On automated image choice for secure and usable graphical passwords

Paul Dunphy, Patrick Olivier

Research output: Chapter in Book/Report/Conference proceedingConference PaperResearchpeer-review

5 Citations (Scopus)


The usability of graphical passwords based upon recognition of images is widely explored. However, it is likely that their observed high memorability is contingent on certain attributes of the image sets presented to users. Characterizing this relationship remains an open problem; for example, there is no systematic (and empirically verified) method to determine how similarity between the elements of an image set impacts the usability of the login challenge. Strategies to assemble suitable images are usually carried out by hand, which represents a significant barrier to uptake as the process has usability and security implications. In this paper, we explore the role of simple image processing techniques to provide automated assembly of usable login challenges in the context of recognition-based graphical passwords. We firstly carry out a user study to obtain a similarity ranked image set, and use the results to select an optimal per-pixel image similarity metric. Then we conduct a short-term image recall test using Amazon Mechanical Turk with 343 subjects where we manipulated the similarity present in image grids. In the most significant case, we found that our automated methods to choose decoy images could impact the login success rate by 40%, and the median login duration by 35 seconds.

Original languageEnglish
Title of host publicationProceedings - 28th Annual Computer Security Applications Conference, ACSAC 2012
Number of pages10
Publication statusPublished - 1 Dec 2012
Externally publishedYes
Event28th Annual Computer Security Applications Conference, ACSAC 2012 - Orlando, FL, United States of America
Duration: 3 Dec 20127 Dec 2012


Conference28th Annual Computer Security Applications Conference, ACSAC 2012
Country/TerritoryUnited States of America
CityOrlando, FL


  • Security
  • Usability
  • User authentication

Cite this