Concepedia

Publication | Closed Access

Graphical Authentication Resistance to Over-the-Shoulder-Attacks

Citations: 11

References: 18

Year: 2017

Abstract

Graphical passwords offer advantages for memorability over conventional alphanumeric passwords, but in some cases they have been vulnerable to over-the-shoulder-attacks (OSA). Thus, many second-generation graphic based schemes are specifically designed to be resistant to OSA. This is often achieved by not having users select targets directly, but by adding cognitive operations to create seemingly random response patterns. This study takes the first step to directly compare three prototypical graphical password schemes to determine their relative resistance to OSAs employing a within-subjects design. We found that schemes requiring cognitive operations in response to target patterns were superior to direct selection of targets. Convex Hull Click was most secure, followed by What You See is What You Enter, while Use Your Illusion showed high vulnerability to OSA. In addition, we discuss a diversity of previous measurements, which are meant to examine security strength of new approaches. We highlight the need for standard OSA resistance measures depending on threat model needs.
