Can background baroque music help to improve the memorability of graphical passwords?
Haichang Gao, Xiuling Chang, Zhongjie Ren, Uwe Aickelin, Liming Wang
Abstract.
Graphical passwords have been proposed as an alternative to alphanumeric passwords with their advantages in usability and security. However, they still tend to follow predictable patterns that are easier for attackers to exploit, probably due to users’ memory limitations. Various studies show that baroque music has positive effects on human learning and memorizing. To alleviate users’ memory burden, we investigate the novel idea of introducing baroque music to graphical password schemes (specifically DAS, PassPoints and Story) and conduct a laboratory study to see whether it is helpful. In a ten-minute short-term recall test, we found that participants in all conditions had high recall success rates that were not statistically different from each other. After one week, the music group coped with PassPoints passwords significantly better than the group without music. But there was no statistical difference between the two groups in recalling DAS passwords or Story passwords. Furthermore, we found that the music group tended to set significantly more complicated PassPoints passwords but less complicated DAS passwords.
Keywords: Graphical password, Baroque music, Memorability, DAS, PassPoints.
Graphical passwords have been proposed as an alternative to alphanumeric passwords and the main motivation is the hypothesis that people perform far better when remembering pictures rather than words [1, 2]. Visual objects seem to offer a much larger set of usable passwords. It is conceivable that humans would be able to remember stronger passwords of a graphical nature. However, users still tend to choose passwords that are memorable in some way, which means that the graphical passwords still tend to follow predictable patterns that are easier for attackers to exploit [6, 13, 14].
Various studies reveal that users are the ‘weakest link’ in any password authentication mechanism, probably due to their memory limitations [11]. Although human memory capacity is unlikely to increase significantly over the next few years, recent psychological and physiological studies indicate that certain music like baroque music has positive effects of great importance on human memorizing and learning [20, 22].
Motivated by these observations, we investigate the novel idea of introducing background baroque music to graphical password schemes with the purpose of alleviating users’ memory burden and improving usable security. Based on the DAS, PassPoints and Story schemes, we conduct a laboratory study to explore the efficiency of background baroque music on memorizing graphical passwords. We are also interested in whether the background music would enable users to choose more complicated or less predictable passwords, which are usually more resistant to dictionary and other guessing attacks.
The following section briefly reviews graphical password schemes and related works. Sections 3 and 4 describe the methodology of our studies and present the results respectively. Section 5 provides several interpretations of the experiment and discusses the experimental results. Conclusion and future work are addressed in Section 6.
In the open literature to date, the ubiquity of graphical interfaces for applications and input devices, such as the mouse, stylus and touch-screen, has enabled the emergence of graphical authentication. Three dominant techniques are available, which can be defined as: Drawmetrics (DAS [4], Syukri [9], YAGP [21]), Locimetrics (Blonder [3], PassPoints [7]) and Cognometrics (Déjà Vu [5], Story [6], Passfaces [10]) [19].
Drawmetrics systems require users to reproduce a pre-drawn outline drawing on a grid. A well-known scheme in this category is DAS, which liberates users from remembering complicated text strings and has the advantage of better security over alphanumeric passwords [4]. Nevertheless, Passdoodle revealed that people are able to remember complete doodle images while being less likely to recall the stroke order [8]. Furthermore, Thorpe and Van Oorschot found that users tend to design symmetrical and centered or approximately centered passwords, significantly reducing the password space in practice and impacting security [14]. Gao et al. proposed a modification to DAS where approximately correct drawings can be accepted, based on Levenshtein distance string matching and “trend quadrants” looking at the direction of strokes [21].
Locimetrics systems are based on the method of loci, an old and well-known mnemonic [18]. Originating in Blonder’s work, the approach involves users choosing several sequential locations in an image [3]. PassPoints [7] is a representative scheme of this category, where users may choose any place in the image as a password click point. Since the image is a cue of great importance for users to recall their passwords, it should be complex and visually rich enough to have many potentially memorable click points. This scheme was found to be relatively usable, although security concerns remain. A primary security problem is hotspots: people tend to select obvious points in the image with high visual salience, leading to a reduced effective password space that facilitates more successful dictionary attacks [12, 13].
In Cognometrics systems, users must recognize the target images embedded amongst a set of distractor images. This category includes Passfaces, which relies on face recognition [10], Déjà Vu [5], based on abstract images, and Story [6], where users are advised to create a story, and so on. User studies by Valentine have shown that Passfaces has a high degree of memorability [15, 16], but Davis found that people tended to select faces of their own race and gender [6]. Assigning faces to users arbitrarily may alleviate the problem, but it would make the password hard for people to remember. A similar scheme to Passfaces is Story, where the password selection is sufficiently free from bias [6]. But Story is not as good as Passfaces in memorability, because few people actually choose stories despite the suggestion. In addition, memorability for abstract images in Déjà Vu was found to be only half as good as that for photographic images with a clear central subject [17].
Through the above discussion, we find that most graphical passwords either tend to follow predictable patterns or have a low degree of memorability. The crux of the problem is the users’ memory limitations. As human memory capacity is unlikely to increase significantly over the next few years, creating a good environment for memorizing passwords might alleviate users’ burden. There are demonstrations that music can improve memory, and in what follows we will illustrate this.
Extensive research has shown that music has different uses for education and therapy [20]. As our particular interest is to explore the role of music in learning and memorizing graphical passwords, we will briefly review the research into the effects of music on learning in this subsection.
Georgi Lozanov, a Bulgarian psychologist, made a remarkable impact in integrating music into teaching practice. He created a teaching method called ‘Suggestopedia’, wherein the use of background music, particularly baroque music with a rate of 50 to 70 beats per minute (BPM), is a cornerstone of accelerated learning techniques. It is stated that the method of Suggestopedia involves three stages where different types of music are used for specific purposes. First, introduce music to relax participants and help them to achieve the optimum state for learning. Second, listen to an “active concert” with music from Mozart, Beethoven and Brahms. Finally, apply a “passive concert” to help participants move the information into long-term memory. While no details are given as to which exact music is suggested for the first stage, both the concerts in the latter two stages result in high memory retention [22]. Furthermore, Lozanov says that “well organized Suggestopedia accelerates learning 5 times on an average” [22].
Baroque music can help the brain produce alpha waves, and information imbued with music has a greater likelihood of being encoded in long-term memory by the brain. That is why accelerated learning techniques introduce music into the learning process. For example, the ‘Mozart Effect’ [23] is a phenomenon in which music has a positive effect on learning and memory. In the following sections, we bring background baroque music to graphical password schemes, specifically PassPoints, DAS and Story, and investigate whether it can improve users’ memory or induce users to set stronger passwords.
As mentioned earlier, our evaluation is based on three representative graphical password schemes. For the purpose of collecting and analyzing the success rate, user habits, and login time automatically, we reproduce three schemes which are intentionally very closely modeled after DAS [4], PassPoints [7] and Story [6], respectively. We still adopt the names “DAS”, “PassPoints” and “Story” for convenience. In this section, after describing the three schemes deployed in our experiments, we will present our methodology in detail.
Brief Introduction of the Reproduced Schemes
DAS is a drawing-reproduction-based scheme, where a × grid was deployed for users to draw on. Each grid cell is denoted by rectangular discrete coordinates (x, y)[0, 4] × [0, 4]. A completed drawing is encoded as the ordered sequence of cells that the user crosses whilst constructing the secret, with a distinguished coordinate pair (5, 5) inserted at both ends of each stroke. Two passwords are identical if the encoding is the same. Figure 1 shows how DAS works. The input is a graphical password consisting of three strokes, which are colored black, green and red in sequence. The drawing is mapped to (5,5)(1,2)(1,3)(2,3)(3,3)(3,2)(5,5); (5,5)(2,1)(2,2)(2,3)(5,5); (5,5)(2,1)(5,5).
Fig. 1. An example of DAS password with length being 9
In the PassPoints scheme, users are required to select several positions in a single image as their passwords and, for authentication, click close to the chosen points in the correct order and within a tolerance distance. For example, the password in Figure 2 contains five click points, labeled in order by small red rectangles.
In Story, a password is a sequence of k (k9) images selected by the user to make a “story”. To stay consistent with [6], the images used here are also classified into nine categories, which are animals, cars, women, food, children, men, objects, nature, and sports. Images of “men” and “women” are gathered from FordModels.com and the others from http://images.google.com. Figure 3 shows the interface of Story, where the man, woman, car and the house are selected in order and the underlying story is “a gentle man and his girlfriend drive a car to their house”.
Fig. 2. Passwords in PassPoints with length being 5
Fig. 3. An example of Story password
We conducted a lab study with 28 subjects (16 males and 12 females). All the subjects were university students of computer science in the age range of 20 to 30. We hypothesized that background music could improve human memory and thereby induce people to choose more complex passwords and take less time to log in. This study used a between-subjects design and had two conditions; half of the subjects were assigned to the control group (without background music) and half to the music group. None of them had previously used DAS, PassPoints or Story passwords. We chose the baroque music suggested by Lozanov with a rate of 50 to 70 BPM as the background music and utilized a Lenovo speaker to play it. The volume was set to 3040 decibels as suggested.
Our study included two lab-based sessions. Session 1 took about two hours. At the beginning of Session 1, each participant was asked to read an instruction document. This provided information about their activities in the experiments and helped them understand how DAS, PassPoints and Story work. To make the rules clearer, an example was included for each scheme. Then participants were required to complete the registration and login of DAS, then PassPoints, and finally Story. People were asked to re-enter the password to confirm it. After a short delay (about 10 minutes), participants were asked to log in within three attempts. At the end, participants needed to answer a demographic questionnaire collecting information including age, sex and experience with graphical passwords.
One week later, at Session 2, all the participants returned to the lab and tried to log in to each scheme within three attempts using their previously created passwords.
We used two types of statistical tests to assess whether differences in the data reflect actual differences between conditions or whether these may have occurred by chance. A two-tailed t-test was used for comparing the means of two groups and Fisher’s exact test was used to compare recall success rates. In all cases, we regard a value of P<0.20 as indicating that the groups being tested are different from each other with at least0% probability, making the result statistically significant. In the tables, “not significant” indicates that the test revealed no statistically significant difference between the two conditions (i.e., P>0.20).
We first examine success rates as a measure of participants’ performance. Table 1 compares the successful recalls in each group.
Table 1. Success rates in each group for DAS, PassPoints and Story
Group                   10-minute test          1-week test
                        ratio    Fisher-test    ratio    Fisher-test
DAS (no music)          78.6%    P=0.59         71.4%    P=1
DAS (music)             92.9%                   64.3%
PassPoints (no music)   100%     P=1            35.7%    P=.004
PassPoints (music)      100%                    92.9%
Story (no music)        100%     P=1            92.9%    P=1
Story (music)           100%                    92.9%
In the 10-minute short-term phase, the success rates were high on the whole, indicating that participants’ memory was not strongly taxed. In PassPoints and Story, participants under both conditions recalled their passwords. In DAS, the success rate of the music group was 92.9%, higher than that of the control group (78.6%). However, a Fisher’s exact test yields a result of P=0.59, indicating that the difference was not statistically significant.
Table 2. Complexity of DAS secrets
                          DAS (no music)   DAS (music)   t-test
Strokes           Avg.    3.36             3.71          Not significant
                  S.d.    1.71             2.25
                  Max     7                7
                  Min     1                1
Password length   Avg.    13.79            10.43         t=1.34, P<0.20
                  S.d.    6.39             6.41
                  Max     27               21
                  Min     2                1
After one week, the performance of the two groups varied across schemes. Both groups in Story had the same recall success rate of 92.9%, but they differed in DAS and PassPoints. In DAS, only 64.3% of the music group and 71.4% of the control group were able to recall their passwords. It appears that the control group performed better than the music group. It should be noted that this was a difference of only one person in practice. The result of Fisher’s exact test showed that there was no statistical difference between the two conditions. In PassPoints, we found a significant difference between the two groups. The music group was significantly more likely to successfully recall the passwords than the control group. In addition, the success rate of the control group decreased from 100% in the previous phase to 35.7%, while the success rate of the music group only decreased by 7.1%. This aligns with psychology research, which continues to show that certain music advances long-term memory.
The results suggest that background music works differently in different graphical password schemes. In Drawmetrics and Cognometrics systems, background music seems to have no influence on short-term recall or long-term memory. But in Locimetrics systems, it appears that background music could significantly help people remember passwords in long-term memory.
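The Fisher-test column of Table 1 can be recomputed from the recall counts. The following is an added example, not the authors' code: it implements the two-sided Fisher's exact test and applies it to success counts derived from the table's percentages, assuming 14 participants per group as the study design states.

```python
from fractions import Fraction
from math import comb

GROUP_SIZE = 14  # 28 subjects, half in the control group and half in the music group


def fisher_exact_two_sided(a_success, a_total, b_success, b_total):
    """Two-sided Fisher's exact test for a 2x2 success/failure table.

    Sums the hypergeometric probability of every table with the same
    margins that is no more likely than the observed one. Integer
    weights are compared, so ties are decided without float error.
    """
    successes = a_success + b_success
    lo = max(0, successes - b_total)
    hi = min(a_total, successes)

    def weight(k):
        # Number of ways group A gets k successes and group B the rest.
        return comb(a_total, k) * comb(b_total, successes - k)

    observed = weight(a_success)
    extreme = sum(weight(k) for k in range(lo, hi + 1) if weight(k) <= observed)
    return Fraction(extreme, comb(a_total + b_total, successes))


# Successful recalls as (control, music). Derived values, not printed in the
# paper: each is the Table 1 percentage times 14, e.g. 78.6% of 14 = 11.
RECALLS = {
    ("DAS", "10-minute"): (11, 13),
    ("DAS", "1-week"): (10, 9),
    ("PassPoints", "10-minute"): (14, 14),
    ("PassPoints", "1-week"): (5, 13),
    ("Story", "10-minute"): (14, 14),
    ("Story", "1-week"): (13, 13),
}


def table1_p_values():
    """P value for every scheme and test phase in Table 1."""
    return {
        key: float(fisher_exact_two_sided(control, GROUP_SIZE, music, GROUP_SIZE))
        for key, (control, music) in RECALLS.items()
    }


if __name__ == "__main__":
    for (scheme, phase), p in table1_p_values().items():
        print(f"{scheme:<11}{phase:<10} P={p:.4f}")
```

Measured against the conventional 0.05 threshold rather than the paper's 0.20, the PassPoints one-week comparison is the only one of these Fisher tests that remains significant.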
For each scheme, we compare password complexity in both groups. While the password length in PassPoints or Story is easy to understand, it is necessary to explain it for DAS. In DAS, the length of a password is obtained by adding the lengths of its component strokes, wherein the length of a stroke is the number of coordinate pairs it contains exclusive of the distinguished ones (5,5). For example, for the password in Figure 2, the length of each stroke is 5, 3 and 1 respectively, producing a password length of 9.
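The DAS encoding and the length measure just defined can be made concrete. The following is an added example, not the authors' implementation: it maps sampled pen positions to grid cells, wraps each stroke in the distinguished pair (5,5), and computes the password length. The cell size in pixels, the grid constant and the pen samples are assumptions constructed to reproduce the three-stroke drawing whose encoding the paper lists.

```python
PEN_UP = (5, 5)  # distinguished pair from the paper; it lies outside the grid
GRID = 5         # assumption: cells indexed 0..4 per axis, matching the paper's coordinates
CELL_PX = 60     # assumption: pixel width and height of one grid cell


def stroke_to_cells(points):
    """Map one stroke's sampled pen positions (pixels) to the ordered cells it crosses.

    Assumes the pen is sampled densely enough that no crossed cell is skipped.
    """
    cells = []
    for x, y in points:
        cell = (int(x // CELL_PX), int(y // CELL_PX))
        if not all(0 <= c < GRID for c in cell):
            raise ValueError(f"pen position {(x, y)} is outside the grid")
        if not cells or cells[-1] != cell:  # collapse samples inside the same cell
            cells.append(cell)
    return cells


def encode(strokes):
    """Encode a drawing: each stroke's cells wrapped in the pen-up pair."""
    return [[PEN_UP, *stroke_to_cells(stroke), PEN_UP] for stroke in strokes]


def to_text(encoding):
    """Render an encoding in the paper's notation, strokes separated by ';'."""
    return ";".join(
        "".join(f"({x},{y})" for x, y in stroke) for stroke in encoding
    )


def password_length(encoding):
    """Sum of stroke lengths, excluding the distinguished (5,5) pairs."""
    return sum(1 for stroke in encoding for pair in stroke if pair != PEN_UP)


def same_password(a, b):
    """Two DAS passwords are identical only if their encodings are the same."""
    return a == b


# Constructed pen samples (pixels) for a three-stroke drawing.
DRAWING = [
    [(90, 150), (90, 200), (130, 200), (200, 200), (200, 150)],
    [(150, 70), (150, 100), (150, 130), (150, 170), (150, 200)],
    [(130, 70), (140, 80)],
]

if __name__ == "__main__":
    enrolled = encode(DRAWING)
    print(to_text(enrolled))
    print("strokes:", len(enrolled), "length:", password_length(enrolled))
    # The same picture drawn with the strokes in another order is rejected,
    # which is why forgetting stroke order causes recall failures in DAS.
    print(same_password(enrolled, encode(DRAWING[::-1])))
```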
Table 3. Complexity of PassPoints and Story secrets
Group                   Password length
                        Avg.    t-test            S.d.    Max    Min
PassPoints (no music)   3.79    t=1.61, P<0.20    1.20    5      1
PassPoints (music)      4.5                       1.05    6      3
Story (no music)        3.64    Not significant   0.97    6      2
Story (music)           4.07                      0.70    6      3
In DAS (see Table 2), the average password length with music was 10.43 and without, 13.79. The standard deviation of password length with music was 6.41, compared to 6.39 without. A t-test yields a result of t=1.34, P<0.20 (two tails), indicating that the password length in the music group was significantly shorter than that in the control group. The background music increased the stroke count of passwords on average, but not to a statistically significant level. The standard deviation with respect to stroke count was higher with music (2.25 vs. 1.71).
While background music reduced the password length in DAS, it increased the password lengths in PassPoints and Story. As shown in Table 3, the average password length with music in PassPoints was 4.5 as opposed to 3.79 without. A t-test yields a result of t=1.61, P<0.20 (two tails), indicating that there was a statistically significant difference between the two conditions. In Story, the password length for the two groups differed by 0.43 (4.07 vs. 3.64), which is not statistically significant.
As such, the background music had a negative effect on DAS password length, but encouraged people to choose more complex passwords in PassPoints and Story.
Discussion
Based on the results of our study, we now revisit our hypothesis that background music could improve human memory and thereby induce people to choose more complex passwords. This hypothesis was only supported in PassPoints. In PassPoints, people in the music condition not only chose significantly more complicated passwords, but also had significantly higher recall success rates in the long-term test. However, in DAS, the average password length of the music group was much shorter than that of the control group.
This subsection discusses the recall errors in DAS and PassPoints (few errors occurred in Story, so they are ignored). People committed different types of error, shown in Figure 4 (DAS) and Figure 5 (PassPoints). In DAS, there are three types of error: Stroke (i.e., entering more or fewer strokes), Pwd-Len (i.e., people could recall the stroke count but forgot the length of the password) and Position (others, including mixing up the stroke order or crossing incorrect cells). From Figure 4, we can see that errors in Stroke and Pwd-Len account for the main proportion of recall errors. At the same time, the music group committed more errors than the non-music group, and the difference possibly resulted from the long-term recall test.
Fig. 4. Recall errors in DAS
Fig. 5. Recall errors in PassPoints
There are also three types of error in PassPoints: Pwd-Len (i.e., forgetting the password length), Position (i.e., people can recall the password length but click points outside the tolerance region) and Order (i.e., only mixing up the click-point order) (see Figure 5). In this scheme, many recall failures were down to either forgetting the password length or clicking points outside the tolerance region. In recall errors, and especially in Position errors, the music group had a great advantage over the non-music group, probably due to its higher recall success rate in the long-term recall test.
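The three PassPoints error types can be assigned mechanically to logged login attempts, which is how a tally such as Figure 5 could be produced. The following is an added example, not the authors' tooling: the tolerance radius, the enrolled click points and the attempts are constructed assumptions, and the enrolled points are compared in the clear, as an instrumented lab system could do.

```python
from collections import Counter
from math import hypot

TOLERANCE_PX = 10  # assumption: the paper does not state its tolerance distance


def within(p, q, tol):
    """True if click q falls inside the circular tolerance region around p."""
    return hypot(p[0] - q[0], p[1] - q[1]) <= tol


def _is_reordering(enrolled, attempt, tol):
    """True if every click hits a distinct enrolled point, in any order.

    Backtracking is used instead of greedy matching so that overlapping
    tolerance regions cannot cause a wrong answer.
    """
    def assign(i, used):
        if i == len(attempt):
            return True
        return any(
            j not in used
            and within(point, attempt[i], tol)
            and assign(i + 1, used | {j})
            for j, point in enumerate(enrolled)
        )
    return assign(0, frozenset())


def classify_attempt(enrolled, attempt, tol=TOLERANCE_PX):
    """Return 'ok' or one of the paper's error types: Pwd-Len, Order, Position."""
    if len(attempt) != len(enrolled):
        return "Pwd-Len"   # wrong number of click points
    if all(within(e, a, tol) for e, a in zip(enrolled, attempt)):
        return "ok"        # right points, right order
    if _is_reordering(enrolled, attempt, tol):
        return "Order"     # right points, only the sequence is mixed up
    return "Position"      # right length, a click outside the tolerance region


def tally(enrolled, attempts, tol=TOLERANCE_PX):
    """Count outcomes over a list of attempts."""
    return Counter(classify_attempt(enrolled, a, tol) for a in attempts)


# Constructed data: one enrolled five-point password and four login attempts.
ENROLLED = [(120, 80), (300, 95), (210, 240), (60, 310), (400, 200)]
ATTEMPTS = [
    [(123, 82), (298, 99), (212, 236), (58, 312), (405, 203)],   # accepted
    [(120, 80), (300, 95), (210, 240), (60, 310)],               # one point forgotten
    [(120, 80), (210, 240), (300, 95), (60, 310), (400, 200)],   # points 2 and 3 swapped
    [(120, 80), (300, 95), (210, 240), (60, 310), (430, 200)],   # last click 30 px off
]

if __name__ == "__main__":
    for outcome, count in tally(ENROLLED, ATTEMPTS).items():
        print(f"{outcome:<9}{count}")
```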
Our intent in this study was to examine the effects of background music on the memorability of graphical passwords. We made our study follow the established methods of experimental psychology as much as possible and acknowledge that it did not mirror real-life usage. First, the participants in our study (all of them university students of computer science) only represented a small part of the whole population. It is important to get a good selection of people with various backgrounds in further studies. Second, users are unlikely to familiarize themselves with and create three different graphical passwords one after the other in real life, or to be asked to recall them in quick succession after one week (without having used any of them in the intervening time). Third, the participants had no incentive to perform as if protecting or accessing anything of real-life value to them, so it is not difficult to understand that many passwords created in both conditions were weak. For example, in Story, the average password length of the control group was less than 4. Furthermore, the effect of the background music volume when it is embedded into a scheme remains to be discussed. Despite these limitations, our controlled laboratory experiment paves the way for numerous further studies.
Results of the user study have shown that introducing baroque music to the PassPoints scheme is an effective enhancement. Surrounded by music, people not only tended to construct significantly more complicated passwords than their counterparts without the music stimulus, but also performed significantly better in terms of recall success in the long-term tests. This result indicated that the background music improved the memorability of passwords in PassPoints.
In DAS and Story, the introduction of background music has been shown to be unnecessary for security and usability. The recall of the passwords in the two conditions was not statistically different in the short-term or long-term test. Furthermore, the background music significantly impaired the complexity of DAS passwords.
Although the results obtained in the three representative schemes are not consistent and should be treated with caution, we believe that this work provides a significant extension to the study of security and usability of graphical passwords. Future work includes a larger scale of studies with careful experimental design, and Locimetrics systems will be our focus.
Acknowledgments. The authors would like to thank the reviewers for their careful reading of this paper and for their helpful and constructive comments. Project 60903198 supported by National Natural Science Foundation of China.
References
1. Madigan, S.: Picture memory. In: Imagery, Memory, and Cognition, pp. 65–86. Lawrence Erlbaum Associates, Mahwah (1983)
2. Nelson, D.L., Reed, U.S., Walling, J.R.: Picture superiority effect. Journal of Experimental Psychology: Human Learning and Memory 3, 485–497 (1977)
3. Blonder, G.E.: Graphical password. US Patent 5559961, Lucent Technologies, Inc., Murray Hill (August 30, 1995)
4. Jermyn, I., Mayer, A., Monrose, F., Reiter, M., Rubin, A.: The design and analysis of graphical passwords. In: Proceedings of the 8th USENIX Security Symposium (August 1999)
5. Dhamija, R., Perrig, A.: Déjà Vu: A User Study Using Images for Authentication. In: 9th USENIX Security Symposium (2000)
6. Davis, D., Monrose, F., Reiter, M.K.: On user choice in graphical password schemes. In: Proceedings of the 13th Usenix Security Symposium, San Diego, CA (2004)
7. Wiedenbeck, S., Waters, J., Birget, J.C., Brodskiy, A., Memon, N.: Design and longitudinal evaluation of a graphical password system. International J. of Human-Computer Studies 63, 102–127 (2005)
8. Goldberg, J., Hagman, J., Sazawal, V.: Doodling Our Way to Better Authentication. Presented at Proceedings of Human Factors in Computing Systems (CHI), Minneapolis, Minnesota, USA (2002)
9. Syukri, A.F., Okamoto, E., Mambo, M.: A User Identification System Using Signature Written with Mouse. In: Boyd, C., Dawson, E. (eds.) ACISP 1998. LNCS, vol. 1438, pp. 403–441. Springer, Heidelberg (1998)
10. Passfaces, (site accessed January 10, 2010)
11. Notoatmodjo, G.: Exploring the ‘Weakest Link’: A Study of Personal Password Security. Thesis of Master Degree, The University of Auckland, New Zealand (2007)
12. Dirik, A.E., Memon, N., Birget, J.C.: Modeling user choice in the PassPoints graphical password scheme. In: Symp. on Usable Privacy and Security, SOUPS (2007)
13. Thorpe, J., van Oorschot, P.C.: Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords. In: USENIX Security Symp. 2007 (2007)
14. Nali, D., Thorpe, J.: Analyzing User Choice in Graphical Passwords. Technical Report, School of Information Technology and Engineering, University of Ottawa, Canada (May 27, 2004)
15. Valentine, T.: An evaluation of the Passface personal authentication system. Technical Report, Goldsmiths College, University of London (1998)
16. Valentine, T.: Memory for Passfaces after a Long Delay. Technical Report, Goldsmiths College, University of London (1999)
17. Weinshall, D., Kirkpatrick, A.S.: Passwords you’ll never forget, but can’t recall. In: Proc. CHI 2004 (2004)
18. Higbee, K.L.: Your Memory: How it Works and How to Improve it, 2nd edn. Prentice-Hall Press, New York (1988)
19. DeAngeli, A., Coventry, L., Johnson, G., Renaud, K.: Is a picture really worth a thousand words? Exploring the feasibility of graphical authentication systems. International Journal of Human-Computer Studies 63, 128–152 (2005)
20. Fassbender, E., Richards, D., Kavakli, M.: Game engineering approach to the effect of music on learning in virtual-immersive environments. In: International Conference on Games Research and Development: CyberGames, Western Australia (2006)
21. Gao, H., Guo, X., Chen, X., Wang, L., Liu, X.: YAGP: Yet Another Graphical Password Strategy. In: ACSAC, California, USA, pp. 121–129 (2008)
22. Lozanov, G.: Suggestology and Suggestopedy, http://lozanov.hit.bg/