• DocumentCode
    652233
  • Title

    Exploring the Guessability of Image Passwords Using Verbal Descriptions

  • Author

    Chowdhury, Shuvro ; Poet, Ron ; Mackenzie, Lewis

  • Author_Institution
    Sch. of Comput. Sci., Univ. of Glasgow, Glasgow, UK
  • fYear
    2013
  • fDate
    16-18 July 2013
  • Firstpage
    768
  • Lastpage
    775
  • Abstract
    One claimed advantage of the image passwords used in recognition-based graphical authentication systems (RBGSs) over text passwords is that they cannot be written down or verbally disclosed. However, there is no empirical evidence to support this claim. In this paper, we present the first published comparison of the vulnerability of four different image types (Mikon, doodle, art and everyday object images) to verbal/spoken descriptions when used as passwords in an RBGS. This paper considers one of the human factors in security, i.e. password sharing through spoken descriptions. The user study, conducted with 126 participants (56 callers/describers and 70 listeners/attackers), measures how easy it is for an attacker to guess a password in an RBGS if the passwords are verbally described. The experimental setup is a two-way dialogue between a caller and a listener over the telephone using a repeated measures protocol, which measures mean successful login percentage. The results of the study show the object images to be most guessable, and doodles follow close behind. Mikon images are less guessable than doodles, followed by art images, which are the least guessable. We believe that unless human factors in security like the one considered in this paper are taken into account, RBGSs will always look secure on paper but fail in practice.
  • Keywords
    human factors; image coding; security of data; Mikon image; RBGS; art image; doodle image; everyday object images; human factors; image password guessability; password sharing; recognition based graphical authentication systems; repeated measure protocol; spoken descriptions; text passwords; verbal descriptions; Art; Authentication; Educational institutions; Electronic mail; Image recognition; Protocols; graphical authentication; guessability study; human factors in security; image passwords; password disclosure; verbal descriptions;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Trust, Security and Privacy in Computing and Communications (TrustCom), 2013 12th IEEE International Conference on
  • Conference_Location
    Melbourne, VIC
  • Type

    conf

  • DOI
    10.1109/TrustCom.2013.93
  • Filename
    6680913