Later this month, Ahn’s research team will give a presentation on the work, titled “On the Security of Picture Gesture Authentication,” at the USENIX Security Symposium in Washington, D.C., a prominent gathering of leading computer security experts. The symposium is organized by USENIX, the Advanced Computing Systems Association.
Ahn is a professor in the School of Computing, Informatics and Decision Systems Engineering, one of ASU’s Ira A. Fulton Schools of Engineering. He is also founder and chief technology officer of GFS Technology Inc., an ASU-incubated company.
He has been researching the vulnerability of the Windows 8 password-protection system with a team that includes computer science doctoral student Ziming Zhao and computer science master’s degree student Jeong-Jin Seo, along with Hongxin Hu, an ASU graduate and now an assistant professor of computer and information sciences at Delaware State University.
Ahn says the system will provide significantly more security to protect Windows users from hackers who may use automated scripts to crack passwords.
The team began by identifying common traits in an experiment group’s selection of password patterns. They gathered data from a group of participants using Amazon.com, as well as from students who used the Windows 8 security platform to log into class work. The researchers found the users tended to pick predictable patterns to create passwords.
Users' choices showed a common tendency to concentrate patterns around an image’s “points of interest,” such as faces, eyeglasses or brightly colored objects. Ahn’s team developed algorithms that identified possible points of interest in images users created for password patterns.
“Based on the user habits and patterns, we created a ranked pattern dictionary,” he explains. With that finding, Ahn’s team was able to figure out the password patterns used by the experiment group – showing there was more work to be done to better protect the Windows 8 system.
The team created password-strength meters similar to those commonly used to test how secure common text passwords are. By checking the strength of a pattern in advance, users can guard against hacking by selecting unusual patterns that avoid obvious points of interest.
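A strength meter of the kind described above can be sketched as follows. This is an added illustration, not the research team's algorithm: the gesture encoding (tap, circle, line), the circular point-of-interest model, the pixel tolerance and the weak/medium/strong thresholds are all assumptions made for the example.

```python
from dataclasses import dataclass
from math import hypot

@dataclass(frozen=True)
class PoI:
    """A point of interest, modelled (assumption) as a circle in pixel coordinates."""
    label: str
    x: float
    y: float
    radius: float

def anchors(gesture):
    """Points that define a gesture: a tap or circle has one, a line has two."""
    kind, *coords = gesture
    if kind in ("tap", "circle"):      # ("tap", x, y) / ("circle", x, y, r)
        return [(coords[0], coords[1])]
    if kind == "line":                 # ("line", x1, y1, x2, y2)
        return [(coords[0], coords[1]), (coords[2], coords[3])]
    raise ValueError(f"unknown gesture type: {kind}")

def on_poi(point, pois, tolerance=10.0):
    """True if the point falls on (or within `tolerance` pixels of) any PoI."""
    return any(hypot(point[0] - p.x, point[1] - p.y) <= p.radius + tolerance
               for p in pois)

def strength(gestures, pois, tolerance=10.0):
    """Score = share of gesture anchors that avoid every PoI (0.0 to 1.0)."""
    points = [pt for g in gestures for pt in anchors(g)]
    if not points:
        raise ValueError("a picture password needs at least one gesture")
    hits = sum(on_poi(pt, pois, tolerance) for pt in points)
    score = 1.0 - hits / len(points)
    label = "weak" if score == 0 else "strong" if score == 1 else "medium"
    return score, label

# Constructed sample data: PoIs such as a detector might report for one photo.
POIS = [PoI("face", 200, 150, 40), PoI("eyeglasses", 200, 140, 20),
        PoI("red ball", 450, 300, 30)]
# Constructed passwords: one that follows the PoIs, one that avoids them, one mixed.
PREDICTABLE = [("tap", 200, 150), ("circle", 450, 300, 35),
               ("line", 200, 150, 450, 300)]
UNUSUAL = [("tap", 50, 400), ("circle", 600, 50, 25), ("line", 100, 50, 320, 420)]
MIXED = [("tap", 200, 150), ("tap", 50, 400), ("line", 600, 50, 450, 300)]

if __name__ == "__main__":
    for name, pw in [("predictable", PREDICTABLE), ("unusual", UNUSUAL),
                     ("mixed", MIXED)]:
        print(name, strength(pw, POIS))
```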
Ahn has been granted a provisional U.S. patent securing the results of his research while he and his team organize documentation and data for an application to have the system approved for a permanent patent.