Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords
Although motivated by both usability and security concerns, the existing literature on click-based graphical password schemes using a single background image (e.g., PassPoints) has focused largely on usability. The authors examine the security of such schemes, including the impact of different background images, and strategies for guessing user passwords. They report on both short and long-term user studies: one lab-controlled, involving 43 users and 17 diverse images, and the other a field test of 223 user accounts. They provide empirical evidence that popular points (hot-spots) do exist for many images, and explore two different types of attack to exploit this hotspotting: a "human-seeded" attack based on harvesting click-points from a small set of users, and an entirely automated attack based on image processing techniques.
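To make the notion of a hot-spot concrete from the defender's side, the following added example (not code from the paper or its authors) clusters click-points collected from several users on one image and reports how concentrated they are; the click coordinates, the tolerance radius and the greedy clustering are all assumptions constructed for illustration, not the paper's method or data.

```python
from math import hypot

# Constructed sample: (x, y) click-points from several users on one image.
# Two deliberately dense regions stand in for hot-spots; the rest are scattered.
SAMPLE_CLICKS = [
    (100, 120), (102, 118), (98, 121), (101, 125),   # dense region A
    (300, 400), (304, 398), (299, 403),              # dense region B
    (50, 50), (500, 20), (250, 300), (400, 100),     # scattered clicks
]
TOLERANCE = 19  # assumed acceptance radius in pixels around a click-point


def _within(a, b, tol):
    """True if points a and b are at most tol pixels apart."""
    return hypot(a[0] - b[0], a[1] - b[1]) <= tol


def greedy_hotspots(points, tol):
    """Greedy clustering: repeatedly pick the point with the most neighbours
    within tol, absorb those neighbours as one cluster, and continue with the
    rest. Returns [(centre, size), ...] in non-increasing order of size."""
    remaining = list(points)
    clusters = []
    while remaining:
        centre = max(remaining,
                     key=lambda c: sum(1 for p in remaining if _within(c, p, tol)))
        members = [p for p in remaining if _within(centre, p, tol)]
        clusters.append((centre, len(members)))
        remaining = [p for p in remaining if p not in members]
    return clusters


def hotspot_coverage(points, tol, top_k):
    """Fraction of all clicks that fall inside the top_k largest clusters.
    A high value for small top_k means the image is hot-spot prone."""
    clusters = greedy_hotspots(points, tol)
    return sum(size for _, size in clusters[:top_k]) / len(points)


def clusters_to_cover(points, tol, fraction):
    """Smallest number of clusters whose members account for at least
    `fraction` of all clicks: a rough measure of how few popular regions an
    image-suitability check would have to flag."""
    covered, total = 0, len(points)
    for k, (_, size) in enumerate(greedy_hotspots(points, tol), start=1):
        covered += size
        if covered / total >= fraction:
            return k
    return len(points)
```

With the constructed data, two clusters already hold 7 of the 11 clicks, which is the kind of concentration a defender would want to detect before selecting a background image.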