existing studies.
REMARKS-3
We believe that the experimental design in our user studies is:
• valid, as it answers the research question through the data we collected;
• reliable, as it can be reproduced by the research community;
• most importantly, such a study for the stated research problem has not been conducted in the past.
Learn – Unlearn – Relearn