Detection of DIAG and LINE Patterns in PassPoints Graphical Passwords Based on the Maximum Angles of Their Delaunay Triangles

Lisset Suárez-Plasencia; Joaquín Alberto Herrera-Macías; Carlos Miguel Legón-Pérez; Guillermo Sosa-Gómez; Omar Rojas

doi:10.3390/s22051987

Detection of DIAG and LINE Patterns in PassPoints Graphical Passwords Based on the Maximum Angles of Their Delaunay Triangles

Sensors (Basel). 2022 Mar 3;22(5):1987. doi: 10.3390/s22051987.

Authors

Lisset Suárez-Plasencia¹, Joaquín Alberto Herrera-Macías¹, Carlos Miguel Legón-Pérez¹, Guillermo Sosa-Gómez², Omar Rojas^{2

3}

Affiliations

¹ Instituto de Criptografía, Facultad de Matemática y Computación, Universidad de la Habana, Habana 10400, Cuba.
² Facultad de Ciencias Económicas y Empresariales, Universidad Panamericana, Álvaro del Portillo 49, Zapopan 45010, Jalisco, Mexico.
³ Faculty of Economics and Business, Universitas Airlangga, Surabaya 60286, East Java, Indonesia.

Abstract

An alternative authentication method to traditional alphanumeric passwords is graphical password authentication, also known as graphical authentication, for which one of the most valuable cued-recall techniques is PassPoints. This technique stands out for its security and usability. However, it can be violated if the user follows a predefined pattern when selecting the five points in an image as their passwords, such as the DIAG and LINE patterns. Dictionary attacks can be built using these two patterns to compromise graphical passwords. So far, no reports have been found in the state of the art about any test capable of detecting graphical passwords with DIAG or LINE patterns in PassPoints. Studies carried out in other scenarios have shown the effectiveness of the characteristics of Delaunay triangulations in extracting information about the dependence between the points. In this work, graphical passwords formed by five randomly selected points on an image are compared with passwords whose points contain patterns of the DIAG or LINE type. The comparison is based on building for each password its Delaunay triangulation and calculating the mean value of the maximum angles of the triangles obtained; such a mean value is denoted by amadt. It is experimentally shown that in passwords containing DIAG and LINE patterns, the value of amadt is higher than the one obtained in passwords formed by random dots. From this result, it is proposed to use this amadt value as a statistic to build a test of means. This result constitutes the work's main contribution: The proposal of a spatial randomness test to detect weak graphic passwords that contain DIAG and LINE type patterns. The importance and novelty of this result become evident when two aspects are taken into account: First, these weak passwords can be exploited by attackers to improve the effectiveness of their attacks; second, there are no prior criteria to detect this type of weak password. The practical application of said test contributes to increasing PassPoints security without substantially affecting its efficiency.

Keywords: DIAG patterns; LINE patterns; PassPoints; graphical passwords; maximum angles of a Delaunay triangle.