New Test to Detect Graphic Passwords Clustered in Passpoints, Based on the Perimeter of the Convex Hull

1. Introduction

Studies conducted by various researchers [1,2] indicate that using alphanumeric passwords as an authentication method is not advisable due to the vulnerabilities arising from users’ password creation practices. The primary vulnerabilities in the security of this password type stem from users’ improper selection of characters during the registration process and their tendency to reuse passwords across multiple websites. To facilitate memorization, passwords are typically designed to be short, with limited character variation, and frequently incorporate personal information, thereby enhancing the potential for unauthorized access by imposters [3]. The utilization of artificial intelligence in a recent application aimed at compromising alphanumeric passwords serves as additional evidence for implementing alternative authentication methods [4]. As a means of addressing this issue, graphical passwords have emerged as a potential solution. These authentication systems offer a significantly larger password space compared to alphanumeric passwords. The efficiency of this approach relies on the human capacity to recognize and recall patterns in visual representations, as opposed to memorizing lengthy and intricate sequences of characters [5,6].

The Passpoints system, developed by Wiedenbeck in 2005 [7], is notable for its security and usability compared to other cued-recall type systems [8]. The process involves the user choosing a sequence of five points within an image during the registration phase to serve as their password. During the process of authentication, it is imperative for the user to accurately and precisely repeat the sequence in the correct order, adhering to the specific tolerance set by the system. The system’s weaknesses are evident in the quality of the images chosen by the user or system, the presence of predictable patterns in password creation, and the use of discretization mechanisms that decrease the password space and provide valuable information for conducting dictionary attacks.

To enhance the security of Passpoints, it is crucial to incorporate tools during the registration phase that can notify users about the weakness of their graphic passwords. Additionally, implementing a method during the authentication phase to assess the level of authenticity for each user is equally important. Several articles have been published in recent years addressing the topic at hand. For instance, in the work by [9], a probabilistic model of graphic authentication is proposed for the authentication phase. This model enables the practical measurement of the level of authenticity for each user, categorizing them as high, medium, low, or shallow. Only users with high or medium authenticity levels are authenticated based on the results obtained. In [10] and [11], two spatial randomness tests were introduced to identify non-random, clustered, and regular graphical passwords in Passpoints. These tests were developed in response to the limited effectiveness of traditional tests in verifying complete spatial randomness in this specific scenario [10,12]. Recently, the joint application of the previously mentioned tests has been proposed by [13], making it the most effective alternative currently available as of the time of writing this article. Finally, the proposal presents two tests [14,15] that are proven effective in identifying patterns characterized by points that exhibit a linear or near-linear shape, commonly called smooth patterns. These recent contributions have positioned this graphic authentication system as a viable alternative to conventional authentication methods, offering enhanced security and usability.

The convex hull of a set of n points in the plane is a fundamental concept in computational geometry [16,17,18,19], being the convex hull of a set of points the smallest convex polygon that contains all the points of the set [16,19,20,21], whose efficient implementation is an ongoing area of research [22,23,24,25,26] with applications in various fields. However, there is a lack of references to applications related to security issues, such as the one presented in this work. There exist several algorithms for computing the convex hull, whose complexities are of the order $O\left(n^3\right),O\left(n^2\right),O(nlogn)$. However, in the specific scenario considered in this study, where the n points are randomly distributed, the complexity can be reduced to a linear function of the n of $O\left(n\right)$ points.

The primary attributes of the convex hull of a set of points in the plane include its perimeter, area, and the number of vertices. There have been studies on the statistical properties when the number of points tends to infinity [27,28,29]. Additionally, the convex hull of a random walk determined by an ordered set of points can be calculated, and the statistical properties of this convex hull have also been investigated [30,31]. Research in this field has primarily concentrated on examining the mean limit values of the functional of the convex hull [29], assuming some properties for the set of n points. Currently, the distribution of the perimeter of the convex hull of a random set of points in the plane remains unknown for a finite and significantly small number of points.

This study presents a novel spatial randomness test that can effectively identify graphic passwords clustered in the Passpoints scenario. In this study, a comparative analysis is conducted to evaluate the effectiveness and efficiency of the proposed test in detecting a specific pattern in the graphic passwords of Passpoints. The comparison is made with other tests found in the existing literature that can identify similar patterns. All the implementations and experiments were conducted using M.A.T.L.A.B. R2018a to compare the tests on a P.C. Laptop equipped with an AMD Athlon Silver 3050U processor, running at 2.30GHz, and with 8 G.B. of RAM. The work is organized into five sections: Section 1 1, Introduction, provides an overview of the study; Section 2 2 presents the preliminaries, Passpoints, and known tests to detect graphic passwords in the Passpoints scenario; section 3 3 presents our contribution, which is a new test designed to detect graphical passwords clustered in Passpoints; Section 4 4 shows the comparison with the antecedents; and finally, Section 5 5 presents the conclusions drawn from the study and outlines potential future research directions.

2. Preliminaries

2.1. Passpoints

Using graphical passwords has emerged as a potential solution to address the primary challenge associated with alphanumeric passwords, namely, the user’s struggle to remember highly secure passwords. Alphanumeric passwords typically consist of alphabets with up to 90 symbols. The standard length for these passwords, as recommended by the National Institute of Standards and Technology (N.I.S.T.) [32], is eight characters. This results in a total key space of ${90}^8=4.3\times {10}^{15}$. In the context of Passpoints systems, the key space about outdated image resolutions of $800\times 480$ pixels is $V_5^{800\times 480}=8.3\times {10}^{25}$. Since ${10}^{15}<<{10}^{25}$, Passpoints not only outperforms alphanumerics in terms of usability but also in terms of security. Graphical authentication methods can be categorized into three groups: Recognition Based Technique, Recall Based Technique, and Cued-Recall Based Technique [33]. The cued-recall type systems distinguish themselves from previous systems due to their unique characteristic of only necessitating users to recall and concentrate on specific locations within an image. This feature aims to alleviate users’ cognitive burden by providing a simplified alternative to memorizing a complex array of characters.

Passpoints are notable within the category of graphical authentication systems of the cued-recall type due to their commendable combination of usability and security. The system’s usability involves the user’s selection of five points within an image to serve as their password during the registration phase. The user can either choose the image themselves or have one the system provides. In the authentication process, the user must select the points chosen during the registration phase within a specified neighborhood or tolerance region and in the same sequential order. However, despite the security provided by the large password space, not all images are appropriate for use in Passpoints. One vulnerability of this technique is the potential attack on the points most likely to be selected in the image, commonly referred to as Hotspots in the literature [34]. The recommendation in [7] is to enhance the security of this technique by selecting an image with hundreds of Hotspots that are evenly distributed throughout. Other vulnerabilities arising from user actions, irrespective of the image itself, include the inadvertent selection of specific regions within the image, such as the edges or the center, and the inherent interdependence often observed among the chosen points, such as the password [35,36]. These interdependencies among points are referred to as point patterns [37]. Hackers can exploit the predictability of certain patterns in graphical passwords through various techniques to gain unauthorized access. Therefore, graphical passwords should adhere to a random pattern to maintain security. The strength of a graphical password is compromised when the points are not distributed randomly. Several common non-random patterns have been identified in the study conducted by [38].

2.2. Known Tests to Detect Graphical Passwords Clustered in Passpoints

In this subsection, we present and describe some known tests to detect graphical passwords clustered in Passpoints.

First, we present a test based on the average distance between the points. In [10], an effective spatial randomness test was proposed to detect non-random graphical passwords in Passpoints. Concluding that the mean distances between the 5 points of a graphic password follow a normal distribution, a two-tailed hypothesis test was constructed to differentiate between clustered, random, and regular graphic passwords. Their experiments demonstrated the overall effectiveness of the test in detecting non-random graphic passwords, with a particular emphasis on its ability to identify clustered patterns. They further demonstrated that the efficacy of the intervention is independent of the image size chosen by the user or system. Utilizing an image of dimensions $1920\times 1080$ pixels as a point of reference, the authors created three distinct databases characterized by varying levels of clustering. In the three levels of clustering examined, the test successfully identified approximately $94\%$, $99\%$, and $100\%$ of the passwords analyzed at a significance level $\alpha =0.1$, as recommended by the authors for widespread application.

A test was proposed in [11] that is based on the average of the perimeters of the Delaunay triangles. The study focuses on identifying non-random graphic passwords composed of five clustered or regularly positioned points. The analysis involves conducting a two-tailed test that is centered around the mean of the perimeters of the Delaunay triangles. The perimeters are transformed using the Johnson SB [39] transformation to ensure normality. To effectively implement this test, the authors have underscored the importance of considering the selected image size, as the Johnson SB parameters vary depending on the image sizes. As in the previous test, passwords were simulated for the same clustering levels. A reference image of $1920\times$1080 pixels was used, and it was determined that the effectiveness of the test does not depend on the size of the image selected. For the three levels of clustering, the test yielded detection rates of $87.07\%$, $99.66\%$, and $100\%$, respectively, with a significance level of $\alpha =0.1$. Their results showed that clustering detection is more accurate than regularity.

A joint application of the previous tests in Passpoints. Both tests were designed to be included in graphic authentication systems with the Passpoints technique to enable the system to check the randomness of a password established by the user during the registration phase. Figure 1, extracted from the work of [13], illustrates the schematic representation of the joint application of both tests during the Passpoints registration phase. The authors’ decision to initially employ the test utilizing mean distances between points is justified by its greater efficiency and effectiveness. This approach enables the prompt rejection of non-random passwords with high accuracy. Until the time of this publication, this joint test was the one that reported the most significant effectiveness in detecting clustered graphic passwords. Table 1 shows the number of clustered graphical passwords detected using the joint application of both tests for each of the three clustering levels, consisting of 10,000 passwords each.

3. Our Contribution: New Test to Detect Graphic Passwords Clustered in Passpoints

3.1. Our Hypothesis

The graphic passwords clustered in Passpoints can be characterized as those with points concentrated in a smaller image area. Considering the above, the hypothesis proposes using the perimeter of the convex hull delimited by the five points as an indicator of the clustering measure of the points. Figure 1 shows the convex hull determined by three graphic passwords with patterns of clustering (a), randomness (b), and regularity (c), respectively. Figure 2 supports the proposed hypothesis.

Knowing the probability distribution that best fits the perimeter of the convex hull delimited by five randomly distributed points on the image would enable the development of a hypothesis test capable of differentiating between the three alternative patterns with a predetermined significance level, $\alpha$.

3.2. Estimate of the Probability Distribution of the Perimeter of the Convex Hull

The following experiment was conducted to determine the probability distribution of the perimeter of the convex hull formed by five points uniformly distributed on an image with dimensions of $1920\times 1080$ pixels.

Experiment 1: A total of $1000$ graphical passwords were randomly distributed over an image with dimensions of $1920\times 1080$ pixels were simulated. For each of these passwords, the perimeter of the convex hull they determine was calculated, resulting in a database (DB.1) of $1000$ real values that can be analyzed. To assess the goodness of fit of the data to various probability distributions, we utilized the EasyFit v.5.6 software.

Results of Experiment 1: The data showed an excellent fit to the Johnson SB distribution with parameters $\gamma =-0.65612$, $\delta =1.5922$, $\lambda =4575.1$, $\xi =495.15$. Figure 3 illustrates the fit of the Johnson SB distribution to the data. Three goodness-of-fit tests were used to measure the fit of the data: Anderson-Darling, Kolmogorov-Smirnov, Chi-Square; Table 2 shows the results of these tests.

Knowing these results, it is assumed that the distribution sought is a Johnson SB, whose parameters are shown in Table 3.

3.3. Hypothesis Test Based on the Perimeter of the Convex Hull

Once the probability distribution is known as a Johnson SB, the practical application of this criterion is facilitated by considering the desirable characteristic of the Johnson SB distribution, which can be transformed into a standard Normal distribution. Applying the transformation

$$P_{EC}^N=J_{SB}\left(P_{EC}\right)=\gamma +\delta \times ln[(P_{EC}-\xi )/(\lambda +\xi -P_{EC})],$$

(1)

using the parameters of Table 3, it is obtained that $P_{E.C.}^N\sim N(0,1)$, where $P_{E.C.}^N$ represents the perimeter of the convex hull after performing the Johnson SB transformation. Using this property, the definition of a clustered graphical password detection test is reduced to applying a mean test for the standard Normal distribution $P_{E.C.}^N$.

The proposal consists of a two-tailed test based on the perimeter of the convex hull delimited by the 5 points of a graphic password. The Johnson S.B. transforms these points into a standard Normal distribution. To apply this test, the image size that the user selects must be considered, as the estimated parameters for the Johnson SB distribution depend on it.

3.3.1. Definition of the Proposed Test

The null hypothesis

$$H_0:E\left[P_{E.C.}^N\right]=0$$

is proposed, indicating that the graphic password selected by the user is random if the transformation through the Johnson SB of the perimeter of the convex hull to a standard Normal distribution is equal to 0. As an alternative hypothesis, we have

$$H_1:E\left[P_{E.C.}^N\right]\ne 0$$

if the evidence is less than zero, which indicates clustering; otherwise, it indicates regularity. As a test statistic, the Johnson SB transformation of the perimeter of the convex hull is bounded by the points of a graphic password

$$Z=J_{SB}\left(P_{P_{EC}}\right)=\gamma +\delta \times ln[(P_{P_{EC}}-\xi )/(\lambda +\xi -P_{P_{EC}})],$$

(2)

with the selection of values for the parameters according to the size of the image, with critical region $\{z:Z<-z_{\alpha /2}$ or $Z>z_{\alpha /2}\}$, where $\alpha$ is the significance level previously established by the user or system.

3.3.2. Evaluation of the Effectiveness of the Proposed Test

According to the definition of the test, obtaining values of $E\left[P_{E.C.}^N\right]>0$ would indicate a pattern of regularity. However, the results obtained in this aspect during the experiments are not significant compared to those reported by previous studies. Therefore, it is not necessary to include them in this article. In this section, only the results concerning the detection of clustered patterns are reported, which constitutes the main contribution of this work. The following experiments were conducted to estimate the type I and type $II$ errors made by the proposed test.

Experiment 2: To estimate the probabilities of committing a Type I error, we simulated $10000$ new graphic passwords. The points in these passwords were randomly distributed over the image. These passwords are clustered in the database and labeled as DB.2. The proposed test was applied to each of these passwords, and the number of false positives obtained for each significance level were counted for $\alpha \in \{0.2,0.1,0.05,0.02,0.01\}$. The results of experiment 2 are summarized in the following Table 4.

In each case, the estimated probability of committing a type I error corresponds to the predetermined theoretical significance levels. Observe that this proper adjustment is only expected if the procedures carried out up to the moment of adjusting to the Johnson SB distribution and its subsequent transformation are correct. Therefore, these values contribute to the validity of the proposed test.

Experiment 3: To evaluate the effectiveness of the proposed test in detecting clustered graphical passwords, a total of $30000$ graphical passwords distributed across three clustering levels were generated. The first clustering level, DB.3.1, comprises $10000$ graphical passwords generated using an aggregation distance of 410 pixels. The second clustering level, DB.3.2, comprises $10000$ graphical passwords generated using an aggregation distance of 335 pixels. The third level, DB.3.3, comprises $10000$ graphical passwords generated using a 290-pixel aggregation distance. The proposed test was applied to each of these passwords, and the number of passwords detected for each clustering level was recorded, obtaining an estimate of the type $II$ error committed. Table 5 and Figure 4 present the estimation of the probability of committing a type $II$ error. Figure 4 illustrates the number of clustered passwords detected by the test for each database.

The obtained results provide evidence of the validity and effectiveness of the proposed test. Observe that while for DB.3.1, the minimum detection value recorded is $41.1\%$, for DB.3.2 and DB.3.3, the values exceed $90.7\%$ and $99.4\%$, respectively. This is a clear sign that the test becomes more effective with the increase in the clustering level, which is consistent with the formulated hypothesis. The test is particularly effective for the significance levels $\alpha =0.1$ and $\alpha =0.2$, achieving detection rates of over $94.4\%$ and $99.7\%$, respectively, in all cases. These two levels may be suitable for systems or users with high-security requirements. However, due to their high rate of false positives, using $\alpha =0.05$ as the standard for more general purposes is recommended. This threshold achieves a detection rate close to $80\%$ in all cases, with a false positive rate of 1 in 20.

4. Comparison with Other tests in the Literature

The test proposed in this article was compared to previous methods in terms of its effectiveness in detecting clustered graphic passwords and its efficiency. For this study, the tests to be compared will be denoted as follows: Test 1, which is based on the average distance between the points [10]; Test 2, which is based on the average of the perimeters of the Delaunay triangle [11]; Test 3, which is the joint application of the previous tests [13]; and Test 4, which is the test proposed in this study. Of the references consulted, the one that has shown the highest effectiveness is test 3. Therefore, it will serve as our benchmark in this regard. Regarding efficiency, the best option is test 1; we will compare our test with it.

4.1. Effectiveness

Since the pooled password databases used in this work were generated following the same algorithm described in [13], it is possible to compare the reported results directly. Table 6 shows the difference in type $II$ errors of Test 3 compared to the proposed Test 4.

The proposed test reduces the type $II$ error when determining the best antecedents for each analyzed significance level $\alpha$. This results in an increase in the percentage of graphic passwords detected, as shown in Figure 5 and, therefore, in the overall effectiveness of the test.

4.2. Efficiency

To assess the efficiency of the proposed tests, they were implemented in Matlab 2018 software, adhering to the guidelines outlined in their respective original articles. Subsequently, the execution time of 100 graphical passwords was measured. The results are summarized in Table 7. Regarding efficiency, the proposed test outperforms Test 3 in the three times measured but is surpassed by Test 1 in all cases.

5. Conclusions and Future Work

This paper proposes a new test for detecting clustered graphic passwords in Passpoints. This test’s novelty is that its estimated type $II$ error and detection rate are the best reported so far. The execution time of the test was greater in the experiments conducted than in the previous best results. However, this difference is insignificant regarding the test’s usability, as it is imperceptible to the users.

In this work, we proposed the hypothesis that the perimeter of the convex hull determined by the 5 points of a graphical password Passpoints would be an effective test statistic in detecting clustering patterns. This hypothesis is based on intuitive and visual evidence that the perimeter decreases when the points are closest. It was demonstrated using the EasyFit software and several goodness-of-fit tests that the proposed test statistic follows a Johnson SB distribution with parameters $\gamma =-0.65612$, $\delta =1.5922$, $\lambda =4575.1$, $\xi =495.15$. The Johnson S.B. transformation was used to convert the data to a standard Normal distribution. A mean test was then conducted to evaluate graphical passwords. The effectiveness experiments considered three levels of clustering, following the guidelines established by the antecedents to enable a direct comparison with them. For the first clustering level, the test was able to detect significance levels $\alpha \in \{0.2,0.1,0.05,0.02,0.01\}$ with percentages greater than $99.7\%$, $94.4\%$, $79.7\%$, $55.9\%$, and $41.1\%$ respectively. In the second level, the percentages were $100\%$, $100\%$, $99.9\%$, $97.5\%$, and $90.7\%$, respectively. In the third level, the percentages were $100\%$, $100\%$, $100\%$, $99.9\%$, and $99.4\%$, respectively. These results allowed us to accept the proposed hypothesis and validate the effectiveness of the proposed test.

In comparison to the antecedents, it can be observed that the effectiveness was superior to that reported by other tests available in the literature for the three clustering levels and the five significance levels. Consequently, this new proposal’s estimated type $II$ error was also lower than that reported in previous studies, reducing up to about $0.08$ in the best cases. The measured execution time of the proposed test ranks it second among the previous tests. However, the differences between these times are indistinguishable in practice. Therefore, we believe the most important factor to consider when selecting a test is its effectiveness. The experiments conducted in this study and the comparisons made with the existing literature suggest that the proposed test is the most effective option for determining clustered graphic passwords in Passpoints. However, the selection of the significance level to be used is left to the choice of the user or system, depending on their security needs. The authors recommend using a standard significance level of $\alpha =0.05$ for general purposes. With this level, a detection rate of more than $79.7\%$ is achieved in each case, with one false positive for every 20 attempts. The test was designed to be integrated into graphical authentication systems of the cued-recall type, preventing users from selecting easily guessable passwords. Graphics with clustered patterns contribute to the strength of passwords and enhance the system’s security.

In future work, the hypothesis of complementarity between the newly proposed test and those already existing in the literature is left open. A possible scenario where two or more of the tests complement each other would allow for increased detection values and a reduction in type $II$ error.