Exploring the Effect of Resolution on the Usability of Locimetric Authentication
Antonios Saravanos, Dongnanzi Zheng, Stavros Zervoudakis, Donatella Delfino, Laura Hynes-Keller
AAn Exploration of Hot-Spots in Locimetric Passwords
Antonios Saravanos
New York University
Dongnanzi Zheng
Columbia University
Stavros Zervoudakis
New York University
Donatella Delfino
New York University
Laura Hynes-Keller
LHK Communications, LLC
Abstract
Locimetric authentication is a form of graphical authentica-tion where users validate their identity by selecting predeter-mined points on a predetermined image. Its primary ad-vantage over the ubiquitous text-based approach stems from users' superior ability to remember visual information over textual information, coupled with the authentication process being transformed to one requiring recognition (instead of re-call). Ideally, these differentiations enable users to create more complex passwords, which theoretically are more se-cure. Yet, locimetric authentication has one significant weak-ness, hot-spots, that is, areas in an image that users gravitate towards and consequently have a higher probability of being selected. This paper investigates whether the hot-spot prob-lem persists with high-resolution images, as well as whether user characteristics and password length play a role. Our find-ings confirm the presence of hot-spots in high-resolution im-ages, thus influencing the locimetric authentication scheme's effectiveness. Furthermore, we find that neither user charac-teristics (such as age, gender, and income) nor password length radically influence their extent. We conclude by pro-posing strategies to mitigate the hot-spot phenomenon.
Locimetric authentication (also known as click-based authen-tication) is a graphical mechanism that verifies users’ identity through their selection of a series of predetermined points on an image in a particular order. Originally described by Blonder [5] in his patent filing (US5559961A), it serves as the first form of graphical authentication. Over the years, sev-eral other implementations of the scheme have been devel-oped, such as PassPoints [31], Cued Click Points [8], and Persuasive Cued Click-Points [6]. Yet, none of these imple-mentations enjoy the level of diffusion as Microsoft’s Picture Password, which is installed by default on any machine run-ning the Windows 8 operating system or higher. In actuality, Picture Password is a combination of two schemes, locimet-ric and drawmetric, with the user empowered to select how much of each method they prefer to use. Thus, the password that is created could be fully locimetric, fully drawmetric, or a combination of both schemes. Drawmetric authentication is a form of graphical authentication which validates users by requiring them “to draw a preset outline figure, either on top of an image or on a grid” [9]. Given the prominence of the Windows operating system, especially in the desktop market, insight into the potential weaknesses inherent with locimetric authentication is valuable. In this paper, we focus on one of these weaknesses: the users’ propensity to select the same point on images to form their passwords, known colloquially as hot-spots [8] (or sometimes as click-point clustering [23]).
The existence of hot-spots was initially speculated by Wiedenbeck et al. [31], who wrote, “logically, it seems that many users may be attracted to incongruous or unexpected elements in an image”. Indeed, while theoretically, locimetric authentication has the potential to be superior to text-based authentication, as illustrated by Wiedenbeck et al. [31], if us-ers only select from specific regions, the effectiveness of the scheme drops. Several authors have reported the presence of hot-spots when studying the usability of locimetric authentication. Wiedenbeck et al. [29] investigated using the ClickPoints im-plementation relying on images with a resolution of 451 by 331 pixels. When their study [29] was conducted in 2005, the resolution could be described as adequate. At the time of this writing, it is considered a particularly low-resolution. To ac-count for backward compatibility, later studies retained the low-resolution specification. This includes other evaluations using PassPoints [30], web-based simulations inspired by PassPoints [24], Java-based simulations inspired by PassPoints [10], and Persuasive Cued Click-Points [7]. . his presence of hot-spots on previously studied images used for authentication hypothetically could be attributed to their low-resolution. Accordingly, increasing the resolution should then resolve the hot-spot problem. Indeed, as the resolution increases, there would be more points for users to click on. We were able to find one paper that examines high-resolution images within the context of the Picture Password mecha-nism. Gao et al. [11] undertook a holistic evaluation of the usability of Microsoft’s Picture Password. Simulating the Windows 8 operating system, the authors do not explicitly state the size of the images that they used, but they do disclose that they used “a PC with a 19-inch screen and 1024 x 1280 screen resolution”. The authors go on to report the presence of hot-spots in the three images that they studied. Our re-search builds on Gao et al.’s [11] efforts, focusing exclusively on the locimetric aspects of Picture Password, looking at a greater spectrum of images, to determine if: (1) Evidence of clustering can be observed with high-resolution images, thereby influencing the effective-ness of the scheme. (2)
Increasing the points for passwords (e.g., from 3 points to 5 points) affects the presence of clustering. (3)
User demographics (in particular, gender, age, and income) are related to the quality of locimetric pass-words that are established.
To evaluate the effect that usability plays on the security of locimetric authentication, a series of web-based experiments were held. Participants were asked to generate a series of lo-cimetric passwords using software designed to simulate the password setup phase to generate a series of locimetric pass-words based upon preselected images (which can be seen in Table 1). Participants were asked to create a total of 7 pass-words, each comprised of five-points, and then reinput each password for verification. Participants were required to open the locimetric authentication simulator to a resolution of 1280 by 720 pixels (or higher) in order to participate. Table 1. Images used for the experiment. Id Image / Title / Reference Sample Size 1 Home Interior [15] 118 2 Vegetables [16] 117 3 Landscape [17] 119 4 Vehicle [18] 117 Spices [19] 116 6 Hot Air Balloons [20] 118 7 Drawing Tools [21] 119
We recruited participants using Amazon Mechanical Turk (also known as MTurk), which has become quite popular for computing experiments [13]. Indeed, a cursory search of the term ‘MTurk’ on the Association of Computing Machinery’s digital library (as of January 1 st , 2020) yielded 1,430 records. Our sample was comprised of a total of 123 participants from the United States who were all properly compensated, well above the federal minimum wage of $7.25 / hour for partici-pating in the experiment [26]. From these, 69 (56.10%) of them identified as male, 53 (43.09%) as female, and 1 (0.81%) as non-binary. The majority (26.02%) of participants were aged between 31 and 35 years, followed by 36 and 45 years (24.39%). Slightly over two-thirds of our participants (73.17%) were white. Concerning income, participants re-ported a wide range, which included values that were less than $10,000 to more than $150,000. Most of the participants (61.79%) had an income from $20,000 to $69,999, with 87 (70.74%) reporting that they had earned at least an associate degree. In comparison, 24 (19.51%) had some college educa-tion in their backgrounds, but no degree. These characteris-tics are outlined in greater detail in Table 2. Table 2. Participants’ Profile Factor Category N % Gender Male 69 56.10% Female 53 43.09% Non-Binary 1 0.81% Income $10,000 - $19,999 8 6.50% $20,000 - $29,999 15 12.20% $30,000 - $39,999 13 10.57% $40,000 - $49,999 15 12.20% $50,000 - $59,999 20 16.26% $60,000 - $69,999 13 10.57% $70,000 - $79,999 7 5.69% $80,000 - $89,999 5 4.07% $90,000 - $99,999 4 3.25% $100,000 - $149,999 11 8.94% $150,000 or more 5 4.07% Prefer not to answer 1 0.81% Age 18-25 15 12.20% 26-30 21 17.07% 31-35 32 26.02% 36-45 30 24.39% 46-55 16 13.01% 56 or older 9 7.32% Race Asian 6 4.88% Black or African American 23 18.70% Other 4 3.25% White 90 73.17% Education High school graduate 10 8.13% Some college - no degree 24 19.51% Associate's degree 7 5.69% Bachelor's degree 62 50.41% Master's degree 16 13.01% Professional degree 2 1.63% No response 2 1.63% The mean number of passwords that were created for each default image was 117.71 (with a standard deviation of 1.11). To identify whether clustering was present, we first generated scatterplots (see Figure 1) to visualize where each of the pass-word points were located on each of the images, using the seaborn visualization package (version 0.11.1) [27]. We then proceeded to inspect those scatterplots and found clear evi-dence of clustering. To further support this initial finding, we conducted two tests designed explicitly to identify spatial randomness. The first was the Clark-Evans test, and the sec-ond was the Hopkins-Skellam test. For both tests, we relied a) (b) (c) (d) (e) (f) (g) Figure 1. Scatterplot of points that users selected to form their locimetric password. n the R language and software environment for statistical computing (version 4.0.3) [1,3,22] using the spatstat package [2]. According to Petrere [14], one can interpret the results of the Clark-Evans test by examining the R index: indeed, Petrere states that “when R = 0, there is a limit situation of complete aggregation” and then “when R = 1 the pattern of distribution of individuals is random” [14]. The results for both of the Clark-Evans tests (with and without the
Donnelly correction) support the conclusion that clustering was present in all of the high-resolution images tested, as the R values were all between 0 and 1 and were statistically significant. Similarly, the Hopkins-Skellam Test values were all below 1 and statistically significant, again indicating the presence of clustering. Table 3. Spatial Randomness by Image Clark-Evans Test Hopkins-Skellam Test Image R R† A A‡ 1 0.43358 0.42580 0.02623 0.02637 2 0.42951 0.42179 0.01723 0.01557 3 0.38903 0.38210 0.01980 0.02202 4 0.37447 0.36773 0.01667 0.01768 5 0.52127 0.51186 0.02951 0.02715 6 0.35613 0.34975 0.02715 0.02893 7 0.51364 0.50449 0.02061 0.02015 Note: Clustering for 5-points locimetric password. For all values, p < 0.01 † Donnelly edge correction ‡ Monte Carlo simulation
We also examined whether requiring more points for a lo-cimetric password would lead to the reuse of the same point(s) multiple times. To make that determination, we com-pared the presence of clustering when passwords used the first three points selected by users as part of their passwords to when all five points formed their password. Therefore, we conclude that increasing the points for passwords from 3-points to 5-points does not make the randomness stronger. No clear pattern to provide evidence that would indicate reuse was found. Table 4. Clustering for 3-Point Locimetric Passwords Image Clark-Evans Test Hopkins-Skellam Test R † A ‡
1 0.42127 0.02924 2 0.41877 0.02774 3 0.41407 0.04008 4 0.36013 0.01779 5 0.50530 0.03257 6 0.36154 0.03581 7 0.49463 0.02851 Note: For all values, p < 0.01 † Donnelly edge correction ‡ Monte Carlo simulation
In addition, we investigated whether users were likely to se-lect points with approximately the same x-coordinate (and re-spectively, y-coordinate) and within a 10-pixel threshold. In other words, participants would pick points within the same column or row of the image. We discovered that very few participants reuse the same points, ranging between 6 to 12, depending on the image. However, there was a greater ten-dency to pick points within a specific dimension. This result was dependent on the image, from 10 users in one instance to 95 in another. The results can be seen in Table 5. Further-more, we visualized the links between the different points, which illustrate the path that a representative sample of users take when setting up their locimetric passwords, in Figure 2. Table 5. Number of Users who Repeat Points Image x-Dimension y-Dimension Both Dimensions 1 65/118 80/118 6/118 2 19/117 67/117 6/117 3 50/119 41/119 7/119 4 26/117 53/117 12/117 5 10/116 95/116 6/116 6 29/118 56/118 10/118 7 32/119 41/119 6/119 Note: Within 10 pixels.
We also wanted to ascertain whether demographics (gender, age, and income) affect randomness. We applied Clark Evans (with Donnelly edge correction) and Hopkins-Skellam tests (with Monte Carlo simulation) amongst different demo-graphic groups. The test results with 5-point passwords as compared between males (56.10% of the sample size) and fe-males (43.09%) presented in Table 6 revealed that gender doesn’t affect randomness. The test results with 5 point pass-words between people in the age group over 35 (44.72%) and those in the age group of 35 (55.28%) and below, shown in Table 7, revealed that age doesn’t affect randomness. The test results with 5-point passwords between people with an in-come larger than and equal to $50K (52.85%) and people with smaller than $50K (46.34%), shown in Table 8, revealed that income doesn’t affect randomness. a) (b) (c) (d) (e) (f) (g) Figure 2. Sample paths of users’ password selected points, superimposed. able 6. Clustering with Respect to Gender Male Female Clark-Evans Test Hopkins-Skellam Test Clark-Evans Test Hopkins-Skellam Test Image R † A ‡ R † A ‡
1 0.44549 0.04509 0.47393 0.04884 2 0.38146 0.02206 0.47604 0.02068 3 0.41286 0.04011 0.46859 0.05453 4 0.36848 0.03348 0.41173 0.03792 5 0.52598 0.04007 0.45563 0.03808 6 0.31102 0.03071 0.38364 0.02510 7 0.55421 0.04618 0.50748 0.04367 Note: As only one participant reported a gender of non-bi-nary, we did not have sufficient data to evaluate the possibil-ity of clustering for that specific category. For all values, p < 0.01 † Donnelly edge correction ‡ Monte Carlo simulation
Table 7. Clustering with Respect to Age <=35 >35 Clark-Evans Test Hopkins-Skellam Test Clark-Evans Test Hopkins-Skellam Test Image R † A ‡ R † A ‡ Note: For all values, p < 0.01 † Donnelly edge correction ‡ Monte Carlo simulation
Table 8. Clustering with Respect to Income <50k >=50k Clark-Evans Test Hopkins-Skellam Test Clark-Evans Test Hopkins-Skellam Test Image R† A‡ R† A‡ 1 0.46363 0.05326 0.43471 0.03153 2 0.43403 0.03141 0.41517 0.01536 3 0.42185 0.04741 0.36020 0.02401 4 0.41166 0.03711 0.37291 0.03150 5 0.55946 0.06000 0.50922 0.05535 6 0.31172 0.01907 0.38351 0.04824 7 0.51595 0.02800 0.53149 0.04127 Note: For all values, p < 0.01 † Donnelly edge correction ‡ Monte Carlo simulation
The locimetric scheme is presented as an alternative to tradi-tional forms of authentication (i.e., the ubiquitous text-based approach). Its advantage stems from users’ superior ability to work with visual information (over textual information, see picture superiority effect [28]). Moreover, the locimetric scheme is lighter in terms of cognitive demands on users, as it transforms the authentication process from one of recall to one of recognition. Theoretically, these advantages should empower users to generate stronger passwords. However, one well-known weakness of the scheme is that users are at-tracted to hot-spots. These are regions in images that users are drawn to and, therefore, more likely to contain user pass-word points, lowering the effective password space. In this paper, we examined whether the presence of hot-spots per-sists with high-resolution images, building on the work of Gao et al. [11]. Additionally, we studied whether user char-acteristics (i.e., age, income, and gender), as well as the length of the password, influence the existence of hot-spots. Our findings reveal that hot-spots are present even in high-resolution images irrespective of the length of the locimetric password. Of particular interest was the realization that im-age content appeared to influence the level of clustering. We speculate this is a consequence of users trying to form pass-words by clicking particular objects or colors within each im-age that they find to be eye-catching and would hence be eas-ier to remember. For example, Images 4 (vehicle) and 7 (drawing tools) have less clustering, therefore were better suited for use with locimetric authentication. We speculate that this is a consequence of there being a plethora of similar objects in Image 5 (spices), which are distributed more evenly throughout the image. Thus, it provides multiple areas for users to find and mark placement. With respect to Image 7 (drawing tools), there are again a great number of similar objects in the image for users to select. Additionally, there are several varying colors in close proximity to each other. This is in contrast, for example, to Image 4 (vehicle), where there are a limited number of large objects (e.g., the wheel and in-strument board) without any particular colors (e.g., mostly blue with a bit of chrome) that stand out. Thus, the majority of users focus their attention on those (limited) objects where the clustering occurs. Another example of a poor image choice for use with locimetric authentication is that of Image 3 (landscape), where even though there are no specific ob-jects that explicitly stand out from each other, there are a lim-ited number of eye-catching colors (e.g., blue and yellow), which attract the users and are the source of the clustering. This opens up the possibility that certain images might be bet-ter suited for users to create stronger locimetric passwords, and this question should be examined in future research. For the purpose of better understanding where user attention is concentrated while selecting points on a given image, we omputed the attention probability for all pixels in that image. This was done using bivariate distributions coupled with the utilization of kernel density estimation, a non-parametric model that combines clustering and density estimators (spe-cifically, Gaussian Mixture models) for each point (i.e., pixel) on the respective image. This approach creates layers that contain similar probability values, which indicate that a user will select specific pixel areas for their password, given all points previously selected by the users in our study. Fur-thermore, it combines the probability distributions, centered at the pixels with the highest probabilities, and creates planes of similar probabilities using smoothing techniques. Corre-sponding probabilities, ranging from higher to lower, are rep-resented by colors and visible in the respective legends, which are illustrated in Figure 3 as overlayed heatmaps. This is a relative measure and the values are based on the total number of observations for each specific sample. We can make the following three observations. First, in all images, for the most part, users are more likely to select points away from the edges, rather than focusing on higher saliency points (i.e., the main focus areas of the image (i.e., the points of interest or principal points of focus). Second, as the images that we used had non-singular focus areas, we ob-served multiple cluster centers, which hint at varying visual ‘tastes’ by different individuals. This indicates that such im-ages may result in stronger locimetric passwords and, there-fore, should be preferred by systems that employ this authen-tication technique. Third, areas in an image that are of the same color and contain no objects have the lowest probability of being selected. This is expected, as those points would be harder to remember, a conclusion that is confirmed by the scatterplots (see Figure 1). Our observations hint at the importance of enforcing what would be considered as ‘strong image’ passwords, which could serve as a basis for system security aimed at the pre-vention of unauthorized system entry and cybersecurity breach. Strong images can be classified as those that are high-resolution, employ multiple focal points, have a large number of edges, utilize multiple color schemes and have various ob-jects throughout the image (for instance, there are no large sections with blue skies, sea, or an object with the same color occupying a large section of the image). Further studies are required to quantify the minimum requirements that a high-resolution image needs to have in order to be accepted as a ‘strong image’ for use by the authenticator program. This be-comes especially important for a system that allows users to upload their images and then select points for password cre-ation. Another area that should be explored is that of culture, as our study focused exclusively on the United States. Certainly, it is a consideration to be taken into account, as it has been demonstrated that cultural differences influence the way by which individuals interact with images. Begley’s [4] work highlights those differences, “westerners pay attention to the focal object, while Asians attend more broadly— to the over-all surroundings and to the relations between the object and the field.” Consequently, future studies may be directed to-wards investigating diverse cultural approaches to the crea-tion of locimetric passwords and whether any cultural differ-ences influence the effectiveness of the scheme with respect to system entry and security. Furthermore, we sought to determine whether user character-istics (i.e., age, income, and gender) influence the formation of the hot-spots that were observed. The benefit of finding such a pattern would inform the allocation of resources (such as training) exclusively to those users. However, no such a relationship was found; irrespectively, users generally appear to gravitate towards hot-spots equally. Of course, we would be remiss not to recognize that as technology advances and resolutions continue to increase, at some point the hot-spot problem may dissipate on its own. In the short term, however, increasing image size to solve the hot-spot problem is not a solution. There are several practical implications that result from our work. From the user and system administrator perspective, the presence of hot-spots, even in high-resolution images, ne-cessitates that the issue be addressed. To overcome the hot-spot phenomenon we propose user training, an idea that is not in itself a novel within the field of security [12,25,32]. There are many forms of training; we suggest three forms as exem-plars: 1.
Training users through guidelines on how to select images to use for their passwords which would be better suited for this scheme because they naturally lead to fewer hot-spots. For example, images with a plethora of objects and colors, as they offer mul-tiple focal points instead of a singular focus. 2.
Training users through guidelines on how to avoid selecting popular points which are within hot-spot areas, but instead selecting password points outside of those areas. 3.
A simulator with a strength meter offering users the opportunity to practice the creation of locimetric passwords through trial and error. These approaches should lead to stronger locimetric pass-words and minimize the hot-spot phenomenon. Should the hot-spot problem be overcome, the locimetric scheme has considerable potential to serve as a viable alternative to tra-ditional forms of authentication. a) (b) (c) (d) (e) (f) (g) Figure 3. Heatmaps indicating areas with similar probability for user passwords.
References [1] Adrian Baddeley, Ege Rubak, and Rolf Turner. 2015.
Spatial Point Patterns: Methodology and Applications with R
Journal of Statistical Software
12, 6 (January 2005), 1–42. [3] Adrian Baddeley, Rolf Turner, Jorge Mateu, and An-drew Bevan. 2013. Hybrids of Gibbs point process models and their implementation.
Journal of Statistical Software
55, 11 (November 2013), 1–43. DOI: 10.18637/jss.v055.i11 [4] Sharon Begley. 2003. East Versus West: One Sees Big Picture, Other Is Focused.
The Wall Street Journal
Pro-ceedings of the 22nd British HCI Group Annual Con-ference on People and Computers: Culture, Creativity, Interaction - Volume 1 (BCS-HCI ’08) , September 1-5, 2008, Liverpool, United Kingdom. BCS Learning & Development Ltd., Swindon, United Kingdom. 121–130. DOI: 10.5555/1531514.1531531 [7] Sonia Chiasson, Elizabeth Stobert, Alain Forget, Rob-ert Biddle, and Paul C. Van Oorschot. 2012. Persuasive Cued Click-Points: Design, implementation, and evalu-ation of a knowledge-based authentication mechanism.
IEEE Transactions on Dependable and Secure Compu-ting
9, 2 (March 2012), 222–235. DOI: 10.1109/TDSC.2011.55 [8] Sonia Chiasson, Paul C. Van Oorschot, and Robert Biddle. 2007. Graphical password authentication using Cued Click Points. In
Proceedings of the 12th Euro-pean Conference on Research in Computer Security (ESORICS 2007) , September 24-26, 2007, Dresden, Germany. Springer-Verlag Berlin Heidelberg, Berlin, Germany. 359–374. DOI: 10.1007/978-3-540-74835-9_24 [9] Antonella De Angeli, Lynne Coventry, Graham John-son, and Karen Renaud. 2005. Is a picture really worth a thousand words? Exploring the feasibility of graph-ical authentication systems.
International Journal of Human-Computer Studies
63, 1–2 (2005), 128–152. DOI: 10.1016/j.ijhcs.2005.04.020 [10] Ahmet Emir Dirik, Nasir Memon, and Jean-Camille Birget. 2007. Modeling user choice in the PassPoints graphical password scheme. In
Proceedings of the 3rd Symposium on Usable Privacy and Security (SOUPS '07 , Pittsburg, PA. ACM Inc., New York, NY. 20–28. DOI: 10.1145/1280680.1280684 [11] Haichang Gao, Wei Jia, Ning Liu, and Kaisheng Li. 2013. The Hot-Spots Problem in Windows 8 Graphical Password Scheme. In
Proceedings of the 5th Interna-tional Symposium: Cyberspace Safety and Security (CSS 2013) , November 13-15, 2013, Zhangjiajie, China. Springer International Publishing, Cham, Swit-zerland. 349–362. DOI: 10.1007/978-3-319-03584-0_26 [12] Ding-Long Huang, Pei-Luen Patrick Rau, and Gavriel Salvendy. 2007. A survey of factors influencing peo-ple’s perception of information security. In
Proceed-ings of the 12th International Conference on Human-Computer Interaction: Applications and Services (HCI INTERNATIONAL 2007),
July 22-27, 2007, Beijing, China. Springer-Verlag Berlin Heidelberg, Berlin, Ger-many, 906–915. DOI: 10.1007/978-3-540-73111-5_100 [13] Gabriele Paolacci, Jesse Chandler, and Panagiotis Ipei-rotis. 2010. Running experiments on Amazon Mechani-cal Turk.
Judgment and Decision Making
5, 5 (2010), 411–419. [14] Miguel Petrere. 1985. The variance of the index (R) of aggregation of Clark and Evans.
Oecologia
68, 1 (De-cember 1985), 158–159. DOI: 10.1007/BF00379489 [15] Pixabay.
Home Interior Room House Furniture . Re-trieved February 2, 2021 from https://pixabay.com/pho-tos/home-interior-room-house-furniture-1438305/ [16] Pixabay.
Vegetables Carrots Garlic Celery . Retrieved February 2, 2021 from https://pixabay.com/photos/veg-etables-carrots-garlic-celery-1212845/ [17] Pixabay.
Santorini City Greece Tourism . Retrieved February 2, 2021 from https://pixabay.com/photos/san-torini-city-greece-tourism-4044972/ [18] Pixabay.
Car Vehicle Motor Transport . Retrieved Feb-ruary 2, 2021 from https://pixabay.com/photos/car-ve-hicle-motor-transport-3046424/ [19] Pixabay.
Mat Spices . Retrieved February 2, 2021 from https://pixabay.com/photos/mat-spices-3251064/ [20] Pixabay.
Hot Air Balloons Adventure Balloons . Re-trieved February 2, 2021 from https://pixabay.com/pho-tos/hot-air-balloons-adventure-balloons-1867279/ [21] Pixabay.
Brush Chalk Color Atelier Paint . Retrieved February 2, 2021 from https://pixabay.com/pho-tos/brush-chalk-color-atelier-paint-2927793/ [22] R Core Team. 2013.
A language and environment for statistical computing. R Foundation for Statistical Computing,
Proceedings of the 26th An-nual Computer Security Applications Conference (ACSAC '10) , December 6–10, 2010, Austin, Texas. CM Inc., New York, NY, 79–88. DOI: 10.1145/1920261.1920273 [24] Julie Thorpe and Paul C. Van Oorschot. 2007. Human-seeded attacks and exploiting hot-spots in graphical passwords. In
Proceedings of the 16th USENIX Secu-rity Symposium (USENIX SECURITY '07)
Proceedings of the 21st USENIX Security Symposium (SECURITY '12)
Changes in Basic Minimum Wages in Non-Farm Employment Under State Law: Selected Years 1968 to 2020 waskom2020seaborn . Zenodo. Retrieved from https://doi.org/10.5281/zenodo.592845 [28] Andrew J.O. Whitehouse, Murray T. Maybery, and Kevin Durkin. 2006. The development of the picture - superiority effect. British Journal of Developmental Psychology
24, 4 (2006), 767–773. DOI: 10.1348/026151005X74153 [29] Susan Wiedenbeck, Jim Waters, Jean-Camille Birget, Alex Brodskiy, and Nasir Memon. 2005. Authentica-tion using graphical passwords: Basic results. In
Pro-ceedings of the 11th International Conference on Hu-man-Computer Interaction (HCI INTERNATIONAL '05)
Proceedings of the 1st Symposium on Usable Privacy and Security (SOUPS '05) , July 6-8, 2005, Pittsburgh, Pennsylvania. ACM Inc., New York, NY,
International Journal of Human-Com-puter Studies
63, 1 (July 2005), 102–127. DOI: 10.1016/j.ijhcs.2005.04.010 [32] M. Yıldırım and I. Mackie. 2019. Encouraging users to improve password security and memorability.