Graphical passwords are considered to be one of the promising alternatives to conventional textual passwords. However, while offering potential theoretical improvements over their textual counterparts, it is important to evaluate how these authentication methods would fare in practice. In this study, we were interested in the user-generated passwords from the security and usability perspective. We conducted an experiment in which the participants were tasked to create and memorize three types of passwords: a textual password, a chess-based graphical password, and an association-based hybrid textual-graphical password. Two weeks after the initial registration, the users were prompted to log in using their previously created passwords. By comparing the authentication methods, we showed that despite the graphical passwords' advantages, the user-created chess passwords were the weakest, and the users had the most difficulty remembering them after the two-week period. On the contrary, the association-based passwords were just as strong and memorable as the textual passwords. The conclusions drawn from this paper are therefore two-fold: firstly, alternative authentication methods should be evaluated and compared against textual passwords in real-life scenarios to determine their practical value; and secondly, association-based approaches have the potential to augment both the security and memorability of the existing and novel authentication mechanisms.
To protect the password from visual attacks, most password entry screens use a password masking scheme that displays a series of placeholder characters (e.g., dots and asterisks) instead of the actual password. Recent research has however shown the security provided by this form of password masking to be weak against keystroke timing-analytics attacks. The underlying idea behind these attacks is that, even when a password is masked as described above, the timing between consecutive placeholder characters gives away information about the password since the relative locations of characters on the keyboard dictate how fast fingers move between them. In this paper we argue that, for security-sensitive applications, password masking mechanisms ought to hide the true intervals between password characters in order to overcome these kinds of attacks. Making adjustments to these timings however has the potential to pose usability issues given the fact that the typing would not perfectly align with the display of typed content. The paper proposes three different password masking schemes and undertakes a usability evaluation on them. Our early results suggest that user receptiveness to two of the schemes is not much worse than that seen with the conventional (insecure) scheme.
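The leak described in the second abstract, and the trade-off between hiding inter-key intervals and display lag, can be simulated with a small added example (not code from the paper; the "cadence" policy is an assumed mitigation, not one of the paper's three schemes, and the keystroke timestamps are constructed):

```python
# Simulation of the keystroke-timing leak through a masked password field.
# Constructed example for the abstract above, not code from the paper; the
# "cadence" policy is an assumed mitigation, not one of the paper's three schemes.
from typing import Dict, List

# Constructed press timestamps (seconds) for a six-character password.
# The gaps differ because fingers travel different distances between keys.
KEYSTROKES: List[float] = [0.00, 0.12, 0.45, 0.52, 0.90, 1.31]


def intervals(times: List[float]) -> List[float]:
    """Gaps between consecutive events: all that an observer watching the
    placeholder characters appear can measure."""
    return [round(b - a, 3) for a, b in zip(times, times[1:])]


def echo_mask(press_times: List[float]) -> List[float]:
    """Conventional scheme: a placeholder appears the instant a key is pressed,
    so the placeholder cadence reproduces the keystroke cadence exactly."""
    return list(press_times)


def cadence_mask(press_times: List[float], tick: float) -> List[float]:
    """Assumed mitigation: placeholders are queued and released one per fixed
    tick, never before the key is actually pressed. With tick >= the largest
    plausible inter-key gap, every observable interval equals tick."""
    shown: List[float] = []
    for t in press_times:
        release = t if not shown else max(t, round(shown[-1] + tick, 3))
        shown.append(release)
    return shown


def max_display_lag(press_times: List[float], shown_times: List[float]) -> float:
    """Usability cost: the longest a typed character waits before its placeholder
    appears (the typing/display misalignment the abstract warns about)."""
    return max(round(s - p, 3) for p, s in zip(press_times, shown_times))


def compare(tick: float = 0.5) -> Dict[str, object]:
    """Observable gaps under both policies plus the lag the mitigation costs."""
    echoed = echo_mask(KEYSTROKES)
    paced = cadence_mask(KEYSTROKES, tick)
    return {
        "true_gaps": intervals(KEYSTROKES),
        "echo_gaps": intervals(echoed),      # identical to true gaps: full leak
        "cadence_gaps": intervals(paced),    # all equal to tick: nothing to learn
        "cadence_lag": max_display_lag(KEYSTROKES, paced),
    }


if __name__ == "__main__":
    print(compare())
```

A smaller tick reduces the lag but lets intervals longer than the tick show through, which is the usability/security trade-off the schemes in the paper have to navigate.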