Question
Part 2: Picture-based password system
Alice wants to evaluate a picture-based password system.
The system has a database of 100 different pictures. To select a password, the user is allowed to browse through the database of pictures and select 20 pictures as their password. To authenticate, the user is presented with 20 challenges. Each challenge consists of 2 pictures displayed to the user: one is randomly chosen from the user's password set, and the other is randomly chosen from the remaining 80 pictures. The user is asked to identify which of the two pictures is from their password set. If the user correctly answers all 20 challenges, the user is authenticated.
To analyze the security of this system, Alice will use two different methods:
Method 1: Alice will find the number of possible passwords, and use that to calculate the probability that an adversary could guess a user's password.
Method 2: Alice will calculate the probability of impersonating the user by correctly responding to the set of 20 challenges presented by the system.
After analyzing the system with the above methods, Alice will determine the level of security as the highest success chance of the two methods.
Q2.1 Outline the calculations by Alice for both methods, and comment on her final verdict regarding the security of the system.
Q2.2 Compare both the usability and security of this system with the Passfaces-based system described in Question 1. Assume that both systems lock an account after 3 invalid attempts. In particular, (i) compare the success chance of an adversary in an online attack, and (ii) comment on the security and usability of the password selection method of the two systems (in Passfaces, passwords are randomly selected by the system; in the picture-based system, the user selects their favourite set).
Q2.3 Bonus question: Suppose an adversary has unlimited access to a verification terminal that will not block any account regardless of the number of unsuccessful attempts. Describe an effective algorithm that would allow the attacker to fully learn a user's password. Include an estimate of how many guesses the attacker would need. (5 bonus points)
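The two evaluation methods in Q2.1 and the three-attempt lockout in Q2.2 can be worked through numerically. The script below is an added example written for this page; it is not part of the original question or any course solution. It uses only the parameters stated in the question (100 pictures, 20-picture password, 20 two-picture challenges, lockout after 3 attempts) and exact rational arithmetic so the tiny probabilities are not lost to rounding. The Passfaces system from Question 1 is not described on this page, so it is not modelled here.

```python
from fractions import Fraction
from math import comb

# Parameters of the picture-based password system as stated in the question
N_PICTURES = 100             # pictures in the database
PASSWORD_SIZE = 20           # pictures a user selects as their password
N_CHALLENGES = 20            # challenges per authentication attempt
OPTIONS_PER_CHALLENGE = 2    # one password picture plus one decoy per challenge
LOCKOUT_ATTEMPTS = 3         # attempts allowed before the account locks (Q2.2)


def method1(n=N_PICTURES, k=PASSWORD_SIZE):
    """Method 1: size of the password space and the chance of one random guess.

    A password is an unordered set of k distinct pictures out of n, so there
    are C(n, k) possible passwords, and a uniformly random guess of the whole
    set is correct with probability 1 / C(n, k).
    """
    space = comb(n, k)
    return space, Fraction(1, space)


def method2(challenges=N_CHALLENGES, options=OPTIONS_PER_CHALLENGE):
    """Method 2: chance that an adversary with no knowledge of the password
    passes one authentication attempt.

    Each challenge shows `options` pictures of which exactly one belongs to
    the password set, so a blind answer is right with probability 1/options.
    All challenges must be answered correctly and the pairs are drawn
    independently, so the per-challenge probabilities multiply.
    """
    return Fraction(1, options) ** challenges


def online_attack_success(per_attempt, attempts=LOCKOUT_ATTEMPTS):
    """Chance that at least one of `attempts` independent blind attempts
    succeeds before the lockout triggers: 1 - (1 - p) ** attempts."""
    return 1 - (1 - per_attempt) ** attempts


def verdict():
    """Alice's rule: the security level is the higher success chance of the
    two methods (the weaker bound is the one that matters)."""
    _, p1 = method1()
    p2 = method2()
    return max(p1, p2)


if __name__ == "__main__":
    space, p1 = method1()
    p2 = method2()
    print(f"Method 1: {space} possible passwords, P(guess) = {float(p1):.3e}")
    print(f"Method 2: P(pass all 20 challenges blind) = {float(p2):.3e} "
          f"(= 1/{p2.denominator})")
    print(f"Online attack with {LOCKOUT_ATTEMPTS} attempts before lockout: "
          f"P = {float(online_attack_success(p2)):.3e}")
    print(f"Security level (max of the two methods): {float(verdict()):.3e}")
```

Running it shows why the two methods disagree by many orders of magnitude: Method 1 counts the full password space (about 5.4 x 10^20 sets), but Method 2 reflects what the verifier actually checks per attempt, where each challenge leaks only one bit of difficulty, so a blind attacker passes with probability 2^-20. Under Alice's rule the Method 2 figure is the system's security level, and with three attempts before lockout the online success chance is just under 3 x 2^-20.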