Graphical dictionaries and the memorable space of graphical passwords

In commonplace textual password schemes, users choose passwords that are easy to recall. Since memorable passwords typically exhibit patterns, they are exploitable by brute-force password crackers using attack dictionaries. This leads us to ask what classes of graphical passwords users find memorable. We postulate one such class supported by a collection of cognitive studies on visual recall, which can be characterized as mirror symmetric (reflective) passwords. We assume that an attacker would put this class in an attack dictionary for graphical passwords and propose how an attacker might order such a dictionary. We extend the existing analysis of graphical passwords by analyzing the size of the mirror symmetric password space relative to the full password space of the graphical password scheme of Jermyn et al. (1999), and show it to be exponentially smaller (assuming appropriate axes of reflection). This reduction m size can be compensated for by longer passwords: the size of the space of mirror symmetric passwords of length about L + 5 exceeds that of the full password space for corresponding length L less than or equal to 14 on a 5 x 5 grid. This work could be used to help in formulating password rules for graphical password users and in creating proactive graphical password checkers.