The effect of baroque music on the PassPoints graphical password
Haichang Gao, Zhongjie Ren, Xiuling Chang, Xiyang Liu, Uwe Aickelin
Haichang Gao, Zhongjie Ren, Xiuling Chang, Xiyang Liu
Software Engineering Institute, Xidian University, Xi’an, Shaanxi 710071, P.R. China
[email protected]
Uwe Aickelin
School of Computer Science, The University of Nottingham, Nottingham, NG8 1BB, U.K.
[email protected]
ABSTRACT
Graphical passwords have been demonstrated to be possible alternatives to traditional alphanumeric passwords. However, they still tend to follow predictable patterns that are easier to attack. The crux of the problem is users’ memory limitations. Users are the weakest link in the password authentication mechanism. It has been shown that baroque music has positive effects on human memorizing and learning. We introduce baroque music to the PassPoints graphical password scheme and conduct a laboratory study in this paper. Results showed that there is no statistical difference between the music group and the control group without music in short-term recall experiments; both had high recall success rates. But in long-term recall, the music group performed significantly better. We also found that the music group tended to set significantly more complicated passwords, which are usually more resistant to dictionary and other guessing attacks. But compared with the control group, the music group took more time to log in both in short-term and long-term tests. Besides, it appears that background music does not work in terms of hotspots.
Categories and Subject Descriptors
H.1.2 [User/Machine Systems]: Human factors; D.4.6 [Security and Protection]: Authentication
General Terms
Security, Human Factors
Keywords
Graphical password, Baroque music, Memorability, PassPoints
1. INTRODUCTION
Alphanumeric passwords are widely used in identity authentication to protect users’ privacy. But the password problem arises because such passwords are expected to meet two conflicting requirements: (1) Passwords should be easy to remember, and the user authentication protocol should be executable quickly and easily. (2) Passwords should be secure, i.e. they should be random-looking and should be hard to guess; they should be changed frequently, and should be different for multiple accounts; they should not be written down or stored in plain text. Meeting these conditions is almost impossible for humans, with the result that the use of alphanumeric passwords is caught in a dilemma: long complicated passwords are hard for people to remember, while shorter ones are susceptible to attack.

Graphical passwords have been proposed as an alternative to textual passwords with their advantages in usability and security. The main motivation is that psychologists have shown that in both recognition and recall tasks, images are more memorable than words or sentences [15, 17]. It is conceivable that humans would be able to remember stronger passwords of a graphical nature. However, users still tend to choose passwords that are memorable in some way, which means that graphical passwords still tend to follow predictable patterns that are easier for attackers to exploit [4, 16, 23].

There are three dominant graphical password techniques, which can be defined as Drawmetrics, Locimetrics and Cognometrics [5, 22]. PassPoints is a representative Locimetric scheme of particular interest and worthy of extensive study. In PassPoints, passwords consist of a sequence of several click-points on a given image, and hotspots are a primary security problem [2, 7].

The literature reveals that users are the ’weakest link’ in password authentication, probably due to their memory limitations [18, 20, 29].
Psychological and physiological studies indicate that baroque music has positive effects of great importance on human memorizing and learning [8, 10]. In this paper, we investigate the novel idea of introducing background baroque music to the PassPoints graphical password scheme with the purpose of alleviating users’ memory burden and improving usable security. A laboratory study was conducted to explore the efficiency of background baroque music on memorizing graphical passwords. We are also interested in whether the background music has other effects on graphical passwords, such as on the login time and the password complexity.

The results of our empirical study are very encouraging in the PassPoints scheme. The music group coped significantly better than the group without music when recalling passwords after one week. The music group also tended to set significantly more complicated passwords. This appears to suggest that the applied music could improve the memorability of PassPoints passwords. Besides, the background music had no significant influence on login times.

The remainder of the paper is outlined as follows: Section 2 reviews graphical password schemes and Baroque music. Sections 3 and 4 describe the methodology of our studies and present the results respectively. Section 5 discusses the experimental results. Conclusion and future work are addressed in Section 6.
2. RELATED WORKS
2.1 Graphical Passwords
The ubiquity of graphical interfaces for applications and input devices, such as the mouse, stylus and touch-screen, has enabled the emergence of graphical authentication. There are three kinds of dominant techniques available, which can be defined as: Drawmetrics (DAS [14], BDAS [9], YAGP [11]), Locimetrics (Blonder [1], PassPoints [27]) and Cognometrics (Deja Vu [6], Passfaces [9], ColorLogin [12]) [5, 22].

Drawmetrics systems require users to reproduce a pre-drawn outline drawing on a grid. DAS is a typical drawmetric scheme based purely on recall, and requires the user to create a unique image on a drawing grid [14]. BDAS is a variant of DAS [9], which can encourage users to set strong passwords and enhance memorability by introducing background images. YAGP proposed a modification to DAS where approximately correct drawings can be accepted, based on Levenshtein distance string matching and trend quadrants of pen strokes [11]. As a consequence of this approximation algorithm, a finer grid may be used.

Originating in Blonder’s work, the Locimetrics approach involves users choosing several sequential locations in an image [1, 13]. PassPoints [27] is a representative scheme of this category, where users may choose any place in the image as a password click point. Although this scheme was found to be relatively usable, security analyses find it vulnerable to hotspots and simple patterns within images [2, 23]. To reduce the security impact of hotspots, CCP (Cued Click-Points) [3] and PCCP (Persuasive-CCP) [2] were proposed.

In Cognometrics systems, users must recognize the target images embedded amongst a set of distractor images. This category includes Deja Vu [6] based on abstract images, Passfaces which relies on face recognition [19] and ColorLogin [12] using multiple background colors to decrease login time. Memorability for abstract images in Deja Vu was found to be only half as good as that for photographic images with a clear central subject [26].
User studies by Valentine have shown that Passfaces has a high degree of memorability [24, 25], but Davis found that people tended to select their favorite faces [4]. ColorLogin uses background color to decrease login time. Multiple colors are used to confuse the peepers, while not burdening the legitimate users [12]. Meanwhile, the scheme is resistant to shoulder surfing and intersection attacks to a certain extent. However, the hotspot is still a problem that needs addressing.

It can be concluded that most graphical passwords either tend to follow predictable patterns or have a low degree of memorability. The crux of the problem is the users’ memory limitations. Extensive research has shown that Baroque music has different uses for education and therapy [27]. Our particular interest is to explore the role of music in learning and memorizing graphical passwords.

Figure 1: Different brain waves.
As human memory capacity is unlikely to increase significantly over the next few years, creating a nice environment for memorizing passwords might alleviate users’ burden. Our investigation was mainly motivated by scientific literature in psychology and physiology. There are demonstrations that music can improve memory, and in what follows we will illustrate it. Georgi Lozanov made a remarkable impact in integrating music into teaching practice [8, 21]. He created a teaching method called Suggestopedia, wherein the use of background music, particularly baroque music with a rate of 50 to 70 beats per minute (BPM), is a cornerstone of accelerated learning techniques. We will briefly review the research into the effects of music on learning in this subsection.

There is various research with regard to our brain and the different cycles it works in. As shown in Figure 1, brain waves can be divided into four types according to frequency. They are named beta, alpha, theta and delta in decreasing order, and represent different states of mind. The frequency of the beta state is 13-25 CPS (Cycles per Second), alpha 8-12 CPS, theta 4-7 CPS and delta 0.5-3 CPS. When we are wide awake and alert, figuring out complex problems and talking, our brain will probably stay in the beta state, which characterizes logical thought, analysis and action. This is the brain wave of our conscious mind and thus not the best state for stimulating our long-term memory [8]. Instead, alpha lets us reach our subconscious, in which most information we learn will be stored. It is a state of relaxed alertness, facilitating inspiration, fast assimilation of facts and heightened memory. While alpha characterizes relaxation and meditation, theta characterizes deep meditation and reverie. The theta state can be best described as the twilight zone between being fully awake and fully asleep, and the delta state is reached when we are in deep sleep [8]. In conclusion, the alpha state is optimal for learning and memorizing.

Baroque music can help the brain produce alpha waves, and information imbued with music has a greater likelihood of being encoded in long-term memory by the brain. That is why accelerated learning techniques introduce music into the learning process. For example, the Mozart Effect [21] is a phenomenon in which music has a positive effect on learning and memory.

In the previous subsection, we have found that human memory limitations have caused lots of security problems. We bring background baroque music to the PassPoints graphical password scheme and do an investigation to check whether it can improve users’ memory or induce users to set stronger passwords.

Table 1: The login times (Seconds) for both groups in each session of the study
Test             Group      Avg.   t-test   S.d.   Max   Min
10 Minutes test  No music   16.5   No

Figure 2: Passwords in PassPoints with length being 5.
3. EXPERIMENTS
For the purpose of collecting and analyzing the success rate, user habits, and login time automatically, we reproduced the scheme, intentionally modeling it very closely after the original PassPoints [27]. We still adopt the name PassPoints for convenience.

Users are required to select several positions in a single image as their passwords and, for authentication, click close to the chosen points in the correct order and within a tolerance distance. To maintain compatibility with previous studies [27] as much as possible, the PassPoints application used pool images (315 × 236 pixels) and a tolerance area of 20 × 20 pixels [28]. For example, the password in Figure 2 contains five click points, labeled in order by small red rectangles.

A population of 28 participants was invited to the experiment study. All the participants were university students and the average age of the participants was 26 years old. We hypothesized that background music could improve human memory and then induce people to choose more complex passwords and take less time to log in. This study used a between-subjects design: 14 participants were assigned to the control group without background music and the other half to the music group. None of them had previously used PassPoints passwords. We chose the baroque music suggested by Lozanov with a rate of 50 to 70 BPM as the background music. The speaker volume was set to 30 to 40 decibels as suggested.

There were two lab-based sessions in our user study. Session 1 was a short-term one, taking about two hours. At the beginning of Session 1, each participant was asked to read an instruction document. This provided information about their activities in the experiments and helped them know how PassPoints works. To make the rules clearer, an example was included. Then participants were required to complete the registration and login of PassPoints. People were asked to reenter the password to confirm it. After a short delay of 10 minutes, participants were asked to log in within at most three attempts. In the end, participants needed to answer a demographic questionnaire collecting information including age, sex and experience with graphical passwords. One week later, at Session 2, all the participants returned to the lab and tried to log in to the scheme within three attempts using their previously created passwords.
4. RESULTS
Two types of statistical tests were used to evaluate whether differences in the data reflect actual disparity between conditions or whether these may have occurred by chance. A two-tailed t-test was used for comparing the means of two groups and Fisher’s exact test was used to compare recall success rates. In all cases, we regard a value of P <

Since people were not familiar with graphical passwords, and it therefore usually takes much more time to either create or enter graphical passwords, we are interested in finding a method to reduce it. Previous sections have claimed that background music could improve human memory, so we assumed that less time was needed to recall the passwords for the music group. In Table 1, the login time represents the total time spent during the authentication, which began when the login screen first appeared and continued until the user entered their username and password. ’No’ means not significant in the t-test.

Compared with the control group, the music group took more time to log in to the scheme both in short-term and long-term tests. The results of t-tests (two tails) showed that none of the differences were statistically significant. It is worthwhile to note that one person of the music group took 213s to log in to PassPoints in the long-term test, and data from the two groups did not satisfy the requirement of ”homogeneity of variances”. A t-test was thus not available to test the difference. Excluding the 213s data point, the max time was 80s for the music group and the average 48.6s.
We examine success rates as a measure of participants’ performance. Table 2 compares the successful recalls in each group. During the recall after ten minutes, the success rates were high on the whole, both groups reaching a 100% success rate, indicating that participants’ memory was not strongly taxed during this phase.

After one week, the performances of the two groups differed. We found a significant difference between the two groups. The music group was significantly more likely to successfully recall the passwords than the control group. In addition, the success rate of the control group decreased from 100% in the previous phase to 35.7% while the success rate of the music group only decreased by 7.1%. P=0.004 in the Fisher test means that the groups being tested are different from each other with great probability. This aligns with psychology research, which continues to show that certain music advances long-term memory. The results suggest that the background music could significantly help people remember passwords in long-term memory.

Table 2: Success rates in each group for PassPoints
Group        10-minute test          1-week test
             ratio    Fisher-test    ratio    Fisher-test
No music     100%     P=1            37.5%    P=0.004
With music   100%                    92.9%

Table 3: Complexity of PassPoints
Group      Password length
           Avg.   t-test          S.d.   Max   Min
No music   3.79   t=1.61, P <

Figure 3: Hotspots in music group.
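The Fisher test figures reported for the recall success rates can be recomputed directly. The following is an added example, not the authors' analysis code: it implements the two-sided Fisher's exact test and assumes the one-week rates correspond to 5 of 14 successful recalls without music (35.7%) and 13 of 14 with music (92.9%), and 14 of 14 in both groups after ten minutes.

```python
from math import comb


def fisher_exact_two_sided(a, b, c, d):
    """Two-sided Fisher's exact test for the 2x2 table [[a, b], [c, d]].

    Rows are groups, columns are (recalled, failed). The p-value is the
    total probability, with row and column totals fixed, of every table
    that is no more likely than the observed one.
    """
    row1, row2 = a + b, c + d
    col1 = a + c
    n = row1 + row2

    def weight(x):
        # Number of ways to get x successes in group 1 and col1 - x in group 2.
        # Integer weights avoid floating-point ties between mirror tables.
        return comb(row1, x) * comb(row2, col1 - x)

    lowest = max(0, col1 - row2)   # fewest successes group 1 can have
    highest = min(row1, col1)      # most successes group 1 can have
    observed = weight(a)
    extreme = sum(weight(x) for x in range(lowest, highest + 1)
                  if weight(x) <= observed)
    return extreme / comb(n, col1)


# Assumed counts (14 participants per group, as stated in Section 3).
P_ONE_WEEK = fisher_exact_two_sided(5, 9, 13, 1)       # no music vs. music
P_TEN_MINUTES = fisher_exact_two_sided(14, 0, 14, 0)   # both groups 100%

if __name__ == "__main__":
    print(f"1-week test:    P = {P_ONE_WEEK:.4f}")
    print(f"10-minute test: P = {P_TEN_MINUTES:.4f}")
```

Under these assumed counts the one-week comparison rounds to P=0.004 and the ten-minute comparison gives P=1, the values listed in Table 2.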
5. DISCUSSION
Based on the previous results, we now revisit our hypothesis that background music could improve human memory and then induce people to choose more complex passwords. This hypothesis was supported in PassPoints considering the password complexity. People in the music condition not only chose significantly more complicated passwords, but also had significantly higher recall success rates in the long-term test. In respect of login time and other aspects, there were some differences between the two groups with and without music, but they were not statistically significant.
People committed different types of error as shown in Table 4. There are three types of error in PassPoints: pwd-Len error, i.e., people forgetting the password length; position error, i.e., people can recall the password length but click outside the tolerance region; and order error, i.e., people can recall the password length and position but mix up the click-point order. In the PassPoints scheme, many recall failures were down to either forgetting the password length or clicking points outside the tolerance region. In recall errors and especially in position errors, the music group had a great advantage over the non-music group, probably due to its higher recall success rate in the long-term recall test.
Table 4: Recall errors in PassPoints
                 Group        Pwd-len   Position   Order
10 minutes test  No music     14        16         2
                 With music   9         9          3
One week test    No music     2         2          1
                 With music   1         2          0
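The login rule from Section 3 (ordered clicks, each inside the tolerance area) and the three error types above can be expressed as a small checker. This is an added example, not the authors' software: it assumes the 20 × 20 tolerance area is a square centred on each stored click-point, compares raw coordinates, and uses constructed sample clicks; all function names are hypothetical.

```python
from itertools import permutations
from math import log2

IMAGE_W, IMAGE_H = 315, 236   # image size given in Section 3
TOLERANCE = 20                # side of the tolerance area in pixels


def within_tolerance(stored, click, side=TOLERANCE):
    """True if click lies in the side x side square centred on stored (assumed shape)."""
    half = side / 2
    return abs(click[0] - stored[0]) <= half and abs(click[1] - stored[1]) <= half


def classify_attempt(password, attempt):
    """Return 'success', 'pwd-len', 'order' or 'position' for one login attempt."""
    if len(attempt) != len(password):
        return "pwd-len"      # wrong number of click-points
    if all(within_tolerance(p, c) for p, c in zip(password, attempt)):
        return "success"
    # Right places, wrong sequence: some reordering of the clicks matches.
    for candidate in permutations(attempt):
        if all(within_tolerance(p, c) for p, c in zip(password, candidate)):
            return "order"
    return "position"         # at least one click is outside every region


def theoretical_bits(clicks, side=TOLERANCE):
    """Upper bound on the password space in bits.

    Assumes the image is tiled with non-overlapping tolerance squares and
    every square is equally likely, which hotspots violate in practice.
    """
    cells = (IMAGE_W // side) * (IMAGE_H // side)
    return clicks * log2(cells)


# Constructed sample data: a five-click password and four login attempts.
PASSWORD = [(40, 50), (120, 200), (300, 30), (210, 110), (75, 180)]
ATTEMPTS = {
    "close enough": [(45, 44), (118, 207), (293, 35), (210, 110), (80, 171)],
    "one click short": [(40, 50), (120, 200), (300, 30), (210, 110)],
    "two clicks swapped": [(40, 50), (300, 30), (120, 200), (210, 110), (75, 180)],
    "last click off": [(40, 50), (120, 200), (300, 30), (210, 110), (75, 195)],
}

if __name__ == "__main__":
    for label, attempt in ATTEMPTS.items():
        print(f"{label:20s} -> {classify_attempt(PASSWORD, attempt)}")
    for n in (4, 5):
        print(f"{n} clicks: at most {theoretical_bits(n):.1f} bits")
```

Under the tiling assumption each additional click-point adds about 7.4 bits, which is why password length serves as the complexity measure; clustering of clicks on hotspots reduces the effective figure.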
Figure 4: Hotspots in control group without music.
Hotspots are areas of the image with a higher probability of being chosen by users as individual click-points. Hotspots are a serious security problem in click-based schemes. Figure 3 shows the hotspot distribution of PassPoints passwords in the music group, Figure 4 shows the hotspots in the control group without music, and Figure 5 shows the total hotspots in the two groups. We can see similar slight clustering of click-points in both groups. It appears that background music does not work in terms of hotspots. Points with high visual salience were still more likely to be selected as passwords.
Contrary to our expectation, participants in the music condition took a little more time to log in to the scheme in the two tests. We now take a closer look at this issue to understand where the offset arose. We found that participants in the music group had a slightly higher average username length (5.93 vs. 4.21). Furthermore, the username was greater than the password in average length, which means that the time to enter the username cannot be ignored. Besides, we found that the music group took fewer attempts to log in in the short-term recall test (1.21 vs. 1.38), and this partially holds in the long-term test.

Therefore, it might be the time to recall and enter the username that results in the slight difference between the two groups in login time. To evaluate the login time more precisely, another program collecting the time to recall and enter passwords is necessary.
6. CONCLUSIONS
Study results have shown that introducing baroque music to the PassPoints graphical password scheme is effective with regard to password memorability and complexity. With the music stimulus, people not only tended to construct significantly more complicated passwords than their counterparts without music, but also performed significantly better in terms of recall success in the long-term tests. This result indicated that the background music improved the memorability of passwords in PassPoints. But in respect of login time and hotspots, there were no statistically significant differences between the two groups.

We made our study follow the established methods of experimental psychology as much as possible and admit that it did not strictly reflect the true situation. First, the participants in our study (all of them were university students and very young) only represented a small part of the whole. It is important to get a wider selection of people with various backgrounds in further studies. Second, the participants had no incentive to perform as if protecting or accessing anything of real-life value to them; therefore it is not difficult to understand that many passwords created in both conditions were weak. Third, the effect of the background music volume remains to be discussed when it is embedded into a scheme. Despite these limitations, our controlled laboratory experiment laid a good foundation for further in-depth studies.

This work provides a significant extension to the study of security and usability of the click-based PassPoints graphical password. Future work includes larger-scale studies with careful experimental design and a comprehensive study of the Baroque music effect on graphical passwords.

Figure 5: Total hotspots in two groups.
7. ACKNOWLEDGMENTS
The authors would like to thank the reviewers for their helpful and constructive comments on this paper. Project 60903198 supported by National Natural Science Foundation of China.
8. REFERENCES
[1] G. E. Blonder. Graphical password. US Patent 5559961, Lucent Technologies, Inc., Murray Hill, NJ, August 30, 1995.
[2] S. Chiasson, A. Forget, R. Biddle, and P. van Oorschot. Influencing users towards better passwords: Persuasive cued click-points. In British Computer Society Conference on Human-Computer Interaction, 2008.
[3] S. Chiasson, P. van Oorschot, and R. Biddle. Graphical password authentication using cued click-points. ESORICS, 2007.
[4] D. Davis, F. Monrose, and M. K. Reiter. On user choice in graphical password schemes. In Proceedings of the 13th Usenix Security Symposium. San Diego, CA, 2004.
[5] A. DeAngeli, L. Coventry, G. Johnson, and K. Renaud. Is a picture really worth a thousand words? exploring the feasibility of graphical authentication systems. In International Journal of Human-Computer Studies, 2005. 128-152.
[6] R. Dhamija and A. Perrig. Deja vu: A user study using images for authentication. In , 2000.
[7] A. Dirik, N. Memon, and J. Birget. Modeling user choice in the passpoints graphical password scheme. In Symp. on Usable Privacy and Security, 2007.
[8] G. Dryden and J. Vos. The Learning Revolution - To change the way the world learns. Stafford: Network Educational Press, 2001.
[9] P. M. Dunphy and J. Yan. Do background images improve "draw a secret" graphical passwords? In Proceedings of the 14th ACM Conference on Computer and Communications Security, 2007, 36-47.
[10] E. Fassbender, D. Richards, and M. Kavakli. Game engineering approach to the effect of music on learning in virtual-immersive environments. In International Conference on Games Research and Development: CyberGames, Western Australia, 2006.
[11] H. Gao, X. Guo, X. Chen, L. Wang, and X. Liu. Yagp: Yet another graphical password strategy. In Annual Computer Security Applications Conference, 2008, 121-129.
[12] H. Gao, X. Liu, R. Dai, S. Wang, and X. Chang. Analysis and evaluation of the colorlogin graphical password scheme. In Fifth International Conference on Image and Graphics, 2009, 722-727.
[13] K. Higbee. Your Memory: How it Works and How to Improve it, Second ed. Prentice-Hall Press, New York, 1988.
[14] I. Jermyn, A. Mayer, F. Monrose, M. Reiter, and A. Rubin. The design and analysis of graphical passwords. In Proceedings of the 8th USENIX Security Symposium, August 1999.
[15] S. Madigan. Picture memory. Imagery, Memory, and Cognition, Lawrence Erlbaum Associates, pages 65–86, 1983.
[16] D. Nali and J. Thorpe. Analyzing user choice in graphical passwords. Technical report, School of Information Technology and Engineering, University of Ottawa, Canada, 2004.
[17] D. L. Nelson, U. S. Reed, and J. R. Walling. Picture superiority effect. Journal of Experimental Psychology: Human Learning and Memory
Realuser website, Mar 10, 2010.
[20] A. S. Patrick, A. C. Long, and S. Flinn. Hci and security systems. In ACM Conference on Human Factors in Computing Systems, Ft. Lauderdale, Florida, USA, 2003.
[21] F. Rauscher, G. Shaw, and K. Ky. Music and spatial task performance. Nature, 365(6447):611–611, 1993.
[22] X. Suo, Y. Zhu, and G. Owen. Graphical passwords: A survey. In Annual Computer Security Applications Conference, 2005.
[23] J. Thorpe and P. Oorschot. Human-seeded attacks and exploiting hot-spots in graphical passwords. In USENIX Security Symp, 2007.
[24] T. Valentine. An evaluation of the passface personal authentication system. Technical report, Goldsmiths College, University of London, 1998.
[25] T. Valentine. Memory for passfaces after a long delay. Technical report, Goldsmiths College, University of London, 1999.
[26] D. Weinshall and A. S. Kirkpatrick. Passwords you’ll never forget, but can’t recall. In International conference for human-computer interaction, 2004.
[27] S. Wiedenbeck, J. Waters, J. Birget, A. Brodskiy, and N. Memon. Design and longitudinal evaluation of a graphical password system. International J. of Human-Computer Studies, 63:102–127, 2005.
[28] S. Wiedenbeck, J. Waters, J. C. Birget, A. Brodskiy, and N. Memon. Authentication using graphical passwords: Effects of tolerance and image choice. In Symposium on Usable Privacy and Security, Carnegie-Mellon University, Pittsburgh, 2005.
[29] J. Yan, A. Blackwell, R. Anderson, and A. Grant. Password memorability and security: Empirical results.