5 Additional Observations and Future Work
One may question the likelihood of users choosing symmetric graphical passwords, based solely on cognitive studies on visual recall. It is interesting to note that out of the 8 example passwords in the original DAS paper [11], 5 fall under our definition of globally symmetric and 7 fall under our definition of locally symmetric. We believe it is difficult to conjure many visually pleasing patterns that do not exhibit symmetry.
The graphical dictionaries discussed earlier do not include repetition symmetry when the components are asymmetric (e.g. Fig. 15) or rotational symmetry. These two forms of symmetry could be classified as Class II and III memorable passwords. These symmetries were not addressed in this analysis as cognitive studies report that they do not hold the same special status as mirror (reflective) symmetry in human perception. It is unknown whether people are as likely to recall repetitive or rotational symmetry more or less efficiently as mirror symmetry. It would be interesting to explore the effect of adding these two forms of symmetry on our graphical dictionaries.
Another interesting direction would be to determine the effect on a dictionary of limiting the number of strokes in DAS passwords to e.g. 3 or 4. One psychological study [7] has shown that people optimally recall 6 to 8 dots in a pattern when given 0.5 seconds to memorize each. Another study [9] found that the number of dots recalled in different grid sizes decreases drastically after 3 or 4 dots. Note that a user must recall two points for each stroke: the start and end points. A conservative analogy of how these studies relate to our dictionaries is to assume users naturally recall at most 4 strokes.
An attacker could use this knowledge to further prioritize a dictionary and/or reduce its size. We note that all permutations of dots that lie on a cell that is cut by a reflection axis are counted in these graphical dictionaries, as each is considered an enclosed case. All permutations of dots form a significant part of the set of enclosed cases (and the full DAS password space), as the number of dot permutations for a given Lmax is
The summation counts all passwords up to length Lmax; ( W × H )i counts all possible dot permutations of length i, as each dot is of length 1 and there are (W × H) cells that may be chosen for each dot. When all axes are used, Lmax = 12, H=5, and W=5, the number of dot permutations is approximately 256. This is because when a password's strokes are longer for a password of fixed length, there are fewer strokes and thus fewer permutations of its composite strokes. This limitation would not restrict the overall length of the password -- it could still be very long. We expect that if one models 4 as the maximum number of strokes per password, the size of the Class I memorable password space will be significantly less than our results for Lmax > 4. The implication of this would be that DAS passwords may be less secure than otherwise believed.
One way to increase the password space without increasing the required password lengths would be to increase the grid size. However, this may have a negative effect on the memorability of DAS passwords, since it has been found that the recall performance of subjects decreases as a function of the grid size [9]. Alternatively, the DAS password space could be increased by adding user-selected characteristics to the drawing such as colour, backgrounds, and textures.
Although the focus of our work is the hypothetical application of a mirror symmetric graphical dictionary on the DAS scheme, this method of analysis could be applied to a variety of other graphical password schemes. For example, Birget et al. [2] propose the users be provided an image, and asked to choose a given number of click points. One could assume that a user would be more likely to choose symmetric objects in an image as click points. The same assumption might be valid for the Déjà Vu scheme [6], where the attacker would presume the user's portfolio is more likely to contain symmetric random art images.