Combinatorics in Pattern-Based Graphical Passwords

Combinatorics in Pattern-Based Graphical Passwords

Freyr Sævarsson freyrsae@gmail.com Master’s thesis in Mathematics

May, 2012

Supervisors:

Jakob Jonsson, KTH G¨oran Selander, Ericsson

Mats N¨aslund, Ericsson

Abstract

Because of increased computing power it is necessary for modern pass- words to be very long and complex, this makes them hard to remember.

Research show that it might be easier for people to remember visual pass- words instead of textual ones. The goal of this project was to find a safe graphical password scheme which does not require any modification on the server side. A proposed solution is called the Abagram which is a system that transforms patterns on a grid into textual passwords. The main idea behind the scheme is to assign each cell in the grid a letter or a symbol. The users select some cells by passing their finger over them. The password becomes the letters of the cells in the order in which they are passed. The thesis consists of a study of the combinatorics of user-selected patterns, a theoretical security analysis of the Abagram, an analysis of a user study constructed for Android smartphones and methods for evalu- ating the strength of a given pattern. The Abagram does show promise, an average pattern from the study suggest a password space with entropy of about 68 bits which is comparable with a random 10 digit password.

The Abagram might be especially useful when used with a smartphone but there are still some usability and implementation aspects which must be analysed further.

Foreword

My name is Freyr Sævarsson and I am a master’s student at the department of Mathematics at KTH. I have been working on my master’s project from the beginning of January to the end of May 2012 at the Ericsson Research lab in Kista and this thesis is the last step of that project.

First of all I would like to thank my supervisors, G¨oran Selander and Mats N¨aslund at Ericsson and Jakob Jonsson at KTH, they have all been extremely helpful and made countless good suggestions and comments, this project would not have been possible without them.

Second, I would like to thank Ericsson for giving me the opportunity of working on this project, the whole security research department at Ericsson in Kista which it has been an honour to be a part of, Prajwol for his help on setting up the survey and all those who participated in the survey.

Finally I would like to thank my family and friends for their invaluable sup- port through the years.

May 2012, Stockholm, Sweden Freyr Sævarsson

Contents

1 Introduction 5

1.1 Background . . . 5

1.2 Graphical Assistance . . . 5

1.3 The Thesis Structure . . . 5

2 Problem Description 7 2.1 Password Security . . . 7

2.1.1 Brute Force Attacks . . . 7

2.1.2 Dictionary Attacks . . . 7

2.1.3 Eavesdropping . . . 8

2.1.4 Social Engineering . . . 8

2.2 Graphical Passwords . . . 8

2.2.1 Previous Work . . . 9

2.2.2 Hybrid Systems . . . 10

2.3 Problem Statement . . . 10

2.4 The Abagram . . . 11

2.4.1 Difference Between the Abagram and Other Graphical Password Systems . . . 11

3 Mathematical Analysis of Pattern-Based Authentication Sys- tems 13 3.1 Connection to the Security of the Scheme . . . 13

3.1.1 Entropy . . . 13

3.2 Different Approaches . . . 14

3.3 Connection Between Abagram Grids and Graphs . . . 15

3.4 No Continuity . . . 15

3.5 Continuous Walks . . . 16

3.5.1 Asymptotic Behaviour . . . 18

3.6 Continuous Walks Without Backtracking . . . 19

3.6.1 Asymptotic Behaviour . . . 20

3.7 Self-Avoiding, Continuous Walks . . . 21

3.7.1 Approximations . . . 22

3.7.2 Asymptotic Behaviour . . . 23

3.8 Paths Consisting of Multiple Strokes . . . 25

3.8.1 Approximative Formula . . . 26

3.9 Summary of the Mathematical Analysis . . . 26

4 Constructing the Abagram 29 4.1 Password Policies and Their Connection to Abagrams . . . 29

4.2 Filling in the Abagram . . . 29

4.2.1 A Single Character in Each Cell . . . 30

4.2.2 Multiple Characters in Each Cell . . . 32

4.2.3 Choosing an Abagram for a Given Pattern . . . 32

5 Implementation of the Abagram for a User Survey 34

5.1 The Reasons for the Survey . . . 34

5.1.1 Security Reasons . . . 34

5.1.2 Human Limitations . . . 34

5.1.3 Usability . . . 34

5.2 Structure of Survey . . . 34

5.3 Graphical Decisions . . . 36

5.4 Possible Improvements . . . 37

6 Survey Analysis 39 6.1 Pattern Analysis . . . 39

6.1.1 Pattern Length and Number of Strokes . . . 39

6.1.2 Grid Size . . . 40

6.1.3 Directions of Patterns . . . 41

6.1.4 Starting Positions . . . 42

6.1.5 Backtracking and Self-avoidance . . . 42

6.1.6 Global Structure of Patterns . . . 43

6.1.7 Difference Between Random Patterns and Human-Generated Patterns . . . 44

6.1.8 Other Notable Things . . . 44

6.2 Usability Analysis . . . 45

6.2.1 Drawing the Pattern . . . 45

6.2.2 Remembering the Pattern . . . 46

6.2.3 Guessing the Pattern . . . 46

6.2.4 Integration . . . 46

6.2.5 Usage for Different Services . . . 47

6.2.6 General Comments . . . 48

7 Evaluating patterns 50 7.1 Constructing a Graphical Password Strength Estimator . . . 50

7.1.1 Method Based on Statistical Randomness . . . 50

7.1.2 Evaluating One Step at a Time . . . 50

7.1.3 Folding the Patterns . . . 53

7.2 Pattern Policies . . . 54

8 Conclusions 55 A The Survey 58 A.1 First Email . . . 58

A.2 Second Email . . . 58

A.2.1 The Attachment with Second Email . . . 62

A.3 The Application . . . 64

B A Sample of Patterns from the Survey 70

1 Introduction

1.1 Background

Passwords play a big role in today’s society, they are used in many different situations such as logging into an internet account or unlocking a computer.

Due to various different types of attacks on these systems it is best if the user chooses strong passwords, i.e. passwords that are difficult for others to find, and uses different passwords for different services. Strong passwords are however hard to remember, especially when it is necessary to remember many different ones. This results in people writing down their passwords which is not ideal since if the piece of paper with the password falls into the wrong hands all the security of the password is lost.

1.2 Graphical Assistance

The problem of remembering passwords has led to the development of differ- ent types of password systems that might give passwords which are easier to remember. One idea is to use graphical passwords. Graphical passwords may be easier to remember since they stimulate the visual memory which research indicate might be better suited for the task than the verbal memory [20]. The problem with graphical passwords however is that most services which request a password do not support graphical passwords and implementing them would be costly for them. The idea described in this thesis, a password system called Abagram¹, is a system that creates regular passwords from graphical passwords.

This enables the users to use graphical passwords without any necessary support from the services they wish to log into.

1.3 The Thesis Structure

The goal of this thesis is to analyse graphical password schemes from a security point of view with a special emphasis on the Abagram and similar systems.

Section 2 gives a more detailed background of the problem, including short de- scriptions of various attack methods on passwords and discussion on previous work on graphical passwords.

Section 3 contains a theoretical analysis of pattern-based password systems. The main problem discussed in the section is counting the number of possible pat- terns under various restrictions and analysing what are the main factors when it comes to the number of possible patterns.

Section 4 is specific to the Abagram system and is about password policies, how they affect the Abagram and how to minimize this effect.

Sections 5 and 6 are about a user study that was implemented for Android smartphone users. Section 5 is about the survey itself and its implementation whereas in section 6 we analyse the results of the study.

1An abbreviation of Alphabetagram.

In section 7 we discuss methods for evaluating given patterns similarly to pass- word strength meters which are common practice with textual passwords.

2 Problem Description

Passwords are a common practice when it comes to security. The idea is simple, either users choose or are appointed a password. They memorize their password and the service provider stores a representation of the passwords in some man- ner. For the users to obtain access to the service they state their username and password. Then it is a simple matter for the service provider to check if the given password matches the stored one, if it does, access is granted but denied otherwise. When using proper security protocol for passwords over the internet things become a bit more complicated. The main difference is that instead of sending the password directly to the server, which would expose the password to eavesdropping, the user’s browser performs an irreversible computation using the password and a random number provided by the server. This value is then sent to the server who performs a corresponding computation and authenticates the user if the value received from the user matches its expectations.

2.1 Password Security

Because of the importance and widely spread usage of passwords there have been implemented many different attacks on them. Some of the most common ones are listed here.

2.1.1 Brute Force Attacks

Brute force attack is a naive approach to break a password. It simply consists of trying out lots and lots of passwords until by pure chance it finds the correct one. Because of attacks of this type it is necessary for a password system to have a large number of possible passwords since otherwise an attacker can simply try all of the possible passwords and one of them must be correct. Attacks of this type can sometimes be prevented by allowing only a certain number of tries, for example with PIN numbers it is common practice to lock the account after 3 failed attempts. The setback to this approach is that anyone can lock anyone else’s account, given his username, which can be a problem.

2.1.2 Dictionary Attacks

Dictionary attacks are similar to brute force attacks but a more intelligent ap- proach is taken in choosing which passwords to try out. The attacker starts by making a list of likely passwords. As an example an attacker trying to guess a password could start with checking all the words in a dictionary because a hu- man being is more likely to choose a password which consists of an actual word instead of a random sequence of characters. This makes the password easier to remember for the user but an attacker can use this to his advantage. In a study done by Klein[11] in 1990, 24.2% of all passwords could be guessed by using a list of only 62,727 words.

There do also exist attacks which are somewhere in-between brute force attacks

and dictionary attack. One such attack is based on using so-called rainbow tables. The attacker creates a precomputed table that helps reversing hash functions, this is then used to retrieve plaintext passwords given hashes of pass- words. This approach requires less computation than a brute force attack but more memory. There are also other similar attacks which have this time-memory tradeoff. These attacks can be made infeasible by using salts which are simply a collection of random bits. The service then assigns a salt to every password which is stored along with a hash of the salt and password combined. This makes it infeasible for an attacker to precompute hashes of popular passwords and thus increases the amount of time and computing power needed for the attacker substantially.

2.1.3 Eavesdropping

One example of eavesdropping is the so called shoulder surfing attack which is when the attacker watches the users as they sign in and gains information about the passwords in that manner. This is something that is more likely to be a problem using graphical passwords [12].

Another approach is to use specific software or hardware to gain secret informa- tion. Examples of such would be keyloggers where the attacker plants software or hardware on a computer and monitors everything that is typed on that com- puter. Another example is sniffers which are programs that log traffic over a network.

2.1.4 Social Engineering

There are many ways to trick the users into giving up their password, for instance by creating a bogus account site and hope that people use the same username and password for many different sites. A technique called phishing is also used but then the attacker creates a webpage that looks like the website of a real service and hopes that the user tries to log into the service but since the website is controlled by the attackers they can gain the required information for logging in.

2.2 Graphical Passwords

Because of the attacks stated earlier, especially brute force and dictionary at- tacks it is difficult for users to choose good passwords. If passwords are short but random, brute force will find them because there are not so many possibili- ties but if they are longer and use some words or other memorable things, they might be vulnerable to dictionary attacks. One possibility for choosing strong passwords is to have long strings consisting of random characters. Today it is recommended that a password contains at least 12 characters chosen at random from all possible symbols i.e. all letters, numbers and special characters avail- able on a keyboard [8]. The setback is that passwords of this type are extremely

difficult to remember and very cumbersome to type in on smartphones and sim- ilar devices.

Due to this much research has been done on graphical passwords for a few years now. There are various types of these graphical passwords but in general they depend on the user memorizing pictures or patterns instead of written words.

The appeal of graphical passwords is that it appears to be easier for people to remember pictures and patterns than text [20].

2.2.1 Previous Work

One of the first graphical password systems was proposed by Blonder [3] in which a picture is presented to the user who then has to click specific points in the picture in correct order.

Another possibility is the Draw-A-Secret method described by Jeremyn et al.

[10]. In this method the user draws a pattern on a 5 × 5 grid. The password consists of the grid-cells the pattern passes through and in which order it does so, it also measures if the pen is lifted up from the drawing grid. An example can be seen in figure 1, in this thesis we will mostly discuss graphical password systems similar to the Draw-A-Secret system and therefore most of the results apply to it as well.

Figure 1: An example of a Draw-A-Secret pattern [10]

.

Another type of methods are based on presenting the users with a large num- ber of symbols or pictures and the users then have to find the same subset of symbols as they did originally when choosing the password. Examples of imple- mentations based on this idea are for instance Passfaces [16] and scheme made by Hong et al. [9].

There are many other graphical password schemes out there. Most of them are based on similar ideas as the ones mentioned above, possibly with some improvements. This is still an active field and new graphical password schemes are being made. A more detailed discussion on existing graphical passwords can for instance be found in [21].

2.2.2 Hybrid Systems

Some password systems are a hybrid between graphical passwords and textual ones. One example is the PassLogic system in which a grid filled with random numbers is presented to the users who then type in the numbers in the positions they have chosen before as their password positions in the correct order, an example can be seen in figure 2.

Figure 2: An example of a PassLogic password.

Another hybrid system is called GPEX [23] which is an add-on for Firefox which enables users to use graphical passwords on websites using regular passwords.

The scheme is based on letting users click on various locations on a picture as a password. The locations clicked are then stored and along with the site URL are hashed in a specially made hash function which returns a string that becomes the password [2].

2.3 Problem Statement

One problem with graphical passwords is that not many companies or Internet services provide their users the option of using any type of graphical passwords.

Most services require a textual password from the user, often with some extra requirements on the password such as a minimum length or that it contains both digits and letters. The problem stated here is to make some sort of a system that helps users to reproduce textual passwords which satisfy all requirements using graphical aid. The passwords created using this system must be robust to regular attacks as well as that knowledge of this system does not help an attacker to gain information about the password².

Some of the questions addressed in this thesis are:

ˆ What is the security of graphical password schemes compared to textual password schemes?

ˆ What aspects of the graphical password scheme are most important in regards to security?

ˆ How complicated can a graphical password scheme be without becoming infeasible due to practical limitations such as human memory and cell- phone screen-sizes?

ˆ What is the difference between random graphical passwords and human generated ones?

2or at least to a minimal extent

2.4 The Abagram

One proposed solution to the problem stated earlier is the so called Abagram which is a system which generates regular passwords using graphical patterns.

The Abagram system works in a few steps. The initial step is that when the users decide to make a password, they are presented with some sorts of a grid.

The specifics of the grid can vary but as an example it could be a 6 × 6 grid as in figure 3. Then the user selects a pattern in the grid, one example is shown in figure 3. Now each area in the grid is assigned zero, one, or more characters, one

Figure 3: An example grid for the Abagram showing one possible password pattern.

possibility is shown in figure 4. The users can now see their regular password by following the pattern they chose and write up the characters in each area of their pattern, in the previous example the password would be =XnJ25. One goal of the Abagram is to create the passwords in such a way that the final password will satisfy the password policies given by the service³. There are many things that must be considered further in this scheme, for instance what is an appropriate grid and how to fill in the grid once the users have chosen their pattern. These questions will be discussed thoroughly throughout the paper.

2.4.1 Difference Between the Abagram and Other Graphical Pass- word Systems

Though many graphical password systems, such as the Draw a Secret system, are similar to the Abagram system, the main difference is in the authentication procedure. Most of the other systems require the authentication process to be aware of the use of graphical passwords. The aim of the Abagram on the other

3One example of a password policy would be that a password must contain both letters and numbers.

Figure 4: One possible way to fill the grid.

hand is to simply create valid, strong passwords and leaving the authentication procedure entirely to the services. This is a big difference since it is possible to use the Abagram with any service and no commitment is required from the service side to support the Abagram.

3 Mathematical Analysis of Pattern-Based Au- thentication Systems

When dealing with the Abagram and similar graphical password systems such as Draw a Secret [10] there are many interesting questions that arise, such as

ˆ How many patterns can be drawn in a grid of size n × m?

ˆ How does the number of patterns change as a function of grid size?

ˆ How does the number of patterns change as a function of pattern length?

ˆ How do restrictions on the structure of the patterns affect the number of possible patterns?

ˆ Are there some other important factors?

It turns out that some of these questions can be answered by counting walks in graphs and therefore a large part of this chapter will be devoted to that problem.

The counting methods described in the chapter can be used for any type of graph but special attention will be paid to graphs relevant to the Abagram.

3.1 Connection to the Security of the Scheme

The reason why it is important to count the number of patterns is because of its connection to the security of the scheme. To prevent brute force attacks it is necessary to have the possible password space big and since the password space in the Abagram consists of all possible patterns in a specific grid this question becomes essential.

3.1.1 Entropy

When talking about the security of passwords a key concept is the so-called entropy of the password space [19]. In an outcome space X = {x1, x2, . . . , xn} with the probability p(xi) of outcome xi the entropy of X is

−

n

X

i=1

p(xi) log p(xi)

using the logarithm to base 2. Note that the entropy is always positive since log p(xi) is negative. Using entropy is a standard way to evaluate a password space, the higher the entropy the better the password space.

In table 1 we can see the entropy for a few common types of passwords.

4The ASCII printable characters include all upper and lower case letters (A-Z, a-z), nu- merals (0-9) and some special characters. In total the ASCII printable characters consist of 95 characters.

Password space Entropy PIN number, 4 numeric characters (0-9): 13.3 6 letter password with only lower case letters (a-z): 28.2 8 letter password containing all letters and numerals: 47.6 8 letter password containing all ASCII printable characters⁴: 52.6 10 letter password containing all ASCII printable characters: 65.7 12 letter password containing all ASCII printable characters: 78.8

Table 1: The entropy of a few standard password systems.

3.2 Different Approaches

To make the security analysis of the Abagram as general as possible we will consider many different options. One thing that can vary a lot is the grid cho- sen for the Abagram. A very natural grid is some sort of a rectangular grid as shown in figure 5.

Even once it has been decided to use a rectangular grid of a certain size there are still many possibilities on how the grid cells are connected to one another.

We will consider three different types of movement on grids of size n × m. First

Figure 5: A possible grid for the Abagram.

there is the lattice movement where you can only move up, down, right and left as in figure 6a, then there is the diagonal lattice movement where you can also move diagonally as in figure 6b and finally the double diagonal lattice movement where you can as well move as a knight in chess as depicted in figure 6c.

Another important variation is what type of patterns will be used as passwords.

This is a very difficult question, especially when you take human preference into the mix. Later in this section is an analysis of a few different types of patterns.

(a) Lattice movement (b) Diagonal movement (c) Double diagonal move- ment

Figure 6: Different allowed movement in the grid.

3.3 Connection Between Abagram Grids and Graphs

For every type of grid we can look at the underlying graph which also shows what movement is allowed. For instance the graph for a diagonal 4 × 4 lattice grid is shown in figure 7. The nodes in the graph correspond to a cell in the grid and an edge between two nodes represents that movement between the corresponding cells is allowed.

•

@@

@@

@@

@ •



@@

@@

@@

@ •



@@

@@

@@

@ •



•

@@

@@

@@

@ •



@@

@@

@@

@ •



@@

@@

@@

@ •



•

@@

@@

@@

@ •



@@

@@

@@

@ •



@@

@@

@@

@ •



• • • •

Figure 7: The graph corresponding to a 4 × 4 grid where diagonal movement is allowed.

3.4 No Continuity

The first and easiest case is when the patterns are not assumed to contain any continuity, i.e. you can always choose any cell in the grid no matter what other cells have been chosen earlier to be in the pattern. Since you can always go from any cell to another a pattern of length k can be chosen in (n · m)^k ways.

If you add the condition that no cell is chosen more than once you can choose a pattern in (n · m)(n · m − 1) . . . (n · m − k + 1) = (n · m)!/(n · m − k)! different ways.

Even though this is a very natural and easy way to think about pattern-based passwords it might not be a good way. If users choose their own passwords it is unlikely they will choose k cells without thinking at all about continuity and if they do it is likely that it will be difficult for them to remember the pattern.

In figure 8 the entropy of these pattern spaces is compared to the entropy of the passwords in table 1. The grid sizes used for the figure are 3 × 3, 5 × 5, 7 × 7, 9 × 9 and 11 × 11.

Figure 8: The entropy of non-continuous patterns compared to the standard passwords in table 1.

3.5 Continuous Walks

The next thing we look at is continuous walks in the graph. To be more precise the pattern can start in any node in the graph but then it must always go next to a node connected to the current node.

Counting this type of walks is a well-known problem from graph theory [1]. The solution is based on the adjacency matrix of the graph. The adjacency matrix of a graph with N nodes is an N × N matrix where entry ai,j is equal to the number of edges from node i to node j, here ai,j is always 0 or 1 and ai,i= 0 since we have a simple undirected graph. There is a theorem from graph theory that states that the number of walks from node i to node j of length k in a

graph with adjacency matrix A is the (i, j)-th entry in the matrix A^k−1 (note that we define a walk of length k as a path through k not necessarily distinct nodes, i.e. we count the number of nodes in the path not edges as is sometimes the convention). Now we have that the total number of continuous walks of length k in a graph with adjacency matrix A is:

N

X

i=0 N

X

j=0

A^k−1(i, j)

where N is the number of nodes in the graph.

•¹

@@

@@

@@

@ •²

~~~~~~~

@@

@@

@@

@ •³

~~~~~~~

•⁴

@@

@@

@@

@ •⁵

~~~~~~~

@@

@@

@@

@ •⁶

~~~~~~~

•⁷ •⁸ •⁹

Figure 9: The graph corresponding to a 3 × 3 grid where diagonal movement is allowed with nodes numbered.

Let’s take a closer look at the graphs proposed for using in the Abagram. For an n × m grid the adjacency matrix will be an (n · m) × (n · m) matrix. If the nodes are numbered such that the first line is numbered first from left to right, then the second line and so on (depicted in figure 9), the adjacency matrix for a 3 × 3 diagonal lattice grid is:

A =





























0 1 0 1 1 0 0 0 0

1 0 1 1 1 1 0 0 0

0 1 0 0 1 1 0 0 0

1 1 0 0 1 0 1 1 0

1 1 1 1 0 1 1 1 1

0 1 1 0 1 0 0 1 1

0 0 0 1 1 0 0 1 0

0 0 0 1 1 1 1 0 1

0 0 0 0 1 1 0 1 0





























Since the number of walks is an important question in the development of the Abagram and similar graphical password schemes figure 10 shows the entropy for walks in grids of size 3 × 3, 5 × 5, 7 × 7, 9 × 9 and 11 × 11 compared to the standard passwords in table 1.

Figure 10: Comparison of entropy for continuous walks.

3.5.1 Asymptotic Behaviour

Using the power method [14] we can see that for a graph with n nodes and adjacency matrix A which has a leading eigenvalue λ1we have

n

X

i=1 n

X

j=1

A^k−1(i, j) = e^TA^k−1e ∼ e^Tb1λ^k−1₁ v1= λ^k−1₁ b1 n

X

i=1

v1(i)

as k becomes large, where e is a vector of all ones of a suitable size, e^T its transpose, λ1 is the leading eigenvalue of A, v1 the leading eigenvector and b1

comes from solving the equation e = b1v1+ b2v2+ . . . + bnvn where vi is the i-th eigenvector.

To sum this up the number of walks of length k in the graph is asymptotically c · λ^k−1₁ where c = b1Pn

i=1v1(i) is a constant and λ1 is the largest eigenvalue of A.

If A does not have a leading eigenvalue the number of walks of length k is still asymptotically c · λ^k−1₁ where c and λ₁ are constants but they can not be calculated using the power method, λ can still be estimated by dividing the number of walks of a certain length k with the number of walks of length k − 1, this λ can then be used to calculate c.

As the grid size increases the constant λ1 approaches the number of possible

directions in an infinite grid, i.e. 4 for the lattice grid, 8 for the diagonal grid and 16 for the double diagonal grid. The λ1-values for a few different graphs can be seen in table 2.

3.6 Continuous Walks Without Backtracking

Now we take a look at patterns very similar to the ones in the previous section with the exception that it is not allowed to go right back to the node you came from, for example if the walk has so far been as in figure 11 then it is not allowed to go back to cell x but all other neighbouring cells are allowed.

To count the number of walks of this type we use a similar method as last

Figure 11: Going back to cell x would be backtracking.

time. We try to find a series of matrices M_k such that M_k(i, j) is the number of walks of length k from node i to node j. To calculate M_k we do as follows:

ˆ M1= I where I is the identity matrix of suitable size.

ˆ M2= A where A is the adjacency matrix.

ˆ M3= A²−D where D is a diagonal matrix of suitable size with the degree of node i in the (i, i)-th entry.

ˆ Mk= Mk−1· A − Mk−2(D − I), if k > 3.

Let’s prove that this algorithm works. First of all it should be clear that M1and M2 are correct. To see that M3is correct we note that the only way to make a path with 3 nodes and backtrack is to start in a node, go to another node and then go right back to where we started, so all paths that do not end where they start do not include any backtracking and that is precisely what we calculate in M₃. At last to see the final equation we use a similar argument as in the last step. The term A · M_k−1 counts all walks which contain no backtracking except possibly in the last step so we need to subtract those. To make a walk that backtracks only in step k we must first make a path of length k − 2 which

ends in node i and contains no backtracking and make it go to a node different from the one it last came from (otherwise a backtracking happens in step k − 1) and then right back. This is possible to do in deg(i) − 1 ways so we have that Mk = Mk−1· A − Mk−2(D − I) if k > 3.

Similarly to the last section we take a better look at walks of this type in the graphs relevant to the Abagram, this can be seen in figure 12. As before the grid sizes used are 3 × 3, 5 × 5, 7 × 7, 9 × 9 and 11 × 11 and the comparison comes from table 1.

Figure 12: Comparison of entropy for non-backtracking continuous walks.

3.6.1 Asymptotic Behaviour

To find the asymptotic behaviour of non-backtracking walks in a graph G we create a new graph G⁰ which has 2|E| nodes where E is the number of edges in the original graph. G⁰ has two nodes corresponding to each edge in G, one for each direction, then the node (i, j) in G⁰ is connected to all nodes of type (j, k) except for (j, i). We can now see that there is a one-to-one and onto correspondence between non-backtracking walks of length k in G and regular walks of length k − 1 in G⁰. Now we can use the exact same argument as in section 3.5.1 for the graph G⁰ and see that the number of walks of length k is asymptotically cλ^k−2where c is a constant calculated in the same way as before and λ is the largest eigenvalue of G⁰.

Since the eigenvalue in some sense tells us in how many directions a walk can go in each step one might think that the eigenvalue calculated for non-backtracking walks is simply the corresponding eigenvalue for regular walks minus one but this is not the case. A comparison between a few eigenvalues can be seen in table 2. As the grid size increases the λ-values approach the number of possible directions for each step in an infinite grid, i.e. 3 in a lattice grid, 7 in a diagonal grid and 15 in a double diagonal grid.

Continuous walks Non-backtracking walks

3 × 3 2.8333 1.7500

Lattice 5 × 5 3.4643 2.3685

movement 7 × 7 3.6955 2.6229

9 × 9 3.8042 2.7497

11 × 11 3.8636 2.8217

3 × 3 4.8284 3.7183

Diagonal 5 × 5 6.4641 5.3540

movement 7 × 7 7.1097 6.0282

9 × 9 7.4223 6.3620

11 × 11 7.5957 6.5500

3 × 3 6.3639 5.3376

Double 5 × 5 10.5803 9.4859

diagonal 7 × 7 12.6483 11.5547

movement 9 × 9 13.7476 12.6687

11 × 11 14.3897 13.3252

Table 2: The λ-values for a few different types of walks.

It should also be noted that the method of creating the graph G⁰ can also be used to count the number of non-backtracking walks but the method used above is both simpler to implement and faster.

3.7 Self-Avoiding, Continuous Walks

The fourth case we look at is the case of continuous walks where we have com- plete self-avoidance, i.e. it is not allowed to visit the same node twice under any circumstances. This is by far the most complex case of the ones we discuss here.

There exist algorithms similar to the ones used earlier based on matrix multi- plication made by Ponstein [17] and Danielson [5] but these algorithms turned out to be too slow for the size of grid and length of walks analysed here. Even though these algorithms only require O(n³) matrix multiplications the matrix multiplication used is not completely as usual and when the number of walks becomes large the multiplication becomes very time consuming.

Much has been written on self-avoiding walks on an infinite lattice grid [13] and there have been developed powerful algorithms to calculate the number of these walks [4]. These algorithms are however complicated and it is not immediately clear how to change these algorithms such that they work on a finite grid or a

grid where diagonal movement is allowed.

Finally it is possible to simply do a depth first search to find every single valid walk but this also turned out to be too slow. Due to these difficulties it was finally decided to try to find a way to approximate the number of self-avoiding walks in the graph in a quick way.

3.7.1 Approximations

Let us look at a grid of size n × m where diagonal walks are allowed and try to approximate the number of self-avoiding walks. The other grids can be approximated in a similar manner.

The method is based on making a large number of random walks and counting how many of them are self-avoiding and within the grid. To make a random walk we start with choosing an initial point uniformly somewhere within the graph.

Then the next step is chosen uniformly from the 8 directions it is possible to walk in even though it is possible that a step can take the walk out of the grid.

When the walk reaches the desired length it is checked whether the walk is self- intersecting and if it has gone out of bounds, if it has done neither it is deemed valid and counted, otherwise it is not counted. Then the algorithm moves on to trying the next random walk. Using this algorithm we have that

# valid walks found

# walks tried −→ # self-avoiding walks in the graph

# walks the algorithm can possibly make (1) as the number of walks tried goes to infinity. This gives an approximation of the number of self-avoiding walks since the number of walks the algorithm can make can be easily seen to be n · m · 8^k−1where k is the length of the walk.

Proof of equation 1: Let S = {s₁, s₂, . . . , s_|S|} be the set of all self-avoiding paths in the grid of the desired length and let A be the set of all paths that the algorithm can possibly create. For a random w ∈ A we have that P (w ∈ S) =

|S|/|A|. Let us now note that the algorithm creates every single walk w ∈ A with equal probability since a walk is completely determined by its initial position and the directions it walks in afterwards and both are determined uniformly over all possibilities. So if w is any given walk in A and w1, w2, . . . , wN is an independent sequence of walks generated by the algorithm, the ratio

PN

i=1I_w(w_i) N

goes to P (w) as N goes to infinity, where I_w(w_i) = 1 if w_i= w but 0 otherwise.

Now we have that if w, w₁, w₂, . . . , w_N is an independent sequence of walks generated by the algorithm and then

PN

i=1IS(wi)

N =

PN

i=1Is₁(wi)

N + . . . + PN

i=1Is_|S|(wi) N

−→ P (w = s₁) + . . . + P (w = s_|S|)

= P (w ∈ S)

as N goes to infinity. Finally combining this with the fact that P (w ∈ S) =

|S|/|A| we have proven that equation 1 holds and we even have that the number of valid walks found is given by a binomial distribution B(N, p) where p is the actual fraction of valid walks.

To estimate how good these approximations are we can use some standard tech- niques from statistics to calculate confidence intervals for binomial distributions.

The simplest approach is to use normal approximation interval. The formula for the confidence interval of the ratio of valid walks is

p ± z_1−α/2

rp(1 − p) N

where p is the ratio of valid walks generated by the algorithm, z_1−α/2 is the 1−α/2 percentile of a standard normal distribution and α is the error percentile.

For example when calculating the number of self-avoiding walks of length 15 in a diagonal 5 × 5 grid 10⁸ walks were tried and 1648 of those were valid. If we set α to be 0.95, z_1−α/2 becomes 1.96 and we get that the percentile of valid walks is

1.648 · 10⁻⁵± 1.96 ·

r1.648 · 10⁻⁵(1 − 1.648 · 10⁻⁵)

10⁸ = 1.648 · 10⁻⁵± 7.957 · 10⁻⁷ and so the number of walks is with 95% certainty in the interval [1.725; 1.900]·10⁹ and the entropy is between 30.68 and 30.82.

The number of self-avoiding walks for graphs relevant to the Abagram can be seen in figure 13 below. As before the grid sizes used are 3 × 3, 5 × 5, 7 × 7, 9 × 9 and 11 × 11 and the comparison comes from table 1.

3.7.2 Asymptotic Behaviour

It is easy to see that once the walk length succeeds the size of the graph it is not possible to create a self-avoiding walk of that length and therefore the number of self-avoiding walks will be 0. It is still interesting to analyse the number of self-avoiding walks up until this point.

Using the approximation algorithm described above the number of self-avoiding walks was estimated for a number of different graphs related to the Abagram.

It seems to be that after a certain walk length the number of walks can be approximated pretty well using a formula of the type ak+1= (α · k + β)ak where ak is the number of walks of length k but α and β are constants. The constant α is negative but β positive and so α · k + β eventually becomes negative but we interpret this to be that there are no walks of length k + 1.

In figure 14 we can see ak+1/akas a function of k for two different graphs. From figure 14 we see that α = −0.110 and β = 5.587 are possible approximations for the 7 × 7 grid but α = −0.317 and β = 4.930 are possible approximations for the 4 × 4 grid. These values were found by taking a best line through the values for k = 5 and upwards.

By using this relation it is also possible to project the optimal walk length, i.e.

Figure 13: Comparison of entropy for self-avoiding continuous walks.

what length gives the highest number of self-avoiding walks. If the number of walks follows this relation the optimal walk length has to be the smallest k such that αk + β < 1.

Unfortunately I do not know of any better method to estimate α and β than to calculate the number of self-avoiding walks for the first few lengths and extrapolate, possibly making use of the fact that (α · k + β) should become 0 for k somewhere between n − 1 and n for a graph with n nodes.

A very simple non-rigorous method to estimate these values can be found by noting the following: After k steps there are n − k cells that have not been used so far so the odds that a neighbouring cell of the k-th cell (excluding current cell and the cell which the pattern just came from) has not been used already can be estimated by (n − k − 2)/(n − 2). Using this approximation and that in the next step there are d_k− 1 possible moves, where dkis the degree of the k-th node in the walk, we have that the number of possible directions for the walk is approximately ^n−k−2_n−2 (d_k− 1). Let’s call the average degree of the graph d, and use that in our approximation we have that the number of possible directions is roughly

n − k − 2

n − 2 (d − 1) = (d − 1) − d − 1 n − 2k

Figure 14: ak+1/ak as a function of k for 4 × 4 and 7 × 7 grids with diagonal movement.

so our estimation is α = −(d − 1)/(n − 2) and β = (d − 1). For the 7 × 7 grid this gives us α = −0.1142 and β = 5.3673 and for the 4 × 4 grid this gives us α = −0.3036 and β = 4.2500.

3.8 Paths Consisting of Multiple Strokes

Finally it is possible to add a bit of non-continuity into the walks mentioned earlier by using multiple strokes. The idea is that a walk can at any point suddenly go to any other cell in the grid by jumping there and thus starting a new stroke. An example containing two strokes is shown in figure 15, it starts in the upper right corner, goes down a couple of cells and then jumps to the left side and finishes the pattern in a regular manner.

Figure 15: An example of a walk containing two strokes.

Calculating the number of walks that include multiple strokes can be done in a similar way as before. For the first two types, the continuous walk and the continuous non-backtracking, it is possible to use a similar matrix multiplication

method using also an adjacency matrix that corresponds to valid jumps. If we say we can jump to any cell except for the current one, the jump adjacency matrix, let’s call it C becomes a matrix of 1’s everywhere except for the main diagonal where there are only 0’s. The number of walks of length k that start in node i and end in node j consisting of two strokes can now be seen to be

k−2

X

t=0

(A^tCA^k−2−t)(i, j)

If we have more than two strokes we need more terms but the idea of looking at each possible moment for the jumps and summing remains the same. If we are considering non-backtracking walks we substitute the A matrices for corresponding M matrices from the non-backtracking analysis.

For the self-avoiding walks in multiple strokes an approximate random walk method can be used.

Figure 16 shows the number of possible walks with multiple strokes. Here it is possible to jump to any cell in the grid except for the current one. The grid sizes used are 5 × 5, 7 × 7 and 9 × 9, the underlying graph is a diagonal lattice and the comparison comes from table 1. In figure 17 we have a corresponding figure for self-avoiding walks. From the user study which we will discuss in sections 5 and 6 we see that completely self-avoiding walks are perhaps not commonly chosen but it is pretty common to have each individual stroke self-avoiding and in figure 18 we count the number of walks of this type and can see that even partial self-avoidance does reduce the number of walks significantly. From these figures we can see that the number of strokes has a large impact on the total number of walks.

3.8.1 Approximative Formula

As discussed in sections 3.5.1 and 3.6.1 the number of continuous walks in a single stroke of length k can be approximated by c · λ^k−1 where λ and c are constants. If we use this approximation for every stroke in a multi-stroke pattern we have that the number of patterns of length k with s strokes is approximately

k − 1 s − 1

 c^sλ^k−s

because we can choose where to start s − 1 strokes out of k − 1 possibilities (the first stroke is forced to start in the first step).

3.9 Summary of the Mathematical Analysis

In this section we have looked at a number of different security analyses for the Abagram and similar systems. Still this is by no means a complete discussion;

there are still many factors to look at, the most important one probably being human preferences. It is a very simplified approach to assume that people would choose a pattern uniformly from all patterns of a certain type. Most likely some

Figure 16: Comparison of entropy for continuous walks consisting of multiple strokes.

patterns are more popular than others and this reduces the entropy.

Given the numbers we have calculated in this section we can ask if it is reasonable for users to create passwords with the entropy of a 12 character long password consisting of all ASCII characters as is recommended. One possible way to reach that goal is to have a 9 × 9 grid, a pattern of length 20 and 4 strokes, another to have a 5 × 5 grid and a pattern of length 21 in 5 strokes.

Figure 17: Comparison of entropy for self-avoiding walks consisting of multiple strokes. The lines for the 5 × 5 grid stop at 19 because of difficulties with computing the values for longer walks.

Figure 18: Comparison of entropy for walks where each individual stroke is self- avoiding, i.e. a stroke does not intersect itself but can intersect other strokes.

4 Constructing the Abagram

4.1 Password Policies and Their Connection to Abagrams

Due to poorly chosen passwords many internet services put special requirements on the passwords, such as that the passwords must contain both upper and lower case letters or that they must contain both letters and digits. There does not exist a standard password policy but a common one is that the password must have a certain minimum length (often 6 or 8), contains both upper and lower case letters and digits or symbols such as !,$ or +. Examples of passwords which satisfy these requirements are ytL$ iUk@, Password123 and ILike2Boogie!

whereas ytLSiUka, password123 and ILIKE2BOOGIE! do not.

These password policies create a problem for the Abagram since the idea of the Abagram is to create passwords from patterns that can be used without any changes done on the server side, therefore the Abagram must be constructed in such a way that the passwords created comply with the corresponding password policy. Since there is no standard password policy the Abagram should be able to acquire the policy for a certain site in some way and then be flexible enough to create valid passwords. Unfortunately, there is currently no standardized protocol for exchanging password policies. We will therefore need to set this issue aside, and simply assume we have such a protocol at our disposal.

4.2 Filling in the Abagram

When deciding what to put in each cell of the Abagram the ultimate purpose must be to do it in such a way that the number of possible passwords is as high as possible. When looking at filled out Abagrams it becomes clear that the password policies decrease the number of possible patterns which can be used as passwords. For example if the password policy is as before the pattern in figure 19 is not a possible secret pattern since the password it creates twLzTcJ does not contain any digits or special characters.

Figure 19: An example of a pattern which the password policies make unvalid.

4.2.1 A Single Character in Each Cell

We will start with looking at the case when there is exactly one character in each cell and then later take a look at what changes if we allow multiple characters in each cell.

Let us take a deeper look into this problem that not every pattern produces a password that satisfies the password policies. We will ignore the policy of a minimum length for a while since with a single character in a cell the only way to meet this requirement is to increase the pattern length.

A very natural way to fill in the Abagram is to simply add a character at ran- dom in each cell. This is of course very fast and easy to implement but perhaps it is possible fill in the Abagram in such a way that it has in general more valid walks.

The problem of filling in an Abagram in such a way that as many walks as pos- sible contain a character from each of the three sets (upper case, lower case and special characters/numbers) does have some similarities with graph colouring.

Graph colouring is the problem of finding out how many colours are needed to colour each node of a graph in such a way that neighbouring nodes (i.e. nodes connected by an edge) never share the same colour. If we consider the related problem of colouring a graph using only three colours with the minimum amount of clashes then that problem can be translated to the problem of filling in the Abagram by making each of the three colours correspond to each of the three different sets of characters. Since it is good for walks in the Abagram to go to a different set of characters in every step, a good colouring of 3 colours is probably also a good way to fill in the Abagram.

There is no easy way of doing an optimal graph colouring but Welsh and Powell describe a greedy algorithm for an approximate solution in [25]. The algorithm is based on ordering the nodes such that the degree of the nodes is decreasing.

The colours are also ordered. Then node 1 is coloured in colour 1, node 2 is coloured in colour 1 if it is not a neighbour to node 1 but colour 2 otherwise and so on. Node i is coloured in the first colour which none of its already coloured neighbours has.

To adjust this algorithm to the Abagram an ordering of the nodes is made and then node 1 is appointed a character from one of the three sets at random. In general node i is appointed a character from a set at random such that node i has a minimum number of neighbouring nodes from that set. As an example if node i has 2 neighbours with upper case characters and 2 neighbours with lower case characters but only one neighbour with a special character/number then node i receives a special character. However if node i has 3 neighbours with a special character/number then node i receives at random either an upper or lower case character. A few different orderings of the nodes were tried for the Abagram but the difference was minimal so the natural ordering described in section 3.5 was used.

Another possible way to fill in the Abagram is to use the algorithm described in [6] which is an iterative algorithm. This was not done here but could be interesting, especially if the graph was more complicated.

In figure 20 the difference between the random algorithm and the greedy algo- rithm is shown. The underlying grid is a 7 × 7 diagonal grid and the pattern is a continuous walk. The number of valid paths was estimated in a similar way as self-avoiding walks were counted. We can see that the difference becomes smaller as the pattern length increases.

Figure 20: The ratio of valid patterns as a function of pattern length.

Finally one might be interested in filling in the Abagram in an optimal way. Let us state this problem in a general way: ”Given a graph G, make a partition of the nodes of G into C sets in such a way that the number of paths of length k that visit a node in at least C⁰ ≤ C of the C sets is maximized.” We will now show that this generalized problem is NP-hard.

By setting the path length k = 2 and the number of sets visited to C⁰ = 2 we can see that if the optimal partition gives a partition such that every path of length 2 visits 2 different sets then this partition is indeed a C-colouring of G and otherwise there does not exist a C-colouring. Thus we have shown that graph colouring can be reduced to the problem of filling in the Abagram in an optimal way and since graph colouring is NP-hard then so is filling in the Abagram.

Note that this proof of the problem of filling in the Abagram is NP-hard is only valid for this general statement of the problem. It might be possible to use the special structure of the graph or more precise password policies to create better algorithms. Our belief is that even though more assumptions are made the problem is still difficult to solve and due to the good performance of the ap- proximative algorithms there is not much to be gained by solving this optimally.

4.2.2 Multiple Characters in Each Cell

By putting multiple characters in each cell the problem of patterns creating passwords which do not comply with the password policies becomes easier to manage. For example by putting three characters, one from each set of char- acters, in every single cell, every possible pattern (even of length 1) creates a password which contains a character from every set. This approach does on the other hand create longer passwords.

Let us take a closer look at the case where we have 2 characters in each cell.

We look at three different approaches, first where both characters are chosen at random, next where the characters are chosen at random with the extra condi- tion that each character in a single cell comes from a different set of characters (let us call this a half-random algorithm) and finally where both characters in a single cell come from a different set of characters and we use the greedy algo- rithm from above. The results can be seen in figure 21

Figure 21: The ratio of valid patterns as a function of pattern length when there are 2 characters in each cell.

4.2.3 Choosing an Abagram for a Given Pattern

If the users choose the pattern before the Abagram is filled, and then the al- gorithms described above are used to fill in the Abagram it might happen that the algorithms propose an Abagram which does not make the password gener- ated from the pattern a valid password, due to the password policies. Then we simply let the algorithms suggest a new Abagram until we get one that legalizes

the pattern, this should not have to take many tries since the probability of the password not complying with the password policies is small. Even though the user chooses the pattern first it is still important to have as many patterns as possible that make a valid password since that makes the pattern harder to guess for someone who has the Abagram.

5 Implementation of the Abagram for a User Survey

To gain a better understanding of the Abagram and similar graphical password systems the Abagram was implemented for a user survey as an Android appli- cation. There were various details that had to be decided for this survey and this section tries to describe those whereas the next section will deal with the results of the survey.

5.1 The Reasons for the Survey

5.1.1 Security Reasons

To gain a better understanding of the security of the system it is important to see what types of patterns users choose. It is not enough to have a large password space if users only use a small portion of the password space. Are users prone to draw symmetrical patterns or to draw straight lines? What are the main differences between a computer-generated pattern and a human generated one?

These are some of the problems we hope to gain insight into.

5.1.2 Human Limitations

When dealing with graphical password systems there are many human limita- tions which are not completely known. For example how long and complicated can the patterns be before people can’t remember them any more? What is a convenient grid-size for regular cellphone displays?

5.1.3 Usability

Finally we also wanted to receive feedback on the usability of the Abagram. Is this something that users find helpful and in what circumstances they would use it? Do users think this approach is safe enough to manage their passwords?

How must the Abagram be integrated into services for users to be interested in using it?

5.2 Structure of Survey

First an email was sent out to numerous people, mostly Ericsson employees.

Those in possession of an Android phone were asked to participate in the study.

Those who replied interest were sent further instructions and the application.

Those who participated in the study were first required to read instructions in an email, then go through the application and finally answer a questionnaire about the test. Both of the emails and a part of the application can be seen in appendix A.

Both the email and the first steps of the application contain some introduction to the Abagram. Then the user gets to try out the Abagram on a 5 × 5 grid.

The user does not have to do anything special, only play around and get used

to the Abagram.

Next up is the first round of three that make the main part of the test. Each round represents a certain level of security, and therefore difficulty of patterns.

In the first round the users are asked to create patterns with entropy of about 28, which is the same as a 6 letter long password containing only lower case letters. The round is in three parts, first the user must make a pattern that is of length at least 9 in a 4 × 4 grid, next the user has to make a pattern of length at least 8 in a 5 × 5 grid and finally a pattern of length at least 7 in a 6 × 6 grid. All the patterns in the first round had to contain at least 2 strokes.

All the pattern requirements can be seen in table 3. The users always had to confirm their patterns by repeating it. At the end of the round the users were asked which size they preferred.

The second round is almost identical to the first one except that the pattern requirements have increased. In this round the entropy aimed for is about 36 which is the entropy of a 6 letter password containing upper case letters, lower case letters and numbers. The requirements for each part can be seen in table 3.

The third round is the same as the two before but now the entropy is about 47 which is the same as an 8 letter password containing upper case letters, lower case letters and numbers. The requirements for each part can be seen in table 3.

Grid size Minimum length Strokes required

4 × 4 9 2

Round 1 5 × 5 8 2

6 × 6 7 2

4 × 4 11 3

Round 2 5 × 5 10 3

6 × 6 9 3

4 × 4 14 4

Round 3 5 × 5 13 4

6 × 6 11 4

Table 3: The minimum requirements for each part of the test.

Finally we asked the users to choose one of the grid sizes and try to make a pat- tern as complicated as they could which they would be capable of remembering.

Once they had chosen their pattern they were asked to take a break from the app to answer the questions in the questionnaire and then return to the app to try to repeat the pattern they had chosen. The patterns and answers to the questions were then sent automatically to us so we could do an analysis on their answers.

5.3 Graphical Decisions

One of the main decisions when implementing the Abagram was the grid size.

When it comes to choosing the size of the grid the main thing to keep in mind is the trade-off between entropy and usability. A larger grid increases the entropy but on the other hand it makes the pattern more difficult to remember and recreate accurately. Because of the screen size of a regular cellphone we figured it would be infeasible to have the grid larger than 6 × 6 since then it would be too difficult to create a desired pattern, the fingers are too big to accurately work the grid. We decided to have three different sizes, 4 × 4, 5 × 5 and 6 × 6, and see what the users preferred. To compensate for a smaller grid the pattern had to be longer.

When dealing with the 6 × 6 grid we found it a bit difficult to remember exactly where the patterns we had created started so we added some different colours in the background to help, as can be seen in figure 22.

Figure 22: The Abagram implementation with a 6 × 6 grid.

It has been noted that one of the things people find most difficult to remember when using graphical password schemes similar to the Abagram is the order in which they draw their pattern [7]. To counter this problem we used different colours for every stroke, the first stroke is always yellow, the second one pink, the third one green, the fourth one blue and then this order is repeated if there are more strokes⁵. Users seemed to like this addition and claimed that this was helpful. In figure 23 we see an example of a pattern using all the colours, by using the order of the colours it is easy to find out in which order the strokes were drawn.

5The order of the colours is based on an Icelandic kindergarten song.

Figure 23: An example of a pattern that utilises all the colours.

The implementation also included buttons to erase the whole pattern and to erase the last step of the pattern.

5.4 Possible Improvements

There are a few things that in hindsight could have been done better. The test was probably too long which resulted in people getting bored with it by the end, or did not have time for it anymore, and did not choose as good patterns as they were capable of. This can quite easily be seen in some of the results, halfway through the test the patterns they make become simpler than before, for example just 4 straight lines.

The main problem with the test was however a programming oversight. It was possible to ”skip” past a cell if the pattern was drawn quickly or by taking a curved path between two cells. This problem is illustrated in figure 24, the pattern in figure (a) generates the password x#} whereas the pattern in figure (b) generates the password x}. This caused people to do some errors when trying to repeat their patterns. The patterns would look the same but the app would not accept them as the same pattern. In a future implementation this is something that should be eliminated, i.e. it should not be possible to create patterns as the one in figure 24 (b) but unfortunately that was possible in this implementation.

(a) (b)

Figure 24: Almost identical patterns giving different passwords.

6 Survey Analysis

In the previous section we mentioned the reasons for doing the survey. In this section we will look at the data we gathered and try to make some conclusions from it. By looking at the patterns people chose we can do a further security analysis of the scheme. The answers to the questionnaire are used to answer the usability questions whereas we gain some insight into human limitations from both the patterns and the questionnaire. There were 17 people who participated in the study, thereof 11 with a background in computer security.

6.1 Pattern Analysis

In section 3 we did a theoretical analysis of the security of the scheme, in more detail we made the assumption that patterns were chosen uniformly from the set of all possible patterns. This is of course not the case and therefore we will study the patterns from the survey to try to see how big of a role human preferences play.

6.1.1 Pattern Length and Number of Strokes

As we saw in section 3 the length of the pattern and the number of strokes play the biggest role when it comes to entropy. Since the first three rounds of the test had restrictions on the length and number of strokes we will only look at the final pattern where we put no restrictions on the users.

The distribution of the lengths can be seen in figure 25 and the average length is 18.9. Note that 10 of the 17 that participated created a pattern of length between 17 and 25 so that seems to be a natural length for people.

Figure 25: The length of the pattern people chose as their final pattern.

The distribution of the number of strokes can be seen in figure 26 with the

average number of strokes at 4.6.⁶ It is interesting to see that 11 patterns use 4 strokes but that has probably to do with the different colours of the strokes. It might be interesting to test this and do another survey using more colours and see if the number of strokes increases.

Figure 26: The number of strokes in the pattern people chose as their final pattern.

6.1.2 Grid Size

In every round the participants were asked to choose the grid size they preferred for that round. Even though the answers varied it was mostly between partici- pants, i.e. each participant usually chose the same grid size for all the rounds, independent of the security requirements of the round.

The results for what size the participants chose for their final pattern can be seen in figure 27

Figure 27: The size chosen for the final pattern.

6There was no significant difference between the participants with a security background and the ones without it. The participants without security background chose patterns with average length 18.8 and average number of strokes 4.7