A Second Look at Gesture-Based Passwords: Usability and Vulnerability to Shoulder-Surfing Attacks

Authors: Lakshmidevi Sreeramareddy, Komalpreet Kaur, Nane Pothier


For security purposes, it is important to detect passwords entered by unauthorized users. With traditional alphanumeric passwords, if an intruder acquires the content of a password and enters it correctly, it is impossible to differentiate the intruder's entry from those of the authorized user, because the entries contain precisely the same character set. However, no two entries of a gesture-based password, even those made by the person who created the password, will be identical. There are always variations between entries, such as the shape and length of each stroke, the location of each stroke, and the speed of drawing. It is possible that passwords entered by an unauthorized user contain higher levels of variation than those entered by the authorized user (the creator). The difference in the levels of variation may provide cues to detect unauthorized entries. To test this hypothesis, we designed an empirical study, then collected and analyzed the data with the help of machine-learning algorithms. The results of the study are significant.

Keywords: Authentication, gesture-based passwords, machine learning algorithms, shoulder-surfing attacks, usability.
