Abstract
In commonplace textual password schemes, users choose passwords that are
easy to recall. Since memorable passwords typically exhibit patterns, they are
exploitable by brute-force password crackers
using attack dictionaries. This leads us to ask
what classes of graphical passwords users find memorable.
We postulate one such class
supported by a collection of cognitive studies on visual recall,
which can be characterized as mirror symmetric (reflective) passwords.
We assume that an attacker would put this class in an
attack dictionary for graphical passwords and propose how an attacker
might order such a dictionary.
We extend the existing analysis of graphical passwords by analyzing the size
of the mirror symmetric password space relative to
the full password space of the graphical password scheme
of Jermyn et al. (1999), and show it to be exponentially
smaller (assuming appropriate axes of reflection).
This reduction in size can be compensated for by longer passwords:
the size of the space of mirror symmetric passwords of length
about L+5 exceeds that of the full password
space for corresponding length L ≤ 14 on a 5 × 5 grid.
This work could be used to help in
formulating password rules for graphical password users and in creating
proactive graphical password checkers.
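As an added illustration of the "proactive graphical password checker" idea the abstract closes with (example code written for this page, not the authors' own checker or the scheme of Jermyn et al.): the snippet below models a DAS-style drawing on the 5 × 5 grid as a list of strokes, each a sequence of (row, col) cells, and rejects a drawing whose set of covered cells is invariant under reflection about any of the four axes through the grid centre. The representation, the choice of only centre axes, and the fact that stroke order and pen-ups are ignored are simplifying assumptions of this example, not a restatement of the paper's analysis.

```python
"""Proactive checker that flags mirror-symmetric drawings on a 5 x 5 grid.

Added example (assumption-laden): a drawing is a list of strokes, each a
sequence of (row, col) cells on a 5 x 5 grid; symmetry is tested on the set
of covered cells, about the four axes passing through the grid centre only.
"""
from typing import Callable, Dict, Iterable, List, Set, Tuple

Cell = Tuple[int, int]          # (row, col), zero-based
GRID = 5                        # the 5 x 5 grid used in the abstract

# Reflections of a cell about the four axes through the centre of the grid.
REFLECTIONS: Dict[str, Callable[[int, int], Cell]] = {
    "vertical":     lambda r, c: (r, GRID - 1 - c),               # left <-> right
    "horizontal":   lambda r, c: (GRID - 1 - r, c),               # top <-> bottom
    "diagonal":     lambda r, c: (c, r),                          # main diagonal
    "antidiagonal": lambda r, c: (GRID - 1 - c, GRID - 1 - r),    # other diagonal
}


def drawn_cells(strokes: Iterable[Iterable[Cell]]) -> Set[Cell]:
    """Collapse a drawing into the set of grid cells it covers.

    Stroke order and pen-up events are deliberately discarded: this checker
    asks only whether the picture itself is symmetric.
    """
    cells: Set[Cell] = set()
    for stroke in strokes:
        for r, c in stroke:
            if not (0 <= r < GRID and 0 <= c < GRID):
                raise ValueError(f"cell {(r, c)} lies outside the {GRID}x{GRID} grid")
            cells.add((r, c))
    return cells


def symmetry_axes(strokes: Iterable[Iterable[Cell]]) -> List[str]:
    """Return the names of centre axes about which the drawing is mirror symmetric."""
    cells = drawn_cells(strokes)
    if not cells:
        return []
    return [
        name for name, reflect in REFLECTIONS.items()
        if {reflect(r, c) for r, c in cells} == cells
    ]


def check_password(strokes: Iterable[Iterable[Cell]]) -> Tuple[bool, str]:
    """Proactive check: reject drawings that fall into the mirror-symmetric class."""
    axes = symmetry_axes(strokes)
    if axes:
        return False, "rejected: drawing is mirror symmetric about " + ", ".join(axes)
    return True, "accepted"


# Constructed sample drawings (not from the paper).
V_SHAPE = [[(0, 0), (1, 1), (2, 2), (1, 3), (0, 4)]]          # symmetric about the vertical axis
CROSS = [[(0, 2), (1, 2), (2, 2), (3, 2), (4, 2)],            # symmetric about all four axes
         [(2, 0), (2, 1), (2, 3), (2, 4)]]
HOOK = [[(0, 0), (0, 1), (1, 1), (2, 1)], [(2, 3)]]           # no centre-axis symmetry

if __name__ == "__main__":
    for name, drawing in (("V_SHAPE", V_SHAPE), ("CROSS", CROSS), ("HOOK", HOOK)):
        ok, reason = check_password(drawing)
        print(f"{name:8s} -> {reason}")
```

Running the module prints one verdict per sample: the V shape and the cross are rejected with the axes named, and the hook is accepted. A production checker built on the paper's results would also weigh axes that do not pass through the centre and the stroke structure of the drawing; this example only shows the shape of the check.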