Draw a Secret (DAS) is a graphical password input scheme developed by Ian Jermyn, Alain Mayer, Fabian Monrose, Michael K. Reiter and Aviel D. Rubin and presented in a paper at the 8th USENIX Security Symposium in August 1999.[1]
The scheme replaces alphanumeric password strings with a picture drawn on a grid. Instead of entering an alphanumeric password, this authentication method allows users to authenticate with a set of gestures drawn on a grid. The user's drawing is mapped to a grid, and the order of the coordinate pairs used to draw the password is recorded as a sequence. A new entry is inserted into the recorded "password" sequence when the user ends one stroke (the motion of pressing down on the screen or mouse to begin drawing, followed by lifting the stylus or mouse after creating a line or shape) and begins another on the grid.
Overview
In DAS, a password is a picture drawn free-form on a grid of size N x N. Each grid cell is denoted by two-dimensional discrete coordinates (x, y) ∈ [1, N] × [1, N]. A completed drawing, i.e., a secret, is encoded as the ordered sequence of cells that the user crosses whilst constructing the secret.[2]
The predominant argument in favor of graphical over alphanumeric passwords is the picture superiority effect, which describes the improved performance of the human mind in recalling images and objects over strings of text. DAS exploits this effect, as complex drawings are easier for the human mind to memorize than a long string of alphanumeric characters. This allows the user to input stronger and more secure sequences through graphical password input schemes than through conventional text input, with relative ease.
Variations
Background Draw a Secret (BDAS)
This variation on the original DAS scheme is meant to improve both the security of the scheme and the ease of verification by the user. The same grid is used as in the original Draw a Secret, but a background image is shown beneath the grid. The background image aids in the reconstruction of difficult-to-remember passwords. This is because when using the original system, the user must not only remember the strokes associated with the password, but also the grid cells that the strokes pass through. This may introduce difficulty, as all the grid cells are alike and have no distinguishing features. With BDAS, the user can choose an image to place under the grid, whose unique features aid in correct placement of the drawing.
A study done at Newcastle University showed that with a background image, participants in the study tended to construct more complex pass phrases (e.g. with a greater length or stroke count) than those who had used DAS, though the rate of recall after a one-week period showed an almost identical percentage of participants being able to recall DAS sequences and BDAS sequences.[2]
Rotational Draw a Secret (R-DAS)
R-DAS is a variation on the original Draw a Secret system, whereby the user is allowed to rotate the drawing grid either between strokes in the sequence or after the entire sequence has been entered and the "secret" has been drawn. After one rotation is done, any following rotations in the same direction, without a counter-rotation in a different direction between them, are treated as one rotation.[3]
An example of the added password strength is shown below:[3]
If the original password is entered as follows (Presented as the sequence of strokes through the grid):
The encoding of a particular secret has a one-to-many relationship with the possible drawings it can represent. This implies that more than one drawing may in fact be accepted as a successful authentication of the user.[2] This is especially true with a small number of cells in the N x N grid.
To resolve this issue, more cells can be included in the grid. A finer grid makes it more difficult to cross through all of the cells required to match the password sequence. The cost of this added security is an increase in the difficulty for the legitimate user to reproduce the password. The more cells that are present in the grid, the more accurate the user must be when entering the password in order to stroke through all of the required cells in the correct order.
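The following added example (not code from the DAS paper or any cited implementation) encodes a drawing as the ordered sequence of crossed cells described in the Overview, with an assumed pen-up marker between strokes, and then shows the one-to-many property discussed above: two constructed drawings that differ as pen paths encode identically on a 5 x 5 grid but differ once the grid is refined to 10 x 10. The canvas size, the pen-up marker value and the sample drawings are all assumptions.

```python
# Added example (not the DAS paper's code): encode a drawing as crossed grid cells.
from typing import Iterator, List, Tuple

Point = Tuple[float, float]   # canvas coordinates, each in [0, SIZE]
Stroke = List[Point]          # sampled points of one pen-down ... pen-up motion
Cell = Tuple[int, int]
SIZE = 100.0                  # canvas is SIZE x SIZE units (assumption)
PEN_UP: Cell = (0, 0)         # end-of-stroke marker; real cells are 1-based

def cell_of(p: Point, n: int) -> Cell:
    """Map a canvas point to its 1-based (x, y) cell on an n x n grid."""
    x = min(int(p[0] * n / SIZE) + 1, n)
    y = min(int(p[1] * n / SIZE) + 1, n)
    return (x, y)

def cells_along(stroke: Stroke, n: int, steps: int = 50) -> Iterator[Cell]:
    """Walk each sampled segment in small steps so no crossed cell is skipped."""
    for (x0, y0), (x1, y1) in zip(stroke, stroke[1:]):
        for i in range(steps + 1):
            t = i / steps
            yield cell_of((x0 + t * (x1 - x0), y0 + t * (y1 - y0)), n)

def encode(strokes: List[Stroke], n: int) -> List[Cell]:
    """DAS secret: cells in crossing order (consecutive repeats collapsed),
    with PEN_UP appended each time the pen is lifted."""
    seq: List[Cell] = []
    for stroke in strokes:
        for c in cells_along(stroke, n):
            if not seq or seq[-1] != c:
                seq.append(c)
        seq.append(PEN_UP)
    return seq

def verify(candidate: List[Stroke], secret: List[Cell], n: int) -> bool:
    """Authentication succeeds only if the encodings match exactly."""
    return encode(candidate, n) == secret

# Constructed sample drawings: a horizontal stroke, then a vertical one.
# DRAWING_B's first stroke drifts downward by 13 units instead of staying flat.
DRAWING_A: List[Stroke] = [[(10.0, 10.0), (90.0, 10.0)], [(50.0, 50.0), (50.0, 90.0)]]
DRAWING_B: List[Stroke] = [[(10.0, 5.0), (30.0, 8.0), (50.0, 12.0), (90.0, 18.0)],
                           [(50.0, 50.0), (50.0, 90.0)]]

def same_secret(n: int) -> bool:
    """True when both drawings encode identically on an n x n grid."""
    return verify(DRAWING_B, encode(DRAWING_A, n), n)

if __name__ == "__main__":
    print("5x5 accepts B as A:", same_secret(5), "| 10x10:", same_secret(10))
```

On the coarse grid the drifting stroke of DRAWING_B never leaves the first row of cells, so it is accepted as DRAWING_A's secret; on the 10 x 10 grid the same drift crosses a cell boundary and the match fails.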
Graphical Dictionary Attacks
Through the use of common "hotspots" or "points of interest" in a grid or background image, a graphical dictionary attack can be initiated to guess users' passwords.[4]
Other factors such as similar shapes and objects in the background image also form "click order" vulnerabilities, as these shapes may be clumped together and used in a sequence.[5]
These attacks are far more applicable to the Background variation of Draw a Secret, as it utilizes an image that can be used to exploit the vulnerabilities explained above.
A study in 2013[6] also showed that users have a tendency to go through similar password selection processes across different background images.
Shoulder Surfing Attacks
This form of attack is initiated by a bystander watching the user enter their password. This attack is present in most input schemes for authentication, but DAS schemes are especially vulnerable as the user's strokes are displayed on the screen for all to see. This is unlike alphanumeric text input, where the characters entered are not actually displayed on screen.
Three techniques have been designed for protecting DAS and BDAS systems from shoulder surfing attacks:[7]
Decoy Strokes - the use of strokes that are entered simply to confuse potential onlookers; they may be differentiated by colors chosen by the user.[7]
Disappearing Strokes - each stroke is removed from the screen after it is entered by the user.[7]
Line Snaking - an extension of the disappearing strokes method, where shortly after a stroke is started its tail begins to disappear, giving the appearance of a "line snaking".[7]
Implementations
The initial implementation of DAS was on PDAs (personal digital assistants). More recently, with the release of Windows 8, Microsoft included the option of switching to a "picture password". This is essentially an implementation of BDAS (as it requires the choice of a picture in the background) but is limited to a three-gesture sequence when setting a password, reducing the actual security that BDAS provides over conventional alphanumeric passwords.[8]