Article

New Test to Detect Clustered Graphical Passwords in Passpoints Based on the Perimeter of the Convex Hull

by Joaquín Alberto Herrera-Macías 1, Lisset Suárez-Plasencia 1, Carlos Miguel Legón-Pérez 1, Guillermo Sosa-Gómez 2,* and Omar Rojas 2
1 Instituto de Criptografía, Facultad de Matemática y Computación, Universidad de la Habana, Habana 10400, Cuba
2 Facultad de Ciencias Económicas y Empresariales, Universidad Panamericana, Álvaro del Portillo 49, Zapopan 45010, JAL, Mexico
* Author to whom correspondence should be addressed.
Information 2024, 15(8), 447; https://doi.org/10.3390/info15080447
Submission received: 4 June 2024 / Revised: 25 July 2024 / Accepted: 27 July 2024 / Published: 30 July 2024

Abstract

This research paper presents a new test based on a novel approach for identifying clustered graphical passwords within the Passpoints scenario. Clustered graphical passwords are considered a weakness of graphical authentication systems, introduced by users during the registration phase, and thus it is necessary to have methods for the detection and prevention of such weaknesses. Graphical authentication methods serve as a viable alternative to the conventional alphanumeric password-based authentication method, which is susceptible to known weaknesses arising from user-generated passwords of this nature. The test proposed in this study is based on estimating the distributions of the perimeter of the convex hull, based on the hypothesis that the perimeter of the convex hull of a set of five clustered points is smaller than the one formed by random points. This convex hull is computed based on the points that users select as passwords within an image measuring 1920 × 1080 pixels, using the built-in function convhull in Matlab R2018a relying on the Qhull algorithm. The test was formulated by choosing the optimal distribution that fits the data from a total of 54 distributions, evaluated using the Kolmogorov–Smirnov, Anderson–Darling, and Chi-squared tests, thus achieving the highest reliability. Evaluating the effectiveness of the proposed test involves estimating type I and type II errors, for five levels of significance $\alpha \in \{0.01, 0.02, 0.05, 0.1, 0.2\}$, by simulating datasets of random and clustered graphical passwords with different levels of clustering. In this study, we compare the effectiveness and efficiency of the proposed test with existing tests from the literature that can detect this type of pattern in Passpoints graphical passwords. Our findings indicate that the new test demonstrates a significant improvement in effectiveness compared to previously published tests. Furthermore, the joint application of the two tests also shows improvement.
Depending on the significance level determined by the user or system, the enhancement results in a higher detection rate of clustered passwords, ranging from 0.1% to 8% compared to the most effective previous methods. This improvement leads to a decrease in the estimated probability of committing a type II error. In terms of efficiency, the proposed test outperforms several previous tests; however, it falls short of being the most efficient, using computation time measured in seconds as a metric. It can be concluded that the newly developed test demonstrates the highest effectiveness and the second-highest efficiency level compared to the other tests available in the existing literature for the same purpose. The test was designed to be implemented in graphical authentication systems to prevent users from selecting weak graphical passwords, enhance password strength, and improve system security.

1. Introduction

Studies conducted by various researchers [1,2] indicate that using alphanumeric passwords as an authentication method is not advisable due to the vulnerabilities arising from users’ password creation practices. The primary vulnerabilities in the security of this password type stem from users’ improper selection of characters during the registration process and their tendency to reuse passwords across multiple websites. To facilitate memorization, passwords are typically designed to be short, with limited character variation, and frequently incorporate personal information, thereby enhancing the potential for unauthorized access by imposters [3]. The utilization of artificial intelligence in a recent application aimed at compromising alphanumeric passwords serves as additional evidence for implementing alternative authentication methods [4]. As a means of addressing this issue, graphical passwords have emerged as a potential solution. These authentication systems offer a significantly larger password space compared to alphanumeric passwords. The efficiency of this approach relies on the human capacity to recognize and recall patterns in visual representations, as opposed to memorizing lengthy and intricate sequences of characters [5].
The Passpoints system, developed by Wiedenbeck in 2005 [6], is notable for its security and usability compared to other cued-recall type systems [7]. The process involves the user choosing a sequence of five points within an image during the registration phase to serve as their password. During the process of authentication, it is imperative for the user to accurately and precisely repeat the sequence in the correct order, adhering to the specific tolerance set by the system. The system’s weaknesses lie in the quality of the images chosen by the user or system, the presence of predictable patterns in password creation, and the use of discretization mechanisms that decrease the password space and provide valuable information for conducting dictionary attacks.
To enhance the security of Passpoints, it is crucial to incorporate tools during the registration phase that can notify users about the weakness of their graphical passwords. Additionally, implementing a method during the authentication phase to assess the level of authenticity for each user is equally important. Several articles have been published in recent years addressing the topic at hand. For instance, in the work by [8], a probabilistic model of graphical authentication is proposed for the authentication phase. This model enables the practical measurement of the level of authenticity for each user, categorizing them as high, medium, low or shallow. Only users with high or medium authenticity levels are authenticated based on the results obtained. In [9,10], two spatial randomness tests were introduced to identify non-random, clustered and regular graphical passwords in the Passpoints. These tests were developed in response to the limited effectiveness of traditional tests in verifying the complete spatial randomness in this specific scenario [9,11]. Recently, the joint application of the previously mentioned tests has been proposed by [12], making it the most effective alternative currently available as of the time of writing this article. Finally, the proposal of an effective test [13], the only one in the consulted bibliography, has been proven effective in detecting patterns characterized by points that exhibit a linear or near-linear shape, commonly referred to as smooth patterns. These recent contributions have positioned this graphical authentication system as a viable alternative to conventional authentication methods, offering enhanced security and usability.
The convex hull of a set of $n$ points in the plane is a fundamental concept in computational geometry [14,15,16,17]: it is the smallest convex polygon that contains all the points of the set [14,17,18,19]. Its efficient implementation is an ongoing area of research [20,21,22,23,24], with applications in various fields. However, there is a lack of references to applications related to security issues, such as the one presented in this work. There exist several algorithms for computing the convex hull, whose complexities are of the order $O(n^3)$, $O(n^2)$, and $O(n \log n)$. However, in the specific scenario considered in this study, where the $n$ points are randomly distributed, the complexity can be reduced to a linear function of the number of points, $O(n)$.
The primary attributes of the convex hull of a set of points in the plane include its perimeter, area, and the number of vertices. There have been studies on the statistical properties when the number of points tends to infinity [25,26,27]. Additionally, the convex hull of a random walk determined by an ordered set of points can be calculated, and the statistical properties of this convex hull were also investigated [28,29]. Research in this field has primarily concentrated on examining the mean limit values of the functional of the convex hull [27], assuming some properties for the set of n points. Currently, the distribution of the perimeter of the convex hull of a random set of points in the plane remains unknown for a finite and significantly small number of points.
This study presents a novel spatial randomness test that can effectively identify clustered graphical passwords in the Passpoints scenario. In this study, a comparative analysis is conducted to evaluate the effectiveness and efficiency of the proposed test in detecting a specific pattern in the graphical passwords of Passpoints. The comparison is made with other tests found in the existing literature that can identify similar patterns. All the implementations and experiments were conducted using MATLAB R2018a to compare the tests on a PC Laptop equipped with an AMD Athlon Silver 3050U processor, running at 2.30 GHz and with 8 GB of RAM. The work is organized into five sections: Section 1, Introduction, provides an overview of the study; Section 2 presents the preliminaries, Passpoints, and known tests to detect graphical passwords in the Passpoints scenario; Section 3 presents our contribution, which is a new test designed to detect clustered graphical passwords in Passpoints; Section 4 shows the comparison with the antecedents; and finally, Section 5 presents the conclusions drawn from the study and outlines potential future research directions.

2. Preliminaries

2.1. Passpoints

Using graphical passwords has emerged as a potential solution to address the primary challenge associated with alphanumeric passwords, namely the user’s struggle to remember highly secure passwords. Alphanumeric passwords typically consist of alphabets with up to 90 symbols. The standard length for these passwords, as recommended by the National Institute of Standards and Technology (NIST) [30], is eight characters. This results in a total key space of $90^{8} = 4.3 \times 10^{15}$. In the context of Passpoints systems, the key space for the outdated image resolution of 800 × 480 pixels is $V^{5}_{800 \times 480} = 8.3 \times 10^{25}$. Since $10^{15} \ll 10^{25}$, Passpoints not only outperforms alphanumerics in terms of usability but also in terms of security. Graphical authentication methods can be categorized into three groups: recognition-based techniques, recall-based techniques, and cued-recall-based techniques [31]. The cued-recall type systems distinguish themselves from previous systems due to their unique characteristic of only necessitating users to recall and concentrate on specific locations within an image. This feature aims to alleviate users’ cognitive burden by providing a simplified alternative to memorizing a complex array of characters.
Passpoints are notable within the category of graphical authentication systems of the cued recall-type due to their commendable combination of usability and security. The system’s usability involves the user’s selection of five points within an image to serve as their password during the registration phase. The user can choose the image themselves or have one the system provides. In the authentication process, the user must select the points chosen during the registration phase within a specified neighborhood or tolerance region in the same sequential order. However, despite the security provided by the large password space, not all images are appropriate for use in Passpoints. One vulnerability of this technique is the potential attack on the points most likely to be selected in the image, commonly referred to as hotspots in the literature [32]. The recommendation in [6] is to enhance the security of this technique by selecting an image with hundreds of hotspots that are evenly distributed throughout. Other vulnerabilities arising from user actions, irrespective of the image itself, include the inadvertent selection of specific regions within the image, such as the edges or the center, and the inherent interdependence often observed among the chosen points, such as the password [33,34]. These interdependencies among points are referred to as point patterns [35]. Hackers can exploit the predictability of certain patterns in graphical passwords through various techniques to gain unauthorized access. Therefore, graphical passwords should adhere to a random pattern to maintain security. The strength of a graphical password is compromised when the points are not distributed randomly. Several common non-random patterns have been identified in the study conducted by [36].

2.2. Known Tests to Detect Clustered Graphical Passwords in Passpoints

In this subsection, we present and describe some known tests to detect clustered graphical passwords in Passpoints.
First, we present a test based on the average distance between the points. In [9], an effective spatial randomness test was proposed to detect non-random graphical passwords in Passpoints. Having concluded that the mean distances between the five points of a graphical password follow a normal distribution, the authors constructed a two-tailed hypothesis test to differentiate between clustered, random, and regular graphical passwords. Their experiments demonstrated the overall effectiveness of the test in detecting non-random graphical passwords, with a particular emphasis on its ability to identify clustered patterns. They further demonstrated that the efficacy of the test is independent of the image size chosen by the user or system. Utilizing an image of dimensions 1920 × 1080 pixels as a point of reference, the authors created three distinct databases characterized by varying levels of clustering. In the three levels of clustering examined, the test successfully identified approximately 94%, 99%, and 100% of the passwords analyzed at a significance level $\alpha = 0.1$, as recommended by the authors for widespread application.
A test was proposed in [10] based on the average of the perimeters of the Delaunay triangles. This study focuses on identifying non-random graphical passwords composed of five clustered or regularly positioned points. The analysis involves conducting a two-tailed test centered around the mean of the perimeters of the Delaunay triangles. To ensure normality, the perimeters are transformed using the Johnson SB [37] transformation. To effectively implement this test, the authors have underscored the importance of considering the selected image size, as the Johnson SB parameters vary depending on the image sizes. As in the previous test, passwords were simulated for the same clustering levels. A reference image of 1920 × 1080 pixels was used, and it was determined that the effectiveness of the test does not depend on the size of the image selected. For the three levels of clustering, the test yielded detection rates of 87.07%, 99.66%, and 100%, respectively, with a significance level of $\alpha = 0.1$. Their results showed that the clustering detection is more accurate than regularity.
The third is a joint application of the previous tests in Passpoints. Both tests were designed to be included in graphical authentication systems with the Passpoints technique to enable the system to check the randomness of a password established by the user during the registration phase. Figure 1, extracted from the work of [12], illustrates the schematic representation of the joint application of both tests during the Passpoints registration phase. The authors’ decision to initially employ the test utilizing the mean distances between points is justified by its greater efficiency and effectiveness. This approach enables the prompt rejection of non-random passwords with high accuracy. Until the time of this publication, this joint test was the one that reported the most significant effectiveness in detecting clustered graphical passwords. Table 1 shows the number of clustered graphical passwords detected using the joint application of both tests for each of the three clustering levels, consisting of 10,000 passwords each.

3. Our Contribution: New Test to Detect Clustered Graphical Passwords in Passpoints

3.1. Our Hypothesis

The clustered graphical passwords in Passpoints can be characterized as those with points concentrated in a smaller image area. Considering the above, the hypothesis proposes using the perimeter of the convex hull delimited by the five points as an indicator of the clustering measure of the points. Figure 1 shows the convex hull determined by three graphical passwords with patterns of clustering (a), randomness (b), and regularity (c), respectively. Figure 2 supports the proposed hypothesis.
Knowing the probability distribution that best fits the perimeter of the convex hull delimited by five randomly distributed points on the image would enable the development of a hypothesis test capable of differentiating between the three alternative patterns with a predetermined significance level, $\alpha$.

3.2. Estimate of the Probability Distribution of the Perimeter of the Convex Hull

The following experiment was conducted to determine the probability distribution of the perimeter of the convex hull formed by five points uniformly distributed on an image with dimensions of 1920 × 1080 pixels.
Experiment 1: A total of 1000 graphical passwords, with points randomly distributed over an image with dimensions of 1920 × 1080 pixels, were simulated. For each of these passwords, the perimeter of the convex hull they determine was calculated, resulting in a database (DB.1) of 1000 real values that can be analyzed. To assess the goodness of fit of the data to various probability distributions, we utilized the EasyFit v.5.6 software.
Results of Experiment 1: The data showed an excellent fit to the Johnson SB distribution with parameters $\gamma = 0.65612$, $\delta = 1.5922$, $\lambda = 4575.1$, $\xi = 495.15$. Figure 3 illustrates the fit of the Johnson SB distribution to the data. Three goodness-of-fit tests were used to measure the fit of the data: Anderson–Darling, Kolmogorov–Smirnov, and Chi-squared; Table 2 shows the results of these tests.
Knowing these results, it is assumed that the distribution sought is a Johnson SB, whose parameters, estimated using EasyFit v5.6 software, are shown in Table 3.

3.3. Hypothesis Test Based on the Perimeter of the Convex Hull

Once the probability distribution is known as a Johnson SB, the practical application of this criterion is facilitated by considering the desirable characteristic of the Johnson SB distribution, which can be transformed into a standard Normal distribution by applying Equation (1) [37]
$$PEC_N = JSB(PEC) = \gamma + \delta \times \ln\left[(PEC - \xi)/(\lambda + \xi - PEC)\right], \qquad (1)$$
using the parameters of Table 3, it is obtained that $PEC_N \sim N(0, 1)$, where $PEC_N$ represents the perimeter of the convex hull after performing the Johnson SB transformation. Using this property, the definition of a clustered graphical password detection test is reduced to applying a mean test for the standard normal distribution $PEC_N$.
The proposal consists of a two-tailed test based on the perimeter of the convex hull delimited by the five points of a graphical password. The Johnson SB transformation maps this perimeter to a standard Normal distribution. To apply this test, the image size that the user selects must be considered, as the estimated parameters for the Johnson SB distribution depend on it.

3.3.1. Definition of the Proposed Test

The null hypothesis
$$H_0 : E[PEC_N] = 0$$
is proposed, indicating that the graphical password selected by the user is random if the Johnson SB transformation of the perimeter of the convex hull to a standard Normal distribution is equal to 0. As an alternative hypothesis, we have
$$H_1 : E[PEC_N] \neq 0,$$
where evidence less than zero indicates clustering; otherwise, it indicates regularity. The test statistic is the Johnson SB transformation of the perimeter of the convex hull delimited by the points of a graphical password,
$$Z = JSB(P_{PEC}) = \gamma + \delta \times \ln\left[(P_{PEC} - \xi)/(\lambda + \xi - P_{PEC})\right],$$
with the values of the parameters selected according to the size of the image, and with the critical region $\{z : Z < -z_{\alpha/2} \text{ or } Z > z_{\alpha/2}\}$, where $\alpha$ is the significance level previously established by the user or system. In this specific problem, committing a type I error means rejecting random passwords, which can reduce usability, while committing a type II error means not rejecting non-random passwords, which is a threat to the security of the system.

3.3.2. Evaluation of the Effectiveness of the Proposed Test

According to the definition of the test, obtaining values of $E[PEC_N] > 0$ would indicate a pattern of regularity. However, the results obtained in this aspect during the experiments are not significant compared to those reported by previous studies. Therefore, it is not necessary to include them in this article. In this section, only the results concerning the detection of clustered patterns are reported, which constitutes the main contribution of this work. The following experiments were conducted to estimate the type I and type II errors committed by the proposed test.
Experiment 2: To estimate the probabilities of committing a type I error, we simulated 10,000 new graphical passwords. The points in these passwords were randomly distributed over the image. These passwords are stored in the database and are labeled as DB.2. The proposed test was applied to each of these passwords, and the number of false positives obtained was counted for each significance level $\alpha \in \{0.2, 0.1, 0.05, 0.02, 0.01\}$. The results of Experiment 2 are summarized in Table 4.
In each case, the estimated probability of committing a type I error corresponds to the predetermined theoretical significance levels. Observe that this proper adjustment is only expected if the procedures carried out up to the moment of adjusting to the Johnson SB distribution and its subsequent transformation are correct. Therefore, these values contribute to the validity of the proposed test.
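The test of Section 3.3.1 and the type I check of Experiment 2 can be reproduced compactly; the Python below is an added example, not the authors' MATLAB code. It uses Andrew's monotone chain instead of Qhull's convhull and treats perimeters outside the fitted Johnson SB support as ±∞, and the sample passwords are constructed. It also assumes that γ is negative: the page shows 0.65612 without a sign, which would centre uniformly random passwords near Z ≈ 1.3 rather than 0.

```python
import math
import random
from statistics import NormalDist

WIDTH, HEIGHT = 1920, 1080  # reference image size used on this page

# Johnson SB parameters reported for Experiment 1 (1920 x 1080 image).
# ASSUMPTION: gamma is entered as negative. The page text shows 0.65612 with no
# sign, but only the negative value puts uniformly random passwords near Z = 0.
GAMMA, DELTA, LAMBDA, XI = -0.65612, 1.5922, 4575.1, 495.15


def cross(o, a, b):
    """z-component of (a - o) x (b - o); positive means a left turn."""
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])


def convex_hull(points):
    """Andrew's monotone chain: hull vertices in counter-clockwise order."""
    pts = sorted(set(points))  # points are (x, y) tuples
    if len(pts) <= 2:
        return pts
    lower, upper = [], []
    for p in pts:
        while len(lower) >= 2 and cross(lower[-2], lower[-1], p) <= 0:
            lower.pop()
        lower.append(p)
    for p in reversed(pts):
        while len(upper) >= 2 and cross(upper[-2], upper[-1], p) <= 0:
            upper.pop()
        upper.append(p)
    return lower[:-1] + upper[:-1]


def hull_perimeter(points):
    """PEC: perimeter of the convex hull of the password's click points."""
    hull = convex_hull(points)
    return sum(math.dist(hull[i], hull[(i + 1) % len(hull)])
               for i in range(len(hull)))


def johnson_sb_z(perimeter):
    """Equation (1): map PEC to Z, approximately N(0,1) for random passwords."""
    y = (perimeter - XI) / LAMBDA
    if y <= 0:   # below the fitted support: tighter than the model allows
        return -math.inf
    if y >= 1:   # above the fitted support
        return math.inf
    return GAMMA + DELTA * math.log(y / (1 - y))


def classify(points, alpha=0.05):
    """Two-tailed test on Z; returns (verdict, Z)."""
    z = johnson_sb_z(hull_perimeter(points))
    z_crit = NormalDist().inv_cdf(1 - alpha / 2)
    if z < -z_crit:
        return "clustered", z
    if z > z_crit:
        return "regular", z
    return "random", z


def estimate_type1_rate(n=5000, alpha=0.05, seed=7):
    """Experiment 2 in miniature: share of uniform passwords that are rejected."""
    rng = random.Random(seed)
    rejected = 0
    for _ in range(n):
        pts = [(rng.randrange(WIDTH), rng.randrange(HEIGHT)) for _ in range(5)]
        if classify(pts, alpha)[0] != "random":
            rejected += 1
    return rejected / n


# Constructed sample passwords (not data from the paper).
TIGHT = [(900, 500), (950, 520), (930, 560), (980, 540), (960, 590)]
BLOCK = [(600, 300), (1000, 300), (1000, 500), (600, 500), (800, 400)]
SPREAD = [(200, 200), (1500, 150), (1700, 900), (400, 950), (900, 500)]
CORNERS = [(0, 0), (1919, 0), (1919, 1079), (0, 1079), (960, 540)]

if __name__ == "__main__":
    for name, pw in [("TIGHT", TIGHT), ("BLOCK", BLOCK),
                     ("SPREAD", SPREAD), ("CORNERS", CORNERS)]:
        print(name, round(hull_perimeter(pw), 1), classify(pw))
    print("estimated type I rate at alpha = 0.05:", estimate_type1_rate())
```

At registration time a "clustered" verdict is the signal to ask the user for a different set of points; raising `alpha` rejects more clustered passwords at the cost of rejecting more random ones.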
Experiment 3: To evaluate the effectiveness of the proposed test in detecting clustered graphical passwords, a total of 30,000 graphical passwords distributed across three clustering levels were generated. The first clustering level, DB.3.1, comprises 10,000 graphical passwords generated using an aggregation distance of 410 pixels. The second clustering level, DB.3.2, comprises 10,000 graphical passwords generated using an aggregation distance of 335 pixels. The third level, DB.3.3, comprises 10,000 graphical passwords generated using a 290-pixel aggregation distance. The proposed test was applied to each of these passwords, and the number of passwords detected for each clustering level was recorded, obtaining an estimate of the type II error committed. Table 5 and Figure 4 present the estimation of the probability of committing a type II error. Figure 4 illustrates the number of clustered passwords detected by the test for each database.
The obtained results provide evidence of the validity and effectiveness of the proposed test. Observe that, while for DB.3.1, the minimum detection value recorded is 41.1%, for DB.3.2 and DB.3.3, the values exceed 90.7% and 99.4%, respectively. This is a clear sign that the test becomes more effective with the increase in the clustering level, which is consistent with the formulated hypothesis. The test is particularly effective for the significance levels $\alpha = 0.1$ and $\alpha = 0.2$, achieving detection rates of over 94.4% and 99.7%, respectively, in all cases. These two levels may be suitable for systems or users with high-security requirements. However, due to their high rate of false positives, using $\alpha = 0.05$ as the standard for more general purposes is recommended. This threshold achieves a detection rate close to 80% in all cases, with a false positive rate of 1 in 20.
It is important to note that this test is not only valid for 1920 × 1080 pixel images. For all images with the same aspect ratio, 16:9, the distribution of the perimeter of the convex hull of the points would be the same, only its parameters would change. Therefore, this test will not present usability problems with changing resolutions of future images of the same aspect ratio. The test can be implemented without limitations or impediments on any type of device that can be interacted with via a screen, such as mobile phones, tablets, laptops, or desktop computers.

4. Comparison with Other Tests in the Literature

The test proposed in this article was compared to the previous methods in terms of its effectiveness in detecting clustered graphical passwords and its efficiency. For this study, the tests to be compared will be denoted as follows: Test 1, which is based on the average distance between the points [9]; Test 2, which is based on the average of the perimeters of the Delaunay triangle [10]; Test 3, which is the joint application of the previous tests [12]; and Test 4, which is the test proposed in this study. Of the references consulted, the one that has shown the highest effectiveness is test 3. Therefore, it will serve as our benchmark in this regard. Regarding efficiency, the best option is test 1; we will compare our test with it.

4.1. Effectiveness

Since the clustered password databases used in this work were generated following the same algorithm described in [12], it is possible to compare the reported results directly. Table 6 shows the difference in type II errors of Test 3 compared to the proposed Test 4.
The proposed test reduces the type II error concerning the most effective antecedents for each of the analyzed significance levels of $\alpha$. This led to an increase in the percentage of graphical passwords detected, as illustrated in Figure 5, and consequently, in the overall effectiveness of the test.

4.2. Efficiency

To assess the efficiency of the proposed tests, they were implemented in Matlab 2018 software, adhering to the guidelines outlined in their respective original articles. Subsequently, the execution time of 100 graphical passwords was measured. The results are summarized in Table 7. Regarding efficiency, the proposed test outperforms Test 3 in the three times measured but is surpassed by Test 1 in all cases.

5. Conclusions and Future Work

This paper proposes a new test for detecting clustered graphical passwords in Passpoints, extensible to all images with a 16:9 aspect ratio. This test’s novelty is that its estimated type II error and detection rate are the best reported so far. The execution time of the test was greater in the experiments conducted than in the previous best results. However, this difference is insignificant regarding the test’s usability, as it is imperceptible to the users.
In this work, we proposed the hypothesis that the perimeter of the convex hull determined by the 5 points of a Passpoints graphical password would be an effective test statistic in detecting clustering patterns. This hypothesis is based on intuitive and visual evidence that the perimeter decreases when the points are closer together. It was demonstrated using the EasyFit software 5.6 and several goodness-of-fit tests that the proposed test statistic follows a Johnson SB distribution with parameters $\gamma = 0.65612$, $\delta = 1.5922$, $\lambda = 4575.1$, $\xi = 495.15$. The Johnson SB transformation was used to convert the data to a standard normal distribution. A mean test was then conducted to evaluate graphical passwords. The effectiveness experiments considered three levels of clustering, following the guidelines established by the antecedents to enable a direct comparison with them. For the first clustering level, at significance levels $\alpha \in \{0.2, 0.1, 0.05, 0.02, 0.01\}$, the test detected clustered passwords with percentages greater than 99.7%, 94.4%, 79.7%, 55.9%, and 41.1%, respectively. In the second level, the percentages were 100%, 100%, 99.9%, 97.5%, and 90.7%, respectively. In the third level, the percentages were 100%, 100%, 100%, 99.9%, and 99.4%, respectively. These results allowed us to accept the proposed hypothesis and validate the effectiveness of the proposed test.
In comparison to the antecedents, it can be observed that the effectiveness was superior to that reported by other tests available in the literature for the three clustering levels and the five significance levels. Consequently, this new proposal’s estimated type II error was also lower than that reported in previous studies, with a reduction of up to about 0.08 in the best cases. The measured execution time of the proposed test ranks it second among the previous tests. However, the differences between these times are indistinguishable in practice. Therefore, its effectiveness is the most important factor to consider when selecting a test. The experiments conducted in this study and the comparisons made with the existing literature suggest that the proposed test is the most effective option for determining clustered graphical passwords in Passpoints. However, depending on their security needs, the significance level selection is left to the user or system. The authors recommend using a standard significance level of $\alpha = 0.05$ for general purposes. With this level, a detection rate of more than 79.7% is achieved in each case, with one false positive for every 20 attempts. Increasing the significance level to $\alpha = 0.1$ or $\alpha = 0.2$ allows for a reduction in the probability of committing a type II error and increases the power of the test, reaching approximately 94.45% and 99.76% for those levels (Table 5). This would be advantageous for systems with high-security standards, as it would improve the detection of weak passwords. However, it would also increase the risk of obtaining statistically significant erroneous results, raising the probability of committing a type I error. In practice, this translates to a higher rate of false positives: up to 1 in 10 random passwords could be rejected with $\alpha = 0.1$ and 1 in 5 with $\alpha = 0.2$. Thus, while security is improved, usability may be compromised.
The test was designed to be integrated into the graphical authentication systems of the cued-recall type, preventing users from selecting easily guessable graphical passwords with clustered patterns. The test contributes to password strength and enhances the resistance to various security threats, such as automated attacks, targeted password guessing, or dictionary attacks. However, currently, we only have values obtained through simulations and theory. The effectiveness against real attacks should be evaluated in future research.
We are currently developing our implementation of the Passpoints system, which will enable experiments to be conducted using real data and users rather than simulations as previously done in most of the background information about Passpoints. In this implementation, we will incorporate the test proposed in this article and others in the literature capable of detecting various non-random patterns in Passpoints graphical passwords. This will enable us to assess the efficacy of the tests in real-world scenarios. In future work, the hypothesis of complementarity between the newly proposed test and those already existing in the literature is left open. A possible scenario where two or more of the tests complement each other would allow for increased detection values and a reduction in type II error. Furthermore, future research will assess the feasibility of using the convex hull area to detect regular patterns in Passpoints graphical passwords. This approach is based on the intuitive and geometric concept that the convex hull area of five regular points is greater than that of a set of random points.

Author Contributions

Conceptualization, L.S.-P., C.M.L.-P. and J.A.H.-M.; methodology, L.S.-P., C.M.L.-P., G.S.-G. and O.R.; validation, L.S.-P., C.M.L.-P. and G.S.-G.; formal analysis, L.S.-P., J.A.H.-M., C.M.L.-P., O.R. and G.S.-G.; investigation, L.S.-P., C.M.L.-P., J.A.H.-M., O.R. and G.S.-G.; writing—original draft preparation, L.S.-P., C.M.L.-P., J.A.H.-M., O.R. and G.S.-G.; writing—review and editing, L.S.-P., C.M.L.-P., O.R. and G.S.-G.; visualization, L.S.-P. and J.A.H.-M.; supervision, L.S.-P., C.M.L.-P., J.A.H.-M., O.R. and G.S.-G.; project administration, C.M.L.-P. and O.R. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Data is contained within the article.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. David, L.; Wool, A. An explainable online password strength estimator. In Computer Security–ESORICS 2021: 26th European Symposium on Research in Computer Security, Darmstadt, Germany, 4–8 October 2021; Proceedings, Part I 26; Springer International Publishing: Cham, Switzerland, 2021; pp. 285–304.
  2. Awan, K.; Ud Din, I.; Almogren, A.; Kumar, N.; Almogren, A. A Taxonomy of Multimedia-based Graphical User Authentication for Green Internet of Things. ACM Trans. Internet Technol. (TOIT) 2021, 22, 1–28.
  3. Nosenko, A.; Cheng, Y.; Chen, H. Password and Passphrase Guessing with Recurrent Neural Networks. Inf. Syst. Front. 2023, 25, 549–565.
  4. Rando, J.; Perez-Cruz, F.; Hitaj, B. PassGPT: Password Modeling and (Guided) Generation with Large Language Models. In European Symposium on Research in Computer Security; Springer Nature: Cham, Switzerland, 2023.
  5. Itti, L.; Koch, C. Computational modelling of visual attention. Nat. Rev. Neurosci. 2001, 2, 194–203.
  6. Wiedenbeck, S.; Waters, J.; Birget, J.; Brodskiy, A.; Memon, N. PassPoints: Design and longitudinal evaluation of a graphical password system. Int. J. Hum.-Comput. Stud. 2005, 63, 102–127.
  7. Rodriguez Valdés, O.; Legón, C.; Socorro Llanes, R. Seguridad y usabilidad de los esquemas y técnicas de autenticación gráfica. Rev. Cuba. Cienc. Inform. 2018, 12, 13–27.
  8. Legón, C.; Socorro, R.; Navarro, P.; Rodríguez, O.; Borrego, E. Nuevo modelo probabilístico en autenticación gráfica. Ing. Electrón. Autom. Y Comun. 2019, 40, 92–104.
  9. Herrera-Macías, J.; Legón-Pérez, C.; Suárez-Plasencia, L.; Piñeiro-Díaz, L.; Rojas, O.; Sosa-Gómez, G. Test for detection of weak graphic passwords in passpoint based on the mean distance between points. Symmetry 2021, 13, 777.
  10. Suárez-Plasencia, L.; Legón-Pérez, C.; Herrera-Macías, J.; Socorro-Llanes, R.; Rojas, O.; Sosa-Gómez, G. Weak PassPoint Passwords Detected by the Perimeter of Delaunay Triangles. Secur. Commun. Netw. 2022, 2022, 3624587.
  11. Herrera-Macías, J.; Suárez-Plasencia, L.; Legón-Pérez, C.; Piñeiro-Díaz, L.; Rojas, O.; Sosa-Gómez, G. Effectiveness of some tests of spatial randomness in the detection of weak graphical passwords in passpoint. In Proceedings of the International Conference on Computer Science and Health Engineering, Virtual Event, 26 November 2020; pp. 173–183.
  12. Macías, J.; Plasencia, L.; Pérez, C.; Gomez, G. Comparación y combinación de dos test efectivos en la detección de contraseñas gráficas no aleatorias en Passpoints. Rev. Cuba. Cienc. Inform. 2023, 17, 78.
  13. Suárez-Plasencia, L.; Herrera-Macías, J.; Legón-Pérez, C.; Sosa-Gómez, G.; Rojas, O. Detection of DIAG and LINE Patterns in PassPoints Graphical Passwords Based on the Maximum Angles of Their Delaunay Triangles. Sensors 2022, 22, 1987.
  14. Li, F.; Klette, R. Euclidean Shortest Paths. In Euclidean Shortest Paths: Exact or Approximate Algorithms; Springer: London, UK, 2011; pp. 3–29.
  15. Preparata, F.; Shamos, M. Computational Geometry: An Introduction; Springer Science & Business Media: Berlin/Heidelberg, Germany, 2012.
  16. Mark, D.; Otfried, C.; Marc, V.; Mark, O. Computational Geometry Algorithms and Applications; Springer: Berlin/Heidelberg, Germany, 2008.
  17. O'Rourke, J. Computational Geometry in C; Cambridge University Press: Cambridge, MA, USA, 1998.
  18. Rockafellar, R. Convex Analysis; Princeton University Press: Princeton, NJ, USA, 1997.
  19. de Berg, M.; van Kreveld, M.; Overmars, M.; Schwarzkopf, O. Computational Geometry: Algorithms and Applications, 3rd ed.; Springer: Berlin/Heidelberg, Germany, 2008.
  20. Candela, C.; Sepúlveda, L.; Chavarro, J.; Meneses, C.; Sanabria, J.; Arcila, O. Implementación de algoritmos para calcular el Convex Hull. Entre Cienc. Ing. 2022, 16, 27–34.
  21. Gamby, A.; Katajainen, J. A faster convex-hull algorithm via bucketing. In Proceedings of the International Symposium on Experimental Algorithms, Kalamata, Greece, 24–29 June 2019; pp. 473–489.
  22. Gamby, A.; Katajainen, J. Convex-hull algorithms: Implementation, testing, and experimentation. Algorithms 2018, 11, 195.
  23. Keith, A.; Ferrada, H.; Navarro, C. Accelerating the Convex Hull Computation with a Parallel GPU Algorithm. In Proceedings of the 2022 41st International Conference of the Chilean Computer Science Society (SCCC), Santiago, Chile, 21–25 November 2022; pp. 1–7.
  24. Tabacman, M. Implementing and Visualizing Algorithms for Computing Convex Hulls in the Plane; University of Minnesota: Minneapolis, MN, USA, 2021.
  25. Efron, B. The convex hull of a random set of points. Biometrika 1965, 52, 331–343.
  26. Groeneboom, P. Limit theorems for convex hulls. Probab. Theory Relat. Fields 1988, 79, 327–368.
  27. Khamdamov, I.; Chay, Z.; Sharipova, L. The limit distribution of the perimeter of a convex hull generated by a Poisson point process in a convex polygon. Vestn. Tomsk. Gos. Univ. Mat. Mekhanika 2022, 44–57.
  28. McRedmond, J.; Wade, A. The convex hull of a planar random walk: Perimeter, diameter, and shape. Electron. J. Probab. 2018, 23, 1–24.
  29. McRedmond, J.; Fergal, W. Convex Hulls of Random Walks; Durham University: Durham, UK, 2019.
  30. NIST Special Publication 800-63B; Digital Identity Guidelines. Authentication and Lifecycle Management. NIST Special Publication: Gaithersburg, MD, USA, 2017.
  31. Ray, P. Ray’s scheme: Graphical password-based hybrid authentication system for smart hand-held devices. J. Inf. Eng. Appl. 2012, 2, 1–12.
  32. Dirik, A.; Memon, N.; Birget, J. Modeling user choice in the PassPoints graphical password scheme. In Proceedings of the 3rd Symposium on Usable Privacy and Security, Pittsburgh, PA, USA, 18–20 July 2007; pp. 20–28.
  33. Van Oorschot, P.; Salehi-Abari, A.; Thorpe, J. Purely automated attacks on passpoints-style graphical passwords. IEEE Trans. Inf. Forensics Secur. 2010, 5, 393–405.
  34. Zhu, B.; Wei, D.; Yang, M.; Yan, J. Security implications of password discretization for click-based graphical passwords. In Proceedings of the 22nd International Conference On World Wide Web, Rio de Janeiro, Brazil, 13–17 May 2013; pp. 1581–1591.
  35. Floch, J.; Marcon, E.; Puech, F. Spatial distribution of points. In Handbook of Spatial Analysis: Theory and Application with R; Loonis, V., Bellefon, M.P., Eds.; Eurostat: Paris, France, 2018; pp. 77–111.
  36. Chiasson, S.; Forget, A.; Biddle, R.; Oorschot, P. User interface design affects security: Patterns in click-based graphical passwords. Int. J. Inf. Secur. 2009, 8, 387–398.
  37. Pogoda, P.; Ochał, W.; Orzeł, S. Performance of Kernel estimator and Johnson SB function for modeling diameter distribution of black alder (Alnus glutinosa (L.) Gaertn.) stands. Forests 2020, 11, 634.
Figure 1. The joint application scheme of the known tests to detect graphical passwords in Passpoints.
Figure 2. Convex hull determined by the points of a clustered (a), random (b), and regular (c) password.
Figure 3. Histogram of the perimeter database of the convex hull and its fit to a Johnson SB distribution.
Figure 4. Estimated probability $\hat{\beta}$ of committing a type II error (a), clustered graphical passwords detected (C.G.P.D.) by the proposed test (b).
Figure 5. Number of clustered graphical passwords detected by each of the tests in the databases DB.3.1 (a), DB.3.2 (b), and DB.3.3 (c).
Table 1. Number of clustered graphical passwords detected using the joint application of both tests for each of the three clustering levels, consisting of 10,000 passwords each. Taken from [12].

| Significance Level | First Clustering Level | Second Clustering Level | Third Clustering Level |
|---|---|---|---|
| 0.2 | 9922 | 10,000 | 10,000 |
| 0.1 | 9358 | 10,000 | 10,000 |
| 0.05 | 7931 | 9987 | 10,000 |
| 0.02 | 5365 | 9576 | 9987 |
| 0.01 | 3652 | 8300 | 9805 |

Table 2. Results of the goodness-of-fit tests applied to the Johnson SB distribution estimated from the data contained in DB.1, for the significance levels α ∈ {0.02, 0.01, 0.05, 0.1, 0.2}.

| Goodness-of-Fit Test | Kolmogorov–Smirnov | Chi-Square | Anderson–Darling |
|---|---|---|---|
| p-value | 0.98139 | Accepted | 0.79775 |
| Accepted for each α | 5/5 | 5/5 | 5/5 |

Table 3. Parameters of the Johnson SB distribution (γ, δ, λ, ξ) of the perimeter of the convex hull P P E C J S B (γ, δ, λ, ξ).

| Image Size | γ | δ | λ | ξ |
|---|---|---|---|---|
| 1920 × 1080 | 0.65612 | 1.5922 | 4575.1 | 495.15 |

Table 4. Comparison between the probability of committing a type I error by the test ($\hat{\alpha}$) and the expected theoretical error (α).

| α (Theoretical) | CR. of $H_0$ | $\hat{\alpha}_1$ DB.2 |
|---|---|---|
| 0.2 | Z < −1.282 or Z > 1.282 | 0.2029 |
| 0.1 | Z < −1.645 or Z > 1.645 | 0.1019 |
| 0.05 | Z < −1.960 or Z > 1.960 | 0.0535 |
| 0.02 | Z < −2.326 or Z > 2.326 | 0.0234 |
| 0.01 | Z < −2.575 or Z > 2.575 | 0.0136 |

Table 5. Estimated probability ($\hat{\beta}$) on DB.3.1, DB.3.2, and DB.3.3 of accepting a clustered graphical password as a random password.

| Significance Level | Critical Region | ($\hat{\beta}$) DB.3.1 | ($\hat{\beta}$) DB.3.2 | ($\hat{\beta}$) DB.3.3 |
|---|---|---|---|---|
| 0.2 | −1.282 < Z < 1.282 | 0.0024 | 0 | 0 |
| 0.1 | −1.645 < Z < 1.645 | 0.0555 | 0 | 0 |
| 0.05 | −1.960 < Z < 1.960 | 0.2026 | 0.0003 | 0 |
| 0.02 | −2.326 < Z < 2.326 | 0.4402 | 0.0241 | 0.0002 |
| 0.01 | −2.575 < Z < 2.575 | 0.5889 | 0.0927 | 0.0055 |

Table 6. Variation (↓) in the estimated probability of the type II error ($\hat{\beta}$) committed by test 4 with respect to test 3 in DB.3.1, DB.3.2, and DB.3.3.

| Significance Level | Critical Region | ($\hat{\beta}$) DB.3.1 | ($\hat{\beta}$) DB.3.2 | ($\hat{\beta}$) DB.3.3 |
|---|---|---|---|---|
| 0.2 | −1.282 < Z < 1.282 | ↓0.0054 | 0 | 0 |
| 0.1 | −1.645 < Z < 1.645 | ↓0.0087 | 0 | 0 |
| 0.05 | −1.960 < Z < 1.960 | ↓0.0043 | ↓0.0010 | 0 |
| 0.02 | −2.326 < Z < 2.326 | ↓0.0233 | ↓0.0241 | ↓0.0011 |
| 0.01 | −2.575 < Z < 2.575 | ↓0.0459 | ↓0.0773 | ↓0.0140 |

Table 7. Execution times (s), taking 100 passwords as a sample.

| | Minimum Time | Average Time | Maximum Time |
|---|---|---|---|
| Test 1 | 0.001 | 0.006 | 0.084 |
| Test 3 | 0.001 | 0.045 | 0.155 |
| Test 4 | 0.017 | 0.033 | 0.110 |