IEEE Access (Jan 2024)

A Systematic Literature Review on the Security Attacks and Countermeasures Used in Graphical Passwords

  • Lip Yee Por,
  • Ian Ouii Ng,
  • Yen-Lin Chen,
  • Jing Yang,
  • Chin Soon Ku

DOI
https://doi.org/10.1109/ACCESS.2024.3373662
Journal volume & issue
Vol. 12
pp. 53408 – 53423

Abstract

Read online

This systematic literature review delves into the dynamic realm of graphical passwords, focusing on the myriad security attacks they face and the diverse countermeasures devised to mitigate these threats. The core objective of this paper is to identify existing security threats to graphical password schemes and the corresponding countermeasures developed to mitigate these attacks. The study process begins by identifying the usable databases and search engines to identify all the relevant resources. The inclusion and exclusion criteria were carefully selected to prioritize the study, focusing mostly on attacks and countermeasures related to graphical password schemes between 2009 and 2023. After thorough identification and selection progress, 59 studies met all the criteria. Among these studies, 47 mentioned shoulder surfing as a threat to graphical password schemes, while 20 discussed brute force attacks. Additionally, there were 21 papers on dictionary attacks, 13 on smudge attacks, spyware attacks, and social engineering, and 19 that discussed guessing attacks as threats to graphical password schemes. Furthermore, the papers identified several other attacks, including frequency of occurrence analysis attacks, video recording, eavesdropping, computer vision, sonar, and image gallery attacks, with the corresponding numbers of papers being 9, 17, 5, 2, 2, and 1, respectively. The results also highlight the countermeasures proposed in the study papers to mitigate the aforementioned attacks. Among the various countermeasures identified, most revolve around randomization, obfuscation, and password space complexity as the most commonly used techniques for enhancing the security of graphical password schemes.

Keywords