=Paper= {{Paper |id=Vol-1353/paper_11 |storemode=property |title=A Comparative Study of Graphical and Alphanumeric Passwords for Mobile Device Authentication |pdfUrl=https://ceur-ws.org/Vol-1353/paper_11.pdf |volume=Vol-1353 |dblpUrl=https://dblp.org/rec/conf/maics/AnwarI15 }} ==A Comparative Study of Graphical and Alphanumeric Passwords for Mobile Device Authentication== https://ceur-ws.org/Vol-1353/paper_11.pdf
    A Comparative Study of Graphical and Alphanumeric Passwords for
                     Mobile Device Authentication
                                                 Mohd Anwar and Ashiq Imran
                                                    Department of Computer Science
                                                  North Carolina A&T State University
                                                manwar@ncat.edu, aimran@aggies.ncat.edu




Abstract

Mobile devices such as smartphones and tablets are widely used to perform security-critical and privacy-sensitive activities, such as mobile banking, mobile health care, and mobile shopping. Screen locks are used on mobile devices to protect sensitive information. Graphical passwords and alphanumeric passwords are two common types of screen-locking scheme. The alphanumeric password scheme has known security and usability drawbacks: a user may pick an easy-to-remember alphanumeric password that is also easy to guess, and a password that is hard to guess is often also hard to remember. Several alternative password mechanisms have been introduced. Graphical passwords are one of them; they are based on pictures or patterns. However, graphical passwords are also vulnerable to certain types of attack. In this paper, we study an alphanumeric password method (the PIN) and a graphical password method (the pattern) in order to unravel the security and usability issues related to mobile device authentication. The study uses observation and survey data to compare these two authentication methods on the following criteria: creation time, memorability, login time, and login success rate. In addition, we measure how the screen size of a mobile device affects the usability and security of screen locks by measuring differences in creation time, memorability, login time, and login success rate between an Android smartphone and an Android tablet.

1. Introduction

Humans are often considered the weakest link for security in information and communication technology. Patrick, Long, and Flinn (2003) identify three security areas in which human-factor issues are very important: authentication (passwords), security operations (intrusion detection), and developing secure systems. If a user misplaces a mobile device on which a screen lock is not activated, whoever finds it may gain access to sensitive information. Therefore, an authentication mechanism is necessary to protect sensitive information on mobile devices. To build an efficient and feasible mobile authentication scheme, a balance has to be struck between usability and security.

Generally, user authentication is based on three factors: what the user knows, what the user has, and what the user is. The authentication methods in our study are based on what the user knows (the knowledge factor). Many knowledge-based authentication methods have been proposed over the years. Alphanumeric passwords are the most common, but they have drawbacks. Previous studies have shown that users tend to choose short alphanumeric passwords that are easy to remember (Adams and Sasse 1999), and such passwords are easily guessed. On the other hand, if an alphanumeric password is hard to guess, then it is often hard to remember (Suo, Zhu, and Owen 2005). Since users can remember only a limited number of alphanumeric passwords, they often write their passwords down or reuse the same password for multiple accounts (Kotadia 2005). Graphical passwords have been introduced as an alternative to alphanumeric passwords. The motivation behind graphical passwords is that users can remember pictures better than text, an assumption supported by human psychology (Shepard 1967). Because of this memorability advantage, there is significant interest in graphical passwords (Everitt et al. 2009).

At present, the digit lock, or PIN, is considered the most popular of the mobile device authentication methods; approximately 88% of mobile users set a PIN on their devices (Jakobsson et al. 2009). This method typically requires the user to select a four-digit personal identification number (PIN) that they memorize and enter on a virtual keypad to unlock the phone. A four-digit screen-lock PIN provides 10,000 different combinations. This method belongs to the alphanumeric password scheme. More recently, a graphical password scheme named pattern lock has gained popularity among Android OS users (Aviv et al. 2010). The Android pattern lock requires traversing an on-screen 3 × 3 grid of contact points, and it provides 389,112 distinct patterns over the 9-point grid.

This paper explores user behavior regarding these two password schemes and discusses security threats to mobile devices. We conducted a survey study to learn about user preferences and feedback on both password schemes. We present a comparative study of the graphical (pattern) and alphanumeric (PIN) password schemes in terms of usability and security. Lastly, we analyze the data to determine the performance of pattern and PIN with respect to screen size.

This paper provides an overview of various kinds of graphical password authentication systems and then compares graphical and alphanumeric passwords. We study the Android pattern lock as the graphical password scheme and the PIN as the alphanumeric password scheme in our experiment. The remainder of this paper is structured as follows: Section 2 presents related work. We describe our experiment in Section 3. In Section 4, we present results, which we discuss in Section 5. Section 6 describes limitations and future work, and Section 7 concludes the paper.

2. Related Works

Mobile devices contain various types of sensitive personal information, such as text messages, emails, notes, apps, app data, music, and pictures. Though it is a great convenience to have all of this information on our mobile devices, it also creates a security risk if all of the information is easily accessible. One way to prevent such attacks is to set some sort of screen lock, which provides authentication on the device.

Several types of authentication method have been proposed over the years. The alphanumeric password scheme is one of the most common methods for mobile authentication. However, it has security and usability drawbacks: a difficult password is hard to remember, and a short password is easy to guess. Some researchers have developed graphical passwords as an alternative or an extension to text passwords, to address guessing attacks and to make passwords easier to remember. But graphical passwords may also be vulnerable to certain attacks (Lashkari et al. 2009). A comprehensive study is needed to find out which mobile authentication method serves its purpose better in terms of usability and security.

Graphical password schemes can be categorized into three groups: recognition based, recall based, and cued-recall based (Chiang and Chiasson 2013). In a recognition-based scheme, a set of images is shown and the user must identify the images that the user had already chosen in order to authenticate (e.g., Use Your Illusion (UYI)). In the UYI scheme, the login screen displays 9 images randomly positioned in a 3 × 3 grid (Schaub et al. 2013), and the user must recognize and select the right image among decoy images. Both of these papers use creation time, login time, and login success rate as the measurement criteria for usability. Chiang and Chiasson (2013) also describe password length and password strength as security criteria.

Recall schemes require recreating a drawing without a hint (e.g., the Android pattern lock). Chiasson et al. (2009) evaluate a recall-based graphical password called PassPoints, in which users must select the same click-points in the same order to log in. Comparing PassPoints with alphanumeric passwords, they find that participants using PassPoints have a success rate of approximately 99%, whereas participants using alphanumeric passwords have a success rate of approximately 88%.

Tao and Adams (2008) introduce a recall-based password scheme called Pass-Go. A user can either draw dots on intersection points or connect intersection points with strokes. Points and lines have to be drawn in the correct order for successful authentication. Pass-Go is a grid-based scheme that improves on Draw A Secret (DAS) (Jermyn et al. 1999).

Chiasson et al. (2008) introduce a cued-recall-based password in which a sequence of points must be selected on a cue such as an image. Another technique, persuasive cued click-points (PCCP), is proposed by Chiasson et al. (2012). They report that graphical passwords are effective in terms of memorability and offer benefits over alphanumeric passwords because images can serve as cues for different passwords. They also point out that graphical passwords are easy to learn but typically require a longer login time.

Extensive research has been done in the quest to replace passwords for web authentication (Bonneau et al. 2012). That paper offers a benchmark for the comparative evaluation of authentication schemes. It lists 11 types of alternative authentication method, such as biometric recognition and graphical passwords (PCCP), that could replace alphanumeric passwords. It categorizes the usability benefits of an ideal authentication scheme into 8 properties, including memorywise-effortless, scalable-for-users, easy-to-learn, efficient-to-use, and infrequent-errors. Furthermore, an ideal scheme should offer security benefits such as resilience to physical observation, resilience to guessing, and resilience to theft; these are the measures used to compare each scheme with the alphanumeric password.

Biddle, Chiasson, and van Oorschot (2012) describe each category and compare 9 different graphical password methods. They compare required login time and login success rate in terms of usability. They also classify two types of security attack, guessing attacks and capture attacks, and list shoulder surfing as a category of capture attack.

A comparative study is needed to determine the advantages and disadvantages of graphical and alphanumeric password schemes on mobile devices. In our study, we compare the Android pattern lock (graphical) and the PIN (alphanumeric) to identify usability issues in terms of creation time, memorability, login duration, and login success rate. We explore whether the screen size of the mobile device has any impact on each usability criterion. In addition, we try to determine which of usability and security matters most to users. We also studied user perception of three methods of attack on pattern and PIN screen locks.

3. Experiments

Our experiment focuses on determining the usability and security issues of pattern and PIN screen locks. In our study, usability is measured by password creation time, memorability, login time, and login success rate. We also determine whether the size of the mobile device has an impact on these measurements. For security, we collect user perception data on three methods of attack: guessing attacks, smudge attacks, and shoulder surfing attacks. We used an Android OS smartphone (HTC model ADR6330VW) and tablet (Samsung Galaxy Tab 2 10.1, GT-P5113), both of which provide PIN and pattern screen locks.

3.1 Recruitment

The study protocol, consent form, and recruitment flyer were approved by the Institutional Review Board (IRB) of the University. Our study involved human subjects performing different screen-lock tasks and participating in a survey. The recruitment flyer was disseminated through email and posted on social media sites. The flyer has two parts: the first states the details of the project and tasks, and the second describes the eligibility of participants. An inclusion criterion was that a participant should have experience using smartphones or tablets. The consent form is a formal description of the survey; it states the type of task and the duration of the survey. A participant must be at least 17 years old to participate. We designed the online survey using the Qualtrics toolkit, and we launched and distributed the link to the survey site on social media websites such as Facebook. An online survey gives us the opportunity to gather participants in a short time. We recruited 33 participants in the online survey, 25 male and 8 female. The majority of participants (61%) belong to the 22-26 age group, and most of them are graduate students.

3.2 Task

The purpose of the user tasks is to find the creation time and login time of the pattern lock and the PIN on an Android smartphone and tablet. In addition, we want to know whether device size has any effect on these two criteria. The subjects performed these tasks on the campus of North Carolina A&T State University. The recruited subjects were volunteers from our university. We provided each subject with a smartphone and a tablet. We measured creation and login time using a stopwatch. To measure the creation time of the pattern password, we asked subjects to create a pattern lock on the smartphone and on the tablet, and we recorded whether the subject created the same pattern on both devices. We then asked them to log in by entering the pattern in the same order in which they had created it. In the same manner, we measured the creation time and login time of the PIN on both devices, and recorded whether they created the same PIN on both devices. We ran these experiments with 33 participants. In addition, we calculated the average length of both screen locks and noted whether users created the same screen lock for the smartphone and the tablet.

3.3 Survey

We deployed an online survey using the Qualtrics toolkit. After designing and adding the survey questions, we launched the survey and distributed the link on social media websites such as Facebook. The online survey gave us the opportunity to gather more participants in a short time, and it also provides more flexibility in collecting and analyzing data. The survey has 29 questions. The survey was anonymous, and participants' information is kept confidential. The survey had some demographic questions (for example, "In which age group do you belong?") and some questions on users' security behavior (for example, "How often do you change your password on a mobile device?"). The survey includes multiple 5-point Likert scale items, for example "Small screen devices (smartphones) are more suitable for screen lock than big screen devices (tablets)." Some ranking questions were in the survey, for example "Rank the different methods of attack (guessing attacks, smudge attacks, shoulder surfing attacks, etc.) for mobile devices." The survey also asks whether the subject would prefer a difficult screen lock to an easy one.

4. Results

We analyzed the data collected from the user tasks and the survey responses to identify usability issues and user preferences when using graphical passwords on mobile devices. We determined how screen size affects login performance by comparing differences between the Android smartphone and
tablet on creation time, login time, and login success rate for each scheme. For creation time and login time, we used t-tests to determine whether there are significant differences between the devices. All t-tests are performed at the 95% confidence level (i.e., α = 0.05).

Creation Time

The password creation time is measured as the time from the first touch on the device to the touch of the submit button. An unpaired t-test showed a significant difference between pattern and PIN creation time on the tablet (p = 0.04). We also compared pattern creation time and PIN creation time between tablet and phone. The result is significant only for pattern creation time (p = 0.0007); the unpaired t-test of PIN creation time between tablet and phone is not significant. Figure 1 shows the box-and-whisker plot of the creation time of both PIN and pattern on both devices. Pattern creation on the tablet takes the longest time of all the cases compared.

Login Time

The login time is measured as the time taken for a successful login to the mobile device. We ran the task to compare both pattern and PIN on mobile devices of different size, and we ran unpaired t-tests for four cases: login time of pattern and PIN, separately and together, on tablet and phone. When measuring login time, we treated a user reset as a failed attempt. We found no significant difference in login time between the pattern and PIN schemes. Figure 2 shows the box-and-whisker plots of login time for both PIN and pattern on the two device sizes (phone and tablet). Pattern takes slightly less time to log in on the phone, and PIN takes slightly less time on the tablet.

Login Success Rate

Table 1 shows the login success rate of the PIN and pattern screen locks. Of 31 participants, 29 reported that they can enter the correct PIN successfully 18 times out of 20; by contrast, 23 participants reported that they can enter the pattern successfully 18 times out of 20.

Table 1: Login success rate

Type of screen lock    Login success rate
PIN                    88%
Pattern                83%

Memorability

Most of the participants memorize their screen lock for logging in to their mobile devices. In our survey, approximately 81% of participants memorize their screen lock, while some participants (12%) write their screen lock down on a piece of paper. According to the participants, about 39% of them never forget their PIN, whereas 56% never forget their pattern. In our study, 80% of participants created the same PIN and the same pattern for both mobile devices.

Screen Size Impact

In the survey, we asked the participants a 5-point Likert scale question about the impact of screen size on both PIN and pattern screen locks. Figure 3 shows the result. For PIN, participants did not agree that screen size affects usability; most of them nevertheless agreed that PIN is easier to use on the phone than on the tablet (SD = 1.3). In contrast, most participants (SD = 1.02) held that pattern is easier to use on the tablet than on the phone.

Observation of attacks

We observed the users and noted relevant behaviors and feedback. Most of the users created the same PIN and the same pattern for both tablet and phone; about 20% of them created different PINs and patterns for the two devices. The majority of the participants (75%) chose to create a difficult pattern (e.g., 1->4->5->8->9) instead of an easy one (e.g., 1->2->3->6). For PIN, 87% of participants chose a difficult PIN (e.g., 1928). According to the participants, shoulder surfing has a 43% chance of being a threat to PIN, whereas smudge attacks have a 50% chance of being a threat to pattern.
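The smudge-attack concern raised above, and the password-space figures quoted in the Introduction (10,000 four-digit PINs against 389,112 patterns), can be checked with a short enumeration. The following Python script is an added example, not code from the paper: it generates every valid Android pattern under the rules the lock enforces (4 to 9 distinct nodes; a stroke may pass over a node only if that node was already visited; these rules are assumed from Android's documented behavior and are not stated on the page), reproduces the 389,112 total, and then shows how many patterns remain once a smudge reveals which nodes were touched, using the paper's own example patterns 1->4->5->8->9 and 1->2->3->6 as the touched sets.

```python
"""Enumerate the Android 3x3 pattern-lock space and measure how much a
smudge attack shrinks it.  Added example, not code from the paper.

Nodes are numbered 1..9, left to right, top to bottom:
    1 2 3
    4 5 6
    7 8 9
Rules assumed here (Android's documented behaviour, not stated on the
page): a pattern visits 4 to 9 distinct nodes, and a stroke may pass
over a node (1 -> 3 over 2, 1 -> 9 over 5) only if that node has
already been visited; knight-like moves such as 1 -> 6 pass over nothing.
"""
from collections import Counter
from functools import lru_cache
from math import log2

GRID = 3
MIN_LEN, MAX_LEN = 4, 9
NODES = range(1, GRID * GRID + 1)


def skipped_node(a, b):
    """Node strictly between a and b, or None if the stroke skips none."""
    ra, ca = divmod(a - 1, GRID)
    rb, cb = divmod(b - 1, GRID)
    dr, dc = rb - ra, cb - ca
    if dr % 2 or dc % 2:      # odd offset: no grid node at the midpoint
        return None
    return (ra + dr // 2) * GRID + (ca + dc // 2) + 1


def _extend(path, used):
    if len(path) >= MIN_LEN:
        yield tuple(path)
    if len(path) == MAX_LEN:
        return
    for nxt in NODES:
        if nxt in used:
            continue
        mid = skipped_node(path[-1], nxt)
        if mid is not None and mid not in used:
            continue          # would jump over an unvisited node
        path.append(nxt)
        used.add(nxt)
        yield from _extend(path, used)
        path.pop()
        used.discard(nxt)


@lru_cache(maxsize=None)
def all_patterns():
    """Every valid pattern, as tuples of node numbers (computed once)."""
    result = []
    for start in NODES:
        result.extend(_extend([start], {start}))
    return tuple(result)


def pattern_counts():
    """Valid patterns per length; the sum is the 389,112 quoted in the paper."""
    return dict(Counter(len(p) for p in all_patterns()))


def pin_space(digits=4):
    """Number of distinct PINs of the given length."""
    return 10 ** digits


def smudge_candidates(touched):
    """Patterns still possible once a smudge reveals the set of touched
    nodes (unordered, without stroke direction), as in Aviv et al. 2010."""
    wanted = frozenset(touched)
    return [p for p in all_patterns() if frozenset(p) == wanted]


def bits(space):
    """Password space expressed as bits of guessing work, rounded."""
    return round(log2(space), 2)


if __name__ == "__main__":
    counts = pattern_counts()
    print("patterns by length:", counts, "total:", sum(counts.values()))
    print("4-digit PIN:", pin_space(), "=", bits(pin_space()), "bits")
    print("pattern (4-9 nodes):", bits(sum(counts.values())), "bits")
    # The paper's own example patterns (Section 4, observation of attacks):
    for nodes in ((1, 4, 5, 8, 9), (1, 2, 3, 6)):
        left = smudge_candidates(nodes)
        print(f"smudge shows nodes {nodes}: {len(left)} orderings remain")
```

Two points the per-length breakdown makes visible: the 389,112 total is a sum over lengths 4 to 9, and the 1,624 patterns of the minimum length form a smaller space than the 10,000 four-digit PINs. Once a smudge gives away the touched nodes, only the orderings that respect the skip rule survive, so the "difficult" five-node pattern leaves a few dozen candidates and the four-node one fewer still, both well within hand-guessing range; stroke-end smears that reveal direction narrow it further.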
Figure 1: Comparison of creation time of pattern and PIN.

Figure 2: Comparison of login time of pattern and PIN.

Figure 3: Smaller size factor of pattern and PIN.

5. Discussions

We measured the creation time and login time of PIN and pattern passwords on two sizes of mobile device to find out whether the size of the device has any effect. Our observations are drawn from the user tasks and the survey results.

Observation 1: The creation time of both PIN and pattern-based screen locks on the mobile phone is less than on the tablet.

Observation 2: On the Android phone, the creation time of the pattern password is shorter than the creation time of the PIN.

Observation 3: People who used the same pattern/PIN on both devices took slightly less time to log in than people who used different ones.

Observation 4: Login time depends on the length of the pattern: longer patterns (7-8 points) take more time than shorter ones. Since the PIN has a fixed length of 4 digits, its login time is consistent.

Among the study participants, 87% want to have a difficult PIN, and 75% want to have a strong pattern password. The majority of the participants therefore preferred security to usability.

One indicator of the security strength of a password scheme is the total number of possible passwords, also known as the password space. A brute-force attack against a specific password involves exhaustively searching this space. The password space of a 4-digit PIN is 10^4 = 10,000, whereas the 3 × 3 pattern grid allows 389,112 distinct patterns of 4 to 9 points (Kaseorg 2013). The two figures are not directly comparable, because the pattern total is summed over all lengths: the 1,624 patterns that use only the minimum four points form a smaller space than the 10,000 four-digit PINs, so a user who picks the shortest pattern gains nothing against exhaustive guessing.

6. Limitations and Future Work

Our paper studied alphanumeric and graphical password schemes by comparing two screen lock methods on Android devices: the PIN (alphanumeric password) and the pattern (graphical password). A screen lock protects Android phones and tablets from unauthorized access, and our study explored the usability and security issues of these two methods.

The purpose of the study was to look into the usability and security of screen locks by observing user behavior. Since user behavior has security implications on mobile devices, we examined user behavior with respect to two attacks: smudge attacks and shoulder surfing. Smudge attacks can be a threat to capacitive-touch smartphones and tablets. Our study focuses on a comparison of two popular screen locks; it is limited to 33 participants, three usability criteria, and two attacks. In the future, we want to conduct a large-scale study with more usability criteria and attack schemes. Future studies will also be informed by the lessons we have learned from this screen-locking study.

7. Conclusions

In this paper, we compared the usability and security of pattern and PIN passwords for Android devices. We conducted a user survey on the usability and security issues of pattern and PIN. We gathered data about creation time, login
time, and login success rate of each method on both tablet and phone. Our survey results show that 75% of participants prefer strong pattern screen locks, while 87% prefer a strong PIN. We also collected user perceptions of secure screen locks and of related attacks, such as guessing attacks, smudge attacks, and shoulder surfing attacks, for each password scheme.

The pattern password for mobile devices is vulnerable to attacks such as smudge attacks and shoulder surfing. Further research is needed to address the security issues of Android pattern locks. Users also need to create strong pattern passwords or PINs and to make an effort to protect them.

References

Adams, A., and Sasse, M.A. 1999. Users are not the enemy. Communications of the ACM 42(12): 40-46.

Aviv, A.J., Gibson, K., Mossop, E., Blaze, M., and Smith, J.M. 2010. Smudge attacks on smartphone touch screens. In Proceedings of the 4th USENIX Workshop on Offensive Technologies (WOOT), 1-7, Berkeley, CA: USENIX Association.

Biddle, R., Chiasson, S., and van Oorschot, P.C. 2012. Graphical passwords: Learning from the first twelve years. ACM Computing Surveys 44(4): 1-41.

Bonneau, J., Herley, C., van Oorschot, P.C., and Stajano, F. 2012. The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In Proceedings of the IEEE Symposium on Security and Privacy (SP), 553-567, San Francisco, CA: IEEE Press.

Chiang, H.-Y., and Chiasson, S. 2013. Improving user authentication on mobile devices: A touchscreen graphical password. In Proceedings of the 15th International Conference on Human-Computer Interaction with Mobile Devices and Services (MobileHCI), 251-260, Munich, Germany: ACM Press.

Chiasson, S., Forget, A., Biddle, R., and van Oorschot, P.C. 2008. Influencing users towards better passwords: Persuasive cued click-points. In Proceedings of the 22nd British HCI Group Annual Conference on People and Computers: Culture, Creativity, Interaction, Volume 1, 121-130, Liverpool, UK: ACM Press.

Chiasson, S., Forget, A., Stobert, E., van Oorschot, P.C., and Biddle, R. 2009. Multiple password interference in text passwords and click-based graphical passwords. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS), 500-511, Chicago, IL: ACM Press.

Chiasson, S., Stobert, E., Forget, A., Biddle, R., and van Oorschot, P.C. 2012. Persuasive cued click-points: Design, implementation, and evaluation of a knowledge-based authentication mechanism. IEEE Transactions on Dependable and Secure Computing 9(2): 222-235.

Everitt, K.M., Bragin, T., Fogarty, J., and Kohno, T. 2009. A comprehensive study of frequency, interference, and training of multiple graphical passwords. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI), 889-898, Boston, MA: ACM Press.

Jakobsson, M., Shi, E., Golle, P., and Chow, R. 2009. Implicit authentication for mobile devices. In Proceedings of the 4th USENIX Conference on Hot Topics in Security (HotSec), Montreal, Canada: USENIX Association.

Jermyn, I., Mayer, A.J., Monrose, F., Reiter, M.K., and Rubin, A.D. 1999. The design and analysis of graphical passwords. In Proceedings of the 8th USENIX Security Symposium, 1-14, Washington, D.C.: USENIX Association.

Kaseorg, A. 2013. How many combinations does Android 9 point unlock have? Quora. Retrieved February 25, 2015, from http://www.quora.com/How-many-combinations-does-Android-9-point-unlock-have.

Kotadia, M. 2005. Microsoft: Write down your passwords. ZDNet Australia, May 23.

Lashkari, A.H., Farmand, S., Zakaria, O.B., and Saleh, R. 2009. Shoulder surfing attack in graphical password authentication. International Journal of Computer Science and Information Security 6(2): 145-154.

Passfaces Corp. 2009. The science behind Passfaces. White paper. http://www.passfaces.com/published/The%20Science%20Behind%20Passfaces.pdf

Patrick, A.S., Long, A.C., and Flinn, S. 2003. HCI and security systems. In CHI '03 Extended Abstracts on Human Factors in Computing Systems, 1056-1057, New York, NY: ACM Press.

Qualtrics. 2014. Qualtrics: Online survey software and insight platform [software]. Retrieved February 25, 2015, from http://www.qualtrics.com.

Schaub, F., Walch, M., Könings, B., and Weber, M. 2013. Exploring the design space of graphical passwords on smartphones. In Proceedings of the Ninth Symposium on Usable Privacy and Security (SOUPS), 1-14, Newcastle, UK: ACM Press.

Shepard, R.N. 1967. Recognition memory for words, sentences, and pictures. Journal of Verbal Learning and Verbal Behavior 6(1): 156-163.

Suo, X., Zhu, Y., and Owen, G.S. 2005. Graphical passwords: A survey. In Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC), 463-472, Tucson, AZ: IEEE Press.

Tao, H., and Adams, C. 2008. Pass-Go: A proposal to improve the usability of graphical passwords. International Journal of Network Security 7(2): 273-292.

Zakaria, N.H., Griffiths, D., Brostoff, S., and Yan, J. 2011. Shoulder surfing defence for recall-based graphical passwords. In Proceedings of the Seventh Symposium on Usable Privacy and Security (SOUPS), 1-12, Pittsburgh, PA: ACM Press.