Check out the new USENIX Web site.

USENIX Home . About USENIX . Events . membership . Publications . Students
13th USENIX Security Symposium — Abstract

Pp. 151–164 of the Proceedings

On User Choice in Graphical Password Schemes

Darren Davis and Fabian Monrose, Johns Hopkins University; Michael K. Reiter, Carneige Mellon University


Graphical password schemes have been proposed as an alternative to text passwords in applications that support graphics and mouse or stylus entry. In this paper we detail what is, to our knowledge, the largest published empirical evaluation of the effects of user choice on the security of graphical password schemes. We show that permitting user selection of passwords in two graphical password schemes, one based directly on an existing commercial product, can yield passwords with entropy far below the theoretical optimum and, in some cases, that are highly correlated with the race or gender of the user. For one scheme, this effect is so dramatic so as to render the scheme insecure. A conclusion of our work is that graphical password schemes of the type we study may generally require a different posture toward password selection than text passwords, where selection by the user remains the norm today.
  • View the full text of this paper in HTML and PDF.
    Click here if you have forgotten your password Until August 2005, you will need your USENIX membership identification in order to access the full papers. The Proceedings are published as a collective work, © 2004 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.

  • If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.
To become a USENIX Member, please see our Membership Information.

?Need help? Use our Contacts page.

Last changed: 27 July 2004 aw
Technical Program
Security '04 Home