In human guessing attacks, humans have to enter passwords manually, which is far slower than a machine. For 8-character passwords, the password space is $33^8 \approx 2^{40}$ for ClickText with an alphabet of 33 characters, $10^8 \approx 2^{26}$ for ClickAnimal with an alphabet of 10 animals, and $10 \times 46^7 \approx 2^{42}$ for AnimalGrid with the ClickAnimal setting plus a $6 \times 6$ grid (the first symbol is one of the 10 animals, each of the remaining 7 is one of the 10 animals or 36 grid cells).
If we assume that 1000 people are employed to work 8 hours per day without any stop in a human guessing attack, and that each person takes 30 seconds to finish one trial, then on average (half the space must be searched) it would take them $0.5 \cdot 33^8 \cdot 30 / (3600 \cdot 8 \cdot 1000 \cdot 365) \approx 2007$ years to break a ClickText password, $0.5 \cdot 10^8 \cdot 30 / (3600 \cdot 8 \cdot 1000) \approx 52$ days to break a ClickAnimal password, or $0.5 \cdot 10 \cdot 46^7 \cdot 30 / (3600 \cdot 8 \cdot 1000 \cdot 365) \approx 6219$ years to break an AnimalGrid password [29].
Because of its larger password space, TextPoints needs much longer to break than ClickText.
A recent study on text passwords [29] indicates that users tend to choose passwords of 6–8 characters and have a strong dislike of non-alphanumeric characters, and that an acceptable benchmark of effective password space is the expected number of optimal guesses per account needed to break 50% of accounts, which is equivalent to 21.6 bits for Yahoo! users. If we assume that ClickText has roughly the same effective password space as text passwords, breaking a ClickText password requires on average 1000 people working 1.65 days, or one person working 4.54 years. Note that this is an average over a population of accounts, not the effort to break one particular account whose password may be unusually strong or weak.
In relay attacks, captcha challenges are forwarded either to human surfers, who solve them as the price of continuing to browse a website, or to sweatshops where humans are paid small amounts to solve them. CaRP, however, uses the CbPA-protocol [18], which is robust to relay attacks. The methods used to relay captcha challenges to humans do not transfer to CaRP: each relayed CaRP challenge yields only one password guess, so mounting a human guessing attack on CaRP requires a large number of unwitting people.
Let us assume that sweatshops are hired to mount a human guessing attack and that the cost of one click-trial on CaRP is $1 per 1000 challenges, the lowest going rate. The estimated average cost to break a 26-bit password is then $0.5 \cdot 2^{26} \cdot 1/1000$, or about 33.6 thousand US dollars.
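The following Python model reproduces the human-guessing time estimates for ClickText, ClickAnimal and AnimalGrid above, the effective-space estimate based on the 21.6-bit benchmark, and the sweatshop cost estimate just given. It is an added example, not code from the original paper; every constant (30 s per trial, 1000 workers, 8 h/day, 365 days/year, $1 per 1000 trials, uniformly chosen passwords so that half the space is searched on average) is a modelling assumption taken from the text, and the function names are this example's own.

```python
"""Guessing-cost model for click-based graphical passwords (CaRP).

Added illustration, not the paper's code.  All constants are assumptions
quoted from the text, so changing them changes every estimate below.
"""
import math

SECONDS_PER_HOUR = 3600
HOURS_PER_DAY = 8           # assumed working day of a hired guesser
DAYS_PER_YEAR = 365
SECONDS_PER_TRIAL = 30.0    # assumed time for a human to finish one trial
USD_PER_1000_TRIALS = 1.0   # assumed lowest sweatshop price per 1000 trials

# Nominal password spaces for 8-character passwords (from the text).
SCHEMES = {
    "ClickText": 33 ** 8,          # alphabet of 33 characters
    "ClickAnimal": 10 ** 8,        # alphabet of 10 animals
    "AnimalGrid": 10 * 46 ** 7,    # first an animal, then animal or 6x6 cell
}


def password_space(alphabet_size: int, length: int) -> int:
    """Size of the nominal space of fixed-length passwords."""
    return alphabet_size ** length


def space_from_bits(bits: float) -> float:
    """Inverse of log2: an effective space quoted as N bits."""
    return 2.0 ** bits


def expected_trials(space: float) -> float:
    """Average guesses to hit a uniformly chosen password: half the space."""
    return 0.5 * space


def guessing_days(space: float, workers: int = 1000,
                  seconds_per_trial: float = SECONDS_PER_TRIAL,
                  hours_per_day: int = HOURS_PER_DAY) -> float:
    """Calendar days until the average password falls to `workers` humans
    guessing in parallel, each spending `seconds_per_trial` per attempt."""
    labor_seconds = expected_trials(space) * seconds_per_trial
    labor_seconds_per_day = workers * hours_per_day * SECONDS_PER_HOUR
    return labor_seconds / labor_seconds_per_day


def guessing_years(space: float, **kw) -> float:
    return guessing_days(space, **kw) / DAYS_PER_YEAR


def sweatshop_cost_usd(space: float,
                       usd_per_1000: float = USD_PER_1000_TRIALS) -> float:
    """Average cost of an outsourced guessing attack at a flat price."""
    return expected_trials(space) * usd_per_1000 / 1000.0


def summary() -> dict:
    """Every figure quoted in the text, recomputed from the model."""
    out = {name: {"bits": math.log2(s), "years_1000_workers": guessing_years(s)}
           for name, s in SCHEMES.items()}
    out["ClickAnimal"]["days_1000_workers"] = guessing_days(SCHEMES["ClickAnimal"])
    effective = space_from_bits(21.6)    # 50%-of-accounts benchmark from [29]
    out["ClickText_effective"] = {
        "days_1000_workers": guessing_days(effective),
        "years_one_person": guessing_years(effective, workers=1),
    }
    out["sweatshop_26bit_usd"] = sweatshop_cost_usd(2 ** 26)
    return out


if __name__ == "__main__":
    for name, figures in summary().items():
        print(name, figures)
```

The nominal spaces are only upper bounds on attacker effort; the `ClickText_effective` entry shows how the same model collapses from about 2000 years to under two days once the 21.6-bit effective space is used in place of the 40-bit nominal one, which is the number a practitioner should plan around.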
On its own, CaRP is not robust to shoulder-surfing attacks, but when combined with dual-view technology it can thwart them. Shoulder-surfing attacks are a real danger when graphical passwords are entered at bank ATM machines. Normal, commonly used LCDs have brightness and colour that vary with the viewing angle [33]; dual-view technology exploits this by using software to display two images concurrently on one LCD, a public image visible from most viewing angles and a private image visible only from a specific viewing angle. The CaRP image is shown as the private image. A shoulder-surfing attacker can record the points the user clicks on the screen, but cannot capture the private CaRP image on which those points were clicked, because only the user can see it. The captured click points are useless on their own because CaRP generates a new, computationally independent image for every login attempt, so the recorded points do not correspond to the objects in the next image. In contrast, for a traditional graphical password such as PassPoints, which uses the same static image for every login attempt, the captured click points can be replayed to log in successfully even when the image is shown on the private view of a dual-view LCD.
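The following simulation contrasts the two cases described above: a PassPoints-style scheme whose image is fixed, so shoulder-surfed click points replay successfully, and a CaRP-style scheme whose objects are re-placed at random for every login, so the same points decode to a different object sequence. It is an added illustration, not code from the original paper; the 6 × 6 grid, the 50-pixel cells, the 10 animal names and the modelling of a login as "click the cell showing each animal of the password" are assumptions of this example rather than CaRP's actual image generation.

```python
"""Replay of shoulder-surfed click points against a static image versus a
fresh object layout per login.  Added illustration; grid size, cell size and
animal names are assumptions of this example, not CaRP's real rendering."""
import random
from typing import Dict, List, Optional, Tuple

GRID = 6                      # assumed 6x6 grid of cells
CELL = 50                     # assumed cell size in pixels
ANIMALS = ["dog", "cat", "horse", "pig", "cow",
           "sheep", "bird", "fish", "frog", "bear"]   # assumed alphabet of 10

Layout = Dict[int, str]       # cell index -> animal drawn in that cell
Point = Tuple[int, int]       # screen coordinates of one click


def random_layout(rng: random.Random) -> Layout:
    """A fresh image: each animal is drawn in a distinct random cell."""
    cells = rng.sample(range(GRID * GRID), len(ANIMALS))
    return dict(zip(cells, ANIMALS))


def cell_index(p: Point) -> int:
    x, y = p
    return (y // CELL) * GRID + (x // CELL)


def click_sequence(password: List[str], lay: Layout,
                   rng: random.Random) -> List[Point]:
    """What the user does: click somewhere inside the cell of each animal."""
    where = {animal: cell for cell, animal in lay.items()}
    points = []
    for animal in password:
        c = where[animal]
        x0, y0 = (c % GRID) * CELL, (c // GRID) * CELL
        points.append((x0 + rng.randrange(CELL), y0 + rng.randrange(CELL)))
    return points


def decode(points: List[Point], lay: Layout) -> List[Optional[str]]:
    """What the server does: map each click back to the object under it."""
    return [lay.get(cell_index(p)) for p in points]


def login(points: List[Point], lay: Layout, password: List[str]) -> bool:
    return decode(points, lay) == password


def replay_attack(password: List[str], fresh_image_per_login: bool,
                  seed: int = 1) -> bool:
    """Victim logs in once while being watched; attacker replays the points.

    Static image (PassPoints-style): the replay is made against the very same
    layout and succeeds.  Fresh image (CaRP-style): the objects have moved,
    so the recorded coordinates now decode to a different sequence."""
    rng = random.Random(seed)
    victim_layout = random_layout(rng)
    captured = click_sequence(password, victim_layout, rng)   # shoulder-surfed
    attack_layout = random_layout(rng) if fresh_image_per_login else victim_layout
    return login(captured, attack_layout, password)


def leaked_click_fraction(password: List[str], trials: int = 2000,
                          seed: int = 2) -> float:
    """Monte Carlo: fraction of replayed clicks that still land on the right
    animal when every login draws a fresh layout.  With uniform placement
    this is about 1/(GRID*GRID) per click, so an 8-click replay essentially
    never succeeds as a whole."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        captured = click_sequence(password, random_layout(rng), rng)
        guess = decode(captured, random_layout(rng))
        hits += sum(g == p for g, p in zip(guess, password))
    return hits / (trials * len(password))


if __name__ == "__main__":
    pw = ["dog", "cat", "frog", "bear", "cat", "fish", "pig", "cow"]
    print("static image, replay logs in:", replay_attack(pw, False))
    print("fresh image,  replay logs in:", replay_attack(pw, True))
    print("per-click leakage with fresh images:", leaked_click_fraction(pw))
```

The point the simulation makes is that dual-view only hides the image; what makes the recorded coordinates worthless is that the mapping from screen position to password symbol is re-randomised per login, which a static-image scheme like PassPoints does not do.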